Internet Security Awareness Training Explained

Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT).

Even small and medium enterprises are generally recommended to provide such training, but organizations that need to comply with government regulations (e.g., the Gramm–Leach–Bliley Act, the Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Sarbox) normally require formal ISAT for annually for all employees.[1] Often such training is provided in the form of online courses.

ISAT, also referred to as Security Education, Training, and Awareness (SETA), organizations train and create awareness of information security management within their environment.[2] It is beneficial to organizations when employees are well trained and feel empowered to take important actions to protect themselves and organizational data. The SETA program target must be based on user roles within organizations and for positions that expose the organizations to increased risk levels, specialized courses must be required.

Coverage

There are general topics to cover for the training, but it is necessary for each organization to have a coverage strategy based on its needs, as this will ensure the training is practical and captures critical topics relevant to the organization. As the threat landscape changes very frequently, organizations should continuously review their training programs to ensure relevance with current trends.[3]

Topics covered in ISAT[4] include:

Being Internet Security Aware means you understand that there are people actively trying to steal data that is stored within your organization's computers. (This often focuses on user names and passwords, so that criminal elements can ultimately get access to bank accounts and other high-value IT assets.) That is why it is important to protect the assets of the organization and stop that from happening.[5]

The general scope should include topics such as password security, Email phishing, Social engineering, Mobile device security, Sensitive data security, and Business communications. In contrast, those requiring specialized knowledge are usually required to take technical and in-depth training courses.[2] Suppose an organization determines that it is best to use one of the available training tools on the market, it must ensure it sets objectives that the training can meet, including confirming the training will provide employees with the knowledge to understand risks and the behaviors needed in managing them, actions to take to prevent or detect security incidents, using language easily understandable by the trainees, and ensuring the pricing is reasonable.[6]

Organizations are recommended to base ISAT training content on employee roles and their culture; the policy should guide that training for all employees[7] and gave the following as examples of sources of reference materials:[8]

The training must focus on current threats specific to an organization and the impacts if that materializes as a result of user actions. Including practical examples and ways of dealing with scenarios help users know the appropriate measures to take. It is a good practice to periodically train customers of specific organizations on threats they face from people with malicious intentions.

Coverage strategy for SAT should be driven by an organization’s policy. It can help truly determine the level of depth of the training and where it should be conducted at a global level or business unit level, or a combination of both. A policy also empowers a responsible party within the organization to run the training.[2]

Importance

Employees are key in whether organizations are breached or not; there must be a policy on creating awareness and training them on emerging threats and actions to take in safeguarding sensitive information and reporting any observed unusual activity within the corporate environment.[9]

Research has shown that SAT has helped reduce cyber-attacks within organizations, especially when it comes to phishing, as trainees learned to identify these attack modes and give them the self-assurance to take action appropriately.[10]

There is an increase in phishing attacks, and it has become increasingly important for people to understand how to these attacks work, and the actions required to prevent these and SAT has shown a significant impact on the number of successful phishing attacks against organizations.[11]

Compliance Requirements

Various regulations and laws mandate SAT for organizations in specific industries, including the Gramm–Leach–Bliley Act (GLBA) for the financial services, the Federal Information Security Modernization Act of 2014 for federal agencies, and the European Union’s General Data Protection Regulation (GDPR).[12]

Federal Information Security Modernization Act

Employees and contractors in federal agencies are required to receive Security Awareness Training annually, and the program needs to address job-related information security risks linked that provide them with the knowledge to lessen security risks.[13]

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act has the Security Rule,[14] and Privacy Rule[14] requiring the creation of a security awareness training program and ensuring employees are trained accordingly.

Payment Card Industry Data Security Standard

The Payment Card Industry Security Standards Council, the governing council for stakeholders in the payment industry, formed by American Express, Discover, JCB International, MasterCard, and Visa that developed the DSS as a requirement for the payment industry.[8] Requirement 12.6 requires member organizations to institute a formal security awareness program. There is a published guide for organizations to adhere to when setting up the program.

US States Training Regulations

Some States mandate Security Awareness Training whiles other do not but simply recommend voluntary training. Among states that require the training for its employees include:

Training Techniques

Below are some common training techniques, even though some can be blended depending on the operating environment:[3]

Training should be conducted during on-boarding and at least annually for employees or other third parties with access to organizational information systems; the medium is either through face-to-face instruction or online, typically focusing on recognizing attack symptoms and safeguarding sensitive data using several security mechanisms, including passwords, encryption, and secure sessions.[32]

ISAT also teaches and refreshes the memory of participants on various present threats, emerging security threats, attack vectors, organizational policies related information security, and basic principles or norms to maintain security on the internet.

Organizations consider several options when it comes to training media to deliver the security awareness training to users, but research using learning theory, media richness theory, and cognitive load theory has shown that organizations do not need to invest heavily in highly-rich media as that does not lead to improved user behavior; the training content is most important.[33]

SAT services are often coupled with additional tools and services related to a company’s employees including:

See also

Notes and References

  1. Web site: Information Security Awareness Training (ISAT). 4 November 2019. University of Virginia.
  2. 2017-01-01. Security Education, Training, and Awareness. Computer and Information Security Handbook. en. 497–505. 10.1016/B978-0-12-803843-7.00033-8. Caballero. Albert. 9780128038437.
  3. Wilson. M. Hash. J. 2003. Building an Information Technology Security Awareness and Training Program. Gaithersburg, MD. 34. 10.6028/nist.sp.800-50.
  4. Web site: Content ISAT International Students Admissions Test ACER. 2021-03-13. isat.acer.org.
  5. Sharf. Elad. July 2016. Information exchanges: regulatory changes to the cyber-security industry after Brexit: Making security awareness training work. In Computer Fraud & Security. 7. 9–12. 10.1016/S1361-3723(16)30052-5.
  6. Book: Cooper, Michael H.. Proceedings of the 37th annual ACM SIGUCCS fall conference: Communication and collaboration . Information security training . 2009. 217. New York, New York, USA. ACM Press. 10.1145/1629501.1629541. 978-1-60558-477-5. 7117477.
  7. Web site: Cybersecurity Awareness Training for Beginners . awarego.com . 8 November 2022 . 5 June 2023.
  8. Web site: Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards. 2021-07-05. www.pcisecuritystandards.org.
  9. Payment Card Industry. Security Standards Council. (2014). Best Practices for implementing a Security Awareness Program.https://www.pcisecuritystandards.org/documents/PCI_DSS_V1.0_Best_Practices_for_Implementing_Security_Awareness_Program.pdf?agreement=true&time=1625443073856
  10. Tschakert. Kai Florian. Ngamsuriyaroj. Sudsanguan. Effectiveness of and user preferences for security awareness training methodologies. Heliyon. 2019. 5. 6. e02010. 10.1016/j.heliyon.2019.e02010. free . 2405-8440. 6606995. 31338464. 2019Heliy...502010T .
  11. Book: Carella. Anthony. Kotsoev. Murat. Truta. Traian Marius. 2017 IEEE International Conference on Big Data (Big Data) . Impact of security awareness training on phishing click-through rates . 2017. 4458–4466. IEEE. 10.1109/bigdata.2017.8258485. 978-1-5386-2715-0. 35766007.
  12. Haney. Julie. Lutters. Wayne. Security Awareness Training for the Workforce: Moving Beyond "Check-the-Box" Compliance. Computer. 2020. 53. 10. 91–95. 10.1109/MC.2020.3001959. 0018-9162. 8201414. 34131349.
  13. Web site: Federal Information Security Modernization Act CISA. 2021-07-27. www.cisa.gov.
  14. Web site: 2009-09-10. The Security Rule. 2021-07-05. hhs.gov. United States Office for Civil Rights. en.
  15. Web site: For State Employees - Colorado Governor's Office of Information Technology. 2021-07-27. www.oit.state.co.us.
  16. Web site: 13 FAM 301.1 Mandatory Security Training for All Department Employees. 2021-07-27. fam.state.gov.
  17. Web site: Statutes & Constitution :View Statutes : Online Sunshine. 2021-07-27. www.leg.state.fl.us.
  18. Web site: Bill Resource. 2021-07-27. custom.statenet.com.
  19. Web site: 2013-11-07. Cybersecurity Training for Cook County, Illinois, Employees. 2021-07-27. GovTech. en.
  20. Web site: Bill Resource. 2021-07-27. custom.statenet.com.
  21. Web site: Bill Resource. 2021-07-27. custom.statenet.com.
  22. Web site: 20-07 IT Security Policy. 2021-07-27. doit.maryland.gov.
  23. Web site: Security Training Resources. 2021-07-27. sitsd.mt.gov.
  24. Web site: NVeLearn. 2021-07-27. nvelearn.nv.gov.
  25. Web site: State Security Policies Standards & Procedures. 2021-07-27. it.nv.gov.
  26. Web site: Bill Resource. 2021-07-27. custom.statenet.com.
  27. Web site: State of Ohio Information Security and Privacy > Government > State Government > Security > Training and Awareness. 2021-07-27. infosec.ohio.gov.
  28. Web site: Cybersecurity for Commonwealth Agencies and Employees. 2021-07-27. Office of Administration. en-US.
  29. Web site: Certified Cybersecurity Training Programs, 154. 2021-07-27. dir.texas.gov.
  30. Web site: 2021 Security Awareness Training Division of Technology Services. 2021-07-27. dts.utah.gov.
  31. Web site: Bill Resource. 2021-07-27. custom.statenet.com.
  32. Book: Lincke, Susan. SECURITY PLANNING : an applied approach.. 2016. Springer International. 978-3-319-36560-2. 176–177. 1005117710.
  33. Book: Jenkins. Jeffrey L.. Durcikova. Alexandra. Burns. Mary B.. 2012 45th Hawaii International Conference on System Sciences . Forget the Fluff: Examining How Media Richness Influences the Impact of Information Security Training on Secure Behavior . https://ieeexplore.ieee.org/document/6149222. 2012. Maui, HI, USA. IEEE. 3288–3296. 10.1109/HICSS.2012.285. 978-1-4577-1925-7. 206705398.
  34. Web site: Mezquita. Ty. 2022-01-18. The Hidden Benefits of Awareness Training for MSPs. 2022-01-27. CyberHoot. en-US.