Yaroslav Yasenkov, Security Vision
Building an effective information security system in an organisation is impossible without implementing an employee awareness raising process. We at Security Vision are already using tools to raise employee awareness, and we would like to share a methodology for implementing this process, which can be applied to an organisation of any size and field of activity.
Why teach?
Some organisations underestimate the importance of information security training and awareness for employees. This process matters for the following reasons:
- Erroneous or malicious employee actions are one of the main ways cyber-attacks are carried out;
- In some industries, employee training is mandatory for the company to remain compliant with regulations;
- Competent employee actions minimise both the material and the reputational damage a company suffers from cyber-attacks.
In support of the first argument, we can refer to public reports from well-known information security companies. According to Positive Technologies' report for Q4 2023, 56% of successful attacks on organisations used social engineering techniques. IBM, in its Cost of a Data Breach Report 2023, names phishing and compromised accounts as the most common initial attack vectors. These two vectors have led the list since 2022, but phishing has now moved to the top with a 16% share, while compromised accounts have dropped to 15%. IBM's report also estimates the financial damage for different attack vectors: for phishing the estimate reached USD 4.76 million, and the most ‘expensive’ attacks were those initiated by malicious insiders, with estimated damage of USD 4.90 million.
As for regulatory and legal acts, the requirement to implement an awareness-raising process appears in a number of them. Measures on raising employee awareness are set out both in top-level information security standards and in sectoral regulations. An example of a top-level standard is GOST R ISO/IEC 27001-2021, which establishes the following measures:
- Regular training of employees and communication of information security policies and procedures to them;
- A process for taking action against employees who have committed information security breaches.
Financial organisations are additionally required to provide information security awareness to employees in accordance with GOST 57580.1-2017. This standard imposes the following requirements on a financial organisation:
- Education and practical training (retraining) of the financial organisation's employees responsible for applying information security measures;
- Awareness raising (instruction) of the financial organisation's employees in the field of information protection.
Employee training measures are also established by regulatory documents on personal data. The text of the Federal Law dated 27.07.2006 No. 152-FZ ‘On Personal Data’ contains the following requirement:
- Familiarisation or training of employees with the requirements for personal data protection, the operator's policy on personal data processing, and local acts on personal data processing.
How to teach?
The implementation of the awareness raising process can be divided into several key stages:
- Defining objectives;
- Allocation of personnel who will be responsible for the process;
- Identification and grouping of the target audience;
- Selecting tools;
- Working out a timeline;
- Implementing the process;
- Evaluating the results of implementation.
Defining objectives
When defining the goals of awareness raising implementation, start from the goals that your organisation or business unit has. The goal may be to reduce information security risks or to comply with the regulatory requirements we described in the first section of this article. When setting goals for measurable results of the awareness raising process, the SMART (specific, measurable, achievable, relevant and time-bound) methodology should be taken into account. Here are some examples of such goals:
- Communicating to all personnel the requirements of local regulations in the field of information security adopted in the organisation;
- Increasing staff knowledge of IS terminology and of how the IS unit works, so that efforts to prevent incidents are coordinated;
- Communicating to staff the procedure to be followed in the event of an IS incident, taking into account their role and the structure of the organisation.
Identifying the personnel who will be responsible for the process
The following roles are key to implementing the awareness process. They are all important and involved at different stages of the process lifecycle, and there is no restriction on multiple roles being combined by one person.
IS department specialist. Such a specialist can formulate the objectives, identify the target audience and select training topics based on the organisation's needs and the threats it is exposed to. They may also develop content themselves or take general oversight of the development of training materials to tailor them to the organisation's needs.
IT department specialist. Without such a specialist it is not possible to create relevant training materials, since documentation and instructions for the organisation's information systems are usually produced by IT staff. The IT support service is also normally part of the IT department, and how to contact that service is an important part of the training materials.
HR Specialist. These specialists are directly involved in the training processes at all stages of an employee's employment with the company.
Legal department specialist. Such a specialist can set out precisely the legal requirements and the liability employees bear for their actions.
Identification and grouping of the target audience
Identifying and grouping the target audience employees is paramount when developing an awareness process. Different groups of workers use different tools, different information systems in their work, and have different competences. Therefore, without knowing one's target group, it is not possible to prepare relevant training materials. An example of a possible initial grouping of workers is shown in Table 1:
Table 1 - grouping of workers

| Division | Employee target audience group |
|---|---|
| Line staff | Line staff |
| HR | Line staff |
| Marketing and public communications | Line staff |
| Legal Department | Line staff |
| Finance Department | Decision makers and allocators of financial resources |
| Heads of departments | Decision makers and allocators of financial resources |
| IT department | IT and IS professionals |
| IS division | IT and IS professionals |
Once workers have been grouped according to their job responsibilities and competences, the division of training materials can begin. An example of such a possible division is given in Table 2:
Table 2 - Matrix of target audience groups and training topics

| Training topic/method | Line staff | IT and IS specialists | Decision makers and allocators of financial resources |
|---|---|---|---|
| Safe use of the Internet | + | | |
| Protection of personal data | + | | |
| Financial fraud | + | | |
| Password attacks | + | | |
| Physical security of devices | + | | |
| Spam | + | | |
| Social engineering | + | + | + |
| Phishing | + | + | |
| Malware | + | + | + |
| Communications with external organisations | + | + | |
| Cyberterrorism | + | + | |
| Certification and refresher courses | + | | |
Choice of tools
The success of the awareness-raising process depends largely on the way in which the material is delivered to employees. The method of training should not be limited to a standardised induction with a signature on an awareness log. The scope, target audience and objectives of the awareness raising should be taken into account. But in any case, the method of training should be interesting for the target audience.
Posters and mailings. This method covers training materials such as posters, paper handouts and newsletters. Its advantages are that a short piece of material can cover key points from several IS areas at once, and that it is a convenient way to remind employees about urgent matters (for example, the need to complete mandatory training) and about changes to the organisation's information security requirements and processes. Its main disadvantage is that employees become desensitised to such materials over time, and there is no way to guarantee that every employee has actually read them.
Instructional training. This method can take the form of a seminar or master class, with an IS specialist personally acting as the instructor. The advantage of training led by an IS specialist is that the instructor can read the participants' reactions, adapt the session accordingly and answer questions live. But this method does not scale to a large number of trainees without a significant increase in the number of instructors.
Video instruction. Pre-recorded video can be used as a teaching method. It minimises the load on instructors and lets employees study the material at their own pace. However, it does not allow the results of training to be assessed properly and, like the first method, does not guarantee that trainees have actually studied the material.
Gamification-based learning. Such methods are more interactive and are a more effective alternative to the traditional methods described above. They do not require the constant involvement of an instructor, and employees can be trained at their own pace. This method combines graphical presentation of the training materials with the ability to assess learning immediately through interactive surveys or tests. It is most conveniently implemented using an LMS (Learning Management System). An LMS lets you fully manage the awareness-raising process: set up access to educational content in the right order, check and track trainees' knowledge, define criteria for evaluating results, and obtain full analytics on the educational process. The wide customisation possibilities of the Security Vision platform can also be used here to implement an LMS on its basis and automate the awareness-raising process.
Working out the calendar plan
The calendar plan of the awareness-raising process should take into account the business activity and workload of the departments and, where possible, should be agreed with all participating departments. For example, complex training materials for the finance department should not be launched at the end of the financial year. Time should also be set aside for corrective action, as materials need regular updates to keep pace with changes in regulatory requirements and to correct any errors identified.
Implementing the awareness raising process
IS training should be provided to employees at least at the following points in time:
- Employee onboarding;
- During the post-incident action phase;
- At regular intervals throughout the year.
When an employee joins, they need to be inducted into the cyber security culture built within the organisation. As a result of this induction training, the employee should have the contact details of the people they can approach on IS issues, basic instructions on how to work correctly with the information systems and information security tools available to them, and information on their liability for malicious acts.
In the event of an information security incident, the reasons for its occurrence should be analysed and thought given to how to avoid a recurrence in the future. Find out what information the person responsible lacked and how the training materials can be improved. The results of this analysis should be fed into the corrective action phase of the awareness raising process.
Training should be carried out on a regular basis, as the composition of the company will inevitably change over time and it is not possible to cover all IS issues in a single induction training session. Also, one should not forget the folk wisdom: ‘Repetition is the mother of learning’.
Evaluation of implementation results
After the awareness raising process has been implemented, its effectiveness must be evaluated regularly by checking whether the results obtained at each implementation stage are still relevant. Make changes where necessary, and repeat the cycle, aiming for 100% fulfilment of the objectives.