Training of Information Security for Common Users Dr. Francisco Eduardo Rivera FAA SALT Conference, February 18, 2004



Page 2: Overview

What is training of IS
Importance and Background
Common Final Users, The Problem
Approaches
Re-orientation
Awareness, Support and Responsibility
The scenario approach
Conclusion

Page 3: What is Information Security Training?

It is not a computer literacy training
It is not an academic course
It is not just for new employees
It is not another training
It is an urgency!
It must be part of the essential policy of the organization

Page 4: InfoSec or Cybersecurity training?

Not only for IT experts
All workers dealing with information
Cover all aspects
Prevention oriented rather than remedial oriented
Practical approach rather than theory
Continuously

Page 5: Information security, what for?

Protecting assets: information resources, including computing time and memory, against destruction, alteration, corruption, misuse and theft of information
Avoiding intruders
Keeping confidentiality and privacy

Page 6: Possible Consequences

Enormous potential costs if information security is breached:
  Liability
  Loss of competitive advantages
  Image damage
  National interest

Page 7: Information Security has changed

From teen hackers to serious and professional hackers
Information war
The number and quality of attacks is growing rapidly
The speed of spread is growing
Distributed and evolving attacks

Page 8: A growing discipline?

Maturity
The experience
The complexity of the subject
The coverage and inter-discipline
The technical details
The changing environment
More than 500 enterprises
Expenditures of more than $5 billion/year

Page 9: Cybersecurity

Many organizations involved: ACM, NIST, CSI, ISACA, IEEE, ISOC, ISSA, SANS, etc.
More than 300 university programs
Specialized training and certifications: CISSP, CISA, CISM, SSCP, Security+, SCP, GIAC, TICSA
A czar, federal agencies: DHA, NSA, OMB, Information Security Act,…

Page 10: The problem

The security strength is the strength of the weakest part
Traditional: high security in computer centers
Traditional: centralized control of security management and operations
Traditional: users only deal with internal data and have no external connection

Page 11: The problem (continuation)

The Internet as:
  The extended information resource
  The standard way of communication
  The use of network bandwidth for other purposes
The connectivity with the Internet: the present version is intrinsically insecure
The new unsecured wireless networks
The holes in operating systems

Page 12: Common Final User

Is the employee who manages corporate information through computers and networks, but is not in charge of the function of systems, programs, networks and equipment
He/she is not an expert
He/she is computer literate
Is the most important resource in the organization, followed by information

Page 13: General Training Approaches

Mission oriented
Global covering
Cost effective oriented
But in the case of Information Security:
  Sense of urgency
  Implications
  Practical aspects

Page 14: Specific Training approaches

Information classification – mostly academic
Information Systems Development Cycle (SDLC) – mostly professional organizations
Standards and Models – mostly certification organizations
Around specific software packages

Page 15: The NIST approach

Security Education, Training and Awareness (SETA)
Divided into three levels of depth:
  Education – Curriculum
  Training – Organization
  Awareness – Final users

Page 16: Re-orientation

Awareness is not enough!
What is important in security?
  Basic understanding
  Motivation
  Basic what to do and what not to do
  Where to go
  Recognize problems and importance
  Prevent
  Follow policies

Page 17: Our approach

Similar to NIST, but some training is also for final users
Based on Awareness, Support and Responsibility

Page 18: Integration

Awareness
Support
Responsibility

Prevention through Policies
Practical Knowledge
Motivation

Page 19: Motivation

“Raison d’être”:
  For the organization
  For the department
  For his/her specific position
Improve system
Detect problems
Understanding of implications
The cost of not doing

Page 20: Prevention

It needs responsibility:
  Follow strictly the policies
  Do some routine tasks
  Periodical review, backup, upgrade
It needs support from IT and other users

Page 21: Practical Knowledge

Identify problems
Levels of risk
Open to suggestions
How to do:
  Passwords
  Network identification
Who to address in case of problem and what to do (and not to do)

Page 22: Responsibility

The new element
Who is the owner of information?
The final user is not just a user: he/she is co-responsible for:
  Data
  Management of data
  Basic security and accessibility

Page 23: The Scenario Approach

The field is so large
Less technical information and more decision making abilities
What are the basic cases?
Simple to complex problems
Interaction with other users
Rapid response

Page 24: Scenarios (in plural)

Illustrate with practical real cases
Many variants
To identify key issues
When to explore?
More than one right answer
Interactive discussion
Graphical presentation

Page 25: Conclusion

InfoSec Training is an investment
Need to review periodically, to update with new problems
Challenging user attitudes in: awareness, support and responsibility
Use plain language
The user is an integral part of the solution

Page 26: Questions? Comments?