Home > Articles

  • Print
  • + Share This
This chapter is from the book

This chapter is from the book

Security Awareness Training

Know what is required for Security Awareness Training.

The importance of security awareness training and education cannot be overstated. By taking the policy, standards, and procedures and teaching all the stakeholders about their roles in maintaining the security environment, they will embrace the policy as an integral part of their jobs. This is not easy. One problem is that over the last decade, the commitment to security by industry-leading companies has been viewed as lacking. The results are products that have insufficient security measures being installed into environments that further weaken the information security program. The dichotomy can be confusing.

Security awareness training requires clear communication. One thing you might consider for your organization is hiring a technically competent communicator for the security department. This person would do the training, educate the department to the concerns of its users, and act as a liaison between users and the department. Having someone who can communicate helps raise the confidence level users should have for the department.

Mandating that training be required for anyone with access to an organization's information assets is reasonable. Human resources should have complete records, including information on training courses required and taken as well as all signed documents showing acceptance of defined corporate policies.

Management should not only set aside time for training, but also encourage it. One company I was involved with mandated training during specific time periods, and unless employees were involved with a client or were ill, they were required to attend. This policy allowed the employee to be suspended without pay until she attended the course or watched it on videotape. You might not want to go to this extreme, but it is a good way to get 100% compliance.

Understanding the management role of information security means understanding how the information security process interfaces with the rest of the organization. It is not enough to just set policies—security is a process that must be molded into the business process to support its functions. Management must support these processes with commitment and training.

Understanding what is to be protected is an important beginning of the management process. A risk analysis is used to determine the information assets that need to be protected and how they can be best protected. The risk analysis takes into consideration the costs of the assets to determine not only the countermeasures, but also whether the assets are worth protecting.

Using this information, policies, guidelines, standards, and procedures can be created to reach the security goals. Policies can be described as the goals of the information security program. Guidelines are suggestions, and standards are the specific security mechanisms that can be used. Procedures use the guidelines and standards to implement the policies.

Access methods and protection mechanisms are used to manage the access and movement of data. A typical access method paradigm is to set the roles and responsibilities for access to the data. Protection mechanisms are used to compartmentalize access to data and processes. Layers are used to prevent unauthorized access to protected resources and data, whereas abstraction and data hiding are used to protect data.

Knowing who your users are is as important as setting their access rights to information assets. Employment policies enforce background checks during the hiring process to prevent hiring those who might be security risks. They can also set termination procedures to prevent the terminated user from destroying systems and data out of malice.

Change control and configuration management can be used to prevent unauthorized changes to the network. Change control policies can be used to maintain the configuration of all information assets to prevent them from being used to attack your organization.

The only way to really demonstrate management support of the policies and procedures is to require and support security awareness training. Through training, users come to understand their roles and responsibilities in the security environment. Training is the only way for the users to understand their responsibilities.

Chapter Summary


  • Abstraction

  • Access control

  • Accountability

  • Annualized loss expectancy

  • Annualized rate of occurrence

  • Asset valuation

  • Audit

  • Authentication

  • Authorization

  • Availability

  • Awareness training

  • Baselines

  • Change control

  • Confidentiality

  • Configuration management

  • Countermeasures

  • Cryptographic keys

  • Data classification

  • Data hiding

  • Encryption

  • Exposure factor

  • Guidelines

  • Identification

  • Incident response

  • Integrity

  • Layering

  • Nonrepudiation

  • Password

  • Policies

  • Procedures

  • Responsibilities

  • Revision control

  • Risk analysis

  • Risk management

  • Roles

  • Single loss expectancy

  • Tokens

Apply Your KnowledgeExercises

3.1 Making Information Security Management Decisions

A good way to understand the management responsibilities of information security is to look at an aspect of a risk assessment and determine the best course of action. The following questions are designed to lead you down the decision path.

Estimated Time: 30–45 minutes

  1. Your organization uses a dial-in terminal service to support customer service. The system consists of 21 inbound telephone lines and 3 outgoing lines. When calculating the risk because of an outage, the annualized loss expectancy (ALE) is $350,000. As a countermeasure, it has been decided to look into installing another telephone circuit and modem bank. The cost for this new installation is estimated to be $350,000, but it will lower the ALE to $25,000. Is this a cost-effective countermeasure? Why?

  2. For the previous question, which policy statement(s) should be written to support your decision?

  3. Which policy statement(s) could be written that would cover the usage of the outbound modems?

  4. How would you ensure that everyone knows and follows these policies, aside from awareness training?

Review Questions

  1. What are information security's fundamental principles?

  2. What is the method for a system to know who is accessing its resources?

  3. What is nonrepudiation?

  4. What is the purpose of performing a risk analysis?

  5. What are the categories of risks that are looked at during a risk analysis?

  6. How are information security procedures formed?

  7. The Bell-LaPadula security model uses what mechanism to protect system resources?

  8. What is the difference between synchronous and asynchronous encryption technologies?

  9. What is the purpose of classifying data?

  10. In the context of information security, why would an organization do a background check and have an employee sign an employment agreement?

Exam Questions

  1. How do you calculate the annualized loss expectancy of a particular risk?

    1. SLE x ARO

    2. Cost of asset – Cost of Safeguard

    3. Asset value x EF

    4. EF x ARO

  2. What is an information security policy?

    1. Guidelines used to define a security program

    2. Procedures for configuring firewalls

    3. Management's statements outlining its security goals

    4. Risk management procedures

  3. A security program is a balance of what?

    1. Risks and countermeasures

    2. Access controls and physical controls

    3. Firewalls and intrusion detection

    4. Technical and nontechnical roles

  4. Which statement is true when considering the information security objectives that the military would use versus the objectives used for commercial systems?

    1. A military system requires higher security because the risks are greater.

    2. Military systems base their controls on confidentiality, whereas commercial systems are based on availability and data integrity.

    3. Only the military can make systems really secure.

    4. Military systems base their controls on availability and data integrity, whereas commercial systems are based on confidentiality.

  5. What does a risk analysis show management?

    1. The amount of money that could be lost if security measures are not implemented

    2. How much a countermeasure will cost

    3. The cost benefit of implementing a countermeasure

    4. The amount of money that can be saved if security is implemented

  6. Who has the responsibility to determine the classification level for information?

    1. Users

    2. Management

    3. Data owners

    4. Security administrators

  7. Why should the team performing a risk analysis be formed with representatives from all departments?

    1. To ensure everyone is involved.

    2. To ensure that all the risk used in the analysis is as representative as possible.

    3. The risk analysis should be performed by an outside group and not by biased insiders.

    4. To hold those accountable for causing the risk.

  8. Which of the following is not a basic principle of authentication?

    1. What the entity knows

    2. Where the entity is

    3. Who the entity is

    4. What the entity may have

  9. What is the purpose of designing a system using the Bell-LaPadula model?

    1. To hide data from other layers

    2. To manage data and methods as objects

    3. To convert data to something that cannot be read

    4. To separate resources of a system into security zones

  10. Managing an information security program is a matter of using the following principles except which one?

    1. Accountability

    2. Integrity

    3. Confidentiality

    4. Availability

Answers to Review Questions

  1. Confidentiality, integrity, and accountability. For more information, see the section "CIA: Information Security's Fundamental Principles."

  2. Identification and authentication is the method that associates that the object (user, process, and so on) is the entity it claims to be. See the section "Identification and Authentication" for more information.

  3. Nonrepudiation is the ability to ensure that the originator of a communication or message is the true sender by guaranteeing authenticity of its digital signature. For more information, see the section "Nonrepudiation."

  4. The purpose of a risk analysis is to assess and quantify damage to information assets and to help justify appropriate safeguards. This was described in the section "Risk Management and Analysis."

  5. The risk categories are damage resulting in physical loss of an asset or the inability to access the asset, disclosure of critical information, and losses that may be permanent or temporary. This was discussed in the section "Risk Management and Analysis."

  6. Procedures are formed from guidelines and standards to implement the stated policies. For more information, see the "Policies, Standards, Guidelines, and Procedures" section.

  7. The Bell-LaPadula model uses layering to separate resources into security zones. This was discussed in the "Layering" section.

  8. Synchronous encryption uses the same key to encrypt and decrypt a message. Asynchronous, or public key, encryption uses two keys: The public key of the user who is to read the message is used to encrypt that message, and the private key is used by the recipient to decrypt the message. More information can be found in the "Encryption" section.

  9. Classifying data is supposed to tell you how the data is to be protected. The section "Classifying Data" explains this further.

  10. Background checks and employee agreements are tools used to prevent insider attacks. This was discussed in the "Employment Policies and Practices" section.

Answers to Exam Questions

  1. A. Answer A is the correct answer because the calculation for the annualized loss expectancy (ALE) is the single loss expectancy (SLE) times the annual rate of occurrence (ARO). Answers B and D are not correct and do not calculate anything worthwhile for a risk analysis. Answer C calculates the SLE value. See the "Asset Valuation" section for more information.

  2. C. Answer C is the correct answer because policies are used to describe how an organization wants to protect information assets. Answer A is wrong because guidelines are derived from the policies. Answer B is a procedure that would support a policy. Answer D is wrong because risk management is a component in creating the policy and does not define them. See the "Policies, Standards, Guidelines, and Procedures" section for more information.

  3. D. Answer D is correct because, as the entire chapter shows, security has both components, including physical and personnel security. Answer A is incorrect because it describes only the risk analysis process. Answer B is incorrect because it is focused on two areas of a security program. Answer C is wrong because it concentrates only on network controls.

  4. B. Answer A is wrong because the risks can be similar and even greater for some commercial systems. Answer C is wrong because there are plenty of commercial systems that are secure, and answer D is the reverse of the correct answer. See the "Classifying Data" section for more information.

  5. A. Answers B and C are wrong because they are parts of the risk analysis. Answer D is wrong because it is what the analysis demonstrates, which is only part of the story. See the "Risk Analysis" section for more information.

  6. C. Answer A is wrong because the users are the ones for which the protections are being instituted. Answers B and D are wrong because they do not have the custodial responsibility to understand how data should be accessed. See the "Classifying Data" section for more information.

  7. B. Answer A is a nice idea but not the reason to include all departments. Answer C is wrong because, even if outsiders were used, which was discussed as an option, the insiders would have to provide input into their departments' risks. Answer D is an interesting concept, but not everyone is involved in risks. See the "Risk Analysis" section for more information.

  8. B. Answers A, C, and D are all principles of authentication. Identifying the location can be helpful but is not one of the basic principles. See "Identification and Authentication" section for more information.

  9. D. Answer A is wrong because it is the purpose of data hiding. Answer B is wrong because it is a principle of abstraction, and answer C is wrong because it is the principle of encryption. See "Understanding Protection Mechanisms" section for more information.

  10. A. Answers B, C, and, D are the basic C.I.A. principles. See the "Defining Security Principles" section for more information.

Suggested Readings and Resources

  1. Barman, Scott. Writing Information Security Policies. New Riders Publishing, 2001.

  2. Nichols, Randall K., and Julie J. Ryan. Defending Your Digital Assets Against Hackers, Crackers, Spies, and Thieves. McGraw-Hill Professional Publishing, 2000.

  3. Peltier, Thomas R. Information Security Risk Analysis. Auerbach Publications, 2001.

  4. ftp://ftp.isi.edu/in-notes/rfc2196.txt (RFC 2196, "Site Security Handbook").

  5. ftp://ftp.isi.edu/in-notes/rfc2504.txt (RFC 2504, "Users' Security Handbook").

  6. ftp://ftp.isi.edu/in-notes/rfc2828.txt (RFC 2828, "Internet Security Glossary").

  7. ftp://ftp.isi.edu/in-notes/rfc3013.txt (RFC 3013, "Recommended Internet Service Provider Security Services and Procedures").

  8. http://csrc.nist.gov/publications/nistpubs/800-18/Planguide.PDF (NIST SP 800-18 is a security standard used by civilian agencies).

  9. http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf (NIST SP 800-30, "Risk Management Guide for Information Technology Systems").

  10. http://rr.sans.org (The SANS Institute Reading Room has several individual articles that focus on many areas of information security management).

  11. http://www.rfceditor.org (The Internet Engineering Task Force's relevant requests for comments [RFCs] are available from the RFC Editor).

  12. http://www.whitehouse.gov/omb/circulars/a130/a130appendix_iii.html (OMB Circular A-130 Appendix III).

  • + Share This
  • 🔖 Save To Your Account