Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization. However, it is very tricky to implement because organizations are not able to impose such awareness directly on employees as there are no ways to explicitly monitor people’s behavior. That being said, the literature does suggest several ways that such security awareness could be improved.[1] Many organizations require formal security awareness training[2] for all workers when they join the organization and periodically thereafter, usually annually.[3] Another main force that is found to have a strong correlation with employees’ security awareness is managerial security participation. It also bridges security awareness with other organizational aspects.[4]
Coverage
Topics covered in security awareness training include:[5]
- The nature of sensitive material and physical assets they may come in contact with, such as trade secrets, privacy concerns and government classified information
- Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements
- Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction
- Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication
- Other computer security concerns, including malware, phishing, social engineering, etc.
- Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.
- Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties
Security awareness means understanding that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company's computer systems and throughout its organization. Therefore, it would be prudent to support the assets of the institution (information, physical, and personal) by trying to stop that from happening.
According to the European Network and Information Security Agency, "Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks."[6]
"The focus of Security Awareness consultancy should be to achieve a long term shift in the attitude of employees towards security, whilst promoting a cultural and behavioural change within an organisation. Security policies should be viewed as key enablers for the organisation, not as a series of rules restricting the efficient working of your business."[7]
Measuring security awareness
In a 2016 study, researchers developed a method of measuring security awareness.[8] Specifically they measured "understanding about circumventing security protocols, disrupting the intended functions of systems or collecting valuable information, and not getting caught" (p. 38). The researchers created a method that could distinguish between experts and novices by having people organize different security scenarios into groups. Experts will organize these scenarios based on centralized security themes where novices will organize the scenarios based on superficial themes.
See also
References
- ↑ Hwang, Inho; Wakefield, Robin; Kim, Sanghyun; Kim, Taeha (2021-07-04). "Security Awareness: The First Step in Information Security Compliance Behavior". Journal of Computer Information Systems. 61 (4): 345–356. doi:10.1080/08874417.2019.1650676. ISSN 0887-4417.
- ↑ Maritime Security Awareness Training
- ↑ Assenza, G. (2019). "A Review of Methods for Evaluating Security Awareness Initiatives". European Journal for Security Research. 5 (2): 259–287. doi:10.1007/s41125-019-00052-x. S2CID 204498135.
- ↑ Hwang, Inho; Wakefield, Robin; Kim, Sanghyun; Kim, Taeha (2021-07-04). "Security Awareness: The First Step in Information Security Compliance Behavior". Journal of Computer Information Systems. 61 (4): 345–356. doi:10.1080/08874417.2019.1650676. ISSN 0887-4417.
- ↑ https://caniphish.com/security-awareness-training-topics
- ↑ "OECD Guidelines for the Security of Information Systems, 1992".
- ↑ Vacca, John R. (2012-11-05). Computer and Information Security Handbook. Newnes. ISBN 978-0-12-394612-6.
- ↑ Giboney, Justin Scott; Proudfoot, Jeffrey Gainer; Goel, Sanjay; Valacich, Joseph S (2016). "The Security Expertise Assessment Measure (SEAM): Developing a scale for hacker expertise". Computers & Security. 60: 37–51. doi:10.1016/j.cose.2016.04.001.