Tuesday, May 5, 2015

Methodologies for Information Security Awareness Program

Presenting a clear security awareness message to all employees in Software Development Companies can be achieved by a variety of methods, but not all of them are very effective, and sometimes they do not meet the requirements of the organization. These methods, if implemented together, lead to a comprehensive security awareness program. The organization can also choose any one of them to address the most critical and vital issue in the business without implementing a full-fledged security program. All of these methods have the same core message: the employee's responsibility and their behavior towards the security of the organization's information assets. Using different media and techniques to convey this message will get the audience's attention. People are more attentive to a new format than to the same communication type and method every time.

Here are some of the methods to convey the security awareness message across the organization:
  • Information security awareness training
  • Computer based information security awareness
  • Awareness services and reminder tools

1. Information Security Awareness Training

This is a very mature and the most effective method of getting users' attention in a classroom environment. It helps to explain the subject and its contents in an interactive way. The contents of the sessions can differ according to the audience profile. Security awareness audiences can usually be divided into the following categories.

i. Management

The management is the ultimate and most important sponsor of the awareness program. It has a very specific need to understand the goals of the awareness program and the role security plays in achieving its business objectives.

The presentation to the management should focus on the security threats which the organization may encounter in the short or long run. It should be clearly communicated to the management that without its support the organization and the employees will not be able to protect information assets. Below are some of the management mistakes which have to be highlighted in the presentation.
  • Ignoring security problems
  • Failing to realize the value of their information and reputation
  • Relying primarily on technology/products
  • Failing to deal with the operational aspects of security
  • Failing to understand the relationship of information security to their business
  • Not providing training/time to their staff
  • Always expecting a quick and visible return on investment when implementing a solution

ii. End Users

End users are usually not responsible for the overall protection of information in IT companies, but they must secure the work environment and the information they are dealing with. End users are involved in day-to-day activities and use data to perform their jobs. This type of audience requires a detailed understanding of information security threats, the damage those threats can cause, and the solutions that mitigate that damage. They should also be familiar with the policies and procedures which will help them to ensure both performance and security.

The underlying message that should be communicated to end users is: consult your information security department whenever something goes wrong or whenever you have questions. Here are some of the mistakes of end users which should be highlighted in the presentation.
  • Violating security policy
  • Opening unsolicited e-mail attachments
  • Installing software from unknown sources
  • Visiting suspicious web sites
  • Not reporting security incidents
  • Falling victim to social engineering

iii. Technical Staff

It is commonly assumed that technical people do not require security awareness, since they are the ones who designed the system, so why should they be called to basic awareness sessions? The purpose of a security awareness session for technical people is to explain to them how technology supports the business and what is needed to protect both the business and the technology.

Awareness sessions for technical people should be centered on the point that technology does not drive the business; it is the opposite. It is always the business that decides the need for technology.

As discussed earlier, a security awareness program is not one-size-fits-all; topics have to be customized according to the profile of the audience.

2. Computer Based Information Security Awareness

Some companies make the awareness program easy and accessible for users at all times. They design a computer application and install it on the company's network, where it is available all the time. Using this self-learning approach, employees can access it at their leisure and learn by themselves the topics which are of interest to them. Such computer applications mainly cover two basic modules and are compliant with company security policies. The first module is a self-assessment using a survey form. This helps users to assess where they are lacking in their understanding of company security policies. It is a good technique for users to analyze their strengths, weaknesses and compliance with the company's awareness program. The second module is usually on the education of security issues; this helps users to learn the company's security policies and procedures.

Following are some of the topics which the education module should cover:
  • Password construction
  • Internet usage
  • Telephone fraud
  • Physical security
  • E-mail usage
  • Viruses
  • Desktop security
  • Social engineering
  • Identity theft

3. Awareness Services and Reminder Tools

As discussed many times before, security awareness is a continuous process and it should be part of the employee's job description and work environment in Software Development Companies. Using reminder tools is one method of keeping employees updated on security awareness topics and reminding them from time to time.

Below are some of the reminder tools available; an organization can choose any or all of them according to its needs and acceptance.

i. Multimedia Presentation

A multimedia presentation on security awareness topics is a good and interactive tool. Employees can use it as a refresher on all the topics they have already covered in awareness training. It is also a great help for remote users, for whom organizing training is not cost effective.

ii. Security Booklet

Most people in the organization find it more convenient to read a hard copy of the subject than a soft or electronic format. A booklet in this case is an effective tool to convey the information security awareness message, the organization's objectives and the user's responsibility in protecting information assets. The booklet can also contain information-security-related pictures, quotes and case studies to educate employees.

iii. Security Posters

It is widely said that pictures and images are more effective in conveying a message across different types of community. People are more receptive to, and enjoy seeing, graphical representations. An organization can design posters on different security issues and themes and place them in public places like the entry door, sports hall, dining hall, cafeteria, recreation room, and near the water coolers. There are lots of web sites that offer free posters or free samples of them; you can simply download and print them out.

iv. Computer Screen Saver

Screen savers can be a good way to promote security messages. Almost all employees in an organization use computers and have screen savers which appear while the computer is idle. Screen savers can be built from security awareness messages, quotes or graphical representations of security-related issues and installed on employees' computers. A customizable free screen saver from Microsoft Corporation is available.

v. Email Shots

The most cost-effective tool to remind users about security awareness is an email message. Email is a widely used communication medium and most staff access email at least once a day. Sending a periodic email containing a security awareness reminder is a good and effective tool.

vi. Promotional Items with Security Issues

Gift items and promotional tools like pencils, pens, erasers, notepads, mouse pads, key chains, cups or mugs can be printed with security wordings, quotes and pictures and distributed among people. This is also a motivational tool to remind employees of security issues.

vii. Security Newsletter

Many big organizations publish a monthly or quarterly official newsletter. Adding security-related news and messages to that newsletter and giving a free copy to all employees could be an effective reminder. This newsletter can also be used as a motivational tool by naming the best employee of the month/quarter: the one who won a prize for taking care of security issues or for participating actively in protecting the company's information assets.
