Building an Information Security Awareness Program

Authors: Bill Gardner, Valerie Thomas
Pages: 214
Publisher: Syngress
ISBN: 0124199674


Are information security awareness programs a good thing or a complete waste of time? The debate around this question has been going on for a while and both sides have had some good arguments (and some bad, too). The authors of this book believe the former, and with this tome aim to show you how to build a security awareness program from the ground up.

About the authors

Bill Gardner is an Assistant Professor at Marshall University. He is also a founding member of the Security Awareness Training Framework, which will be a prime target audience for this book.

Valerie Thomas is a Senior Information Security Consultant for Securicon that specializes in social engineering and physical penetration testing. She led information security assessments for the Defense Information Systems Agency (DISA) before joining private industry.

Inside the book

The fact that the human element is more often then not the weakest link in the infosec chain is rarely disputed, and often exploited by cyber attackers. Social engineering their way into a system, network or building has become the preferred first stage of the actual attack (if you don’t count reconnaissance).

For this reason, investing in infosec awareness training is always a good idea, and especially when one considers the fallout of a potential breach. But the question remains how to create a good program and execute it well.

In this book, the authors point out the benefits of setting up such a program, and note that getting the management to approve and support it is the first and most important step. After explaining the attackers’ different motivations and addressing the issue of the cost of data breaches, they dedicated a chapter to past high-profile targeted attacks (Aurora, Shady RAT, attacks perpetrated by Anonymous members, etc.). They didn’t go into much detail, but enough to allow novices to get an idea of what a targeted attack usually consists of.

The authors explain the various ways everyone in an organization is responsible for security, why current security awareness programs often fail, and which changes are needed.

Different types of social engineering attacks are presented and dissected in an extensive chapter, in which then a step-by-step process that includes the determination of exposure, evaluation of defenses, the approach to the education of employees, and the design and execution of a program is delineated. Physical security also gets a chapter and the same “treatment”.

There are many different training material delivery methods that can be used and, accordingly, different types of training, both formal and informal. Which one(s) is best to use depends on the specifics of your organization, and the authors did a good job explaining the advantages and disadvantages of each.

The issue of how often the training will be executed is also addressed, and helpful examples of training cycles are presented. A chapter is also dedicated to the creating of simulated phishing attacks (how, which tools, who will perform them, which for they will take, etc.).

Chapter 12 is crucial to bring the whole thing together – planning, budget, cost, promotion – and provides three sample plans based on low, moderate, and high budget amounts. Of course, these samples can be changed to fit everyone’s needs.

Finally, the very important questions of how to create usable metrics and measure the effectiveness of an implemented program are answered, and the book ends with “Stories from the front lines,” Q&As with eight infosec professionals about their experiences with setting up a security awareness program for their companies and educational organizations. This chapter serves as sort of a repeat of all the things the reader has learned by this point, and the material is delivered in a very memorable way.

Final thoughts

I have been reading about this subject for a while now and, in my modest opinion, this is one of the best books out there covering it. While the first part of the book mostly covers information that will surely be known to most infosec practitioners, every chapter holds some additional, practical information about each topic.

In a way, the authors have eased into the subject slowly, but with an obvious purpose, and when you reach the later chapters where the actual designing of the plan, choosing of the training, and executing it is addressed, the reader is ready to take all the information in. I especially loved the last chapter.

Don't miss