Information Security Training & Awareness

Monique Hogervorst

(2008)

Monique Hogervorst (2008) Information Security Training & Awareness.

Abstract

Information security standards, best practices and the literature all identify the need for training and awareness; the theory is clear. The surveys studied show that the situation in practice is different: businesses still focus on technical information security controls aimed at the external attacker. Although current threats and vulnerabilities show that personnel security is becoming more important, the attitude of managers and employees does not reflect this. Information security training and awareness is not recognised as a contributor to security. This needs to change, which means changing behaviour and attitude. One way of achieving that is to give people the information security knowledge and awareness they need for their role. The solution is to be found not in technical controls but on the non-technical side: human resource security and psychology. This project introduces a psychological model and applies it to information security. The model can be used as a tool to visualise and quantify the forces that act on information security. Analysing the driving and restraining forces that act on security in general, and on the security of information in particular, shows how forces work together or against each other and identifies their relationship with business processes. The driving and restraining forces in the information security force field diagram reflect all areas of information security countermeasures: technical, procedural and personnel. Visualising the forces enables the information security professional to explain to non-specialists why an organisation needs to invest resources and money in securing information, and the diagram points out where investments are most effective and efficient.
The information security force field analysis and diagram introduced in this project can be a useful new tool for information security professionals to:
* communicate effectively to line and senior managers about the link between business processes and information security;
* explain how investment in training and awareness affects information security and improves the security of an organisation;
* quantify the level of security of an organisation in comparison with other organisations, or with the previous point of measurement;
* quantify the impact of information security training and awareness.
The information security force field diagram demonstrates that investing in training and awareness is a very cost-effective countermeasure: it increases the overall level of security of an organisation and reduces the restraining forces, so that the driving forces become more effective.

Information about this Version

This is a Published version
This version's date is: 15/01/2008
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/a1a8c204-1a17-d674-269c-00109786893e/1/

Item Type: Monograph (Technical Report)
Title: Information Security Training & Awareness
Authors: Hogervorst, Monique
Departments: Faculty of Science\Mathematics

Deposited on 24-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010.