The Human Firewall: Creating a security aware workforce

APPLIED INFORMATION SERVICES

Andrew Breakwell, Business Development Director

Compliance Division

Slide 2: Agenda

Establishing the Need

Common pitfalls

Planning

Delivery

Evaluation and Metrics

Slide 3: Corporate overview

Governance, Risk and Compliance (GRC) specialists for more than 16 years

Focus on improving staff awareness, knowledge and understanding

Providers of: Information newsfeeds and alerts

Learning content and services

Risk management and auditing systems

Part of SAI Global, ASX quoted, c. 950 employees

Offices in Europe, North America and Australasia

Global client base – specialists in large scale, international deployments

4,000,000+ end users, resources in 20+ languages

Slide 4: Establishing the Need

“Most security breaches occur at ground floor level, through employees making errors or inadvertently revealing information. It is ironic therefore that so many organizations do not have a comprehensive awareness program in place... perhaps missing the obvious and focusing upon the rather more stimulating high-tech threat instead.”

ISO 17799 News

Slide 5: Establishing the Need

Deloitte 2007 Global Security Survey: ‘79 percent of participants cite the human factor as the root cause of information security failures’

CSI Computer Crime and Security Survey 2007: ‘The average annual loss reported in this year’s survey shot up to $350,424 from $168,000 the previous year’

ENISA: IS Awareness Initiatives – Current practice and the measurements of success 2007: ‘… information security is seen as a high or very high priority in four fifths of respondents.’

‘War stories’

Slide 6: Common pitfalls

Lack of senior management support

Adopting a ‘one size fits all’ approach – mismatch between content and target audience

Not connecting the program to a Needs Assessment

Objectives and outcomes poorly defined

Training ‘fatigue’

Poor communication and planning

Developing a limited program based on specific budget target (not the one you want)

Lack of in-house expertise – not involving other experts

Assuming it’s a one-time initiative – not an ongoing process

Lack of evaluation and measurement

BORING…! Lack of engaging and relevant content

Slide 7: Planning

Needs assessment

Slide 8: Planning

Needs Assessment

WHO gets the training

WHAT training they get

HOW the training is delivered

WHERE the training takes place

WHEN the training takes place

Over the short, medium and long term

Aligned with corporate goals and objectives

Clear business case for all elements

Clearly defined measurement criteria - benchmarking

Slide 9: Planning

Needs assessment

Identify audience – not a ‘one size fits all’ approach

Slide 10: Planning

Identify audience

Full time/Part time?

New hires, trainees?

Senior management or management-role?

Specific departments or job ‘families’ (e.g. HR, IT, Security)?

Based on job or role (e.g. employees handling large amounts of data, remote workers)?

Specific technology users (e.g. employees with laptops)?

Specific location (e.g. country or region, manufacturing site, branch offices)?

PLUS customers, suppliers?

Slide 11: Planning

Needs assessment

Identify audience – not a ‘one size fits all’ approach

Set objectives and timescales

Collaborate

Communicate and market

What’s available?

Establish the team – identify project owner

Identify resource and budget needs

Express funding needs

Assign a Program Manager

Slide 12: Delivery

Develop course content

Core training

Senior management training

Slide 13: Delivery

Core training – to include content for senior managers

E-learning for IT users:

Reduced delivery costs

Reduced training time

Flexibility and convenience

Engaging and interactive

Self-paced and non-threatening

Consistent content and delivery

Ease of updating

Accurate measurement and control

Tailored content – ‘off-the-shelf’ or bespoke

Workshops:

PowerPoints

Handouts

Trainers’ notes

‘Train the Trainer’ sessions

Slide 14: Delivery

E-learning – engaging content

Slide 15: Delivery

Develop course content

Core training

Senior management training

New starter training

Refresher training

Specialist training

Assessment testing

Slide 16: Delivery

Assessment testing

Slide 17: Delivery

Develop course content

Core training

Senior management training

New starter training

Refresher training

Specialist training

Assessment testing

Ongoing awareness activity

Slide 18: Delivery

Ongoing awareness activity

Interactive e-mails

Marketing materials

Posters

Newsletters

Cartoons

Giveaways

Video ‘Moments’

Slide 19: Delivery

Develop course content

Confirm technology requirements and test

Establish tracking and reporting criteria

Plan and communicate implementation timetable

Schedule launch and pre-launch activity

Ensure clear ownership of project

Analyse effectiveness of training using metrics

Slide 20: Evaluation and metrics

Benchmarking prior to training

Completion rates (against previous training?)

Total target audience

By sector

By job role

Three further levels:

Reaction level – measuring ‘attitudes’, i.e. through evaluation questionnaires, structured interviews etc.

Immediate level – measuring users’ ‘knowledge’, i.e. through pre- and post-training assessment tests

Functional level – measuring ‘behavioural’ change, i.e. through observation of business processes and indicators, e.g. helpdesk calls, security breaches and incidents

Return on investment
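As an added example (not part of the original presentation), a small Python script that turns the metrics on this slide into numbers from constructed records: completion rates by sector and by job role, the immediate-level knowledge gain from pre- and post-training tests, and the functional-level change in helpdesk calls and incidents against a pre-training benchmark. All record names, scores and indicator values are hypothetical.

```python
"""Added example (not from the original slide deck): scoring an awareness
program against the metrics the deck lists. All input data is constructed."""
from collections import defaultdict
from statistics import mean

# Constructed sample: one record per targeted employee (hypothetical data).
# completed: finished the e-learning; pre/post: assessment scores (0-100).
ROSTER = [
    {"id": 1, "sector": "Finance", "role": "Manager", "completed": True,  "pre": 55, "post": 86},
    {"id": 2, "sector": "Finance", "role": "Staff",   "completed": True,  "pre": 40, "post": 70},
    {"id": 3, "sector": "Finance", "role": "Staff",   "completed": False, "pre": 45, "post": None},
    {"id": 4, "sector": "IT",      "role": "Staff",   "completed": True,  "pre": 70, "post": 90},
    {"id": 5, "sector": "IT",      "role": "Manager", "completed": True,  "pre": 65, "post": 80},
    {"id": 6, "sector": "HR",      "role": "Staff",   "completed": False, "pre": 35, "post": None},
]

# Constructed functional indicators per month: the pre-training benchmark
# and the same indicators measured after the program.
BENCHMARK = {"helpdesk_calls": 40, "incidents": 12}
AFTER = {"helpdesk_calls": 55, "incidents": 7}


def completion_rates(roster, key):
    """Completion rate per group (key = 'sector' or 'role'), plus overall."""
    done, total = defaultdict(int), defaultdict(int)
    for r in roster:
        total[r[key]] += 1
        done[r[key]] += int(r["completed"])
    rates = {g: round(done[g] / total[g], 2) for g in total}
    rates["overall"] = round(sum(done.values()) / len(roster), 2)
    return rates


def knowledge_gain(roster):
    """Immediate level: mean (post - pre) score among those who completed."""
    gains = [r["post"] - r["pre"] for r in roster if r["completed"]]
    return round(mean(gains), 1) if gains else 0.0


def functional_change(benchmark, after):
    """Functional level: percentage change of each indicator vs the benchmark.
    A rise in helpdesk calls can be a good sign: users now report things."""
    return {k: round((after[k] - benchmark[k]) / benchmark[k] * 100, 1) for k in benchmark}


if __name__ == "__main__":
    print("by sector:", completion_rates(ROSTER, "sector"))
    print("by role:  ", completion_rates(ROSTER, "role"))
    print("knowledge gain:", knowledge_gain(ROSTER))
    print("functional change %:", functional_change(BENCHMARK, AFTER))
```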
