S 3.47 Performing simulations on information security

Initiation responsibility: IT Security Officer, Top Management

Implementation responsibility: IT Security Officer

Security training measures are often perceived as being dull. Therefore, the desired learning effect often is not achieved. A role play is remembered longer and more vividly than material presented on transparencies or a blackboard. Simulations and role plays can help to make the basic threats clearer and point out typical vulnerabilities as well as possible solutions in the employees' own working environments.

Simulations can be based on practical examples, for example based on current incidents taken from the media, or they can be contracted to training service providers. In this case, the contents of the simulations must be adapted to the organisation, as far as possible. This makes it easier for the employees to identify with the solutions provided. Simulations of security incidents that can impair business-critical processes, for example, are also excellent preparation for the employees in case of a real incident.

As with the training courses, it is also very important when planning such simulations to tailor the subject matter to specific target groups. The participants should be able to recognise the relevance of the role plays, and their working environments should benefit directly from the role plays.

A positive and constructive atmosphere should be maintained during all efforts made to draw the attention of the users to the importance of information security. On the one hand, a fear of security incidents may cause employees to ignore security problems, and on the other hand, may lead to panic reactions.

Example:

The employees of an airline company simulated the failure of their check-in program and tested alternative solutions. Several months later, an incident occurred that severely limited the availability of the airline's fleet, and therefore impaired the check-in procedure as well. Even though the emergency was different from the one simulated, the employees were well prepared to handle the emergency and were able to react much more effectively than the employees of their competitors who had not performed simulations of comparable emergencies.

Review questions:

© Federal Office for Information Security. All rights reserved.