Creating a Security Education, Training, and Awareness Program

Nick Pullman (Citigroup, USA) and Kevin Streff (Dakota State University, USA)
DOI: 10.4018/978-1-60566-132-2.ch020
Security training and awareness is often overlooked or not given sufficient focus in many organizations, despite being a critical component of a layered defense. Organizations often purchase expensive hardware and software to help secure the organization, but fail to allocate resources to train the employees who will install and configure those products. Similarly, organizations devote many hours to developing policies and procedures to protect sensitive information, but fail to allocate the resources needed to ensure that employees are aware of those policies and procedures. This chapter discusses how to design, create, and implement a formal security education, training, and awareness (SETA) program as a component of a layered defense strategy.
Chapter Preview

Kevin Mitnick, one of the world’s most famous hackers, was known less for technical exploitation than for social engineering: he tricked and persuaded individuals into disclosing sensitive information. Mitnick took advantage of people’s trusting nature by impersonating “trusted” individuals to perform reconnaissance for later attacks. The adage goes that a chain is only as strong as its weakest link, and many security experts would agree that the human element is the weakest link in information security (Hansche, Berti, & Hare, 2004). Threats stemming from human failure are significant: theft of intellectual property alone accounts for a loss of $59 billion a year from American companies (National Security Institute, 2007). A security education, training, and awareness program aims to mitigate this human risk in securing organizations and their assets. The core issue for organizations today, however, is not whether to perform security training and awareness; many organizations already have some form of it. The issue is how to implement a program that is effective and efficient in providing the additional level of security that was intended.

A security education, training, and awareness (SETA) program is designed to mitigate threats due to human factors, such as employees not being properly trained on a specific technology or not being aware of a security policy. There are many facets to information security, and organizations tend to approach security problems with a technical bias; the reality, however, is that humans are typically the first and last line of defense in protecting the organization. Technical-only solutions are insufficient, because those defenses are installed and managed by individuals who, if not properly trained, can leave a system vulnerable to attack. In addition, employees use systems and applications daily, so they are most likely to be the first to notice problems or security breaches.

There are three pieces to understand with regard to security education, training and awareness:

  • creating an overall security program,

  • understanding SETA fundamentals, and

  • creating the SETA program.

First, before beginning to create the SETA program, the organization must develop a comprehensive information security program. The overall security program details the approach that the organization will use to secure its assets. Next, the organization must understand the fundamentals behind a SETA program, such as which topics are appropriate and which methods are best for delivering the learning material. Finally, once the organization understands the appropriate topics, materials, and distribution methods, it can create the SETA program. This includes determining the organization’s needs, ensuring that there is an appropriate plan for designing and executing the SETA program, and following appropriate methods to implement and evaluate it. It is important for an organization to understand its overall security needs so that the SETA program can be developed to meet those needs. In addition, following a defined process for implementing and evaluating the SETA program will ensure that the program is effective, efficient, and continuously improving.


People Based Security Breaches

Information assurance is the process of protecting the confidentiality, integrity, and availability of electronic systems and the information they store, process, and transact (McCumber, 2005). There are many types of security incidents that compromise information, such as loss or theft of data, unauthorized changes, disclosure of sensitive information, and loss of system availability, and these incidents can originate from a number of sources, such as viruses, hackers, insider abuse, and natural disasters. Technical attacks, such as remote exploits and malware, are important to defend against, but the human aspects of information security are equally or more important.

Key Terms in this Chapter

Procedure: Information security procedures are documents that support the security policy and standards in a detailed step-by-step manner.

Policy: The information security policies are the high-level documents that define the security goals, approach, and strategies of the organization.

Fully Decentralized: A fully decentralized model implements a centralized policy with distributed strategy and implementation.

Centralized Model: A centralized model implements all of the functions of the SETA program, policy, strategy, and implementation at a centrally managed authority.

Partially Decentralized: A partially decentralized model implements the policy and strategy of the SETA program by a central authority, but the implementation is managed by individual departments.

Standard: Security standards are documents that describe the mandatory requirements that the organization will implement in order to comply with security policy.

Defense-in-Depth: Defense-in-depth is a layered security approach in which people, process, and technology are utilized to protect an organization’s assets.

Guideline: Guidelines provide additional clarification on how to comply with security policies, but whereas standards are required, guidelines provide a recommendation but not an explicit requirement.

ISO17799 / ISO27001: ISO 17799 and ISO 27001 are complementary security standards. ISO 27001 defines the requirements for establishing and operating an information security management system (ISMS), and ISO 17799 (renumbered ISO/IEC 27002 in 2007) is the code of practice that describes the control objectives and controls the ISMS should address.

Complete Chapter List

Editorial Advisory Board
Table of Contents
John Walp
Manish Gupta, Raj Sharman
Chapter 1: Responsibilities and Liabilities with Respect to Catastrophes (C. Warren Axelrod)
Chapter 2: The Complex New World of Information Security (David Porter)
Chapter 3: Employee Surveillance Based on Free Text Detection of Keystroke Dynamics (Ahmed Awad E. Ahmed)
Chapter 4: E-Risk Insurance Product Design: A Copula Based Bayesian Belief Network Model (Arunabha Mukhopadhyay, Samir Chatterjee, Debashis Saha, Ambuj Mahanti, Samir K. Sadhukhan)
Chapter 5: E-Commerce Security and Honesty-Credit (Guoling Lao)
Chapter 6: Towards a Scalable Role and Organization Based Access Control Model with Decentralized Security Administration (Zhixiong Zhang, Xinwen Zhang, Ravi Sandhu)
Chapter 7: Enterprise Information System Security: A Life-Cycle Approach (Chandan Mazumdar)
Chapter 8: An Alternative Model of Information Security Investment (Peter O. Orondo)
Chapter 9: Avoiding Pitfalls in Policy-Based Privacy Management (George O.M. Yee)
Chapter 10: Privacy and Banking in Australia (Supriya Singh)
Chapter 11: A Multistage Framework to Defend Against Phishing Attacks (Madhusudhanan Chandrasekaran, Shambhu Upadhyaya)
Chapter 12: A New Approach to Reducing Social Engineering Impact (Ghita Kouadri Mostefaoui, Patrick Brézillon)
Chapter 13: Privacy-Enhancing Technologies (Yang Wang)
Chapter 14: Social Engineering and its Countermeasures (Douglas P. Twitchell)
Chapter 15: Social Networking Site: Opportunities and Security Challenges (Tom S. Chan)
Chapter 16: Designing Antiphishing Education (James W. Ragucci, Stefan A. Robila)
Chapter 17: Theories Used in Information Security Research: Survey and Agenda (Serkan Ada)
Chapter 18: Information Assurance and Security Curriculum Meeting the SIGITE Guidelines (Samuel Liles)
Chapter 19: Information Security Awareness (Gary Hinson)
Chapter 20: Creating a Security Education, Training, and Awareness Program (Nick Pullman, Kevin Streff)
Chapter 21: Information Security Within an E-Learning Environment (E. Kritzinger, S.H von Solms)
Chapter 22: Research Notes on Emerging Areas of Conflict in Security (Donald Murphy, Manish Gupta, H.R. Rao)
Chapter 23: The Human Attack in Linguistic Steganography (C. Orhan Orgun)
Chapter 24: Using Technology to Overcome the Password's Contradiction (Sérgio Tenreiro de Magalhães, Kenneth Revett, Henrique M.D. Santos, Leonel Duarte dos Santos, André Oliveira, César Ariza)
Chapter 25: Formal Analysis of Security in Interactive Systems (Antonio Cerone)
Chapter 26: Internet Crime: How Vulnerable Are You? Do Gender, Social Influence and Education play a Role in Vulnerability? (Tejaswini Herath)
Chapter 27: Detecting Shill Bidding in Online English Auctions (Jarrod Trevathan)
Chapter 28: Information Security at Large Public Displays (Carsten Röcker, Carsten Magerkurth, Steve Hinske)
Chapter 29: The Sense of Security and Trust (Yuko Murayama, Carl Hauser, Natsuko Hikage, Basabi Chakraborty)
About the Contributors