The purpose of IS Awareness is to change behaviour
The purpose of Information Security awareness is to change behaviour.
Policy can only do so much, and no matter how well written and communicated, it will always have gaps. Awareness helps to bridge those gaps by bringing people to understand the aims and objectives of security. Hopefully, with this understanding, they will follow not only the letter of policy but the spirit as well.
Awareness – and awareness training – is not the objective; it is just a step on the way to changing the way people behave.
Security Awareness should be part of a coherent, ongoing plan of teaching staff about the various aspects of Information Security. In fact, a well worked-out course will not only be more effective than a few disjointed episodes such as the occasional “lunch-and-learn”, but will also give the opportunity to develop themes and to explain not only the corporate policies but also how Information Security affects our everyday life.
Awareness courses and training do need to be broken out to address the differing needs of the various audiences, as well as covering the common ground.
Management needs to be presented with a strategic perspective on security, structured to help them understand their governance rôle. By contrast, IT staff need to get a grip on the technology and address many issues in greater depth. Other users may not need such aggressive or in-depth presentations, but the material they receive should focus on their job role and be relevant to their day-to-day activities.
Awareness Training “Good Practices”
- Provide the theoretical context – basic info about information security risks (threats, vulnerabilities, impacts)
- Provide the practical context – basic info on infosec incidents in the news, and ideally within the organization/closer to home
- Generate some motivation for change – draw out the key issues and start discussing possible responses (helps people rationalise and understand)
- Milk the motivation – use hooks such as personal accountability, compliance, good practices and ‘the business value of security’ to turn motivation into action
- Broaden perspectives – consider ‘information’ rather than ‘IT’ for a start! Also novel risks, business context, social context, personal context.
- Reinforce positive behaviours, but stay creative, topical and engaging enough to maintain interest over the long term [and thinking long term means we don’t need to try to address the whole information security field NOW! We can plan it out, build the foundations and work on whatever needs work whenever – see step 1].
- Measure and continuously improve the awareness program. Find out what works well and do more of it. Find out what doesn’t work so well and either change or stop it. Oh, and justify the investment.