One of the challenges security analysts face when enforcing security awareness is that employees often complain about the effort and implications of the extra control measures imposed on them. In reality they have a valid point. The more educated your staff is, the more likely you are better off giving them the 'why' behind what they are being asked to do rather than simply imposing it. This will, without any doubt, have an effect on their behaviour.
As Sissel Thomassen correctly states in one of his articles, "Targeted training - security aware users", information security has for too long been focused on technical solutions and the implementation of policies. The weakest link and largest information security risk we have always had is people. Time-driven projects and day-to-day activities prevent us from keeping to information security rules.
Here are some very valid tips on how attitudes and behaviours can be changed:
1. Define a good information security awareness programme, including a clear message from top management to all users with a request to follow the corporate awareness programme.
2. Engage the users so that they feel responsible for information security throughout the organisation.
3. Get each departmental manager trained to deliver awareness training specifically tailored to his department's staff.
4. Define a set of 'Golden Rules' or 'Information Security Principles'.
5. Define several different groups of users and give them more training within the disciplines of integrity and business ethics.

That said, awareness is an essential element of the risk management cycle and requires attention at all levels. If users are not made aware of the risks associated with their information resources, they may not understand the need for, or support compliance with, the policies designed to reduce that risk.