Creating a Security Education, Training, and Awareness Program

Nick Pullman; Kevin Streff

doi:10.4018/978-1-60566-132-2.ch020

Special Offers
- IGI Global’s New Emerging Topic e-Book Collections
  Acquire highly focused and affordable Cutting-Edge Peer-Reviewed Research Content through a selection of 17 topic-focused e-Book Collections discounted up to 90%, compared to list prices. Collection topics include Artificial Intelligence, Data Science, Language Learning, Marketing and Customer Relations, Sustainability, and many more. Hosted on the InfoSci^® platform, these collections feature no DRM, no additional cost for multi-user licensing, no embargo of content, full-text PDF & HTML format, and more.
  Learn More
- Open Access Book (Free Access) - Encyclopedia of Information Science and Technology, Sixth Edition (ISBN: 9781668473665)
  The Encyclopedia of Information Science and Technology, Sixth Edition) continues the legacy set forth by the first five editions by providing comprehensive coverage and up-to-date definitions of the most important issues, concepts, and trends pertaining to technological advancements and information management within a variety of settings and industries. The entire book is being published under open access.
  Read Now
- Open Access Book (Free Access) - Food Sustainability, Environmental Awareness, and Adaptation and Mitigation Strategies for Developing Countries (ISBN: 9781668456293)
  Food Sustainability, Environmental Awareness, and Adaptation and Mitigation Strategies for Developing Countries provides information on the recent technology, mitigation, and environmental protection that must be applied for food sustainability in developing countries. This book is being published under Platinum Open Access through funding from Diponegoro University, Indonesia.
  Read Now
- Open Access Book (Free Access) - New Models of Higher Education: Unbundled, Rebundled, Customized, and DIY (ISBN: 9781668438091)
  The Walmart Corporation and the Lumina Foundation have provided funding to make New Models of Higher Education: Unbundled, Rebundled, Customized, and DIY fully open access, completely removing any paywall between scholars in education and the latest research on new models for the future of higher education.
  Read Now
- Open Access Book (Free Access) - Handbook of Research on the Global View of Open Access and Scholarly Communications (ISBN: 9781799898054)
  Through a collaboration between IGI Global and the University of North Texas, the Handbook of Research on the Global View of Open Access and Scholarly Communications has been published as fully open access, completely removing any paywall between researchers of any field, and the latest research on the equitable and inclusive nature of Open Access and all of its complications.
  Read Now
Books
- - Books by Subject
  - Business, Administration, & Management
  - Scientific, Technical, & Medical (STM)
  - Education
  - Books by Field
Journals
- - Journals
  - OnDemand Journal Articles
  - Journals by Subject
  - Business, Administration, & Management
  - Scientific, Technical, & Medical (STM)
  - Education
  - Journals by Field
e-Collections
OnDemand
Open Access
- View All Open Access Opportunities
  Search across all of IGI Global’s available open access publishing opportunities to unleash your research potential.
  Find an Open Access Journal for Your Next Manuscript
  Search across all of IGI Global’s available open access publishing opportunities to unleash your research potential.
  Submit an Open Access Book Proposal
  Learn more about open access book publishing and how it can propel your research forward in the field.
  Convert Your Work to Open Access
  Already published? You can convert your work to open access to increase its impact through IGI Global’s Restrospective Open Access Program.
  Utilize Open Access Collection Database
  Open up your research potential by utilizing our open access content or integrating the open access collection into your library
  Consider Open Access Agreements
  For Libraries: consider no-cost or investment-level open access agreements with IGI Global to support your faculty's research endeavors.
  Search Funding Resources
  Looking for additional funding resources to support your open accesss endeavors? View industry resources compiled by our open access team.
  Review Open Access Policies & Ethical Guidelines
  Considering IGI Global to publish your work under open access? Review IGI Global’s open access policies and ethical guidelines
Publish with Us
Resources
- - Instructors
  - Course Adoption
  - Teaching Cases
  - K-12 Online Learning Collection
  - Authors and Editors
  - eEditorial Discovery^® System
  - Peer Review Process
  - Ethics and Malpractice
  - COPE Membership
  - Fair Use Policy
  - Open Access Publishing
  - FAQ
Catalogs
About Us

Creating a Security Education, Training, and Awareness Program

Nick Pullman, Kevin Streff

Source Title: Handbook of Research on Social and Organizational Liabilities in Information Security

DOI: 10.4018/978-1-60566-132-2.ch020

OnDemand:

(Individual Chapters)

Available

$37.50

Current Special Offers

No Current Special Offers

Abstract

Security training and awareness is often overlooked or not given sufficient focus in many organizations despite being a critical component of a layered defense. Organizations often purchase expensive hardware and software to help secure their organization, but fail to allocate resources to train employees who will install and configure the product. Similarly, organizations will devote many hours developing polices and procedures to protect sensitive information, but fail to allocate the appropriate resources to ensure awareness of those policies and procedures. This chapter discusses how to design, create, and implement a formal security education, training, and awareness (SETA) program as a component of a layered defense strategy.

Chapter Preview

Top

Overview

Kevin Mitnick, one of the world’s most famous hackers, wasn’t particularly skilled at exploiting technology, but was notoriously effective at social engineering; he tricked and persuaded individuals into disclosing sensitive information. Mitnick took advantage of individuals’ trusting nature by impersonating “trusted” individuals to perform reconnaissance for later attacks. The adage goes that a chain is only as strong as its weakest link, and many security experts would agree that the human element is the weakest link in information security (Hansche, Berti, & Hare, 2004). These threats due to human failures are significant with the theft of intellectual property accounting for a loss of $59 billion a year from American companies (National Security Institute, 2007). A security education, training, and awareness program aims to mitigate the human risk in securing organizations and their assets. The core issue with organizations today, however, isn’t whether or not to perform security training and awareness, many organizations have some form of training and awareness, but how to implement a program that it is effective and efficient in providing the additional level of security that was intended.

A security education, training, and awareness (SETA) program is designed to mitigate threats due to human factors such as employees not being properly trained on a specific technology or not being aware of a security policy. There are many facets to information security and organizations tend to try and solve security issues with a technical bias; however, the reality is that humans are typically the first and last line of defense in protecting the organization. Technical-only solutions are insufficient as these defenses are installed and managed by individuals who if not properly trained could leave a system vulnerable to attack. In addition, employees use systems and applications on a daily basis so they are the most likely the first to identify issues or security breaches.

There are three pieces to understand with regard to security education, training and awareness:

•
creating an overall security program,
•
understanding SETA fundamentals, and
•
creating the SETA program.

First, before beginning to create the SETA program, the organization must develop a comprehensive information security program. The overall security program details the approach that the organization will use to secure its assets. Next, the organization must understand the fundamentals behind a SETA program such as which topics are appropriate and what the best methods are for delivering the learning material. Finally, after the organization has an understanding of the appropriate topics, materials, and distribution methods, they can create the SETA program. This includes determining what the needs of the organization are, ensuring that there is an appropriate plan for designing and executing the SETA program, and following appropriate methods to implement and evaluate the SETA program. It is important for an organization to understand its overall security needs so that the SETA program can be developed to meet those needs. In addition, following a defined process for implementing and evaluating the SETA program will ensure that the program is effective, efficient, and continuously improving.

Top

People Based Security Breaches

Information assurance is the process of protecting the confidentiality, integrity and availability of electronic systems and the information it stores, processes and transacts (McCumber, 2005). There are many different types of security incidents as it relates to compromising information, such as loss or theft of data, unauthorized changes, disclosure of sensitive information, and loss of system availability and these incidents could originate for a number of reasons such as viruses, hackers, insider abuse, and natural disasters. Technical attacks, such as remote exploits and malware, are important to defend against, but equally or more important are the human aspects of information security.

Key Terms in this Chapter

Procedure: Information security procedures are documents that support the security policy and standards in a detailed step-by-step manner.

Policy: The information security policies are the high-level documents that define the security goals, approach, and strategies of the organization.

Fully Decentralized: A fully decentralized model implements a centralized policy with distributed strategy and implementation.

Centralized Model: A centralized model implements all of the functions of the SETA program, policy, strategy, and implementation at a centrally managed authority.

Partially Decentralized: A partially decentralized model implements the policy and strategy of the SETA program by a central authority, but the implementation is managed by individual departments.

Standard: Security standards are documents that describe the mandatory requirements that the organization will implement in order to comply with security policy.

Defense-in-Depth: Defense-in-depth is a layered security approach in which people, process, and technology are utilized to protect an organization’s assets.

Guideline: Guidelines provide additional clarification on how to comply with security policies, but whereas standards are required, guidelines provide a recommendation but not an explicit requirement.

ISO17799 / ISO27001: ISO 17799 and ISO 27001 are complimentary security standards which define a process to create an information security management system and the specific control objects which should be met.

Complete Chapter List

Search this Book:

Reset

MLA

APA

Chicago

Export Reference

Creating a Security Education, Training, and Awareness Program

Abstract

Overview

People Based Security Breaches

Key Terms in this Chapter

Complete Chapter List