Creating an Effective Information Security Training, Education and Awareness Programme Annual ISACA Kampala Chapter Information Security Workshop Prof. Venansius Baryamureeba

Upload: milton-phillips

Post on 18-Dec-2015


Creating an Effective Information Security Training, Education and Awareness Programme

Annual ISACA Kampala Chapter Information Security Workshop

Prof. Venansius Baryamureeba

Contents

• Background
• Paradigm shift impact
• Urgent Concerns
• Information Security Threats
• Current Training Focus
• Training and awareness change
• What can be done?
• Focus of Training Needs

Background

• Information Security
  • What is it? Safeguarding information from unauthorized access, whether digital or non-digital
  • Is a more serious issue due to advancement in technology and more use of digital information
  • More and more information is becoming virtual and in the hands of the unknown
• Paradigm shift
  • Work habits (physical –> ubiquitous)
  • Personal security –> organizational security

Paradigm shift impact

• There is a rise in social media use and cloud based services
  • Increases the risks of being attacked through social avenues
  • Provides an opportunity for the unknown to use and interact with your data, information
• Economical and social aspects
  • Hacking has become a job for people
  • Hacking is used for revenge, fighting capitalism and something for people to feel proud of

Urgent Concerns

• Work life and social life are intertwined
  • Social web applications are becoming the norm for collaboration and communication
  • Less regulation in the mix of work and social life
  • Tracking what your colleagues are sharing and exchanging
  • Working from home or ubiquitous working is on the increase
• Policies and strategies
  • Privacy controls and copyright
  • Access to the ever growing amounts of personal data on people’s profile
  • Assurance on proper use of personal data by custodians

Information Security Threats

• Hacking
• Click jacking attacks and malware
• Agile nature of organizations
• Privacy and copyright abuse
• Managing social media and work life
• Virtual neighbor (who exactly is that?)
• Data leakage through mobile devices
• Security department and other organizational departments not talking
• Ignorance

Current Training Focus

• Security policies and training
  • Focus solely on technology and software that runs it
  • Less attention on the humans that use it, develop it, sell it and the environment around it
  • Advanced employee behavior during use of technology
• Organizational security strategies
  • Training has not entirely focused on the specific security strategies developed for the organization
  • Security of work processes and practices has not been offered priority

Training and awareness change

[Diagram: Information Security Training, with the labels Paradigm Shift, Agile nature of organizations, Advancement in Information Technology, Economical Aspects, Social Aspects, and Focus on Humans]

What can be done?

[Diagram: Effective Information Security Training and Awareness]

• Organizations need to evaluate their understanding of Information Security
• Constantly develop and redevelop training based on level of awareness
• Organizations need to determine the gaps in Information Security

19/07/12

Focus of Training needs

[Diagram: Enhanced Information Security]

• Information Security Awareness
• Appropriate content to appropriate people
• Information Security Benchmarking
• Focus on People’s attitudes and behaviors
• Engaging and Interactive
• Scenario based
• Make Training Culturally Relevant

Thank you

Any Questions
