Equally important is the human factor. An important and often underestimated role is played by security awareness, that is, raising employees' awareness of IT security.
Technologies, processes, rules
Experience has shown that technical solutions alone have only limited success in improving information security. In addition, there are many areas where it is not possible, or not economically feasible, to protect information with technical solutions - for example, when work equipment is emptied out.
Security Awareness Methods
For this reason, comprehensive, holistic information security programs have three different aspects: technologies, processes and organizational arrangements. The success of all three depends strongly on the knowledge and behavior of the employees. Technologies can be virtually worthless if employees do not use them, or do not use them correctly. Processes and organizational rules only take effect if employees know, understand and apply them.
A question of communication
These findings are also reflected in international standards such as ISO 27001 "Information Security Management Systems", which calls for the "implementation of programs for training and awareness-raising" as a relevant aspect of successful certification.
The most important success factors
For these reasons, it is sensible and necessary to train employees comprehensively in the handling of information and to educate them about the potential dangers to information security in their daily work. This leads to a significantly improved security level and makes the investment in security more worthwhile.
There are numerous ways to alert employees to information security issues. Which methods are ultimately selected depends on the culture of the company, the existing infrastructure for transferring knowledge, and the financial resources available.
However, companies should take care not to rely on a single method: on the one hand, employees have different learning types and prefer different methods; on the other hand, a combination of methods leads to greater and more lasting learning success.
As a rule, the participants in a security awareness program will be more or less evenly distributed among the different learning types. For people who prefer to learn concretely and experimentally, abstract or reflective methods are less suitable.
This is particularly true for a subject as complex as information security. For effective knowledge transfer, it is therefore advisable to combine as many methods as possible so that the program offers something for each learning type.
In order to implement a security awareness program successfully, the company needs backing from within the organization as well as a program tailored to the needs of its employees. Such a program should include appropriate methods for all target groups identified within the enterprise.
This means that the same learning content is presented differently for different target groups, and also that the content itself can vary from group to group. In addition to goal-oriented preparation of the learning content, communicating it correctly is also important. Here the different learning types should be addressed: training should include visual, auditory, haptic and cognitive elements.
Conclusion
For the successful implementation of a security awareness concept, it is therefore important to ensure that employees feel understood and valued. Only if these points are observed is it possible to achieve the ideal course of communication shown in Bieger's "communication line". The aim is for as many people as possible to reach the "do" and "keep" levels on the communication line, which results in a permanent change of behavior.
The following aspects are essential for the success of security awareness programs:
The aim of creating security awareness is to raise employees' awareness of, and interest in, the subject of information security. In addition, basic and practical knowledge is to be conveyed in a comprehensible manner. The overarching goal is a sustainable change in employee behavior in favor of more information security.