Too frequently, discussions about improving security center around technology--from patch management to security template deployment. In my experience, the biggest security-related Return on Investment (ROI) comes from end user and administrator training and education. The bad news, of course, is that people are more difficult to configure than software. The good news is that well-trained and educated users and administrators are the single most effective security measure an organization can possess. I've seen the following three methods succeed for security training and education, and companies could extend these methods to other IT areas. Each method has different costs and organization buy-in levels.
Inexpensive: Posters and Propaganda
People are busy, and classroom training is expensive and often forgotten after the class ends. These are valid criticisms of traditional instructor-led training and education. As alternatives, posters and propaganda can be inexpensive yet effective training vehicles if appropriately used. When creating posters, be sure to include the following elements:
- Trigger--the key word or symbol that attracts attention to your poster (e.g., Attention or Warning). Don't overstate the trigger.
- Source--describes the poster's subject. For security training, the source will likely illustrate the vulnerability or threat about which you want to educate users.
- Consequence--informs the viewer what will happen as a result of inaction or compliance with the directions provided. The consequence should be easily understood and accurate. Avoid scaring people.
- Direction--tells the person viewing the poster what he or she needs to do to avoid or comply with the consequence. The directions should be simple and should provide examples if appropriate.
I've successfully used posters to educate users about creating strong passwords. Figure 1, shows a sample password-education poster.
Hang posters in areas where users and administrators spend idle time, such as near elevators and in break rooms, copy rooms, and other common areas. Laminated one-page tip sheets and window decals are also effective propaganda media. Even with professional printing services, you can create this type of training for less than $500. Although compliance that calls for self-directed action isn't ideal (it's often difficult to enforce and to evaluate the outcome), by measuring the change in behavior (e.g., password changes) that the poster calls for, you'll get some idea of your organization's security health and the training's ROI. For example, if you used the poster in Figure 1 and later found that 20 percent of the organization's 6000 employees changed their password in the week after the posters appeared, the approximate immediate ROI would be successful completion of the training for less than $0.42 per employee in the 20 percent subset ($500 / 1200 employees). Although exact calculations are more complicated, this example gives you a general idea of how to calculate the ROI for successful training completion.
Moderately Expensive: The Film Festival
Last year, Microsoft's MSN division hosted the MSN Privacy and Security Film Festival. Over 3 nights, staff members showed three feature films in general release that covered different areas of information privacy and security. A panel of internal and external subject matter experts discussed the privacy and security concerns in each film. The experts talked about which aspects of the film were accurate, which were unrealistic, and how the circumstances of the film might be present in the MSN division.
The idea was to create a safe environment in which to start conversations about privacy and security within the business unit. Many attendees found it easier to analyze privacy and security holes in the film than in their networks; analyzing the film didn't invite recrimination from the division's systems administrators. The expert panel did an excellent job of relating the events in the films to MSN's network and services. (For the record, the three films shown were: Sneakers, Minority Report, and Enemy of the State.)
The key to such an educational effort is to ensure that attendees integrate what they learn from the film and the expert panel into improving, in this case, security and privacy in their job role. If nothing else, the film festival is an excellent way to drive awareness and dispel myths. The cost of this type of an event will vary depending on the number of attendees, whether you pay the experts an honorarium, and the costs of renting equipment or facilities if needed, but in general is less than $1000.
Expensive: The Contest
During a presentation about the value of security training, one company's CIO offered this challenge: How would I provide security training to his entire company on an annual budget of $60,000 with only one or two people working part-time on the project. I responded that I would spend $15,000 to develop solid content about the most important security policies, $10,000 to develop a Web site and Web-based assessment tool, and $35,000 on a BMW.
After I nearly was laughed out of the room, I explained my idea. The BMW is the prize, completion of the assessment is how one becomes eligible for the prize, and the Web site holds the answers to the assessment questions. Employees must correctly answer 25 out of a pool of 100 scenario-based security questions. Each question would have a tip that links to the Web site, which of course contains the crucial information about the company's security policy.
To my surprise, the CIO took me up on my idea, although his company chose to give several smaller prizes, including a trip to Hawaii, a TV, and several gift certificates. He later told me the company had better than 97 percent compliance and anecdotal evidence of behavior change within a month of the contest rollout. The key to this education effort is to create a resource that people will use to respond to the assessment questions and to develop behavior-based scenario questions that target elements of the policy that the company most wants compliance with.
Previous
Register
