SP-014: Awareness and Training Pattern

Diagram:


Legend: Awareness and training pattern for end users focused on AT and PS families of controls.

Description: Awareness and training should cover basic IT security for all end users, with targeted content based on job roles to supplement the basic materials. Typical training materials would include:

  • Relevant elements of organisation policies such as password protection, protecting your computer, and use of portable devices like USB storage
  • Acceptable usage policies that cover areas such as permitted internet access and email use
  • Responding to common security incidents and how to report security concerns
  • Data security and document handling including protecting information outside the organisation
  • Internet safety and malware
  • Phishing and email security
  • Physical and workplace security including visitors
  • Specific compliance materials depending on industry, such as Anti Money Laundering for financial services

It is recommended to build an information library or portal on the organisation intranet that targeted awareness messages can reference. This provides a long-term resource that can be incrementally updated and maintained, and that staff can consult as needed. Testing should be carried out on a regular basis to confirm that users have the knowledge their job role requires, and the results should be used to deliver training that remedies any knowledge gaps. Reporting on test results provides evidence for certification and allows the overall programme to be adjusted in line with information on emerging threats and risks.

Methods to measure the success of awareness campaigns should be based on click-through metrics for emails, page views and time on page for the intranet portal or library, and pass rates for multiple-choice tests on the topic concerned. Consider whether there are also ways to track behaviour changes related to the awareness message, e.g. clean desk checks before and after an awareness campaign on that topic.

Employment and 3rd party contracts are an important means of enforcing security awareness and training obligations, and induction days can be used to deliver training to new staff members, along with links to further information. Use physical media (posters, screensavers and similar) to reinforce messages with care, and rotate them, so that staff do not become habituated and stop noticing them.

Assumptions: None.

Typical challenges: Choose a provider of awareness content to reduce the time needed to build a library of materials. Identify high-risk job roles that need additional targeted messages and training. Align the content and format with the organisation's culture, make sure the style of the messages resonates with the audience, and work with the internal communications team in your organisation.

Indications: All organisations should maintain an awareness and training program.

Contra-indications: None.

Resistance against threats: The 'human factor' is a crucial part of maintaining information security. Without addressing awareness and training for staff and 3rd parties, it is unlikely that you will meet your security goals.

References:
Human factors in information security: "...lays out the case for managing the human side of information security just as carefully as the technical side... awareness is the most cost-effective form of security control"
Managing the Human Factor in Information Security: How to Win Over Staff and Influence Business Managers (Paperback) by David Lacey
NIST 800-50 Building an Information Technology Security Awareness and Training Program
ENISA report Information security awareness initiatives: Current practice and the measurement of success
ENISA's ten security awareness good practices

Related patterns: None

Classification: People

Release: 08.02

Authors: Russell Wing

Reviewer(s): TBD

Control details

AT-01 Security Awareness And Training Policy And Procedures
AT-02 Security Awareness
AT-03 Security Training
AT-04 Security Training Records
PL-04 Rules Of Behavior
PS-01 Personnel Security Policy And Procedures
PS-02 Position Categorization
PS-06 Access Agreements
PS-07 Third-Party Personnel Security
PS-08 Personnel Sanctions
RA-03 Risk Assessment