Security Awareness

Designing a Security Awareness Program

In the design phase of a security awareness program, we have to keep in mind that our audience should be presented with extensive coverage of the spectrum of security threats. Starting with widely applicable aspects and topics, and also taking the security policy into account, the materials should preferably be presented in an intuitive and clear form. The rules in the content that refer to threats and security measures must be easy to understand, and the message should, where possible, be tied to a real-life reason. One example here is the use of a personal computer when working from home.

Education efforts should be conducted as an ongoing program, so that training and knowledge are not delivered only as an annual activity but are used to maintain a high level of daily attention and vigilance. Here, monthly checks, posters and awareness emails are very effective in creating a broad security environment and in showing real effort in establishing a certain level of awareness.


When moving ahead with methodology and plan development, it is a must to consider the following main aspects:
• Identify the compliance or audit standards that the organization must adhere to.
• Establish a security awareness team.
• Provide structures to identify roles and responsibilities, and map everything into a process.
• Determine the content of the training and its applicability, based on our target audience.
• Determine short-term as well as long-term targets.
• Add references to home computer security, family and daily life.
• Set boundaries on potential security breaches generated by the human factor.
• Develop a set of best-practice rules that cover these breaches, and think about how to raise personal motivation.
• Introduce the set of rules through a descriptive part.
• Communicate the objectives in an effective manner.
• Include interactive elements in the trainings.
• Establish a feedback mechanism to measure the impact and to help you design the next steps of the program.
• Link awareness content updates and program maintenance into the company procedures.

The program content must be designed wisely and have a hierarchical approach. You can start with three levels of depth in cyber security awareness. This creates audience segmentation and helps you communicate the required educational content to every segment more effectively.

The first segment can be all personnel in the facility or organization. For financial institutions, it is recommended that general security training for all personnel include defining what constitutes cardholder data (CHD) and sensitive authentication data (SAD), and the organization’s responsibility to safeguard both.

The second segment is management. Management training should include more detailed information on the impact of a security breach. Thus, it is critically important to include specific content relevant to each area of responsibility and to show how easily an attack can have a huge negative impact on the organization.


The third segment is specialized roles, such as IT administrators, developers and accounting staff. Everyone who has privileged access to databases and the core network is included in this segment. They will require more detailed security awareness training that includes understanding how the systems are configured and what needs to be done to protect sensitive information.

The most important step in the development of a formal security awareness program is assembling a security awareness team. This team is responsible for the development, delivery and maintenance of the security awareness program. It is sometimes better to staff the team with personnel from different areas of the organization, from different geographical regions and with different responsibilities in the organization.