Security awareness

Last updated September 14, 2024

Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization. However, it is very tricky to implement because organizations are not able to impose such awareness directly on employees as there are no ways to explicitly monitor people’s behavior. That being said, the literature does suggest several ways that such security awareness could be improved.^[1] Many organizations require formal security awareness training^[2] for all workers when they join the organization and periodically thereafter, usually annually.^[3] Another main force that is found to have a strong correlation with employees’ security awareness is managerial security participation. It also bridges security awareness with other organizational aspects.^[4]

Coverage

Topics covered in security awareness training include:^[5]

The nature of sensitive material and physical assets they may come in contact with, such as trade secrets, privacy concerns and government classified information
Employee and contractor responsibilities in handling sensitive information, including review of employee nondisclosure agreements
Requirements for proper handling of sensitive material in physical form, including marking, transmission, storage and destruction
Proper methods for protecting sensitive information on computer systems, including password policy and use of two-factor authentication
Other computer security concerns, including malware, phishing, social engineering, etc.
Workplace security, including building access, wearing of security badges, reporting of incidents, forbidden articles, etc.
Consequences of failure to properly protect information, including potential loss of employment, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal penalties

Security awareness means understanding that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within a company's computer systems and throughout its organization. Therefore, it would be prudent to support the assets of the institution (information, physical, and personal) by trying to stop that from happening.

According to the European Network and Information Security Agency, "Awareness of the risks and available safeguards is the first line of defence for the security of information systems and networks."^[6]

"The focus of Security Awareness consultancy should be to achieve a long term shift in the attitude of employees towards security, whilst promoting a cultural and behavioural change within an organisation. Security policies should be viewed as key enablers for the organisation, not as a series of rules restricting the efficient working of your business."^[7]

Measuring security awareness

In a 2016 study, researchers developed a method of measuring security awareness.^[8] Specifically they measured "understanding about circumventing security protocols, disrupting the intended functions of systems or collecting valuable information, and not getting caught" (p. 38). The researchers created a method that could distinguish between experts and novices by having people organize different security scenarios into groups. Experts will organize these scenarios based on centralized security themes where novices will organize the scenarios based on superficial themes.

Related Research Articles

Computer security is the protection of computer software, systems and networks from threats that may result in unauthorized information disclosure, theft of hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

The following outline is provided as an overview of and topical guide to human–computer interaction:

An information security audit is an audit of the level of information security in an organization. It is an independent review and examination of system records, activities, and related documents. These audits are intended to improve the level of information security, avoid improper information security designs, and optimize the efficiency of the security safeguards and security processes.

A red team is a group that pretends to be an enemy, attempts a physical or digital intrusion against an organization at the direction of that organization, then reports back so that the organization can improve their defenses. Red teams work for the organization or are hired by the organization. Their work is legal, but can surprise some employees who may not know that red teaming is occurring, or who may be deceived by the red team. Some definitions of red team are broader, and include any group within an organization that is directed to think outside the box and look at alternative scenarios that are considered less plausible. This can be an important defense against false assumptions and groupthink. The term red teaming originated in the 1960s in the United States.

Competence is the set of demonstrable characteristics and skills that enable and improve the efficiency or performance of a job. Competency is a series of knowledge, abilities, skills, experiences and behaviors, which leads to effective performance in an individual's activities. Competency is measurable and can be developed through training.

Information assurance (IA) is the practice of assuring information and managing risks related to the use, processing, storage, and transmission of information. Information assurance includes protection of the integrity, availability, authenticity, non-repudiation and confidentiality of user data. IA encompasses both digital protections and physical techniques. These methods apply to data in transit, both physical and electronic forms, as well as data at rest. IA is best thought of as a superset of information security, and as the business outcome of information risk management.

Physical information security is the intersection or common ground between physical security and information security. It primarily concerns the protection of tangible information-related assets such as computer systems and storage media against physical, real-world threats such as unauthorized physical access, theft, fire and flood. It typically involves physical controls such as protective barriers and locks, uninterruptible power supplies, and shredders. Information security controls in the physical domain complement those in the logical domain, and procedural or administrative controls.

Information security management (ISM) defines and manages controls that an organization needs to implement to ensure that it is sensibly protecting the confidentiality, availability, and integrity of assets from threats and vulnerabilities. The core of ISM includes information risk management, a process that involves the assessment of the risks an organization must deal with in the management and protection of assets, as well as the dissemination of the risks to all appropriate stakeholders. This requires proper asset identification and valuation steps, including evaluating the value of confidentiality, integrity, availability, and replacement of assets. As part of information security management, an organization may implement an information security management system and other best practices found in the ISO/IEC 27001, ISO/IEC 27002, and ISO/IEC 27035 standards on information security.

Computer security software or cybersecurity software is any computer program designed to influence information security. This is often taken in the context of defending computer systems or data, yet can incorporate programs designed specifically for subverting computer systems due to their significant overlap, and the adage that the best defense is a good offense.

A view model or viewpoints framework in systems engineering, software engineering, and enterprise engineering is a framework which defines a coherent set of views to be used in the construction of a system architecture, software architecture, or enterprise architecture. A view is a representation of the whole system from the perspective of a related set of concerns.

Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA protects personal data—which may include personal identification or financial assets—from being accessed by an unauthorized third party that may have been able to discover, for example, a single password.

Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT).

In computer security, a threat is a potential negative action or event enabled by a vulnerability that results in an unwanted impact to a computer system or application.

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

An insider threat is a perceived threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. The threat may involve fraud, the theft of confidential or commercially valuable information, the theft of intellectual property, or the sabotage of computer systems.

Social hacking describes the act of attempting to manipulate outcomes of social behaviour through orchestrated actions. The general function of social hacking is to gain access to restricted information or to a physical space without proper permission. Most often, social hacking attacks are achieved by impersonating an individual or group who is directly or indirectly known to the victims or by representing an individual or group in a position of authority. This is done through pre-meditated research and planning to gain victims’ confidence. Social hackers take great measures to present overtones of familiarity and trustworthiness to elicit confidential or personal information. Social hacking is most commonly associated as a component of “social engineering”.

Information security awareness is an evolving part of information security that focuses on raising consciousness regarding potential risks of the rapidly evolving forms of information and the rapidly evolving threats to that information which target human behavior. As threats have matured and information has increased in value, attackers have increased their capabilities and expanded to broader intentions, developed more attack methods and methodologies and are acting on more diverse motives. As information security controls and processes have matured, attacks have matured to circumvent controls and processes. Attackers have targeted and successfully exploited individuals human behavior to breach corporate networks and critical infrastructure systems. Targeted individuals who are unaware of information and threats may unknowingly circumvent traditional security controls and processes and enable a breach of the organization. In response, information security awareness is maturing. Cybersecurity as a business problem has dominated the agenda of most chief information officers (CIO)s, exposing a need for countermeasures to today's cyber threat landscape. The goal of Information security awareness is to make everyone aware that they are susceptible to the opportunities and challenges in today's threat landscape, change human risk behaviors and create or enhance a secure organizational culture.

Operational technology (OT) is hardware and software that detects or causes a change, through the direct monitoring and/or control of industrial equipment, assets, processes and events. The term has become established to demonstrate the technological and functional differences between traditional information technology (IT) systems and industrial control systems environment, the so-called "IT in the non-carpeted areas".

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

The Personal Information Protection Law of the People's Republic of China referred to as the Personal Information Protection Law or ("PIPL") protecting personal information rights and interests, standardize personal information handling activities, and promote the rational use of personal information. It also addresses the transfer of personal data outside of China.

References

↑ Hwang, Inho; Wakefield, Robin; Kim, Sanghyun; Kim, Taeha (2021-07-04). "Security Awareness: The First Step in Information Security Compliance Behavior". Journal of Computer Information Systems. 61 (4): 345–356. doi:10.1080/08874417.2019.1650676. ISSN 0887-4417.
↑ Maritime Security Awareness Training
↑ Assenza, G. (2019). "A Review of Methods for Evaluating Security Awareness Initiatives". European Journal for Security Research. 5 (2): 259–287. doi:10.1007/s41125-019-00052-x. S2CID 204498135.
↑ Hwang, Inho; Wakefield, Robin; Kim, Sanghyun; Kim, Taeha (2021-07-04). "Security Awareness: The First Step in Information Security Compliance Behavior". Journal of Computer Information Systems. 61 (4): 345–356. doi:10.1080/08874417.2019.1650676. ISSN 0887-4417.
↑ "The 20 Best Security Awareness Training Topics for 2024".
↑ "OECD Guidelines for the Security of Information Systems, 1992".
↑ Vacca, John R. (2012-11-05). Computer and Information Security Handbook. Newnes. ISBN 978-0-12-394612-6.
↑ Giboney, Justin Scott; Proudfoot, Jeffrey Gainer; Goel, Sanjay; Valacich, Joseph S (2016). "The Security Expertise Assessment Measure (SEAM): Developing a scale for hacker expertise". Computers & Security. 60: 37–51. doi:10.1016/j.cose.2016.04.001.

External links

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] Hwang, Inho; Wakefield, Robin; Kim, Sanghyun; Kim, Taeha (2021-07-04). "Security Awareness: The First Step in Information Security Compliance Behavior". Journal of Computer Information Systems. 61 (4): 345–356. doi:10.1080/08874417.2019.1650676. ISSN 0887-4417.

[2] Maritime Security Awareness Training

[3] Assenza, G. (2019). "A Review of Methods for Evaluating Security Awareness Initiatives". European Journal for Security Research. 5 (2): 259–287. doi:10.1007/s41125-019-00052-x. S2CID 204498135.

[4] Hwang, Inho; Wakefield, Robin; Kim, Sanghyun; Kim, Taeha (2021-07-04). "Security Awareness: The First Step in Information Security Compliance Behavior". Journal of Computer Information Systems. 61 (4): 345–356. doi:10.1080/08874417.2019.1650676. ISSN 0887-4417.

[5] "The 20 Best Security Awareness Training Topics for 2024".

[6] "OECD Guidelines for the Security of Information Systems, 1992".

[7] Vacca, John R. (2012-11-05). Computer and Information Security Handbook. Newnes. ISBN 978-0-12-394612-6.

[8] Giboney, Justin Scott; Proudfoot, Jeffrey Gainer; Goel, Sanjay; Valacich, Joseph S (2016). "The Security Expertise Assessment Measure (SEAM): Developing a scale for hacker expertise". Computers & Security. 60: 37–51. doi:10.1016/j.cose.2016.04.001.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]