As of the start of this blog, I am in my second course for my Masters of Science in Cybersecurity. This is an archived posting from the first course.
Topic - Effective Security Awareness and Training Program
Discuss an important factor which would ensure an effective security awareness and training program.
From March 2, 2012
An important factor in ensuring an effective security awareness and training program is fostering an environment where users feel they have a stake in the security situation of the company. If lost productivity is the only risk, then the average office worker will not see any danger in checking their webmail and swapping files on P2P sites while on work computers. These high-risk activities pose significant security dangers, but that danger may be overlooked by everyone except the system administrators. Vacca, on page 13, suggests that "perhaps the most direct way to gain employee support is to let employees know that the money needed to respond to attacks and fix problems initiated by users is money that is then not available for raises and promotions" (Vacca, 2009). A further suggestion is to present the computer security policies and advice in a way that reminds employees that the same advice and habits can be used to secure their home systems and information.
Mark Wilson and Joan Hash at the National Institute of Standards and Technology also remind us that "an organization’s IT security awareness and training program can quickly become obsolete if sufficient attention is not paid to technology advancements" (Wilson and Hash). If the users see that the IT policies and training are becoming, or even just seeming, obsolete, then they will put less effort into sticking to the advice and policies. The appearance of being lackadaisical about keeping up with technology suggests to the trainees that they don't need to take the training seriously either.
Vacca, J. R. (2009). Computer and Information Security Handbook. Burlington, MA: Morgan Kaufmann.
Wilson, M. and Hash, J. Information Technology Security Awareness, Training, Education, and Certification. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnoct03.htm