Active Audit Agency

tel: +38(044) 228-15-88

e-mail: info@auditagency.com.ua

BUSINESS CASE FOR AN INFORMATION SECURITY AWARENESS PROGRAM

Valeriy Sysoev
Project manager at Active Audit Agency
Certified ISO 27001 auditor

1. BACKGROUND

Information and information systems are vital to running our business. From creating new products to fulfilling customer orders, we need up-to-date, accurate and reliable information to enable us to operate effectively. We have invested in information security technologies such as antivirus software and firewalls to protect our information assets. However, we are left with significant information security risks as a result of the accidental or deliberate actions and inactions of our people.

As cited in audit reports, periodicals, and conference presentations, it is generally understood by the IT security professional community that people are one of the weakest links in attempts to secure systems and networks. The “people factor”, not technology, is key to providing an adequate and appropriate level of security. If people are the key, but are also a weak link, more and better attention must be paid to this “asset.” A robust, enterprise-wide awareness and training program is paramount to ensuring that people understand their IT security responsibilities, organizational policies, and how to properly use and protect the IT resources entrusted to them.

2. PURPOSE OF THIS PAPER

This paper documents the business case for investing in a cost-effective information security awareness program.

We propose an innovative communications program designed to raise awareness of information security concepts, requirements and controls amongst staff, managers and technologists within the organization. By informing our people about information security and motivating them to comply with the controls, we will establish a widespread, lasting and deep-rooted “security culture” that will reduce the organization’s security risk and net costs.

Compared to further investment in security technology, the proposed security awareness program is a highly cost-effective means of improving information security controls and, in fact, will derive more value from the security investments we have already made.

The following sections of this paper demonstrate a number of benefits resulting from implementation of the program.

3. BUSINESS IMPACT

Most organizations realize they are at risk from events such as a fire or flood. However, they do not necessarily realize the exposure they suffer from people, especially their own employees. The threats originating from people must therefore be examined by each organization so that it knows how to address them. The table below shows some of these threats in three categories.

The threats originating from people

In The Information Security Status Survey 2010, respondents were also invited to provide further information about the ‘most serious’ incidents they had experienced. An analysis of the top ten most serious incidents (for the 57 environments that provided this data) is presented below.

The Information Security Status Survey 2010

  • Internal misuse / abuse was reported as the sole cause for both the top two most serious incidents.
  • The overall maximum cost for all misuse / abuse incidents reported was US$73.4 million.

When a Security Awareness Program works well, security will be an integrated part of the organization’s products and services:

  • Increased confidence of customers and shareholders in the ability of the organization to provide quality products/services.
  • Better assurance of business continuity.
  • High quality of information for decision making and reporting.
  • Better protection of confidential information from unauthorized staff, competitors and thieves.
  • IT security direct costs are limited to ‘honest’ mistakes.
  • Improvement in employee morale, as employees like to work for secure, quality organizations.
  • Adherence with IT security legislation (eg data protection).
  • Avoidance of viruses.
  • The potential to reduce insurance premiums.

4. THE IMPORTANCE OF SECURITY AWARENESS

Information security awareness and training is one of the most critical aspects of any organization’s information security strategy and supporting security operations. This is because people are in many cases the last line of defense against threats such as malicious code, disgruntled employees, and malicious third parties. Therefore, people need to be educated on what your organization considers appropriate security-conscious behavior, and on the security best practices they need to incorporate in their daily business activities. Information security awareness and training can also serve as an effective accountability mechanism by overcoming a common obstacle: many organizations are unable to hold their personnel accountable for their actions because they have never run an information security awareness program addressing what those personnel do not know or understand.

The effective management of information security requires a combination of technical and procedural controls to protect information assets. However, these controls can be circumvented or abused by employees who disregard their organization’s policies for security behavior. Therefore the implementation of effective security controls depends upon creating a security-positive environment where employees understand and engage in the behavior that is expected of them. The use of security awareness to create and maintain security-positive behavior is a critical element of an effective information security environment. The Information Security Status Survey provides data on the value of promoting information security activities. The results of the question “Is awareness of information security promoted across the enterprise?” are shown in Figure 1:

Information Security Status Survey

Figure 1: Is awareness of information security promoted across the enterprise?

The results suggest that organizations that do not promote information security awareness are more likely to experience a major security incident than those that do promote awareness.

Awareness and other security initiatives

A security-positive environment is a prerequisite for certain other security initiatives. For example, a scheme of information classification – whereby staff can assign a label to information that will determine the security controls to be applied to it – depends upon all staff understanding and respecting the classification mechanism, which in turn requires staff to understand and respect information security.

Security awareness and training should be focused on the organization’s entire user population.

Users are the largest audience in any organization and are the single most important group of people who can help to reduce unintentional errors and IT vulnerabilities. Users may include employees, contractors, foreign or domestic guest researchers, other agency personnel, visitors, guests, and other collaborators or associates requiring access. Users must:

  • Understand and comply with agency security policies and procedures;
  • Be appropriately trained in the rules of behavior for the systems and applications to which they have access;
  • Work with management to meet training needs;
  • Keep software/applications updated with security patches; and
  • Be aware of actions they can take to better protect their agency’s information. These actions include, but are not limited to: proper password usage, data backup, proper antivirus protection, reporting any suspected incidents or violations of security policy, and following rules established to avoid social engineering attacks and rules to deter the spread of spam or viruses and worms.

An awareness and training program is crucial in that it is the vehicle for disseminating information that users, including managers, need in order to do their jobs. In the case of an IT security program, it is the vehicle to be used to communicate security requirements across the enterprise.

5. BUSINESS BENEFITS

Information is the lifeblood of an organization. It is an asset of the organization and should therefore be managed and protected. Information, processed by powerful computers and complex networks, supports key business processes. If the information is not available, is incorrect or is given to an unauthorized person, then business processes may be disrupted, perhaps severely, and an organization may suffer increased costs, contractual penalties, lost business, reduced staff morale, loss of business confidence or other consequences. Listed below are some example benefits of good security awareness. Where possible these benefits should be made specific to a particular business process, which will enable management to understand more directly how security awareness, or the lack of it, may impact their organization:

1. Better assurance of business continuity:

The risk of disruption to day-to-day business is reduced by informing staff about contingency procedures, backup and safekeeping of computerized records.

2. Increased confidence in the organization:

If customers perceive the organization’s services and products as reliable, they will be more inclined to view the organization as a trustworthy business partner to stay with.

3. Higher quality of computerized records:

High quality records provide a basis to make the best business decisions, and will result in a reduction of wasted effort correcting mistakes.

4. Better protection of computerized records:

Well protected records are less likely to fall into the hands of competitors and are less likely to be misused.

5. Damage limited to honest mistakes:

Increased security awareness ensures that mistakes are contained within an employee’s area of authorization, and are identified, reported, dealt with and corrected.

6. Better protection for employees:

Honest employees will know what is expected of them and can act accordingly, thereby protecting their own integrity even if a serious incident occurs.

7. Adherence with data protection legislation:

For example, the rules of confidentiality in data protection acts must be followed.

8. Lower risk of computer crime:

People attempting to commit a computer crime will have a more difficult time, because staff will begin to ‘close the loopholes’ through adopting secure working practices.

9. Prevention of errors making employees’ jobs easier:

This benefit matters particularly because it is often claimed that IT security measures make life more difficult. In reality, good security measures function as preventive internal controls, helping to eliminate mistakes. Error correction is most often the most time-consuming of all manual processes when dealing with a computerized system. Prevention of mistakes will allow employees to concentrate on the job rather than on the computer system.

10. PC viruses become easier to avoid:

With aware employees, the risk of someone being tempted to run a computer game, or to bring any other type of illegal software into the organization, is diminished, thereby greatly reducing the risk of PC viruses.

11. Help reduce the number and extent of information security breaches:

This will reduce costs both directly (e.g. data damaged by viruses) and indirectly (e.g. less need to investigate and resolve breaches).

6. CONCLUSION

In line with our increasing dependence on high-quality, up-to-date and complete information to manage the business, information security has become crucially important to us. In the face of increasingly sophisticated technologies and risks, it is vital that employees are aware of, and comply with, their evolving information security obligations. The information security awareness program described in this proposal will strengthen the weakest link in our security infrastructure, our people, and create a stronger security culture. We welcome your support.