Internet Security Awareness Training

Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT).

Even small and medium enterprises are generally recommended to provide such training, but organizations that need to comply with government regulations (e.g., the Gramm–Leach–Bliley Act, the Payment Card Industry Data Security Standard, the Health Insurance Portability and Accountability Act, the Sarbanes–Oxley Act (Sarbox)) normally require formal ISAT annually for all employees. [1] Often such training is provided in the form of online courses.

Through ISAT, also referred to as Security Education, Training, and Awareness (SETA), organizations train their people and create awareness of information security management within their environment. [2] Organizations benefit when employees are well trained and feel empowered to take important actions to protect themselves and organizational data. [2] A SETA program must be targeted according to user roles within the organization, and specialized courses must be required for positions that expose the organization to increased risk. [2]

Figure: GAO's framework of key elements to incorporate at each phase of DOD's insider-threat programs. Employees and contractors pose threats to organizations that training can help reduce.

Coverage

There are general topics to cover in the training, but each organization needs a coverage strategy based on its own needs, as this ensures the training is practical and captures the critical topics relevant to that organization. As the threat landscape changes very frequently, organizations should continuously review their training programs to keep them relevant to current threats. [3]

Topics covered in ISAT [4] include:

Being Internet Security Aware means understanding that there are people actively trying to steal data stored on your organization's computers. (This often focuses on user names and passwords, so that criminal elements can ultimately get access to bank accounts and other high-value IT assets.) That is why it is important to protect the organization's assets and stop that from happening. [5]

The general scope should include topics such as password security, email phishing, social engineering, mobile device security, sensitive data security, and business communications. In contrast, those requiring specialized knowledge are usually required to take technical, in-depth training courses. [2] If an organization determines that it is best to use one of the available training tools on the market, it must set objectives that the training can meet: confirming that the training gives employees the knowledge to understand risks and the behaviors needed to manage them, the actions to take to prevent or detect security incidents, the use of language the trainees easily understand, and reasonable pricing. [6]

Organizations are recommended to base ISAT content on employee roles and organizational culture; policy should guide that training for all employees. [7] The following have been given as examples of sources of reference materials: [8]

The training must focus on current threats specific to the organization and the impact if those threats materialize as a result of user actions. Including practical examples and ways of dealing with scenarios helps users know the appropriate measures to take. It is also good practice for organizations to periodically train their customers on the threats they face from people with malicious intentions. [9]

The coverage strategy for SAT should be driven by the organization’s policy. Policy helps determine the depth of the training and whether it should be conducted at a global level, at a business-unit level, or a combination of both. A policy also empowers a responsible party within the organization to run the training. [2]

Importance

Employees are key to whether or not an organization is breached; there must be a policy on creating awareness and training them on emerging threats, the actions to take to safeguard sensitive information, and the reporting of any unusual activity observed within the corporate environment. [10]

Research has shown that SAT helps reduce cyber-attacks within organizations, especially phishing, as trainees learn to identify these attacks and gain the self-assurance to act appropriately. [11]

Phishing attacks are increasing, so it has become increasingly important for people to understand how these attacks work and what actions are required to prevent them; SAT has shown a significant impact on the number of successful phishing attacks against organizations. [12]

Compliance Requirements

Various regulations and laws mandate SAT for organizations in specific industries, including the Gramm–Leach–Bliley Act (GLBA) for financial services, the Federal Information Security Modernization Act of 2014 for federal agencies, and the European Union’s General Data Protection Regulation (GDPR). [13]

Federal Information Security Modernization Act

Employees and contractors in federal agencies are required to receive Security Awareness Training annually, and the program needs to address job-related information security risks and provide them with the knowledge to lessen those risks. [14]

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act's Security Rule and Privacy Rule [15] require the creation of a security awareness training program and ensuring that employees are trained accordingly.

Payment Card Industry Data Security Standard

The Payment Card Industry Security Standards Council, the governing council for stakeholders in the payment industry, was formed by American Express, Discover, JCB International, MasterCard, and Visa, and developed the DSS as a requirement for the payment industry. [8] Requirement 12.6 requires member organizations to institute a formal security awareness program, and the Council has published a guide for organizations to follow when setting up the program. [8]

US States Training Regulations

Some states mandate Security Awareness Training, while others do not and simply recommend voluntary training. States that require the training for their employees include:

Training Techniques

Below are some common training techniques; some of them can be blended depending on the operating environment: [3]

Training should be conducted during on-boarding and at least annually for employees or other third parties with access to organizational information systems; the medium is either through face-to-face instruction or online, typically focusing on recognizing attack symptoms and safeguarding sensitive data using several security mechanisms, including passwords, encryption, and secure sessions. [33]

ISAT also teaches and refreshes participants' memory of various present threats, emerging security threats, attack vectors, organizational policies related to information security, and basic principles or norms for maintaining security on the internet. [33]

Organizations consider several options for the training media used to deliver security awareness training to users, but research drawing on learning theory, media richness theory, and cognitive load theory has shown that organizations do not need to invest heavily in highly rich media, as that does not lead to improved user behavior; the training content is what matters most. [34]

SAT services are often coupled with additional tools and services related to a company’s employees including:

References

  1. "Information Security Awareness Training (ISAT)". University of Virginia. Retrieved 4 November 2019.
  2. Caballero, Albert (2017-01-01). "Security Education, Training, and Awareness". Computer and Information Security Handbook: 497–505. doi:10.1016/B978-0-12-803843-7.00033-8. ISBN 9780128038437.
  3. Wilson, M; Hash, J (2003). "Building an Information Technology Security Awareness and Training Program". Gaithersburg, MD. p. 34. doi:10.6028/nist.sp.800-50.
  4. "Content | ISAT | International Students Admissions Test | ACER". isat.acer.org. Retrieved 2021-03-13.
  5. Sharf, Elad (July 2016). "Information exchanges: regulatory changes to the cyber-security industry after Brexit: Making security awareness training work". In Computer Fraud & Security. 7: 9–12. doi:10.1016/S1361-3723(16)30052-5.
  6. Cooper, Michael H. (2009). "Information security training". Proceedings of the 37th annual ACM SIGUCCS fall conference: Communication and collaboration. New York, New York, USA: ACM Press. p. 217. doi:10.1145/1629501.1629541. ISBN 978-1-60558-477-5. S2CID 7117477.
  7. "Cybersecurity Awareness Training for Beginners". awarego.com. 8 November 2022. Retrieved 5 June 2023.
  8. "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Retrieved 2021-07-05.
  9. Liska, Allan (2015), "Building a network security intelligence model", Building an Intelligence-Led Security Program, Elsevier, pp. 124–125, doi:10.1016/b978-0-12-802145-3.00003-x, ISBN 978-0-12-802145-3.
  10. Payment Card Industry. Security Standards Council. (2014). Best Practices for implementing a Security Awareness Program.
  11. Tschakert, Kai Florian; Ngamsuriyaroj, Sudsanguan (2019). "Effectiveness of and user preferences for security awareness training methodologies". Heliyon. 5 (6): e02010. Bibcode:2019Heliy...502010T. doi:10.1016/j.heliyon.2019.e02010. ISSN 2405-8440. PMC 6606995. PMID 31338464.
  12. Carella, Anthony; Kotsoev, Murat; Truta, Traian Marius (2017). "Impact of security awareness training on phishing click-through rates". 2017 IEEE International Conference on Big Data (Big Data). IEEE. pp. 4458–4466. doi:10.1109/bigdata.2017.8258485. ISBN 978-1-5386-2715-0. S2CID 35766007.
  13. Haney, Julie; Lutters, Wayne (2020). "Security Awareness Training for the Workforce: Moving Beyond "Check-the-Box" Compliance". Computer. 53 (10): 91–95. doi:10.1109/MC.2020.3001959. ISSN 0018-9162. PMC 8201414. PMID 34131349.
  14. "Federal Information Security Modernization Act | CISA". www.cisa.gov. Retrieved 2021-07-27.
  15. "The Security Rule". hhs.gov. United States Office for Civil Rights. 2009-09-10. Retrieved 2021-07-05.
  16. "For State Employees - Colorado Governor's Office of Information Technology". www.oit.state.co.us. Retrieved 2021-07-27.
  17. "13 FAM 301.1 Mandatory Security Training for All Department Employees". fam.state.gov. Retrieved 2021-07-27.
  18. "Statutes & Constitution :View Statutes : Online Sunshine". www.leg.state.fl.us. Retrieved 2021-07-27.
  19. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
  20. "Cybersecurity Training for Cook County, Illinois, Employees". GovTech. 2013-11-07. Retrieved 2021-07-27.
  21. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
  22. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
  23. "20-07 IT Security Policy". doit.maryland.gov. Retrieved 2021-07-27.
  24. "Security Training Resources". sitsd.mt.gov. Retrieved 2021-07-27.
  25. "NVeLearn". nvelearn.nv.gov. Retrieved 2021-07-27.
  26. "State Security Policies Standards & Procedures". it.nv.gov. Retrieved 2021-07-27.
  27. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
  28. "State of Ohio Information Security and Privacy > Government > State Government > Security > Training and Awareness". infosec.ohio.gov. Retrieved 2021-07-27.
  29. "Cybersecurity for Commonwealth Agencies and Employees". Office of Administration. Retrieved 2021-07-27.
  30. "Certified Cybersecurity Training Programs, 154". dir.texas.gov. Retrieved 2021-07-27.
  31. "2021 Security Awareness Training | Division of Technology Services". dts.utah.gov. Retrieved 2021-07-27.
  32. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
  33. Lincke, Susan (2016). Security Planning: An Applied Approach. Springer International. pp. 176–177. ISBN 978-3-319-36560-2. OCLC 1005117710.
  34. Jenkins, Jeffrey L.; Durcikova, Alexandra; Burns, Mary B. (2012). "Forget the Fluff: Examining How Media Richness Influences the Impact of Information Security Training on Secure Behavior". 2012 45th Hawaii International Conference on System Sciences. Maui, HI, USA: IEEE. pp. 3288–3296. doi:10.1109/HICSS.2012.285. ISBN 978-1-4577-1925-7. S2CID 206705398.
  35. Mezquita, Ty (2022-01-18). "The Hidden Benefits of Awareness Training for MSPs". CyberHoot. Retrieved 2022-01-27.