The security awareness and training program has several objectives: 1) ensure employees understand their role in protecting company information assets; 2) educate employees on the value of information security; and 3) teach employees how to recognize and report potential violations. The program covers topics such as security policies, user responsibilities, and incident reporting. It aims to provide ongoing training for existing employees and raise security awareness through less formal methods. The success of the program requires long-term commitment of resources and funding.

1. Security Awareness
and Training Program

2. Objectives of the security awareness
program
• Employees recognize their responsibility for
protecting the enterprise’s information assets
• Employees understand the value of
information security
• Employees recognize potential violations and
know who to contact
• The level of security awareness among
existing employees remains high

3. Protecting Enterprise’s Information
Assets
• Employees are told the who, what, where,
when, why, and how of information security,
they are only there to do their job.
• Information security must be presented to
them as a function of their job.

4. Employees Understand the Value of
Information Security
• The next step is making the employee
understand how information has value and
that personal, legal, and financial losses as
well as damage to reputation can occur if the
information is not properly protected.
• The value of information is best conveyed
through real-life examples that relate to how
most employees operate.

5. • Instead of complaining about necessary
security functions whose ultimate purpose is
to protect the employee, the employee’s
work, and the organization’s information and
processing assets, it makes sense to find more
efficient processes that will allow the
employee both the opportunity to perform
security functions as well as the time to
perform the job.

6. Employees Recognize Potential
Violations and Know Who to Contact
• Key to educating a user is making that user
aware of the warning signs to look for that
indicate a potential security breach.
• Human nature makes most of us trusting.
• When someone unfamiliar is walking alone
around the office, it is not typical that anyone
would walk up to him, ask him who he is and
if he needs help.

7. Training must include:
• Security policy (e-mail, Internet)
• Confidentiality, integrity, and availability
• User ID and password requirements
• Appropriate use of resources
• Virus scanning and reporting
• Social engineering
• Use of encryption
• Individual responsibility
• Information classification and handling

8. • Threat by industry
• Incident reporting
• The information security organization
• Internet access
• Physical security
• Chain mail
• Information transmission, storage, and processing
• Information security programs
• Security monitoring programs
• Verbal communication in public
• Use of cellular phones

9. The Level of Security Awareness
among Existing Employees Remains
High
• Training is more formalized, typically in a
classroom or conference setting where the
objective is to gain knowledge about a
particular subject.
• Awareness is a passive mechanism that occurs
through less formal methods such as posters,
themes, and objects such as key rings and
cups.

10. PROGRAM CONSIDERATIONS
• Effectiveness is based on long-term
commitment of resources and funding
• Benefits are difficult to measure in the short
term
• Scoping the target audience, both new and
existing employees
• How to effectively reach them