- The Importance of the Human Firewall
- Creating a Security Awareness Program
- Step 1: Gather Information
- Step 2: Develop a Format and Forum in Which to Present the Information
- Step 3: Prepare the Program Material
- Step 4. Present the Program to the Pilot Group
- Step 5: Present the Program to Senior Management
- Step 6: Develop a Schedule for Updating the Program
Step 3: Prepare the Program Material
To be most effective and reach the most people, it's best that the program follow the "blended learning" approach. In other words, because people learn in different ways, it's best to use a multifaceted program that reaches out to employees and contractors in numerous methods. The following sections provide some examples.
The core of the security awareness program is usually a session in which one or more presenters address the firm's employees. The presenters must be knowledgeable about the organization's security policy and may consist of the developers of the program, members of the information security staff, or senior management.
During this session, the presenters discuss the issues relevant to the audience (keeping in mind that different groups within the organization may need to hear different subject material). Depending on the number of attendees, this interactive session may allow policy questions or concerns to be raised and fielded. This session can also, in some form, be incorporated into the new-hire orientation program.
The session doesn't need to be long, as it's important to keep the audience's attention. It may be helpful to use a video during the presentation, to prevent the session from becoming a "lecture." Also, since people like free goodies, distributing items such as a mouse pad or key chain at the end of the presentation session enables people to leave with a smile and can serve as a reminder of the session.
As mentioned above, a video can break up the monotony of a presentation session. Any video that demonstrates the need to protect the firm's resources and everyone's role toward this effort can be suitable. (Entertainment value should be considered as well, since you don't want to lose the audience.) There are videos available on many relevant topics, including those that illustrate the ease and consequences of social engineering, and the potentially disastrous chain of events after a successful hack.
Web-Based Learning Material
Web-based learning can take two forms:
Computer-based training (CBT) modules
Providing information on the company intranet
The purpose of using CBT components as a part of the security awareness program is to allow for training employees who cannot conveniently attend the presentations, such as telecommuters or remote office employees. CBTs can also provide follow-up information from the presentation session. They can focus on specific areas, such as email viruses, to provide more detailed information as required by the various divisions of the organization.
If your company intranet is frequently viewed by employees and contractors of the firm, it may be wise to create a section of the intranet where updated security information can be presented on a periodic basis. This can include relevant security alerts, virus information, and modifications to the security policy.
Posters or other signage placed in common areas of the workplace, such as cafeterias and building entrances, can effectively raise awareness of security issues in an unobtrusive manner.
Developing a CD containing relevant security information that can be distributed to all employees may serve as a notice of the organization's seriousness about information security. The CD can contain key presentation slides, hack prevention tips, security contact information, and highlights from the security policy.
Make sure that there is no truly confidential information on the CD, as this information can be released by the employee accidentally.
In addition to developing the material, a detailed schedule must be determined for the deployment of each component. For example, if CBTs are designed to augment the information presented in the group session, they should be made available shortly after the session is over.
The organization may want to place posters and other advertising around the workplace in advance of the sessions, to begin to make employees aware that they're coming.