How to create a security culture in your organization: a recent study reveals the importance of assessment, incident response procedures, and social engineering testing in improving security awareness programs.

Author: Rotvold, Glenda

Information security has become one of the most important and challenging issues facing today's organizations. With pervasive use of technology and widespread connectedness to the global environment, organizations increasingly have become exposed to numerous and varied threats.

Technical controls can provide substantial protection against many of these threats, but they alone do not provide a comprehensive solution. As Kevin Mitnick notes in his book, The Art of Deception: Controlling the Human Element of Security, these technological methods of protecting information may be effective in their respective ways; however, many losses are not caused by a lack of technology or faulty technology but rather by users of technology and faulty human behavior. It stands to reason then that people not only can be part of the problem, but also they can and should be part of the solution. People must be an integral part of any organization's information security defense system.

Keeping information secure is not only the responsibility of information technology (IT) security professionals, but also the responsibility of all people within the organization. Therefore, all users should be aware not only of what their roles and responsibilities are in protecting information resources, but also of how they can protect information and respond to any potential security threat or issue. Security awareness programs address the need to educate all people in an organization so they can help to effectively protect the organization's information assets. But just how well are organizations doing implementing security awareness programs and training their employees?

Security Awareness Study

There are several well-known studies on the topic, including Ernst & Young's "Global Information Security Survey" and CSI/FBI Computer Crime and Security Survey, both done annually. Many of these studies have targeted chief information officers (CIOs), chief security officers (CSOs), and other top-level security professionals and executives in organizations both in the United States and across the globe.

The author's study that is the subject of this article, "Status of Security Awareness in Organizations: An Analysis of Training and Education, Policies, and Social Engineering Testing," differs from these studies in one key respect: rather than targeting CIOs and CSOs, it targets other individuals involved with the management of information in organizations of various types and sizes.

The population studied consisted of business professionals (primarily within the United States) including, but not limited to, records, document, and information managers, MIS professionals, legal administrators, archives, administrators, and educators. The survey, therefore, examines security awareness from a different perspective to determine whether similar results would be achieved. The main question is: Do other levels and types of information management professionals have the same level of understanding of security awareness topics, policies, and procedures within their organizations?

The purpose of the study was to investigate the status of security awareness training, IT-related policies, and the use of social engineering testing in business organizations. (The Official (ISC)² Guide to the CISSP Exam defines social engineering as: "Successful or unsuccessful attempts to influence a person(s) into either revealing information or acting in a manner that would result in unauthorized access to, unauthorized use of, or unauthorized disclosure of an information system, a network, or data.")

This broad, comprehensive analysis shows how other levels and types of users perceive security awareness within their organizations.

The statistical analysis can help organizations identify potential gaps in their security awareness program, improve their organization's security awareness program, benchmark progress against other organizations, provide insight into components and characteristics of more formalized security awareness programs, and offer insight into the maturity of organizations' security awareness programs. The ultimate goal is to strengthen the human defense security link that guards an organization's information assets.

Rotvold Survey Results

Security Awareness Training: The majority of survey participants (60 percent) reported that...
