S 2.312 Design of an information security training and awareness program
Initiation responsibility: IT Security Officer, Head of Personnel, Top Management
Implementation responsibility: Supervisor, IT Security Officer
A good training and awareness-raising programme on information security should involve everyone in the company or government agency. Such a programme should raise or generate awareness of potential threats for all employees in order to prevent security problems and learn from security problems occurring inside and outside the organisation.
It is absolutely necessary to obtain the support of management for the training and awareness-raising measures so that everyone is aware of the emphasis placed on information security and so all required resources are made available (see also S 3.44 Making management aware of information security issues).
The following describes the most important steps in designing a training and awareness-raising programme.
1. Defining the learning goals (derived from the information security objectives)
It is necessary to define the goals to be reached first. It is particularly important to ensure the security objectives of the respective organisation are reflected in these goals. Typical goals of awareness-raising and training programmes on information security include the following:
- attracting attention to information security issues and generating interest in them,
- providing basic knowledge of information security,
- providing the users with the information security knowledge they need for their specialised tasks,
- conveying practical knowledge so that employees react properly in situations that are critical to security,
- achieving permanent changes in behaviour.
In addition, the criteria for measuring the success of the training and awareness-raising programmes should be sketched out, even if they are difficult to describe or quantify at first.
2. Training and raising the awareness of specific target groups
The target group for every measure taken in the area of information security training must be defined in advance, because IT users generally have different requirements and experience and therefore sometimes need to be addressed using different methods. The following are examples of such target groups:
Management
The whole success of an awareness-raising programme often depends on how well management supports the programme. For this reason, thorough preparation of the awareness-raising measures targeted at management is enormously important.
Since this target group often has little time available, all awareness-raising measures aimed at it should be clear and concise.
Employees
The conduct of the employees has the greatest direct effect on daily information security in the organisation. It must be taken into account that the level of knowledge of information security and IT can vary greatly among employees. For example, software developers have different IT skills than the employees in the Personnel Department, and therefore need to be trained on information security and made aware of this subject in different ways.
Administrators
Administrators and support employees must have in-depth technical knowledge of the IT systems and applications they support so that they are also able to detect and eliminate security problems and prevent them from happening, if possible.
External employees
In many cases, internal information, applications, and systems are made available to employees in other organisations. Confidentiality agreements are one way to ensure external employees will be aware of the importance of handling the internal information technology securely.
The scope and content of the training programmes for information security must be adapted to the importance and complexity of the IT used by the particular target group. For this reason, the employees in an organisation should be divided into target groups, and appropriate security training measures then selected for each target group.
3. Identifying learning needs
To define the contents of training and awareness-raising measures specifically for certain target groups, it is necessary to identify the learning needs of each group. It should be determined who possesses what level of knowledge of information security and which security measures should be implemented. The following areas should be considered in all cases:
- awareness-raising for all employees, but especially for management,
- training of new employees,
- providing all employees with basic knowledge,
- providing certain groups with special skills and knowledge, such as the group of security specialists or the administrators, for example.
The knowledge requirements should be based on the security objectives of the government agency or company.
4. Defining the content to be learned
All employees should be familiar with all internal policies, rules, and procedures for information security that apply to their workplaces. They should not only know of their existence, but also of their contents, their backgrounds, and their effects on the working environment. It is naturally also important in this regard to ensure that there are not too many specifications, rules, and documents on information security. The set of rules should be short and simple.
- Contents relating to the basics of information security are described in the safeguards S 3.26 Instructing staff members in the secure handling of IT and S 3.5 Training on security safeguards.
- Contents relating to special topics can be defined based on the information in safeguards S 3.45 Planning training contents on information security and S 3.49 Training the IT-Grundschutz methodology. If external providers are used to conduct the training programmes, then the safeguards there can also be used as a checklist to check if the standard seminars offered provide the content required.
To ensure that following the information security policies is not viewed as an obstacle during daily operations, employees must be trained accordingly in advance. Otherwise, employees may skip the required information security precautions, for example because of tight deadlines, and if this happens the precautions may eventually be forgotten completely.
The training programmes for information security must be developed in close coordination with the organisation's other training programmes, but especially with the IT training programmes. In this case, the extent to which it is possible to integrate training topics on information security into the IT training programmes should be examined. The advantage of such integration is that information security will then be perceived as an integral component of IT usage. However, the instructors must be adequately qualified to do this. In addition, sufficient time and space must be allotted for information security aspects. Briefly addressing this topic on Friday between 1:00 and 2:00 PM, for example, is simply not sufficient.
5. Selecting the methods and media
It must first be clarified if employees from the organisation or external personnel will be used to perform awareness-raising and training for security issues as well as what form of training will be used (see also S 3.48 Selection of trainers or training providers). Typical forms of training include the following:
- informational forum on the subject of information security in the Intranet,
- employee newsletter,
- e-mails on current security issues, login screen containing security information,
- circulars and magazines on subjects relating to security,
- posters and brochures,
- promotional material on information security,
- internal information events,
- external seminars, trade fairs, and conferences,
- videos handling special topics in information security,
- e-learning programs,
- information security simulations (see S 3.47 Performing simulations on information security).
All training programmes and training materials already available in the company or government agency should be examined to determine whether or not they were successful and could be used as models and if any security topics can be integrated into other training programmes.
Creative and imaginative educational material should be selected for the awareness-raising programmes that motivate the employees to handle business-related information and IT systems responsibly.
When selecting e-learning applications, it must be ensured that these applications do not have any negative effects on the information security of the IT environment in which they will be used. If the e-learning applications will not only be offered in the Intranet, but also on the Internet, then the use of applications containing active content (Java, JavaScript, ActiveX, etc.) should be avoided. If this is not possible, then users should only be able to use the applications on dedicated Internet PCs that are not connected to the network. In general, e-learning applications, just like any other applications, need to be tested before use and should only be approved for use if there are no security concerns.
6. Execution
All training programmes offered should meet the organisation's needs and should be designed modularly so that each target group can be trained adequately and to the extent required.
7. Checking their success and effectiveness
For all training and awareness-raising measures for information security, it must be ensured on the one hand that they are effective and properly adapted to the intended target groups, and on the other hand that they reach all affected employees. People who only work temporarily for the organisation or for a subcontractor should not be forgotten either. Every organisation should have an overview of the qualifications of its employees, for example in the form of training certificates.
Various procedures are available for checking the effectiveness of the training measures.
The classic method is to use questionnaires that allow the participants to evaluate the quality of the training, ask any questions about what they have learned, and point out any problems in understanding. The questionnaires can also be used to determine if additional training is required.
If the employees receive training regularly from external training providers, then the training must be evaluated internally to enable assessment of the level of satisfaction with these providers and evaluation of the learning success.
A visible change in the attitude of the employees towards security safeguards, for example when users log off the IT systems during work breaks or enable a screen saver to protect against unauthorised access, can also be used as a measure of the success of the training measures. However, this information should not be misused to monitor the employees.
The personnel or supervisory board should become involved in the early planning stages of security campaigns because it is also necessary to address common but improper habits of employees. Specific cases of improper behaviour in the organisation should never be addressed in this context, though.
8. Refreshing and expanding knowledge regularly
In many areas subject to rapid development such as IT, knowledge, once acquired, rapidly becomes outdated. New applications and IT systems, but also new threats, vulnerabilities, and possible countermeasures, make it necessary to constantly refresh and expand the employees' knowledge of information security. For this reason, the training programmes offered should not only be directed towards new employees, but should also include refresher and supplementary courses for experienced employees that are offered at regular intervals. In light of this fact, it is also important to update the training concept regularly and adapt it to new conditions when necessary (see also S 2.198 Making staff aware of information security issues for more information).
Review questions:
- Do the training and awareness-raising programmes on information security involve all employees?
- Are the training measures for information security developed in close coordination with the organisation's other training programmes, especially with the IT training programmes?
- Does an overview of the qualifications of the employees exist (e.g. in the form of training certificates)?
- Are external providers who conduct training for employees evaluated internally?
- Are the training programmes offered not only directed towards new employees, but do they also include refresher and supplementary courses for experienced employees that are offered at regular intervals?