Security Awareness as a Corporate Asset

Security Awareness as a Corporate Asset
Author: Zsolt Bederna, CISA, CRISC, CISM, CGEIT, CISSP, ISO 27001 LA, CEH, ITIL 2011 Foundation
Date Published: 1 December 2020

A recent blog post about culture as a corporate asset discussed the importance of a healthy culture in an organization.1 The base factor of any organizational culture is the people, at any and all levels of the organizational hierarchy. No one is an exception. Furthermore, there are several distinct aspects of culture—and one of them is cybersecurity.

Regarding cybersecurity, a lot of research mentions incidents caused by human error. Indeed, the percent of such incidents is high, which is why people who work in security say that humans are the most significant risk. But if we teach each person why security is essential and how their jobs relate with security, and vice versa, then they may adequately serve the first and the most crucial line of defense in cybersecurity. However, the ability to fulfil this role depends on each stakeholder’s security awareness, which can be an elusive attribute. But it is worth it to try and catch it.

Generally speaking, awareness is composed of attitude and knowledge. Attitude is a feeling or opinion about something or someone, or a way of behaving that is caused by this.”2 Knowledge is more straightforward. However, there are circumstances (e.g., in a stressful situation) when the brain needs to think quickly to apply heuristics instead of applying learning that circumvents general attitude and knowledge of the given person. In this case, some kind of automation (i.e., automatic behavior) steps forward. Yet, this kind of automation more or less strongly relates to attitude and knowledge.

To reach a higher awareness level in normal and even stressful situations, each awareness component should be taught using modes and methods that fit to each individual to reach the maximum effect of an awareness program. However, selecting the best delivery method for each person is not an easy task, as there are a vast number of methods available, differing in resource demand, mode and effectiveness.

Information awareness delivery methods can be distinguished according to their training parameters such as offline vs computer-based training (CBT), instructorless vs instructed, text-based vs gamified and one-person vs grouped. When choosing the proper mix, keep in mind that systematic persuasion through rationality may have long-term and stronger effects on subjects when they think over their decision.

Just delivering awareness training materials as part of the awareness program is not enough. The application of metrics is necessary not only for compliance reasons, but it shows the progress and the impact of the program for management as well. Furthermore, metrics also serve an essential input for risk analysis.

For further insights on these topics, read Zsolt Bederna’s recent 2-part Journal series, “Components of Security Awareness and Their Measurement—Part 1” and “Components of Security Awareness and Their Measurement—Part 2,” ISACA Journal, volume 5, 2020.

ISACA Journal

Endnotes

1 Harisaiprasad, K.; “Culture as a Corporate Assest,” ISACA Now Blog, 30 July 2020, http://ma0.legalisbg.com/resources/news-and-trends/isaca-now-blog/2020/culture-as-a-corporate-asset
2 Cambridge Dictionary, “Attitude,” http://dictionary.cambridge.org/dictionary/english/attitude