Information security training
John Harrison from SAINT (Security Alliance for the Internet and New
Technologies) takes a fresh look at some of the training issues in relation to
security and provides advice on and an insight into what an organisation can do to effectively address their security training requirements.
Why is security training important?
This may sound like an obvious question, but it is important to look at what problems
security training is likely to address effectively. Training is a ‘people’ issue – again, an
obvious statement, but so often we overlook the obvious.
The SANS Institute conducted a survey in 1999 amongst 1,850 computer security
experts and managers to identify the seven top management errors that lead to computer
security vulnerabilities. At the top of this list they found that management ‘assign untrained
people to maintain security and provide neither the training nor the time to make it possible
to do the job’.
Things have moved on since 1999, so we must be doing better than this – or are we? To
allow you to judge, visit the SANS Institute website at www.sans.org/newlook/resources,
where all seven errors are listed, and ask yourself: do any of these apply to my organisation?
The first key message, which is as true today as it was in 1999, is that information
security training should involve everyone, and extend well beyond the needs of the IT
department.
Closer to home and more recently, the DTI sponsored the Security Breaches Survey
2002 (www.security-survey.gov.uk), which indicated that information security has never
been a higher priority at the board level (73 per cent compared to 53 per cent in 2000), but
relatively few businesses are translating this priority into effective action.
The survey went on to reveal the level of under-investment in IT security, with only 27
per cent of UK companies investing more than one per cent of their IT budget in security
measures, whereas the global benchmark is three to five per cent. Perhaps the most telling
result is that only 27 per cent of UK companies have a security policy, which is a fundamental
aspect of good information security.
The survey includes advice on the top ten actions for the board, with the first bulleted
item being to ‘make sure your business creates a security-aware culture by educating staff
about security risks and their responsibilities’. This is another endorsement for security
training and awareness.
Security training and security awareness – what is the difference?
Information security is, above all, a business issue, which involves people, processes and
technology. As already shown, many in the security industry would advise organisations
wishing to improve their security that if they only have the resources to do one new thing,
then they should be directed at ‘security awareness’. But how does this differ from ‘security
training’ and does it matter?
To find out, we can look at some of the models that came out of the ‘quality’ drive in the
1980s. The ‘learning cycle model’ (see Figure 5.3.1) shows how a person moves from being
subconsciously incompetent towards the goal of being subconsciously competent. Take, for
example, riding a bike: people start by not being aware of whether they can ride or not (1),
to falling off and realising they cannot (2), to getting their balance for the first time (3) to
riding without thinking about it (4).
The most important point about this model is that as you move round from 1 to 4, each
transition normally requires more effort than the one before – for example, moving from 1
to 2 can often be done quickly and with little effort. I would argue that ‘security awareness’
facilitates moving from 1 to 2; ‘security training’ facilitates moving from 2 to 3 and
‘practice’ facilitates moving from 3 to 4.
It is also worth noting that over time people move from 4 back to 1 as, particularly in
the case of security, new vulnerabilities and countermeasures are continually evolving,
hence the cliché: ‘security is a journey not a destination’.
However, security awareness is about more than simply helping people realise there is
a problem; it must also address motivational aspects to persuade people to take the next
steps around the learning cycle.
The second model addresses the question: ‘How do you get anyone to expend effort to
change?’ (see Figure 5.3.2). This shows that the second key message is that the relevance of
information security training must be clear to both the individual and the employer.
This can be done in many ways, not least through the inclusion of information security
within personal objectives and job descriptions that are tailored to the needs of the business.
To summarise, security awareness can be thought of as creating the aspiration, whilst
security training can be seen as one important means of achieving this aspiration. They are
complementary and both are necessary for creating a security-aware culture by helping
people move round the security learning cycle.
Who should be trained, how, and what should they be trained in?
The answers to the ‘who’, ‘how’ and ‘what’ questions will depend on the individual and on
the needs of your business, but the following points are relevant.
Who needs to be trained?
It is not glib to say that everyone in an organisation at some time or another should receive
some sort of information security training. In some organisations it is not unusual for every
employee to have a security-related item in their job description and, where appropriate, to
have specific relevant personal objectives. I know of one organisation where over 80,000
employees had an objective to undergo security training, which for logistical and cost
reasons was delivered by a combination of video and an interactive computer-based course,
which was assessed and discussed at their annual appraisal.
The advice is, therefore, to examine your own organisational structure and to review the
security training needs of each role within the business. To ensure relevance it is important
to understand the ‘what’ aspect of training, which is discussed later.
How should the training be conducted?
One example of how to conduct the training has already been given where distance learning
was used effectively. Training courses, both external and in-house, are also very effective,
and for the more technical subjects it is important to provide hands-on facilities so that people can practise what they are taught.
There are many vendor-specific technical training courses, and consulting firms can
be employed to run courses on almost any aspect of information security. In some cases,
vendors provide road shows where they offer free training at various locations around the
country, with a view to demystifying the security aspects of their products and, therefore,
helping build trust and confidence in them.
Self-help training is facilitated by the numerous websites offering security guidelines,
many of which are described and linked to the SAINT website at www.intellectuk.org/saint.
A good example of self-help guidelines, written in plain English and primarily for the SME
market, are the AEB web security guidelines, which can be found at www.intellectuk.org/
publications/business_guidance_papers/web_sec_guidelines.pdf. These guidelines are
complementary to ISO/IEC 17799 and provide a framework for developing and implementing
effective security measures to manage the security risks that could affect a website
and e-business processes. Another good example is the guide from the US National Cyber
Security Alliance, which can be found at www.staysafeonline.info, again providing
guidance in plain language for the cyber-citizen and small business.
How this training is managed is another important consideration, and a good vehicle
for this would be within the general Investors in People standard being adopted by many
organisations. Further information on this quality standard can be found at
www.iipuk.co.uk.
What training is required?
This question is perhaps the most complex to deal with, as what training is required depends
on the individual, their role within an organisation and the aspirations of both the individual
and the organisation. A good starting point, however, is to look at possible structures for
determining what training is needed.
A logical place to start would be to organise training around the ‘information security
policy’ of the organisation, where, for example, all desktop users could be trained on the
Internet usage policy. The major flaw in this approach is that, according to the DTI sponsored
security survey, only 27 per cent of organisations have a security policy – so what
about the remaining 73 per cent?
BS 7799 is another logical place to start, Part 1 of which is a code of practice for information
security management. This was adopted in 2000 as an international standard
ISO/IEC 17799. It describes a large number of controls that an organisation can adopt to
safeguard the confidentiality, integrity and availability of its information.
Training based on the ten major sections of BS 7799 (Part 1) would provide a structure
that would support the adoption of good information security practice within an organisation,
noting that one of the major sections addresses the need to create security policies.
However, perhaps the most significant example of leadership in security comes from
the OECD (Organisation for Economic Co-operation and Development) guidelines for the
security of systems and networks, published in July 2002. These guidelines are aimed at
promoting a culture of security and identify nine principles to help create this culture. It is
worth noting that BS 7799 (Part 2) provides a process framework for implementing a
number of these principles. These guidelines can be downloaded from the OECD website at
www.oecd.org/pdf/M00033000/M00033182.pdf.
Given the scope of the OECD membership, and their position as a global authority,
adoption of these nine principles must eventually be the long-term aim and aspiration of
most organisations around the world.
This is the third time in this article that creating a culture of security has been a stated
aim, and it is also the third key message, which is that any security training should play a
part in creating a security-aware culture.
What training structure would be the most effective in the long term?
This section proposes that an effective structure for security training should be one that is
based on the nine principles described in the OECD guidelines. These guidelines state that:
‘All participants will be aided by awareness, education, information sharing and training
that can lead to adoption of better security understanding and practices.’
The OECD guidelines are not detailed within this article, so it is recommended that
the following section is read in conjunction with the guidelines (the nine principles are clear
and concise, being described in three pages).
Principle 1 – Awareness
The need for security awareness has already been described in some detail within the
opening sections of this document. The guidelines expand on the importance of risk
awareness as the first line of defence and of people understanding the consequences arising
from the abuse of information systems and networks.
Training should therefore ensure that people in all roles clearly understand these risks,
and what they need to do to mitigate them.
Principle 2 – Responsibility
This has been touched on earlier in terms of including the relevance of information security
within an individual’s personal objectives and job description. The guidelines promote
good management practices in terms of ensuring that individuals are aware of their responsibility
and are accountable.
Training should therefore be provided to help ensure people have the necessary skills
and knowledge for them to discharge this responsibility.
Principle 3 – Response
This recognises that security incidents will occur and that it is important to respond to them
in a co-operative and timely manner. Co-operation raises an important point for training,
because ideally training would draw on other people’s misfortunes – that is, it would allow
staff to learn from other organisations’ mistakes. However, sharing incident information is recognised as being
difficult because of the potential loss of reputation arising from the risk of unsympathetic media
reporting.
Training should therefore attempt to include content from shared information on
sensitive issues such as incidents. The introduction of Information Sharing and Analysis
Centres (ISACs) in the US is one attempt to do this (see https://www.it-isac.org) as an
example within the IT sector.
Principle 4 – Ethics
This is fundamental to changing the culture in terms of making people recognise that their
action or inaction may harm others. In the US, information security is now being taught at
school level in order to change the perception that ‘hacking is cool’. Organisations are also
promoting ethical codes of conduct and the Institute of Directors (IoD), in particular, have
published a code of ethics relating to information security.
Training should therefore be provided on codes such as these and delivered to all
people in an organisation. A good place to start is induction training.
Principle 5 – Democracy
This can often be taken for granted in the UK, but it addresses the need for information
security to be compatible with the essential values of a democratic society. One aspect of
this relates to privacy and the right of a state to access information on an individual. Two
pieces of UK legislation that relate to this aspect are the Data Protection Act 1998 and the
Regulation of Investigatory Powers Act 2000.
Training should therefore be provided to help people understand the relevant legislation,
both in terms of their rights and what is illegal.
Principle 6 – Risk assessment
Participants are encouraged to conduct risk assessments in this section of the guidelines.
Risk is a term used by many but, arguably, understood by few. For example, what is the
difference between risk assessment and risk management, and how do you undertake them?
Training should be given on risk and how it relates to the individual’s role within the
organisation. I would argue that this is a key topic and that it needs to be taught at all levels
and to all roles within an organisation, as it is a prime mover towards a security-aware
culture.
Principle 7 – Security design and implementation
I would argue that this is one of the most fundamental principles of the OECD guidelines
where it states that systems, networks and policies need to be properly designed, implemented
and co-ordinated to optimise security. I firmly believe that this offers one of the
greatest opportunities for improvement as this principle is often neglected – evidenced by
the DTI security survey, which stated ‘Yet, only 14 per cent of UK businesses (32 per cent
of large businesses) always document how security requirements are being addressed in the
design of IT projects and 25 per cent (8 per cent of large businesses) never do’.
Training should be provided on how security can be designed into IT systems and
networks, as well as on implementing and maintaining them in a secure manner. Suppliers
and users should teach their staff how to do it, and clients should teach their staff how to
procure systems and services that will be secure.
Principle 8 – Security management
The guidelines state that participants should adopt a comprehensive approach to security
management. The obvious candidate on which this can be based is the BS 7799 code of
practice for information security management, which is discussed briefly earlier in this
article.
Training should be provided against the background of the structure and approach for
good information security management as described in BS 7799 Part 1 (ISO/IEC
17799:2000).
Principle 9 – Reassessment
This relates to the transition from stage 4 to 1 in the learning cycle described earlier, which
reminds us that new and changing threats and vulnerabilities are continuously being
discovered, prompting the need to continually review the appropriate countermeasures.
Security training should, therefore, not be a single event for any individual, but should
be provided continuously to meet the needs of the changing environment. This also applies
to security awareness, as it is important to continuously reinforce the need for good
security practice. Otherwise there is a risk of complacency, especially if no significant incidents
occur.
Conclusion
It is recognised that not all the points of advice provided above will apply to everyone, but
it is hoped that with the right prioritisation the reader can go away and act on at least one
piece of advice or comment in this article. BS 7799 Part 1 offers the same approach in
listing over 200 controls that can be adopted to ensure good information security
management. However, it stresses that not all the controls will be relevant to all organisations.
In order to remain impartial, it is not appropriate for this article to recommend specific
training packages. However there are many resources on the Internet that one can access for
specific advice, including the vendor of the information systems used and the many public
service sites, some of which are mentioned in this article.
There have been three key messages identified:
Information security training should involve everyone and extends well beyond the
needs of the IT department.
The relevance of the information security training must be clear to both the individual
and the employer.
Any security training should play a part in creating a security-aware culture.
These may seem obvious to many, but we are not always very good at doing the obvious
when it comes to information security.
John Harrison advises on e-business security at Smart421 and works with Intellect,
an ICT trade association with over 1000 members (www.intellectuk.org), and
SAINT (Security Alliance for the Internet and New Technologies) in developing and
promoting good practice in information security.
Smart421, as an active member of Intellect, has supported his work on many
Intellect security projects, including the Alliance for Electronic Business (AEB)
Web Security Guidelines and SAINT. John spent over a year developing SAINT
before the prospectus was launched by the Minister for E-Commerce, and is now on
the executive board of SAINT.
For further information contact: John Harrison, Associate, eBusiness Security,
Smart421 (Smart solutions for the 21st century), North Felaw Maltings, 48 Felaw
Street, Ipswich, Suffolk IP2 8HE. Tel: +44 (0)1473 421 421; Fax: +44 (0)1473 421
422; Mobile: +44 (0) 7860 425 321; Email: jharrison@smart421.com; Website:
www.smart421.com