Introduction
Awareness of Internet security issues is a benefit to all, from the seasoned systems administrator, to the home user paying a bill online or streaming a movie, to users just now learning about computers and the Internet. Managing the security of our personal information, and maintaining ownership of the goods and services we’ve purchased, are universal challenges. The Internet community knows few geographical bounds, and foundational cybersecurity awareness is critical to the safety of the general public. Users, defined as those who use an organization’s resources, are often an organization’s weakest link. Intruders focus on taking advantage of users to gain access to an organization’s networks and its sensitive information. Through techniques such as phishing, masquerading, or social engineering, intruders attempt to manipulate human emotions. Users may have access to critical data, login credentials, and other information that, if improperly used, could cause harm to an organization. While many organizations have put technical solutions in place to mitigate these malicious activities, security solutions require an embedded culture of cybersecurity awareness to be truly effective.
Development of Cyber Security Awareness Program
Understanding the environment
Before an organization or team can begin designing an awareness program or campaign, it is important to first understand the environment that it operates within. There are many factors to consider, but the primary considerations should be understanding the following:
- Roles and responsibilities
- External or ancillary stakeholders
- Existing policy, regulation, or legislation
- Cybersecurity culture
- The business case
Cybersecurity Culture
Cybersecurity awareness programs introduce users to safe online practices and help them develop skills they will use both at work and in their personal lives. Successful awareness programs unite organizational leaders around a common awareness goal: protecting the organization’s information technology related assets and resources. By “buying in” to the security goals of the organization (and building an organizational culture in which all employees and users are responsible for cybersecurity), organizational leaders increase cybersecurity awareness and create a robust security culture. An organizational cybersecurity culture can be characterized as a facet of the broader organizational culture, one which encourages employees and users to fulfil their responsibilities in alignment with the organization’s security policies.
Components of Cybersecurity Awareness Program
Once the strategy and key components of a cybersecurity awareness program or campaign have been finalized (for example, the needs assessment has been conducted, the awareness campaign strategy is developed, the security awareness program plan is completed, and the materials have been designed), you can begin implementing your cybersecurity awareness program or campaign. Considerations for implementation include communication and socialization of the program, delivering cybersecurity awareness materials and activities, developing and tracking measures of success, and continually revisiting the effectiveness of the program. Below is a summary of components and steps for the development of a cybersecurity awareness program.
Communicate the Awareness Program
To gain support from the users and necessary resources, the cybersecurity awareness program or campaign must be socialized. The components of the program also must be clearly communicated. These communications will outline the expectations as well as the expected results of the program and the value provided to users and/or the constituency.
Conduct Awareness Activities and Execute Awareness Program
Cybersecurity awareness program implementers use various techniques to disseminate information across the organization. The choice is based on organizational culture and needs. How the message gets out depends on the available resources, topics, and the complexity of the message. In all cases, ensure ease of access to awareness program materials; for example, an intranet page with access to awareness materials, training links, and other activities can serve as one-stop shopping for all program updates and information.
Developing Metrics and Monitoring Compliance
Using metrics and objective measurement is important for monitoring performance, considering that the cybersecurity threat landscape is constantly changing. By implementing a comprehensive cybersecurity metrics program, organizations can achieve several goals, including better decision making, visibility, and the ability to evaluate their cybersecurity awareness program against industry and regulatory benchmarks. Metrics can be adapted to suit the needs of any target audience, and can be used to improve cybersecurity policies and cybersecurity awareness programs. When implementing metrics as part of an awareness program, a key task is to identify what metrics to measure, along with where and how to obtain the raw data. Defining metrics can be difficult, and when developing metrics, organizational considerations should be applied as to what information is collected, how it is collected, and how it is stored. Metrics collected and reported should follow something similar to the SMART goal objectives:
- Specific—Targeted to the area being measured, not a result or an assumption.
- Measurable—Data collected is accurate, complete, and reliable.
- Actionable—Data is easy to understand and actionable.
- Relevant—Measure what is important in the data.
- Timely—Data is available when needed.
When measuring specific security areas, organizations may want to address:
- Vulnerability data, such as internal or external vulnerabilities, or vulnerabilities by criticality, severity, or priority.
- Cybersecurity policy and compliance adherence, such as exception, configuration, and regulatory compliance tracking.
- Training and awareness, such as training completion and tracking.
- Monitoring and response, such as the number of events/alerts collected and the number of events/incidents being reported by constituents.
For broader metrics associated with an awareness program or campaign, tracked metrics may also include, but are not limited to:
- Website traffic
- Downloads of available cybersecurity materials or information provided for constituents
- Media coverage
- Social media activity
Post Program Activities
To remain relevant, the cybersecurity awareness program should keep current with advancements in technology, changes to the organization or IT infrastructure, shifts in the organizational mission, and changes to cybersecurity policies, and, most importantly, be continually updated to reflect the changing threat and cyber landscape. The cybersecurity awareness strategy should include mechanisms to ensure the program not only continues to be relevant to the organization but also remains compliant. In the post-implementation phase as described by NIST 800-50, the cybersecurity awareness program should aim at continuous improvement and at offering users the latest and most current information available.
Lessons Learned
Feedback from participants and lessons learned from the rollout of an awareness program can help improve the quality of the program. By incorporating feedback, findings, and lessons learned, the program can improve over the long term. In larger organizations where organizational units are responsible for implementing their own cybersecurity awareness programs, sharing lessons learned, experiences, ideas, and processes that work would benefit the organization as a whole.