Information security awareness

Information security awareness is an evolving part of information security that focuses on raising consciousness regarding potential risks of the rapidly evolving forms of information and the rapidly evolving threats to that information which target human behavior. As threats have matured and information has increased in value, attackers have increased their capabilities and expanded to broader intentions, developed more attack methods and methodologies and are acting on more diverse motives. As information security controls and processes have matured, attacks have matured to circumvent controls and processes. Attackers have targeted and successfully exploited individuals human behavior to breach corporate networks and critical infrastructure systems. Targeted individuals who are unaware of information and threats may unknowingly circumvent traditional security controls and processes and enable a breach of the organization. In response, information security awareness is maturing. Cybersecurity as a business problem has dominated the agenda of most chief information officers (CIO)s, exposing a need for countermeasures to today's cyber threat landscape. The goal of Information security awareness is to make everyone aware that they are susceptible to the opportunities and challenges in today's threat landscape, change human risk behaviors and create or enhance a secure organizational culture.

Background
Information security awareness is one of several key principles of information security. Information security awareness seeks to understand and enhance human risk behaviors, beliefs and perceptions about information and information security while also understanding and enhancing organizational culture as a countermeasure to rapidly evolving threats. For example, the OECD's Guidelines for the Security of Information Systems and Networks include nine generally accepted principles: awareness, responsibility, response, ethics, democracy, risk assessment, security design and implementation, security management, and reassessment. In the context of the Internet, this type of awareness is sometimes referred to as cyber security awareness, which is the focus of multiple initiatives, including the U.S. Department of Homeland Security's National Cyber Security Awareness Month and President Obama's 2015 White House Summit on Cybersecurity and Consumer Protection.

Computer based crimes are not something new to us. Viruses have been with us for well over 20 years; spyware has clocked up more than a decade since the earliest incidents; and large-scale use of phishing can be traced back to at least 2003. One of the reasons researchers agreed upon that the pace at information system is evolving and expanding, the security awareness program among the employees is falling way behind. Unfortunately, however, it seems that the rapid adoption of online services has not been matched with a corresponding embrace of security culture.

Evolution
Information security awareness is evolving in response to the evolving nature of cyber attacks, increased targeting of personal information and the cost and scale of information security breaches. Furthermore, many individuals think of security in terms of technical controls, not realizing that they as individuals are targets, and that their behavior can increase risks or provide countermeasures to risks and threats.

Determining and measuring information security awareness has highlighted the need for accurate metrics. In response to this need, information security awareness metrics are rapidly evolving in order to understand and measure the human threat landscape, measure and change human understanding and behavior, measure and reduce organizational risk and measure effectiveness and cost of information security awareness as a countermeasure.

Most of the organizations do not want to invest money on information security. A survey conducted by PricewaterhouseCoopers (2014) found that current employees (31%) and former employees (27%) still contribute to information security incidents. The survey results indicated that the number of actual incidents attributable to employees had risen by 25% since the 2013 survey. A more recent study, the Verizon Data Breach Investigations Report 2020, discovered similar patterns with 30% of cyber security incidents involving internal actors within a company.

The necessity of security awareness program
A security awareness program is the best solution that an organization can adopt to reduce the security threats caused by internal employees. A security awareness program helps employees to understand that the information security is not an individual's responsibility; it is the responsibility of everyone. The program also explicitly mentions that the employees are responsible for all activities performed under their identifications. Furthermore, the program enforces the standard ways of handling business computers.

Although organizations have not adopted a standard way of providing the security awareness program, a good program should include awareness about data, network, user conduct, social media, use of mobile devices and WiFi, phishing emails, social engineering and different types of viruses and malware. An effective employee security awareness program should make it clear that everyone in the organization is responsible for IT security. Auditors should pay close attention to six areas covered in the program: data, networks, user conduct, social media, mobile devices, and social engineering.

Many organizations make their privacy policies very complicated that the diverse employees always fail to understand those regulations. Privacy Policy is something that should be reminded to the employees whenever they login to the business computer. Privacy Policies should be clearer, shorter and more standardized to enable better comprehension and comparison of privacy practices. Organizations can create interactive sessions for all employees to attend every week to speak about security and threats. Interactive sessions may include awareness about newer threats, best practices and questions & answers.

A security awareness program may not be beneficial if the organization does not penalize the violators. Employees who have found guilty of violating the program should be reported to the higher executives for further action, otherwise the program will not be effective. Information security authorities may perform a gap analysis to find out any deficiencies in the program.

Current state
As of early 2015, CIOs rated information security awareness related issues as top strategic priorities. For example, at a February 2015 Wall Street Journal CIO network event convened to create a prioritized set of recommendations to drive business and policy in the coming year, consensus seemed to form around cybersecurity and delivering change through effective communication with the rest of the business.

While information security awareness and high-profile breaches are at the forefront of most organization's agenda, a recent study of 220 security awareness officers by Lance Spritzner has uncovered three related key findings. First, executive and financial support are necessary for a successful security awareness program. Second, due to the technical nature of traditional security controls and countermeasures, the soft skills necessary to understand and change human behavior are lacking and finally, in terms of a maturity model, security awareness is still in its infancy.

The challenge of measurement
Effectively measuring human risk behavior is difficult because risky behaviors, beliefs and perceptions are often unknown. In addition attacks such as phishing, social engineering, and incidents such as data leakage and sensitive data posted on social media sites and even breaches go undetected and unknown make it difficult to determine and measure points of failure. Often, attacks, incidents and breaches are reacted to or reported from outside the compromised organization after attackers have covered their tracks, and thus cannot be researched and measured proactively. In addition, malicious traffic often goes unnoticed because attackers often spy and mimic known behavior in order to prevent any intrusion detection or access monitoring alerts.

A 2016 study developed a method of measuring security awareness. Specifically they measured "understanding about circumventing security protocols, disrupting the intended functions of systems or collecting valuable information, and not getting caught" (p. 38). The researchers created a method that could distinguish between experts and novices by having people organize different security scenarios into groups. Experts will organize these scenarios based on centralized security themes where novices will organize the scenarios based on superficial themes.

Where simulated phishing campaigns are run regularly, they can provide measures of user compliance.