
Notable Quote

"In all of computer security, people are the problem."

—Bruce Schneier, in Bank Technology News

Why Security Awareness?

The best physical security and logical security are undone if an employee makes a security blunder. You need people security to fight basic security errors made by new, complicit, or uninformed employees. Security awareness training builds people security.

From NIST Special Publication 800-16: Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly.

Both NIST and IEC recommend awareness training for all employees. However, NIST recommends periodic awareness training while IEC 27002 recommends:

An adequate level of awareness, education, and training in security procedures and the correct use of information processing facilities should be provided to all employees, contractors and third party users to minimize possible security risks.

Why is IT Security Awareness important?

IT Security Awareness is important:

  • Before a data breach: Employees with access to data are the single largest contributing factor to modern data breaches. Educating employees on IT Security pitfalls is critical to maintaining data security and avoiding an unwanted data breach.
  • After a data breach: Any organization that suffers a data breach that involves loss of personally identifiable information (PII) or sensitive information will experience costly litigation and a loss of public confidence. Liability is minimized if an organization can show that reasonable care had been taken to ensure the confidentiality and integrity of such data.

Is eLearning effective for IT Security Awareness?

Instructor-led Security Awareness is the most effective educational medium, but it is time intensive, costly, and hard to schedule around employee meetings, workloads, vacation, sick leave, and personal time off.

Online delivery of Security Awareness provides a cost-effective, convenient means of delivery for new employees and fits into and around existing employee schedules.

What other benefits does eLearning provide?

  • When a modern Learning Management System (LMS) delivers eLearning to employees, each student is identified and tracked through the course. LMS reports are convenient, accurate, and easily available. LMS reports on Security Awareness training are a viable metric for security audits.
  • eLearning reports on quiz scores identify low-scoring employees as possible security risks who may need further investigation.
  • eLearning course content can be easily revised throughout the year.

CSI 2007 Survey

In a survey taken by the Computer Security Institute in 2007, 486 respondents were asked to rate the importance of several security awareness topics to their organizations. For more information on how companies view security awareness and other security metrics, download the full report at http://www.gocsi.com.

[Figure: CSI Survey Figure 22]

eLearning Corner, LLC • Gaithersburg, MD, USA • +1.240.477.8758