SP-014: Awareness and Training Pattern
Diagram:
Legend: Awareness and training pattern for end users, built on the AT (Awareness and Training) and PS (Personnel Security) control families of NIST SP 800-53.
Description: Awareness and training should cover basic IT security for all end users, supplemented by targeted content based on job role. Typical training materials include:
- Relevant elements of organisational policies, such as password protection, protecting your computer, and the use of portable devices such as USB storage
- Acceptable use policies covering areas such as permitted internet access and email use
- Responding to common security incidents and how to report security concerns
- Data security and document handling including protecting information outside the organisation
- Internet safety and malware
- Phishing and email security
- Physical and workplace security including visitors
- Industry-specific compliance material, such as anti-money-laundering training in financial services
The success of awareness campaigns should be measured using click-through rates for awareness emails, page views and time on page for the intranet portal or library, and pass rates on multiple-choice tests for the topic concerned. Also consider whether behaviour changes related to the awareness message can be tracked, e.g. clean desk checks before and after a campaign on that topic: engagement and test results show that the message was received, while behaviour checks show whether it changed what people actually do.
Employment and third-party contracts are an important means of enforcing security awareness and training obligations, and induction days can be used to deliver training to new staff, along with links to further information. Think carefully about the use of physical media to reinforce messages: reminders that stay in place too long stop being noticed (habituation), so rotate them.
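The measurement approach above (engagement metrics, test pass rates and a before/after behaviour check) can be turned into a simple campaign report. The script below is an added illustration written for this page, not part of the original pattern or any product; the job roles, metric names, sample values and the 10% improvement threshold are all assumed for the example. It rolls up per-role means for each metric before and after a campaign and flags roles whose behaviour metric (clean desk checks) did not improve, which is one way to identify candidates for the role-targeted training the pattern recommends.

```python
"""Awareness campaign metrics over constructed sample data (illustrative only)."""
from collections import defaultdict
from statistics import mean

# Constructed sample records, not data from any real organisation.
# Each record: (job_role, campaign_phase, metric, value)
#   email_click      1 if the user followed the link in the awareness email, else 0
#   quiz_pass        1 if the user passed the multiple-choice test, else 0
#   clean_desk_pass  1 if the user's desk passed the spot check, else 0
#   portal_seconds   seconds spent on the intranet awareness page
EVENTS = [
    ("finance", "before", "email_click", 1), ("finance", "before", "email_click", 0),
    ("finance", "before", "email_click", 0), ("finance", "before", "email_click", 0),
    ("finance", "after", "email_click", 1), ("finance", "after", "email_click", 1),
    ("finance", "after", "email_click", 0), ("finance", "after", "email_click", 1),
    ("finance", "before", "quiz_pass", 0), ("finance", "before", "quiz_pass", 1),
    ("finance", "before", "quiz_pass", 0), ("finance", "before", "quiz_pass", 1),
    ("finance", "after", "quiz_pass", 1), ("finance", "after", "quiz_pass", 1),
    ("finance", "after", "quiz_pass", 1), ("finance", "after", "quiz_pass", 0),
    ("finance", "before", "clean_desk_pass", 0), ("finance", "before", "clean_desk_pass", 0),
    ("finance", "before", "clean_desk_pass", 1), ("finance", "before", "clean_desk_pass", 0),
    ("finance", "after", "clean_desk_pass", 1), ("finance", "after", "clean_desk_pass", 1),
    ("finance", "after", "clean_desk_pass", 0), ("finance", "after", "clean_desk_pass", 1),
    ("finance", "before", "portal_seconds", 30), ("finance", "before", "portal_seconds", 50),
    ("finance", "after", "portal_seconds", 120), ("finance", "after", "portal_seconds", 90),
    ("helpdesk", "before", "email_click", 1), ("helpdesk", "before", "email_click", 0),
    ("helpdesk", "after", "email_click", 1), ("helpdesk", "after", "email_click", 1),
    ("helpdesk", "before", "quiz_pass", 1), ("helpdesk", "before", "quiz_pass", 0),
    ("helpdesk", "before", "quiz_pass", 1), ("helpdesk", "before", "quiz_pass", 1),
    ("helpdesk", "after", "quiz_pass", 1), ("helpdesk", "after", "quiz_pass", 1),
    ("helpdesk", "after", "quiz_pass", 1), ("helpdesk", "after", "quiz_pass", 1),
    ("helpdesk", "before", "clean_desk_pass", 1), ("helpdesk", "before", "clean_desk_pass", 0),
    ("helpdesk", "before", "clean_desk_pass", 1), ("helpdesk", "before", "clean_desk_pass", 0),
    ("helpdesk", "after", "clean_desk_pass", 0), ("helpdesk", "after", "clean_desk_pass", 1),
    ("helpdesk", "after", "clean_desk_pass", 0), ("helpdesk", "after", "clean_desk_pass", 1),
    ("helpdesk", "before", "portal_seconds", 20), ("helpdesk", "before", "portal_seconds", 40),
    ("helpdesk", "after", "portal_seconds", 45), ("helpdesk", "after", "portal_seconds", 35),
]


def metric_means(events):
    """Mean value per (role, phase, metric); for 0/1 metrics this is the pass rate."""
    buckets = defaultdict(list)
    for role, phase, metric, value in events:
        buckets[(role, phase, metric)].append(value)
    return {key: mean(values) for key, values in buckets.items()}


def campaign_report(events):
    """Per role and metric: (before, after, delta) with delta = after - before.

    Metrics that were only measured in one phase are left out, since a
    before/after comparison is not possible for them.
    """
    means = metric_means(events)
    report = defaultdict(dict)
    for role, phase, metric in means:
        if phase != "before":
            continue
        after = means.get((role, "after", metric))
        if after is None:
            continue
        before = means[(role, "before", metric)]
        report[role][metric] = (before, after, round(after - before, 4))
    return dict(report)


def followup_candidates(report, metric="clean_desk_pass", min_delta=0.1):
    """Roles whose behaviour metric did not improve by at least min_delta.

    Engagement (email_click, portal_seconds) and knowledge (quiz_pass) can rise
    while behaviour stays flat; those roles are candidates for targeted content.
    The 0.1 threshold is an assumed example value, not a recommendation.
    """
    return sorted(role for role, metrics in report.items()
                  if metric in metrics and metrics[metric][2] < min_delta)


if __name__ == "__main__":
    rep = campaign_report(EVENTS)
    for role, metrics in sorted(rep.items()):
        for metric, (before, after, delta) in sorted(metrics.items()):
            print(f"{role:10} {metric:16} before={before:<7} after={after:<7} delta={delta}")
    print("follow-up candidates:", followup_candidates(rep))
```

In the sample data the helpdesk role shows improved engagement and a perfect quiz pass rate after the campaign, yet its clean desk pass rate is unchanged, so it is the one role flagged for follow-up: the kind of gap between "message received" and "behaviour changed" that engagement metrics alone would hide.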
Assumptions: None.
Typical challenges: choosing a content provider that reduces the time needed to build a library of materials; identifying high-risk job roles that need additional targeted messages and training; aligning content and format with the organisation's culture so that the style of the messages resonates with the audience (work with your internal communications team on this).
Indications: All organisations should maintain an awareness and training program.
Contra-indications: None.
Resistance against threats: the 'human factor' is a crucial part of maintaining information security. Without awareness and training for staff and third parties it is unlikely that you will meet your security goals.
References:
Human factors in information security (article): "lays out the case for managing the human side of information security just as carefully as the technical side" and argues that "awareness is the most cost-effective form of security control".
David Lacey, Managing the Human Factor in Information Security: How to Win Over Staff and Influence Business Managers (book).
NIST SP 800-50, Building an Information Technology Security Awareness and Training Program.
ENISA, Information security awareness initiatives: Current practice and the measurement of success (report).
ENISA, Ten security awareness good practices.
Related patterns: None
Classification: People
Release: 08.02
Authors: Russell Wing
Reviewer(s): TBD
Control details (NIST SP 800-53 control identifiers):
AT-01 Security Awareness And Training Policy And Procedures
AT-02 Security Awareness
AT-03 Security Training
AT-04 Security Training Records
PL-04 Rules Of Behavior
PS-01 Personnel Security Policy And Procedures
PS-02 Position Categorization
PS-06 Access Agreements
PS-07 Third-Party Personnel Security
PS-08 Personnel Sanctions
RA-03 Risk Assessment