A 120-minute yearly security education plan for employees

Hello,

In your role as the person responsible for Information Security training, do you have a time-based plan which specifies that every employee must spend "X" minutes or hours a year on information security education? Whether you do or not, you may find the information below useful. This is based on my experience.

Let us consider a security education plan that specifies 120 minutes of security education time per employee. This number is not set in stone. Before executing this plan, here are some useful tips.

1) Focus on Quality and not Quantity: A good 5-minute security lesson which is engaging, visually pleasing and thought-provoking is much better than a 60-slide presentation with nothing but bullet points. Just think of the best ads on TV that you recall. How long were they? 30 seconds to 60 seconds at the most? What was it that stuck?

2) Continuity: The security education must be continuous, which means there must be small capsules (drip irrigation comes to mind) delivered frequently so that information security stays on the mental horizon of the employees.

3) Sustainability: You have a budget (time, money and people). The security education program must be executable without straining your resources.

Now, let us see how these 120 minutes can be best utilized by focusing on QUALITY, CONTINUITY and SUSTAINABILITY. There are creative ways to utilize these 120 minutes without being overly intrusive into the productive time of employees.

1) 45 minutes of mandatory information security training delivered in a classroom or via e-learning:

This must be the mandatory portion of the education time. No excuses tolerated. If your workforce is huge, then go for e-learning modules that are SCORM- or AICC-compliant so that you can track attendance. Also, there must be a mandatory quiz at the end of the training, which is not only a useful interactive tool but also helpful in measuring the effectiveness of the training.

2) 15 minutes of security education through screen savers

Screen savers are often underutilized but in my opinion one of the most useful tools for quick tips. The best thing about screen savers is that everybody sees them, at least once. Get 12 screen savers, rotate them once a month, and this gives approximately 1 to 1.5 minutes of learning time every month to your employees. Let us round that off at 15 minutes of learning time a year.

3) 15 minutes of security education through posters, wallpapers, etc.

Same principle as screen savers. Get 12 posters and display them in prominent locations, either in hard-copy format, as desktop wallpapers, as laptop stickers, or in whatever other format works.

Now, we have covered 75 minutes of learning time, and the 30 minutes through screen savers and posters were not intrusive: the employees received this education without even noticing.

4) 30 minutes of security education through short videos

Get 6 information security videos on important topics that are not more than 5 minutes long. If they are SCORM-compliant, so much the better. Load them into your Learning Management System or web server and deliver them once every 2 months. This covers 30 minutes of training time.

5) 20 minutes of security education through quizzes/surveys

Deliver security quizzes or surveys of 10 minutes each (10 questions per survey will do the trick) by creating interesting multiple-response and scenario-based questions, and deliver them via your web server or a free survey tool. You can create one using Google Docs. Quizzes and surveys are learning instruments in themselves because they invite the undivided attention of the learner. This covers another 20 minutes.

Now, with the above plan you have covered 125 minutes of education time. This plan is simple, non-intrusive to the employee's work time, is regular, and is sustainable on a moderate budget.

Good luck with your security education plan.

Anup Narayanan,

Founder, Information Security Quotient

www.isqworld.com


Giving back to the security community – Free security awareness video download

Hi All,

My sincere thanks for all the feedback I received for the TARS (Threat Awareness and Response Simulation) project, where I had asked for topics that could be converted to "threat awareness and response simulation videos" as part of information security training. The earlier posts are available here - http://bit.ly/hAQ04H and http://bit.ly/gMrWlv

As a token of gratitude, please find a video, Information Security Practices While Traveling, available for download and unrestricted use. The video covers protection of mobile computing devices and safe browsing while traveling, and this reflects most of the feedback I received as part of the TARS project.

Please visit http://www.isqworld.com/index.php/community/ ; under the TARS project you will find the download link.

Warm regards,

Anup Narayanan

www.isqworld.com – Information Security Awareness Materials

www.twitter.com/isqworld – Follow our tweets


Security awareness topics submitted by the community – TARS project

Hi All,

I received some valuable feedback on the TARS (Threat Awareness and Response Simulation) project, where I had asked for topics that could be converted to "threat awareness and response simulation videos" as part of information security training. The earlier post is available here - http://bit.ly/hAQ04H

Please find the condensed responses below.

Threat scenario 1: Connecting mobile phones to systems can also be categorised under connecting external hard disks. The new generation of mobile phones has the option to charge from USB. There are generally two types of threats because of this: one is that data can easily be copied onto the mobile phone, and the second is virus/malware attack, as these phones are plugged in at other places too.

Threat scenario 2: An employee is attending a conference in a hotel and there are multiple threat situations: leaving laptops, USB drives, etc. unattended during the breaks, and the temptation to connect to open wireless access points. Similar situations can occur at other public locations too.

Threat scenario 3: Employees innocently permitting colleagues access to applications using their access/login details. The typical scenario is: A logs in to work and B's system freezes, or A requires some form of assistance from B. B comes over to make use of A's system but, along the line, transfers sensitive data or accesses data he/she ordinarily would not have sufficient access privileges to. This scenario often happens.

Threat scenario 4: Another scenario you might want to include in a video is the use of "unauthorized"/non-office notebooks on corporate networks. Among other things, well-intentioned employees sometimes transfer data to continue work over the weekend or at home.

Threat scenario 5: Social engineering through social networks, whereby information thieves exploit the tendency of people to disclose too much of their personal and work lives. For instance, "Submitted an RFP for a $10 million project", while the profile settings reveal the name of the company the person works for.

Thank you for your time in participating.

Warm regards,

Anup Narayanan

www.isqworld.com – Information Security Awareness Materials

www.twitter.com/isqworld – Follow our tweets


Invitation to participate: Threat Awareness and Response Simulation (TARS) training project

Hi,

The purpose of the Threat Awareness and Response Simulation (TARS) project is to create training programs that replicate real-life information security threat scenarios, place the learner in this simulated environment, and enable them to choose the appropriate response. I have created a first sample of a TARS training module that focuses on "Telephone Based Password Social Engineering". Please view below.


I request the advice and suggestions of the members of the information security community on what other real-life threat scenarios can be considered for the TARS project. Some of the topics that I have in mind are:

1) Strangers inside the facility (office) without valid identification – How to question them and alert the security guards?

2) Your colleague is committing an information security violation, for instance, copying information into an external hard disk – How to report it?

3) Your boss committing a fraud – How to report it?

4) You notice classified information about the company posted in a public domain (social networks, blogs, discussion groups) – How to report it?

5) More…

Kindly give your thoughts and suggestions as comments on this post. Your feedback is very much appreciated and any videos that shall be produced based on your suggestions shall be shared with you for free.

Warm regards,

Anup


Information Security Training: Instructing Vs. Enabling?

Hi,

When you plan and deliver an information security training, what is your approach? Do you "instruct" or do you "enable"? Here, by "instruct" or "instructing", I mean an approach along the lines of:

1) You must be able to recall the policies or portions of them

2) You must know where the policies are

3) You must NOT DO this, this and this….and you must DO this, this and this….

I would like to ask how effective this approach is, and how much it motivates the learner. In fact, I myself have delivered this type of training program and have learnt from my experience that it is not very effective. Rather, I would like to focus on an approach that I wish to define as "enabling". By this approach, I mean:

1) Focus on helping the learner to “solve real security problems”

2) Examples of real security problems could be: "How to respond when someone asks for a password?", "How to respond to a phone call asking for sensitive information?", "How to report an information security incident?", "How to post information about your job on Facebook without revealing sensitive business information?"

In this approach, which I wish to call TARS (Threat Awareness and Response Simulation), you are placing the learner in the middle of a threat scenario and asking the learner to take a decision. I believe this approach is far more suitable and rewarding for the learner than an instructive approach.

I would be grateful for your feedback on this approach.

Thanks,

Anup
