Common Secure Information Security Awareness

ICC’s Common Secure Information Security Awareness programme and materials help Clients and their users understand information security risks and practise safe online behaviour. The programme aims to provide users at all levels of an organization with practical tips and tools to improve their online safety. Common Secure services allow Clients to use professional, multi-lingual user awareness campaign materials for continuous awareness reinforcement.

ICC has either created its own materials or researched and gathered publicly available materials from professional organizations such as the Anti-Phishing Working Group (APWG), the European Union Agency for Network and Information Security (ENISA), the U.S. Department of Homeland Security Stop. Think. Connect. campaigns, the U.S. Federal Trade Commission and others. It has also created customised materials for individual Clients. This material can be reused with Client branding and re-branded for a Client information security awareness campaign.

Recommendations

Far too often, security awareness programs are an afterthought; someone is randomly assigned the responsibility of awareness without the time, resources, or support they need to be successful. In addition, security awareness can often be just a “checkbox” function for compliance purposes, designed either to meet an audit requirement or to make people acknowledge policies for accountability reasons. SANS (Securing the Human) proposes three approaches to this problem:

  • Mindset: People in our industry, from executives on down, often view cybersecurity as purely a technical or IT issue. We need to do a better job educating leadership that cybersecurity is also a human problem. As long as we continue to only invest in technical solutions, we will continue to lose the security battle.
  • Roadmap: We often find that leadership understands that people’s behaviors are a risk to the organization. The problem is when leadership feels that an awareness program is not the solution. Awareness officers need to demonstrate they have a proven roadmap to creating a secure culture, a roadmap based not only on learning theory, behavior modeling, and change management, but also on the lessons learned from others.
  • Metrics: It’s hard to demonstrate the effectiveness of awareness when you can’t measure human risk, nor demonstrate the impact you are having. This is beginning to change as our community develops new ways to measure secure behaviors and cultures. Methods to accomplish this include knowledge assessments, culture surveys, and additional behavioral measurements. Ultimately, stronger metrics are needed to help tell our story and demonstrate the value of awareness.

 

See also: Stay Safe: An Inter-Agency Cyber Security Event. 22 October 2019