This chapter outlines advanced options for security training. It builds on previous publications (Weippl 2005, 2006) and expands them by including aspects of European-wide cooperation efforts in security awareness. Various examples will show what characterizes successful programs. The authors cooperate with ENISA (http://www. enisa.eu.int/) to create a new multi-language awareness training program that uses virtual environments to allow users to train on real systems without any danger. We describe the design and the proposed implementation of the system. In cooperation with the Austrian Computer Society (http://www.ocg.at) we lay the basis for an ECDLmodule on IT security awareness training. Companies are obliged to reasonably secure their IT systems and user awareness training is one of the most important and effective means of increasing security. If claims are filed against a company, it is in the interest of management to provide proof that all users completed IT security training. Moreover, advanced and experienced users need a training environment that lets them try complex scenarios in a safe environment.
TopIntroduction
The fact that IT security is relevant for companies, universities, and organizations is eventually being picked up by managers, not only by IT professionals. While security often was reduced to the traditional CIA requirements of confidentiality, integrity, and availability, both corporate and non-profit environments also need to take other aspects into account such as validity, completeness, and precision of security policies.
In today’s digital age where we live and work, citizens and businesses find Information Communication Technologies (ICTs) invaluable in daily tasks. At the same time, more and more citizens and businesses are at risk of information security breaches (ENISA 2006).
According to Eurostat, the European Union average (reference period: first quarter for households, January for enterprises) concerning Internet access is that 52 percent of households and 94 percent of enterprises are already connected to the Internet (Eurostat 2006).
It may seem that implementing good security policies can be achieved by reading a couple of good books and attending one or two training seminars. Clearly, technical personnel such as administrators also need practical training on a technical level. As obvious as this may seem, many companies—especially smaller ones—tend to neglect the training because of daily work. In contrast, large companies usually have established training programs that employees are required to attend.
According to Avizienis (2001, 2004), dependability encompasses five aspects: availability, reliability, safety, integrity, and maintainability. Security is commonly defined as confidentiality, integrity, and availability (CIA).