Building a Security Policy Framework for a Large, Multi-national Company

By Leslie VanCura

Information Security is not just technology. It is a process, a policy, and a culture. Our organization had spent millions of dollars on technology to keep the “bad guys” out, but we had spent little time building the foundations of our Information Security Program. We did not have relevant, current policies or a culture of security awareness among our managers or end users. The technology was not able to prevent end users from disabling it or doing unintentional damage by opening strange email attachments or telling someone their password. This paper will discuss how we created a Security Awareness Program to address this problem. The program covers policy development, an awareness campaign, and compliance monitoring.

Anti-Phishing: Factors to Consider When Planning, Developing and Implementing Phishing Awareness Training

By Randi Sherman

Security awareness training is very broad in scope, but essentially it amounts to creating a formalized environment for familiarizing and educating employees about proper procedures for protecting a company from intrusion and theft. Properly designed, it should ensure that all workers understand corporate policies and procedures for using company assets in a secure and conscientious manner. That being said, phishing is a black art. It is designed to trick otherwise conscientious employees into doing something that they would never ordinarily consider. Phishing poses a unique problem to corporate security. In many cases, employees have abrogated their responsibilities, operating under the mistaken impression that filters remove all incoming threats from e-mails. This is a notion that we need to do away with; phishing awareness education is the key.

Non-Technical Countermeasures

By Daniel Brecht

Today’s cyber scammers are quite savvy in their attempts to bypass security measures and collect information and data that should not normally be publicly exposed. Phishing, in particular, is a widely used social engineering technique that targets users by means of a bait to solicit personal information or deceive victims into performing certain actions, such as opening malicious links or attachments.

Using Influence Strategies to Improve Security Awareness Programs

By Alyssa Robinson

Even companies with extensive, well-funded security awareness programs fall victim to attacks involving phishing, weak passwords and SQL injection, presumably the primary targets of user education. Either their users don’t have the skills to avoid these pitfalls, or they lack the motivation to apply those skills. Psychologists and other social scientists have studied the roots of effective behavioral change and have solutions to offer. By exploring personal, social and environmental sources of motivation and ability, security awareness professionals can attack the problem from multiple sides and give users both the ability and the will to make necessary changes.

Security Awareness Training as a Revenue Generator

By Miller Henley

One of the roadblocks that IT managers often encounter when trying to implement IT security awareness training initiatives is justifying expenses associated with the program. Businesses live and die by return on investment (ROI) and rightfully so. Executives insist upon proof that any outlay of resources will have a positive impact on the bottom line. Unlike a product that is purchased and resold, an online advertising campaign where clicks may be tracked, or the addition of a new sales rep with a corresponding increase in sales, it is a little more difficult to pinpoint the exact economic benefit of IT security awareness training, but certainly doable.

Designing the Perfect Security Awareness Newsletter

By John G. Laskey

Even in smaller organizations, a regular security awareness newsletter can support effective, participative security. While your organization’s editorial rules could be a creative brake on a really great newsletter, the following tips can help you build up an effective one that will be welcomed by associates and be an asset to the organization’s security. It is important to encourage communications between security managers and the organization’s associates. At best, this can be used to measure the effectiveness of security issues, even allowing you to make adjustments where these are merited. Newsletters should encourage discussion, always ensuring things stay inside of editorial guidelines.

Moving from Consciousness to Culture: Creating an Environment of Security Awareness

By Mary Munley

Although the aftermath of September 11th has brought to the forefront the realization that security threats are real, most companies are still far from creating a culture of security awareness within their organizations. This is particularly true with information security even though recent surveys have shown that corporations are worried about the financial impact of threats and attacks against their computer systems. Unfortunately, many of these same organizations are still focusing primarily on technical solutions such as firewalls, anti-virus software, patches, biometric devices and the like, to protect themselves against these threats. They have failed to take an overall holistic approach to security by combining technology with awareness. Most have recognized the importance of having clear and enforceable policies, but have stopped short of developing a comprehensive, ongoing awareness program.

Creating an IT Security Awareness Program for Senior Management

By Robert Nellis

This paper will present an approach to creating and deploying a security awareness program with senior management as the intended audience. A successful program for senior management is the key to the security program for the entire organization and therefore needs to be carefully and concisely constructed. Creating the program requires numerous resources, a clear understanding of security within the organization and an understanding of the position of senior management on IT security. This paper will outline the steps necessary to identify the current level of senior management’s IT security knowledge. Once the knowledge level is identified the steps to develop the content of the awareness program based on this knowledge will be discussed.

Security Awareness for Sales Representatives

By Dan Virgillito

The performance of salespersons is usually measured in terms of revenue, not in terms of security awareness. As a result, most of their efforts are geared towards closing contracts and not vulnerabilities. If your sales representatives do not know how to protect the confidentiality of business information, your valuable assets (corporate information) could be mishandled or accessed by unauthorized individuals. You also risk being non-compliant with laws that require enterprises to adhere to information safety and security awareness.

Methods and Techniques of Implementing a Security Awareness Program

By William Hubbard

Implementing a successful Security Awareness Program is an essential step in enhancing security within any organization. The mindset and behavior of employees are the crux of the issue – in order to operate at an acceptable level of awareness, the organization’s employees must have certain basic knowledge to behave “securely”. But how do you, the security awareness program director, provide this knowledge? This paper will illustrate why security awareness is so important and what it is supposed to accomplish. Furthermore, it will also cover program contents, methods and techniques of teaching, and resources the security awareness program director might use to better achieve the goal of greater security awareness within an organization. By using the methods and techniques discussed, the program director can develop a dynamic and effective program that both engages employees and helps them learn better security behavior.