Tuesday 29 January 2013

Journal Reviews - Security Education, Training and Awareness

Two journal papers containing information about Security Education, Training and Awareness (SETA) were reviewed in producing this article:
  • Improving Organisational Information Security Management: The Impact of Training and Awareness [1]
  • State-of-the-art simulation systems for information security education, training and awareness [2]

The contents of the journals were extracted and summarized.

In both these papers, ‘people’ are regarded as the critical link in ensuring the success of any information security policy. Studies that focus on finding technological solutions for vulnerabilities and attacks often tend to overlook the human and organizational factors. [3] argues that security is a ‘people’ problem, not only a technology problem. It is people who implement and manage the information security policies, and [3] emphasizes that regardless of the strength of the security systems or policies, there will be threats to information security if the users fail to conform to the policies and systems.

In [1], it was noted that there is scope for research on the factors that affect user behaviour and attitudes towards information security. Organizational factors, behavioural factors and training have different impacts on information security and, according to [1], all these factors contribute to a comprehensive information security solution. Thus, the objective of this paper is to find the critical success factors (CSF) that improve employees’ compliance with the organization’s information security policy.

For organizational factors, a literature review was conducted to identify the different models available for identifying the success factors in information security. The models mentioned are by [4], who developed a model to determine information system security based on preventive efforts; [5], who outline some success factors based on current information security literature and security experts' perspectives; [6], who highlights the safety factors that prevent incidents from happening; and [7], who identify user involvement as an influential factor in information security risk in business processes. A few more models were also discussed in the literature review for the organizational factor. However, the research in this paper is considered different from the models given, as its purpose is to find all the factors that affect the implementation of the security policies: organizational, behavioural and training. The researchers' approach was to learn the factors from the employees in the organization who practise information security on a daily basis.

As for behavioural factors, two models were looked at, viz. the theory of reasoned action (TRA) and the theory of planned behaviour (TPB). Research shows that psychological, social, individual and cultural factors affect employees’ behaviour in the organization. The researchers find that there is a lack of studies that comprehensively model and test the individual beliefs that influence information security behaviour in organizations. In order to identify and investigate the external influences on employees in complying with and implementing the organisational security policy, the existing theory of reasoned action was used in this research. The findings concluded that the best predictor of a person’s behaviour is the intention to perform the behaviour.

The literature review conducted for training factors shows that poor IT practices are the main reason for information security failure; that most of the developed training programmes are often wasted because employees do not transfer the learned skills and sustain the appropriate behaviour in their work environment; that there is limited evidence to verify the effectiveness of the training in a real job environment; and that lack of security awareness is one of the major concerns of organizations. The researchers believe that it is highly important to improve the effectiveness of training and awareness programmes by encouraging employees to apply the knowledge learned during training in the work environment. Effective training can help users acquire information and gain a better understanding of how to implement security policies. Training and awareness programmes are tools that can be used to influence the culture of an organization by promoting favourable security practices. Through training programmes, the view on handling data can be changed so that data protection is given importance. Organizations should also find effective training and awareness techniques that will enhance employees’ perceptions, attitude and motivation. After the training, employees must sustain the acquired knowledge and skills and apply them in their work.

The researchers used quantitative data analysis as their research methodology. Questionnaires were prepared with five parts: part one aimed to collect demographic background information; part two assessed the user’s level of information security awareness; part three assessed the employees’ evaluation of the information security policies of the organisation; part four aimed to discover what factors influence user behaviour toward information security; and part five assessed the evaluation of training and awareness programmes and their impact on information security management behaviour. Participants of the survey were from the health, educational and business sectors.

The findings show that participants give importance to the organizational factors aimed at implementation of the information security policy. The most effective factors contributing towards increased compliance with the information security policy in the health sector are communication, sanctions, reward and banishment, strong motivation, positive awareness, efficient feedback mechanisms and appropriate allocation of roles and responsibilities. It was also found that behavioural and training factors do not impose obstacles but are highly influential in promoting the ability of health sector employees to adhere to information security practices. In the educational sector, results show that employees do not practise good security habits, and therefore are not motivated to follow information security policies. The lack of belief, attitude, intention, behaviour, and regular and effective training are the barriers to the successful implementation of security policies. It is therefore highly important that these aspects are improved in the educational sector. In the business sector, communication, sanctions, and reward and banishment were found to be effective factors contributing to the application of the information security policy. These factors fall under the organizational factors. Lack of intention, behaviour and assessment, and inadequate training, are considered the barriers to the implementation of information security policies in the business sector.

In the conclusion, the researchers highlighted that there is a lack of implementation of security policies in the business and educational sectors, compared to the health sector. The reasons are that the employees in these sectors do not give importance to the policies and that present training is not effective in meeting the requirements of the policies.

In [2], the authors describe state-of-the-art simulation systems created for information security and information assurance education, training and awareness. Since people are the weakest link in information security systems, the authors feel that this link has to be strengthened. When security is compromised, the reactions of those involved to such breaches can be improved by education, engaging practical training and instilling awareness of information assurance.

According to [2], the high frequency of security incidents is caused by human errors such as system misconfigurations, security policy breaches and careless systems administration. The researchers of this paper also believe that most of these problems could be avoided by improving the information security education of managers, the training of system administrators and the general awareness of end users. Simulation systems can be great tools as they provide hands-on experience and interactivity.

The authors focused on simulation tools for information assurance and the activities that transfer the relevant knowledge to students. Security subjects offered in university education usually focus on theoretical issues. Without sufficient practical teaching, students will have weak knowledge, and therefore the use of a security laboratory with simulated network scenarios can be advantageous as a means to support active learning.

The simulation tools highlighted are CyberProtect, Military Academy Attack/Defense Network, CyberOps: NetWarrior, Cyber DEfense Technology Experimental Research laboratory (DETERlab), CyberCIEGE, NIST IPSec and IKE Simulation Tool, Real-time Immersive Network Simulation Environment (RINSE), The Reconfigurable Cyber-Exercise Laboratory (RCEL), Tele-Lab “IT Security”, Network Security Simulator (NeSSi2), S-vLab, Windows Attack intRusion Emulator (AWARE) and RADICL: A Reconfigurable Attack-Defend Instructional Computing Laboratory.

The tools were compared for their technical features and didactic capabilities. The tools are mostly simulators, i.e. computer applications that replicate system behaviour under certain prescribed conditions. Other technical specifications compared were whether a tool is remotely usable, has virtualization capability, runs in standalone or client/server mode, allows scalability, and whether licensing is required. It was found that there are not many tools for standalone study. The authors proposed that more such tools be developed, particularly for students in open universities.

The learning objectives can be wide-ranging. Although some of the tools are complicated, many are found to be useful at the generic information security training level and suitable even for novice students.

In the conclusion, the authors mentioned that not all of the security simulators were developed with security education, training and awareness in mind, but they find that most of the tools are suitable for illustrating the different information assurance concepts and ideas.

For future work, the authors believe it would be desirable for new tools to be developed with a focus on teaching information assurance concepts, be it to university students or to anyone interested in these subjects.

After reviewing both these papers, I find that there is good scope to utilize security simulation tools to help in security education, training and awareness programs. The first paper reveals that education, training and awareness are influential contributors to the implementation of security policies. The research on the simulation tools in the second paper shows that these tools can be used to teach students and anyone interested in information security in an interactive and practical manner. By using these tools, the training can be customized to suit the working environment. By doing this, the training will be more effective and the knowledge learnt can be transferred into the work environment. Thus, the objectives of the security programs/policies can be achieved at higher rates.

References

  1. N. Waly, et al., "Improving Organisational Information Security Management: The Impact of Training and Awareness," IEEE 14th International Conference on High Performance Computing and Communications, 2012.
  2. V. Pastor, et al., "State-of-the-art simulation systems for information security education, training and awareness," IEEE EDUCON Education Engineering - The Future of Global Learning Engineering Education, pp. 1907-1916, 2010.
  3. Dhillon, "Current directions in IS security research: towards socio-organizational perspectives," Information Systems Journal, vol. 11, pp. 127-153, 2001.
  4. A. Kankanhalli, et al., "An Integrative Study of Information Systems Security Effectiveness," International Journal of Information Management, vol. 23, pp. 139-154, 2003.
  5. J. M. Torres, et al., "Managing Information Systems Security: Critical Success Factors and Indicators to Measure Effectiveness," Managing Information Systems Security, pp. 530-545, 2006.
  6. J. Reason, "Managing the Risks of Organizational Accidents: A Practical Guide," Ashgate Publishing, 1997.
  7. B. Ives and M. H. Olson, "User involvement and MIS success: a review of research," Management Science, vol. 30, pp. 586-603, 1984.