Training of Information Security for Common Users
Dr. Francisco Eduardo Rivera
FAA
SALT Conference, February 18, 2004
Overview
What is training of IS
Importance and Background
Common Final Users
The Problem
Approaches
Re-orientation
Awareness, Support and Responsibility
The scenario approach
Conclusion
What is Information Security Training?
It is not a computer literacy training
It is not an academic course
It is not just for new employees
It is not another training
It is an urgency!
It must be part of the essential policy of the organization
InfoSec or Cybersecurity training?
Not only for IT experts
All workers dealing with Information
Cover all aspects
Prevention oriented rather than remedial oriented
Practical approach rather than theory
Continuously
Information security, what for?
Protecting assets (information resources, including computing time and memory) against:
  destruction
  alteration
  corruption
  misuse
  theft of information
Avoiding intruders
Keeping Confidentiality and Privacy
Possible Consequences
Enormous potential costs if Information security is breached
Liability
Loss of competitive advantages
Image damage
National interest
Information Security has changed
From teen hackers to serious and professional hackers
Information war
The number and quality of attacks is growing rapidly
The speed of spread is growing
Distributed and evolving attacks
A growing discipline?
Maturity
The experience
The complexity of the subject
The coverage and inter-discipline
The technical details
The changing environment
More than 500 enterprises
Expenditures of more than $5 billion/year
Cybersecurity
Many organizations involved: ACM, NIST, CSI, ISACA, IEEE, ISOC, ISSA, SANS, etc.
More than 300 university programs
Specialized training and certifications: CISSP, CISA, CISM, SSCP, Security+, SCP, GIAC, TICSA
A czar, federal agencies: DHA, NSA, OMB, Information Security Act, …
The problem
The strength of security is the strength of its weakest part
Traditional: high security in Computer Centers
Traditional: centralized control of security management and operations
Traditional: users only deal with internal data and no external connection
The problem (continued)
The Internet as:
  the extended information resource
  the standard way of communication
The use of network bandwidth for other purposes
The connectivity with the Internet: the present version is intrinsically insecure
The new unsecured wireless networks
The holes in operating systems
Common Final User
Is the employee who manages corporate information through computers and networks, but is not in charge of the functioning of systems, programs, networks and equipment
He/she is not an expert
He/she is computer literate
Is the most important resource in the organization, followed by information
General Training Approaches
Mission oriented
Global coverage
Cost-effectiveness oriented
But in the case of Information Security:
  Sense of urgency
  Implications
  Practical aspects
Specific Training approaches
Information classification – mostly academic
Information Systems Development Cycle (SDLC) – mostly professional organizations
Standards and Models – mostly certification organizations
Around specific software packages
The NIST approach
Security Education, Training and Awareness (SETA)
Divided into three levels of depth:
  Education – Curriculum
  Training – Organization
  Awareness – Final users
Re-orientation
Awareness is not enough!
What is important in security?
  Basic understanding
  Motivation
  Basic what to do and what not to do
  Where to go
  Recognize problems and their importance
  Prevent
  Follow policies
Our approach
Similar to NIST
But some training is also for Final users
Based on Awareness, Support and Responsibility
Integration (diagram combining the following elements):
  Awareness
  Support
  Responsibility
  Prevention through Policies
  Practical Knowledge
  Motivation
Motivation
“Raison d’être”: for the organization, for the department, for his/her specific position
Improve the system
Detect problems
Understanding of implications
The cost of not doing
Prevention
It needs responsibility
Follow the policies strictly
Do some routine tasks periodically: review, backup, upgrade
It needs support from IT and other users
Practical Knowledge
Identify problems
Levels of risk
Open to suggestions
How to do: passwords, network identification
Whom to address in case of a problem, and what to do (and not to do)
Responsibility
The new element
Who is the owner of information?
The final user is not just a user; he/she is co-responsible for:
  Data
  Management of data
  Basic security and accessibility
The Scenario Approach
The field is so large
Less technical information and more decision-making abilities
What are the basic cases?
Simple to complex problems
Interaction with other users
Rapid response
Scenarios (in plural)
Illustrate with practical real cases
Many variants
To identify key issues
When to explore?
More than one right answer
Interactive discussion
Graphical presentation
Conclusion
InfoSec Training is an investment
It needs to be reviewed periodically to be updated with new problems
Challenging user attitudes in: awareness, support and responsibility
Use plain language
The user is an integral part of the solution
Questions?
Comments?