Security Awareness

​​​​​According to a recent Washington Post article, seven employees of the Federal Deposit Insurance Corporation (FDIC) "inadvertently" downloaded the personal information of more than 160,000 individuals in separate instances while resigning from the agency. Executive response to these incidents, under Congressional questioning, was "dismissive" and "nonchalant."

Were the employees unaware of the security implications of th​​eir actions? Were executives unaware of their role in fostering a culture of security?

As the authors of this ​month's articles, papers, sessions, and books contend, security awareness is, first and foremost, a fundamental part of good business practice. Developing and sustaining a culture of security awareness enables all employees to understand their place in the risk equation, enabling an enterprise to maximize its financial and strategic goals.

Each month we off free resources on our security spotlight topics. We also offer additional resources to the ASIS membership. Not a member? Join Today!
  
» View Past Security Spotlight Topics​​


Free Resources

Workplace Security Essentials: A Guide for Helping Organizations Create Safe Work Environments
Purchase the BookElsevier Butterworth-Heinemann, April 2014
Author: Eric Smith, CPP, Director of Security Services, Denver Health

The author shapes both of these chapters through the analogy of karate. Like karate students, enterprises have to learn what parts of their (body) business need the most protection and are the most vulnerable to attack. One of the first steps of organizational self-defense is to recognize that security is an integral part of the business and identify key assets—"the things that make your workplace tick." Therefore, security is a vital element of the overall organization and its function, and security awareness needs to be converted into action. Purchase the book.

The two chapters give specific examples on how to create security awareness, making the following points:

  • The main point of awareness is to develop an understanding among employees of the effects of lax security.
  • Once an employee airs a complaint, it serves as notice of a problem, meaning that there is now foreseeability, which could create liability for the company if it is not addressed.
  • Security education and awareness training (SEAT) must be reinforced over time.
  • Creating an environment of honesty and integrity means creating a workplace where employees feel valued and appreciated.

"How to Build a Culture of Security"culturesecurity.jpg
Security Management, December 2015
Author: Thomas Trier, Security Intelligence Consulting, LLC

Lapses in security awareness by a company's employees and leaders can be costly, asserts the author, so executives, including security executives, must lead by example. Developing a strong security culture involves the completion of several steps leading to company-wide security awareness:

  • Assess the current security program to evaluate past and present practices following an eleven-step methodology.
  • Prepare a blueprint for the future to include a mission, objectives, and a manual of operations.
  • Train all employees, including security officers, by communicating how the security program affects their operations. 
  • When violations occur, impose discipline while being fair, firm, and consistent.

Employee Education to Combat the Threat of Social Engineering (PDF)
White Paper, 2013
ASIS International Utilities Security Council

Masters of social engineering take advantage of the human desire to be helpful, to trust people, to fear getting into trouble, and to be willing to cut corners. Understanding this ability to manipulate employees can inform the training and awareness process, according to the authors. They discuss types of training and tools that can assist, including the security awareness maturity model. They list ways to ensure that employees become engaged with the following security awareness objectives:

  • Communicate a shared sense of security to business objectives.
  • Ensure employees understand that awareness and vigilance is demanded from them.
  • Ensure that employees understand the need for loyalty.
  • Communicate the company's core values and set the tone from the top.
  • Show the benefits of complying with security policies and the risks for not complying.


New Security Awareness Standard Development
Webinar, Recorded April 18, 2016
ASIS/(ICS)2/ISACA Joint Standards Development
Speakers: Sue Carioti, ASIS Director, Standards and Guidelines
Marc Siegel, ASIS Commissioner, Global Standards Initiative

The webinar opens with statements by representatives of each participating association​, defining their audiences and programs. Carioti then explains the purpose of  standards, noting that they are voluntary and driven by best practices and consensus. She defines the roles of those involved in the standards-setting process and the timetable.

Siegel then describes the specific goals of the security awareness standard initiative, including the following:

  • Understand how cyber and physical security issues overlap in organizations and how they can develop a security culture together, both top-down​ and bottom-up.
  • Explore how employees can understand and take ownership of their place in the risk equation and identify corrective opportunities before breaches happen.
  • Develop different layers of awareness and response, giving the standard the flexibility to adapt to organizational factors.
​​NOTE: Individuals interested in participating in the development of this standard may contact ASIS International by logging onto www.asisonline.org/standards

 Not Yet a Member? Join Today!


Members Only Resources

The 7 Habits of Highly Effective Secure Awareness Programs
Seminar Session 3149, September 2013
Speakers:  Ira Winkler, President and Co-Founder, Secure Mentem
Samantha Manke, Chief Knowledge Officer, Secure Mentem

Through his experiences in penetration testing, Winkler drew conclusions about why security awareness training fails. It's not stupid users, he postulates. It's incompetent security professionals who assume that security should be obvious or just require common sense.  Employees can be trained and tested on a set body of security knowledge. But security awareness is about changing people's behavior—doing the right thing in the first place, even if that behavior seems obvious to a security professional.

Manke presented the results of a study she conducted among twelve members of a security awareness special interest group from Fortune 500 companies. The process included one-on-one interviews with the members and surveys of their company's security and non-security employees. She noted contradictions between what the subjects told her in interviews and the survey results, which, she said, were "overly positive." Nonetheless, the results lead to a number of conclusions:

  • None of the subjects had metrics to support the effectiveness of their security awareness programs.
  • All struggled to gain support (funding) from upper management.
  • Creativity and participatory training are keys to successful security awareness programs.

The two concluded by listing seven habits that can infuse new approaches to security awareness training.

Protection of Assets: Security Management
ASIS International, 2012
Managing Editor: Michael Knoke, CPPPOA.jpg

After defining security awareness, the chapter explores the different levels of awareness appropriate for a company's various audiences, including executives, managers, supervisors, employees, and visitors. The bulk of the content defines the goals that persons who receive security awareness training should be able to internalize, including the following:

  • Understand the relationship between security and successful operations.
  • Recognize the connection between security program objectives and security measures.
  • Convey to employees entrusted with trade secrets that the information is indeed secret and valuable.
  • Use security awareness programs to prepare employees on how to respond to emergencies and non-routine issues such as cyber attacks.

The chapter concludes with techniques, materials, and resources for developing and delivering awareness programs as well as measuring the outcomes. Obstacles to success—such as departmental or employee indifference, the naïve belief that nothing will happen, and the low credibility of the security department—are also explored. Purchase the volume.

Building a Corporate Culture of Security (Feb 2016)
Elsevier Butterworth-Heinemann, February 2016
Author:  John Sullivant, CPP, President & Principal Consultant, S3E Security Consultants corporateculturesecurity.jpg

The author begins by acknowledging that some executives resent paying employees for nonproductive work—security awareness training—unless there is a tangible return on investment. That thinking, he adds, plays into why such training is needed: it reduces turnover by motivating employees, and increases organizational resilience by underscoring intelligent and mindful actions. It also creates benchmarks for assessing the current level of competency in comparison to performance expectations (using the ASIS Foundation's Enterprise Security Competency model).                

Sullivant also presents a "Meaningful and Useful Training Development Model" that outlines job performance standards and competency demands. He works through the steps of the model and discusses specific types of security awareness training, including the following:

  • Design executive management security awareness seminars that focus on strategic issues.
  • Train employees assigned to the corporate crisis management center on how to perform associated duties.
  • Train engineers, scientists, laboratory technicians, and field personnel on how to use and test environmental monitoring devices, analyze and interpret results, and take appropriate emergency response actions as needed.

He concludes by defining various course designs, including drills and exercises that test employees' ability to respond effectively to evacuations and test the effectiveness of command and communications.
Purchase the book.


Sources of Information on Security Awareness
Information Resources Center (IRC) Security Databases & Library Catalog​

The Security Database & Library Catalog of the IRC has hundreds of records on Security Awareness, including references to books, Security Management articles, Annual Seminar recorded sessions, and other documents.  Print items are available onsite in the O.P. Norton Information Resources Center (IRC) at ASIS.
  
For more help and search suggestions, see "Search Tips" on the website, or email the librarians with questions.