Information security awareness

Information security awareness is an evolving part of information security that focuses on raising consciousness of the risks to rapidly evolving forms of information and of the rapidly evolving threats to that information which target human behavior. As threats have matured and information has increased in value, attackers have increased their capabilities, broadened their intentions, developed more attack methods and methodologies, and are acting on more diverse motives. As information security controls and processes have matured, attacks have matured to circumvent those controls and processes. Attackers have targeted and successfully exploited the behavior of individuals to breach corporate networks and critical infrastructure systems. Targeted individuals who are unaware of the information they hold and the threats to it may unknowingly circumvent traditional security controls and processes and enable a breach of the organization. In response, information security awareness is maturing. Cybersecurity as a business problem has dominated the agenda of most chief information officers (CIOs), exposing a need for countermeasures to today's cyber threat landscape. [1] The goal of information security awareness is to make everyone aware that they are susceptible to the opportunities and challenges in today's threat landscape, to change human risk behaviors, and to create or enhance a secure organizational culture.

Background

Information security awareness is one of several key principles of information security. Information security awareness seeks to understand and enhance human risk behaviors, beliefs and perceptions about information and information security while also understanding and enhancing organizational culture as a countermeasure to rapidly evolving threats. For example, the OECD's Guidelines for the Security of Information Systems and Networks [2] include nine generally accepted principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment. In the context of the Internet, this type of awareness is sometimes referred to as cyber security awareness, which is the focus of multiple initiatives, including the U.S. Department of Homeland Security's National Cyber Security Awareness Month [3] and President Obama's 2015 White House Summit on Cybersecurity and Consumer Protection. [4]

Computer-based crimes are nothing new. Viruses have been with us for well over 20 years; spyware has clocked up more than a decade since the earliest incidents; and large-scale use of phishing can be traced back to at least 2003. Researchers agree that one reason is that, while information systems are evolving and expanding rapidly, security awareness programs for employees are falling far behind. Unfortunately, it seems that the rapid adoption of online services has not been matched by a corresponding embrace of security culture. [5]

Evolution

Information security awareness is evolving in response to the evolving nature of cyber attacks, increased targeting of personal information and the cost and scale of information security breaches. Furthermore, many individuals think of security in terms of technical controls, not realizing that they as individuals are targets, and that their behavior can increase risks or provide countermeasures to risks and threats.

Determining and measuring information security awareness has highlighted the need for accurate metrics. In response to this need, information security awareness metrics are rapidly evolving in order to understand and measure the human threat landscape, measure and change human understanding and behavior, measure and reduce organizational risk and measure effectiveness and cost of information security awareness as a countermeasure. [6]

Most organizations do not want to invest money in information security. A survey conducted by PricewaterhouseCoopers (2014) found that current employees (31%) and former employees (27%) still contribute to information security incidents. The survey results indicated that the number of actual incidents attributable to employees had risen by 25% since the 2013 survey. [7] A more recent study, the Verizon Data Breach Investigations Report 2020, found similar patterns, with 30% of cyber security incidents involving internal actors within a company. [8]

The necessity of security awareness program

A security awareness program is the best solution an organization can adopt to reduce the security threats caused by internal employees. It helps employees understand that information security is not one individual's responsibility but everyone's. The program also states explicitly that employees are responsible for all activities performed under their user IDs. Furthermore, the program enforces standard ways of handling business computers.

Although organizations have not adopted a standard way of delivering a security awareness program, a good program should cover data, networks, user conduct, social media, use of mobile devices and Wi-Fi, phishing emails, social engineering, and the different types of viruses and malware. An effective employee security awareness program should make it clear that everyone in the organization is responsible for IT security. Auditors should pay close attention to six areas covered in the program: data, networks, user conduct, social media, mobile devices, and social engineering. [9]

Many organizations make their privacy policies so complicated that employees fail to understand them. Employees should be reminded of the privacy policy whenever they log in to a business computer. Privacy policies should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. [10] Organizations can hold interactive sessions for all employees every week to discuss security and threats. Interactive sessions may include awareness of newer threats, best practices, and questions and answers.

A security awareness program may not be beneficial if the organization does not penalize violators. Employees found to have violated the program should be reported to senior executives for further action; otherwise the program will not be effective. Information security authorities may perform a gap analysis to find any deficiencies in the program.

Current state

As of early 2015, CIOs rated information security awareness related issues as top strategic priorities. For example, at a February 2015 Wall Street Journal CIO network event convened to create a prioritized set of recommendations to drive business and policy in the coming year, consensus seemed to form around cybersecurity and delivering change through effective communication with the rest of the business. [11]

While information security awareness and high-profile breaches are at the forefront of most organizations' agendas, a recent study of 220 security awareness officers by Lance Spitzner uncovered three related key findings. First, executive and financial support are necessary for a successful security awareness program. Second, because traditional security controls and countermeasures are technical in nature, the soft skills necessary to understand and change human behavior are lacking. Finally, in terms of a maturity model, security awareness is still in its infancy. [12]

The challenge of measurement

Effectively measuring human risk behavior is difficult because risky behaviors, beliefs and perceptions are often unknown. In addition, attacks such as phishing and social engineering, incidents such as data leakage and sensitive data posted on social media sites, and even breaches often go undetected, which makes it difficult to determine and measure points of failure. Often, attacks, incidents and breaches are reacted to, or reported from outside the compromised organization, only after attackers have covered their tracks, and thus cannot be researched and measured proactively. Malicious traffic also often goes unnoticed because attackers observe and mimic known behavior in order to avoid triggering intrusion detection or access monitoring alerts.

A 2016 study developed a method of measuring security awareness. [13] Specifically, they measured "understanding about circumventing security protocols, disrupting the intended functions of systems or collecting valuable information, and not getting caught" (p. 38). The researchers created a method that could distinguish between experts and novices by having people organize different security scenarios into groups. Experts organize these scenarios by underlying security themes, whereas novices organize them by superficial themes.
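As an added illustration (not the SEAM instrument itself, nor code from the cited study), the following Python scores one participant's grouping of constructed scenarios against two reference partitions: one by underlying security theme and one by surface feature (delivery channel). The scenario set and the pairwise-agreement (Rand index) scoring are assumptions made here for illustration.

```python
from itertools import combinations

# Constructed scenario set (illustrative, not the SEAM instrument). Each scenario
# carries the underlying security theme an expert is expected to key on and the
# surface feature (delivery channel) a novice is expected to key on.
SCENARIOS = {
    "S1": ("credential theft", "email"),     # mail asking for a password reset
    "S2": ("credential theft", "phone"),     # caller posing as help desk asks for a password
    "S3": ("malware delivery", "email"),     # attachment carrying a macro dropper
    "S4": ("malware delivery", "physical"),  # USB stick left in the car park
    "S5": ("physical access", "physical"),   # tailgating into the server room
    "S6": ("physical access", "phone"),      # caller asks reception to prop a door open
}

def partition_by(index):
    """Reference partition: group scenario ids sharing the attribute at `index`
    (0 = security theme, 1 = surface feature)."""
    groups = {}
    for sid, attrs in SCENARIOS.items():
        groups.setdefault(attrs[index], set()).add(sid)
    return list(groups.values())

def same_group(partition):
    """Set of unordered scenario pairs that a partition places in the same group."""
    pairs = set()
    for group in partition:
        pairs.update(frozenset(p) for p in combinations(sorted(group), 2))
    return pairs

def rand_index(partition_a, partition_b):
    """Fraction of scenario pairs on which two partitions agree (together vs apart)."""
    together_a, together_b = same_group(partition_a), same_group(partition_b)
    all_pairs = [frozenset(p) for p in combinations(sorted(SCENARIOS), 2)]
    agree = sum((p in together_a) == (p in together_b) for p in all_pairs)
    return agree / len(all_pairs)

def score_sort(participant_groups):
    """Return (theme_score, surface_score, label) for one participant's card sort.
    A sort closer to the theme partition than to the surface partition is expert-like."""
    theme = rand_index(participant_groups, partition_by(0))
    surface = rand_index(participant_groups, partition_by(1))
    if theme > surface:
        label = "expert-like"
    elif surface > theme:
        label = "novice-like"
    else:
        label = "indeterminate"
    return theme, surface, label
```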

Where simulated phishing campaigns are run regularly, they can provide measures of user compliance. [14]
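An added example, not from the original article, of how a series of such campaigns can be turned into compliance metrics: the click rate (susceptibility) and report rate (desired behavior) per run, each with a Wilson confidence interval so that only movements larger than sampling noise are flagged as real change. The campaign figures are constructed.

```python
from math import sqrt
from typing import NamedTuple

class Campaign(NamedTuple):
    name: str
    sent: int      # simulated phishing mails delivered
    clicked: int   # recipients who followed the link
    reported: int  # recipients who reported the mail to security

# Constructed quarterly results for illustration; not real data.
CAMPAIGNS = [
    Campaign("2023-Q1", 400, 96, 40),
    Campaign("2023-Q2", 400, 72, 88),
    Campaign("2023-Q3", 420, 42, 147),
]

def wilson_interval(successes, trials, z=1.96):
    """Wilson score interval for a binomial proportion (95% by default).
    Better behaved than the normal approximation for small counts and rates near 0."""
    if trials == 0:
        return (0.0, 0.0)
    p = successes / trials
    denom = 1 + z * z / trials
    centre = (p + z * z / (2 * trials)) / denom
    half = z * sqrt(p * (1 - p) / trials + z * z / (4 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def campaign_metrics(c):
    """Click rate and report rate for one campaign, each with its interval."""
    return {
        "name": c.name,
        "click_rate": c.clicked / c.sent,
        "click_ci": wilson_interval(c.clicked, c.sent),
        "report_rate": c.reported / c.sent,
        "report_ci": wilson_interval(c.reported, c.sent),
    }

def significant_change(prev, curr, key):
    """True when the two campaigns' intervals for `key` do not overlap, i.e. the
    rate moved more than sampling noise in a run of this size would explain."""
    lo_p, hi_p = prev[key]
    lo_c, hi_c = curr[key]
    return hi_p < lo_c or hi_c < lo_p

def trend(campaigns):
    """Per-campaign metrics, plus flags saying whether click and report rates
    moved significantly relative to the previous run. Returned in campaign order."""
    rows = [campaign_metrics(c) for c in campaigns]
    for prev, curr in zip(rows, rows[1:]):
        curr["click_changed"] = significant_change(prev, curr, "click_ci")
        curr["report_changed"] = significant_change(prev, curr, "report_ci")
    return rows

if __name__ == "__main__":
    for row in trend(CAMPAIGNS):
        print(row)
```

With these figures the report rate rises significantly in every run, while the drop in click rate from Q1 to Q2 is within noise and only the Q3 drop is a real change.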

References

  1. "CIOs Name Their Top 5 Strategic Priorities. The Morning Download: Security Dominates the CIO's Agenda in Era of Risk and Change". Wall Street Journal. 4 February 2015.
  2. "oecd.org" (PDF). Retrieved 2015-02-14.
  3. "U.S. Department of Homeland Security". Retrieved 2015-02-14.
  4. "President Obama Speaks at the White House Summit on Cybersecurity and Consumer Protection". whitehouse.gov via National Archives.
  5. Furnell, Steven (2008). "End-user security culture: A lesson that will never be learnt?". Computer Fraud & Security. 2008 (4): 6–9. doi:10.1016/S1361-3723(08)70064-2.
  6. scadahacker.com (PDF). https://scadahacker.com/library/Documents/Insider_Threats/DHS%20-%20Risks%20to%20US%20Critical%20Infrastructure%20from%20Insider%20Threat%20-%2023%20Dec%2013.pdf. Retrieved 2015-04-25.
  7. Da Veiga, Adéle; Martins, Nico (2015). "Improving the information security culture through monitoring and implementation actions illustrated through a case study". Computers & Security. 49: 162–176. doi:10.1016/j.cose.2014.12.006. hdl:10500/21765.
  8. "Verizon Data Breach Investigations Report 2020" (PDF). Verizon.
  9. "Evaluating the Employee Security Awareness Program". iaonline.theiia.org. Archived from the original on 2016-03-04. Retrieved 2015-04-25.
  10. "The FTC's consumer privacy framework and next steps. - Free Online Library". www.thefreelibrary.com. Retrieved 2015-04-25.
  11. "CIOs Name Their Top 5 Strategic Priorities".
  12. "SANS Securing The Human Security Awareness Report".
  13. Giboney, Justin Scott; Proudfoot, Jeffrey Gainer; Goel, Sanjay; Valacich, Joseph S (2016). "The Security Expertise Assessment Measure (SEAM): Developing a scale for hacker expertise". Computers & Security. 60: 37–51. doi:10.1016/j.cose.2016.04.001.
  14. R, Kate. "The Trouble with Phishing". National Cyber Security Centre. GCHQ. Retrieved 12 September 2018.