Information security awareness
Information security awareness is an evolving part of information security that focuses on raising consciousness of the risks to rapidly evolving forms of information and of the rapidly evolving threats to that information which target human behavior. As threats have matured and information has increased in value, attackers have increased their capabilities, expanded to broader intentions, developed more attack methods and methodologies, and are acting on more diverse motives. As information security controls and processes have matured, attacks have matured to circumvent them. Attackers have targeted and successfully exploited individuals' behavior to breach corporate networks and critical infrastructure systems. Targeted individuals who are unaware of the value of information and of the threats to it may unknowingly circumvent traditional security controls and processes and enable a breach of the organization. In response, information security awareness is maturing. Cybersecurity as a business problem has dominated the agenda of most chief information officers (CIOs), exposing a need for countermeasures to today's cyber threat landscape. The goal of information security awareness is to make everyone aware of the opportunities and challenges in today's threat landscape and of their own susceptibility to them, to change human risk behaviors, and to create or enhance a secure organizational culture.
Information security awareness is one of several key principles of information security. Information security awareness seeks to understand and enhance human risk behaviors, beliefs and perceptions about information and information security while also understanding and enhancing organizational culture as a countermeasure to rapidly evolving threats. For example, the OECD's Guidelines for the Security of Information Systems and Networks include nine generally accepted principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment. In the context of the Internet, this type of awareness is sometimes referred to as cyber security awareness, which is the focus of multiple initiatives, including the U.S. Department of Homeland Security's National Cyber Security Awareness Month and President Obama's 2015 White House Summit on Cybersecurity and Consumer Protection.
Computer-based crime is not new. Viruses have been with us for well over 20 years; spyware has clocked up more than a decade since the earliest incidents; and large-scale use of phishing can be traced back to at least 2003. Researchers broadly agree that while information systems are evolving and expanding rapidly, employee security awareness programs have fallen well behind. Unfortunately, the rapid adoption of online services has not been matched by a corresponding embrace of security culture.
Information security awareness is evolving in response to the evolving nature of cyber attacks, increased targeting of personal information and the cost and scale of information security breaches. Furthermore, many individuals think of security in terms of technical controls, not realizing that they as individuals are targets, and that their behavior can increase risks or provide countermeasures to risks and threats.
Determining and measuring information security awareness has highlighted the need for accurate metrics. In response to this need, information security awareness metrics are rapidly evolving in order to understand and measure the human threat landscape, measure and change human understanding and behavior, measure and reduce organizational risk and measure effectiveness and cost of information security awareness as a countermeasure.
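One concrete form such a metric takes is the phishing simulation: a controlled lure is sent to staff and the program tracks who clicked, who reported it, and how quickly. The block below is an added example, not code from the original article or from any of the cited studies; the campaign records, user names and departments are constructed inline for illustration. It computes the click rate and report rate per campaign, the number of users who reported without clicking, the median time to report, and the repeat clickers across campaigns, which is the population most awareness teams target for follow-up. Note that clicking and reporting are not mutually exclusive: a user who clicks and then reports should be counted in both, since reporting after a mistake is the behavior the program wants to reinforce.

```python
"""Phishing-simulation metrics as a measure of human risk behaviour.

Added example with constructed data; not from any real campaign."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed simulation log (hypothetical users and departments). Each record
# holds the campaign id, user, department, and ISO timestamps (or None) for
# when the user clicked the lure link and when the user reported the email.
EVENTS = [
    {"campaign": "q1", "user": "alice", "dept": "finance", "clicked": None, "reported": "2024-02-05T09:12:00"},
    {"campaign": "q1", "user": "bob", "dept": "finance", "clicked": "2024-02-05T09:03:00", "reported": None},
    {"campaign": "q1", "user": "carol", "dept": "eng", "clicked": "2024-02-05T10:40:00", "reported": "2024-02-05T10:41:00"},
    {"campaign": "q1", "user": "dave", "dept": "eng", "clicked": None, "reported": None},
    {"campaign": "q2", "user": "alice", "dept": "finance", "clicked": None, "reported": "2024-05-13T08:30:00"},
    {"campaign": "q2", "user": "bob", "dept": "finance", "clicked": "2024-05-13T08:55:00", "reported": None},
    {"campaign": "q2", "user": "carol", "dept": "eng", "clicked": None, "reported": "2024-05-13T09:05:00"},
    {"campaign": "q2", "user": "dave", "dept": "eng", "clicked": None, "reported": None},
]
# When each constructed campaign's lure was sent.
SENT = {"q1": "2024-02-05T09:00:00", "q2": "2024-05-13T08:30:00"}


def _ts(value):
    """Parse an ISO-8601 timestamp string, passing None through."""
    return datetime.fromisoformat(value) if value else None


def campaign_metrics(events, sent, campaign):
    """Rates for one campaign.

    click_rate and report_rate are deliberately not exclusive: a user who
    clicks and then reports (carol in q1) counts in both, because reporting
    after a mistake is the behaviour an awareness program wants to grow.
    """
    rows = [e for e in events if e["campaign"] == campaign]
    if not rows:
        raise ValueError(f"no recipients recorded for campaign {campaign!r}")
    sent_at = _ts(sent[campaign])
    clicked = [e for e in rows if e["clicked"]]
    reported = [e for e in rows if e["reported"]]
    # Minutes from send time to each report, for the time-to-report metric.
    minutes = [(_ts(e["reported"]) - sent_at).total_seconds() / 60 for e in reported]
    return {
        "recipients": len(rows),
        "click_rate": len(clicked) / len(rows),
        "report_rate": len(reported) / len(rows),
        "reported_without_clicking": sum(1 for e in reported if not e["clicked"]),
        "median_minutes_to_report": median(minutes) if minutes else None,
    }


def repeat_clickers(events):
    """Users who clicked in more than one campaign, sorted by name.

    These are the people to target with follow-up training rather than
    another blanket reminder to the whole organization.
    """
    campaigns_by_user = defaultdict(set)
    for e in events:
        if e["clicked"]:
            campaigns_by_user[e["user"]].add(e["campaign"])
    return sorted(u for u, camps in campaigns_by_user.items() if len(camps) > 1)


def dept_click_rates(events, campaign):
    """Per-department click rate for one campaign, so improvement can be
    tracked where the behaviour actually lives."""
    totals, clicks = defaultdict(int), defaultdict(int)
    for e in events:
        if e["campaign"] != campaign:
            continue
        totals[e["dept"]] += 1
        if e["clicked"]:
            clicks[e["dept"]] += 1
    return {d: clicks[d] / totals[d] for d in sorted(totals)}


if __name__ == "__main__":
    for c in ("q1", "q2"):
        print(c, campaign_metrics(EVENTS, SENT, c), dept_click_rates(EVENTS, c))
    print("repeat clickers:", repeat_clickers(EVENTS))
```

Comparing q1 with q2 on the constructed data shows the kind of trend a program reports on: the click rate halves, the number of users who report without clicking doubles, and the median time to report drops, while one user (bob) clicks in both campaigns and stands out as a candidate for targeted training.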
Many organizations are reluctant to invest in information security. A survey conducted by PricewaterhouseCoopers (2014) found that current employees (31%) and former employees (27%) contribute to information security incidents, and that the number of incidents attributable to employees had risen by 25% since the 2013 survey.
The necessity of a security awareness program
As of early 2015, CIOs rated information security awareness related issues as top strategic priorities. For example, at a February 2015 Wall Street Journal CIO network event convened to create a prioritized set of recommendations to drive business and policy in the coming year, consensus seemed to form around cybersecurity and delivering change through effective communication with the rest of the business.
While information security awareness and high-profile breaches are at the forefront of most organizations' agendas, a study of 220 security awareness officers by Lance Spitzner uncovered three related key findings. First, executive and financial support are necessary for a successful security awareness program. Second, because traditional security controls and countermeasures are technical in nature, the soft skills necessary to understand and change human behavior are lacking. Finally, in terms of a maturity model, security awareness is still in its infancy.
The challenge of measurement
Effectively measuring human risk behavior is difficult because risky behaviors, beliefs and perceptions are often unknown. In addition, attacks such as phishing and social engineering, incidents such as data leakage and sensitive data posted on social media sites, and even breaches go undetected, making it difficult to determine and measure points of failure. Often, attacks, incidents and breaches are reacted to or reported from outside the compromised organization after attackers have covered their tracks, and thus cannot be researched and measured proactively. Malicious traffic also often goes unnoticed because attackers observe and mimic legitimate behavior in order to avoid triggering intrusion detection or access monitoring alerts.
A 2016 study developed a method of measuring security expertise, the Security Expertise Assessment Measure (SEAM). Specifically, it measured "understanding about circumventing security protocols, disrupting the intended functions of systems or collecting valuable information, and not getting caught" (p. 38). The researchers created a method that distinguishes experts from novices by having participants sort different security scenarios into groups: experts group the scenarios by underlying security themes, whereas novices group them by superficial features.
- "CIOs Name Their Top 5 Strategic Priorities. The Morning Download: Security Dominates the CIO's Agenda in Era of Risk and Change".
- "oecd.org" (PDF). Retrieved 2015-02-14.
- "U.S. Department of Homeland Security". Retrieved 2015-02-14.
- "President Obama Speaks at the White House Summit on Cybersecurity and Consumer Protection".
- "End-user security culture: A lesson that will never be learnt?". doi.org. Retrieved 2015-04-25.
- "Risks to US Critical Infrastructure from Insider Threat" (PDF). U.S. Department of Homeland Security, 23 December 2013, via scadahacker.com: https://scadahacker.com/library/Documents/Insider_Threats/DHS%20-%20Risks%20to%20US%20Critical%20Infrastructure%20from%20Insider%20Threat%20-%2023%20Dec%2013.pdf. Retrieved 2015-04-25.
- "Improving the information security culture through monitoring and implementation actions illustrated through a case study". doi.org. Retrieved 2015-04-25.
- "Evaluating the Employee Security Awareness Program". iaonline.theiia.org. Retrieved 2015-04-25.
- "The FTC's consumer privacy framework and next steps. - Free Online Library". www.thefreelibrary.com. Retrieved 2015-04-25.
- "CIOs Name Their Top 5 Strategic Priorities".
- "SANS Securing The Human Security Awareness Report".
- Giboney, Justin Scott; Proudfoot, Jeffrey Gainer; Goel, Sanjay; Valacich, Joseph S (2016). "The Security Expertise Assessment Measure (SEAM): Developing a scale for hacker expertise". Computers & Security. 60: 37–51. doi:10.1016/j.cose.2016.04.001.