September 2009
4 Information security awareness in financial organisations
Acknowledgments
Several parties supported and contributed directly or indirectly to this work in a number of ways.
The information includes contributions from members of the ENISA Virtual Working Group (VWG) on
"How to organise awareness raising programmes in financial organisations". This VWG and its
members are part of the ENISA Awareness Raising Community.
The initial publication drafted in 2008 was updated in 2009 with valuable insights from recognised
players in the financial institutions arena.
ENISA wishes to acknowledge and thank Mr. Thomas Schlienger of TreeSolution Consulting GmbH,
whose initial support and co-operation have influenced some prevailing aspects of this project, Ms.
Kate Dodds of Sai Global, Mr. Mathieu Gorge of VigiTrust, Mr. Jorge Pinto of Banco Credibom, Mr.
Thomas Schlienger, Ms. Paula Davis of Sai Global, Ms. Sissel Thomassen of InfoSecure, Mr. Stefan K.
Burau of Clariden Leu, Mr. David Prendergast from AIB Group, Mr. Mark Logsdon from Barclays Bank
and Mr. Jan Wessels from Rabobank for their prompt support, valuable input and material provided
for the compilation of this paper.
Finally, the author would also like to acknowledge Ms. Colette Hanley of Betfair, Ms. Isabel Milu of
Banco Credibom, Mr. Luke O'Connor of Zurich Financial Services and Ms. Tone Thingbø of Norges
Bank who contributed to this document with reviews, valuable insights, observations and
suggestions. The content would be incomplete and incorrect without their help.
Contents
ABOUT ENISA
ACKNOWLEDGMENTS (p. 4)
EXECUTIVE SUMMARY (p. 7)
PART 1: BUSINESS ENVIRONMENT AND MAIN DRIVERS (p. 9)
INTRODUCTION (p. 10)
PURPOSE (p. 11)
OBJECTIVES (p. 11)
AUDIENCES (p. 11)
BACKGROUND (p. 11)
FINANCIAL ORGANISATIONS: A DEFINITION (p. 12)
ASSESSMENT OF ENVIRONMENT AND MAIN DRIVERS (p. 12)
AN INTRODUCTION (p. 12)
REVIEW OF BUSINESS DRIVERS (p. 13)
Focus on the US – Latest news in Awareness Raising Requirements: ID Theft Red Flags Rules (p. 16)
The State of Banking Information Security 2008 - Survey executive overview (p. 16)
FINANCIAL ORGANISATIONS' CONCERNS (p. 17)
RISKS AND THREATS (p. 17)
AUDIENCE SEGMENTATION: A DEFINITION (p. 18)
Job functions (p. 18)
GEOGRAPHICAL LOCATION (p. 22)
MERGERS AND ACQUISITIONS (p. 22)
MULTICULTURAL ENVIRONMENT (p. 23)
MEDIA CHANNELS/METHOD OF DELIVERY (p. 23)
SCALABILITY (p. 26)
LANGUAGES (p. 26)
PART 2: AWARENESS RAISING PROGRAMMES (p. 30)
AWARENESS RAISING PROGRAMMES (p. 31)
ASSESSMENT (p. 31)
PLANNING AND DESIGNING PHASES (p. 32)
Approval from the board (p. 33)
Identify drivers (p. 33)
Identify requisites and needs (p. 34)
Design the programme (p. 35)
Review the design (p. 36)
IMPLEMENTATION PHASE (p. 36)
Build a platform for delivery (p. 36)
Assign project resources (p. 37)
Plan and execute the roll out (p. 38)
MEASURE THE SUCCESS AND IMPROVE THE PROGRAMME (p. 39)
PART 3: GUIDELINES FOR GOOD PRACTICE (p. 44)
GOOD PRACTICE GUIDELINES (p. 45)
RECOMMENDATIONS (p. 45)
CONCLUSIONS (p. 48)
REFERENCES AND SOURCES FOR FURTHER READING (p. 49)
Executive summary
This report targets decision-makers and staff involved in developing information security awareness
programmes in financial organisations, a sector which is increasingly threatened by information
security breaches. The average loss caused by theft of customer information is on the rise, as is the
cost of responding to security incidents. Security breaches in financial organisations not only damage
reputation but also cause heavy financial losses, which can be difficult to recover from.
According to the 2008 report of the UK Financial Services Authority (FSA), financial services firms
could significantly improve their controls to prevent data loss or theft. Moreover, employees are now
considered the single most likely cause of security incidents as confirmed by many international
surveys including the 2007 Global State of Security and the 2008 BERR survey. Technical solutions
are no longer the panacea that they might have been in the past. The effort to mitigate the security
risks evolving around the human element is growing, and constitutes an important financial
commitment for any organisation.
The objectives of this publication are to explain the importance of information security awareness in
financial organisations, to analyse the environment and the business drivers which may impact such
programmes, and to provide a communication framework to better organise an awareness
initiative. Case studies and recommendations are given to help as a starting point for the awareness
raising professionals and teams.
The first part of the report is an assessment of the environment of financial organisations and their
main business drivers. In these environments, information security awareness must integrate with
the ongoing information security and compliance requirements set by legal and industry mandates.
It is extremely challenging to run information security awareness training initiatives and at the same
time ensure business continuity and disaster recovery in such a demanding operational environment.
This is because the flow of data, apart from requiring high levels of protection, cannot be stopped or
reduced even for short periods of time in this type of business.
The paper then focuses on the landscape of international standards, fundamental legislation in place
and certification objectives together with major risks, threats and end-user behaviour with regard to
information security. Several parameters define the awareness strategy to be followed in addition to
those mentioned above, such as audience segmentation, roles and job functions, geographical
location, multiculturalism and so forth.
The second part covers the different phases of implementation of awareness raising programmes in
financial organisations and the assessment of results. To ensure that information security awareness
corresponds to the objectives of a financial institution, it should be a continuing and ever-evolving
process. Factors to be taken into account in the planning, design and implementation phases are
presented in this chapter together with tools for measuring the success of awareness raising
initiatives.
The third part includes practical advice, recommendations and case studies provided by a number of
private organisations. It is worth noting that the paper was updated in 2009 after receiving valuable
feedback and case studies of large national and international financial institutions.
ENISA hopes that this paper will provide financial organisations with a valuable tool to improve
understanding of the importance of data loss and prepare and implement awareness raising and
training programmes. Providing information security awareness is a huge challenge in itself for any
company; awareness raising in this targeted industry sector is an important first step towards
meeting that challenge.
Introduction
Governments and regulators have attempted to address information security threats through the
implementation of a range of legislation and regulation such as the Data Privacy laws, Computer
Misuse laws, Sarbanes Oxley and so forth.
Failure to ensure the appropriate use and adequate protection of an organisation's information
assets may well result in a breach of one or more of these requirements and may also result in
adverse publicity relating to the misuse of information or resources, with an associated potential
loss of consumer and shareholder confidence. Penalties are increasingly draconian and varied in
form; for example, SOX fines can be up to $15m with accompanying actions against company officers,
and Basel II has the potential to result in increased capital adequacy requirements with costly
implications for profitability.
Most security risks are driven in practice by the lack of a well-defined and managed information
security culture, with errors and breaches frequently caused by human error and a failure to follow
procedure. The UK Department for Business, Enterprise and Regulatory Reform (BERR) reported in
their 2008 Information Security Breaches Survey that 47% of UK large businesses suffered from staff
misuse of information systems (1).
In 2007 the Financial Crime and Intelligence Division (FCID) of the Financial Services Authority in
the UK handled 187 financial crime cases, of which 56 involved data loss. Due to the nature of their
business, mismanagement of data security could constitute a significant risk to financial
organisations. They generally hold large volumes of personal and financial data about their
customers, such as names, addresses, dates of birth, bank account details, transaction records,
PINs, national insurance numbers and so on (2). Safeguarding this personal and financial data is a
key responsibility of the financial services industry.
Additional technology alone will not solve these issues; a more holistic approach is needed that
incorporates behaviour and culture, as well as technology. While policies and technical controls are
certainly a critical part of any information security (IS) programme, these measures alone cannot
deliver sufficient assurance that information is protected in practice. In order to be effective,
information security awareness programmes are reliant on the actions of individuals within the
organisation. Employees are, of course, the real perimeter of the organisation's network and their
behaviour is a vital aspect of the total security picture.
(1) BERR, 2008 Information Security Breaches Survey, 2008, available at http://www.security-survey.gov.uk
(last visited on 22 July 2008).
(2) Financial Services Authority, Data Security in Financial Services, United Kingdom, April 2008.
Research and analysis conducted by ENISA suggest that effective employee awareness, where
employees not only understand their obligations but routinely act upon them, is one of the most
effective ways of managing the information security risk faced by any large organisation today.
Purpose
ENISA considers the poor state of data security to be a serious and widespread issue. It recognises
that effective employee awareness for managing information security risks is crucial, especially
within financial organisations. This white paper aims to provide an introduction to the importance of
information security in this specific industry sector. It also aims to provide valuable tips on
preparing and implementing information security awareness initiatives.
Objectives
Audiences
This white paper is for use by staff and decision-makers in financial organisations, when
undertaking information security awareness raising programmes. It also seeks to raise awareness of
the importance and criticality of endorsing information security awareness within their organisation.
Background
The Awareness Raising (AR) Community is a subscription-free community open to experts who have
an interest in raising information security awareness within their organisations. The AR Community
was launched in February 2008 and is designed to engage with the Awareness Raising Section of
ENISA in its mission to foster a culture of information security — with the aim of supporting the
Section in its activities.
Contributors to this paper offer a diverse range of skills, and knowledge, as well as differing
interests, a range of areas of expertise and a variety of business priorities. Their combined analysis
allows the AR Community to play a key role in the exchange of information security good practice
across Europe.
Being a point of contact for matters related to information security awareness, the AR Community
invited members to take part in Virtual Working Groups (VWG) to explore in further detail relevant
topics aiming at producing white papers.
This paper relies on studies and analyses conducted by the ENISA VWG "How to organise awareness
raising programmes in financial organisations", ENISA staff and through information that is publicly
available or has been supplied to ENISA by appropriate organisations.
We refer to financial organisations in a generic way to indicate retail and wholesale banks,
investment firms, insurance companies (life and general), financial advisers, credit unions and
payment service providers of any size.
There has been much talk of information security incidents and data breaches in financial
organisations in the last year. Of course, most of us will have focused our discussion on the banks as
they are the centrepiece of the financial world. However it is worth noting that due to the current
regulatory climate, all financial organisations are currently reviewing their approach towards
information security and especially towards security education for staff at all levels of seniority. This
phenomenon includes credit card associations, merchants from the retail industry, payment service
providers as well as insurance organisations.
These actors of the financial world are subject to multiple legal and industry frameworks regulating
how they should educate staff on dealing with information and how to protect sensitive information.
Whilst some frameworks offer clear guidelines as to why, how and how often information security
education must take place, others remain vague. Financial organisations must all consider the
following important questions:
What legal and industry frameworks apply to my financial organisation and to our way of doing business?
Does our current information security strategy allow the organisation to take a pro-active approach towards security in order to meet compliance requirements as well as industry security mandates?
How do our information security awareness programmes and staff education initiatives compare with the demands of financial industry best practices?
Is information security awareness approved and fully endorsed by senior management?
Has information security awareness been positioned as a business enabler and, if not, how can my organisation turn information security awareness initiatives from a cost centre to a return on investment and productivity enhancement tool?
nevertheless, be part of an ongoing security and compliance process: education first, then
remediation and, where applicable, official accreditation/compliance and, finally, accreditation
maintenance through ongoing information security awareness initiatives. Maintaining this iterative
process is very important for financial markets as they are fundamental to the world's critical
infrastructure (CI) and therefore much scrutinised by consumers, businesses and Governments.
The financial industry is typically governed by two types of mandates: legal mandates and industry
frameworks. Whilst there is some level of convergence between both elements, such that compliance
with industry guidelines may become a legal requirement, most financial legal frameworks are
independent of industry frameworks that regulate the design, development and implementation of
information security awareness initiatives in financial institutions. Notwithstanding this aspect, one
should however note that in the last five years the industry has clearly seen common objectives
between legal and industry frameworks emerge with regard to information security for financial
institutions. This is due to the fact that the number of identity theft incidents has soared and major
breaches have occurred primarily in the UK and in the US. This is relevant as these two countries
are the key global financial centres and have, as a consequence, been leading the way in developing
legislation and regulation to tackle these problems. In addition, the requirement to notify security
breaches has been imposed in many jurisdictions worldwide and is becoming the norm across the
globe. For instance, the concept of Senate Bill 1386 in California (SB 1386), which details when and
how consumers, authorities and the media need to be notified of data breaches, was used as a model
for similar state legislation in the US, where over 40 states now have notification laws. A number of
countries in the EU, including the UK and Ireland, are exploring similar avenues. This is important
to note because if notification of security breaches becomes a legal requirement, then more effort is
likely to be devoted to preventing breaches in the first place. This also means that all staff within
financial institutions will need to become all the more aware of information security threats and
will require formal education in the risks associated with processing financial data.
The main driver for compliance with legislation and industry mandates is the fear of penalties and
prosecution for failure to comply (which may involve civil or criminal law suits). Whilst there are
rarely any direct financial or legal ("safe harbour" type) rewards for compliance, it can result in
reduced insurance costs in some cases.
are making use of industry frameworks to protect sensitive data and ensure continuity of operations
within this ecosystem. Technically, this is achieved by focusing on reducing legal exposure,
protecting public relations and the reputation of the brand by protecting consumer financial assets
and the identity of each individual customer.
The Payment Card Industry Data Security Standard (PCI DSS) is probably one of very few security
standards which actually dedicate a full control objective to information security awareness training
(requirement 12.6). It includes requirements for information security awareness programmes and
touches on multiple layers of the financial organisations industry, from the card associations to other
entities such as the acquiring banks, payment service providers, merchants and any third party in
this chain which might store, process or transmit credit card information. As such, compliance with
the requirements of PCI DSS will be expected from most high street retailers as well as any corner
shop able to take credit card payments. The standard applies to all entities worldwide. It consists of
12 high-level requirements, each associated with a set of policy, procedure, technical control and
skills transfer requirements. Requirement 12.6 states that an entity "needs to implement a formal
security awareness programme, and educate employees upon hire at least once annually on the
importance of cardholder data security". It also covers how compliance with the rule is to be checked
for the most stringent level of PCI DSS (level 1), which requires an annual on-site audit to be
performed by Qualified Security Assessors (QSAs). An entity "needs to be able to demonstrate
through training records that all staff in scope have been trained. In addition, you need to be able to
produce the security awareness material and show that it has been updated on a regular basis to
reflect changes in your own cardholder data environment as well as new requirements within the
standard". From a more holistic perspective, all entities are responsible for raising awareness levels
of those downstream in the PCI chain, such that acquiring banks are responsible for promoting the
standard to all of their merchants, which in itself requires a security awareness raising project.
ISO/IEC 27001, the international standard for information security originating from BS7799, and
complemented by ISO/IEC 27002 and 27005, is also gaining traction and includes a provision for
information security awareness programmes. Although the ISO/IEC 27001 framework can be applied
to any organisation, it is not unusual to see financial organisations use it as a benchmark for good
information security practices with a view to complying with a wide range of legal and regulatory
frameworks, including PCI DSS (note: the UK Post Office delivered a presentation at a recent PCI
DSS seminar stating how they used ISO/IEC 27001 as the basis for PCI DSS compliance, since
implementing an information security management system (ISMS) will go some way to cover a large
number of PCI DSS compliance requirements).
At a more fundamental level, whilst some of the newer members are still refining their data
protection and retention regimes, the European Directive on Data Protection of 1995 has been
adopted in most EU countries. Whether you consider, for example, the Irish Data Protection Act, the
UK Data Protection Act, the Portuguese Data Protection Law, the German Datenschutzgesetz or the
French Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés,
most European legal frameworks governing data protection include clauses whereby organisations
are required to "take appropriate security measures to safeguard the good name of the company, its
employees, affiliates and customers" and insist on protecting "key data including any financial
information" it may hold (3). The means recommended for achieving that goal is security awareness
programmes.
In Ireland, this has been very well communicated by the Office of the Data Protection Commissioner.
A number of banks and insurance organisations have registered with the Office and developed
security awareness programmes for staff and even for their customers, the end-consumers. Some
banks, such as Ulster Bank, have rolled out basic education programmes for their merchants to help
them with PCI compliance whilst others are actively engaging with employees in a bid to raise
security awareness levels.
(3) Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the
free movement of such data, OJ L 281 of 23.11.1995. Also in the Irish Data Protection (Amendment) Act 2003,
Article 2 "(a) "personal data" shall mean any information relating to an identified or identifiable natural person
("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by
reference to an identification number or to one or more factors specific to his physical, physiological, mental,
economic, cultural or social identity", available at http://www.dataprotection.ie/documents/legal/act2003.pdf.
Traditionally, financial institutions have always tended to be ahead of the game with regard to
information security awareness programmes, along with some government institutions, the IT and
pharmaceutical sectors. However, initiatives have remained focused around ad hoc training
seminars dealing with fraud and identity theft or on social engineering. This type of effort is no
longer sufficient (if it ever was) to meet legal and industry mandates or to reassure consumers.
Consumers expect that their financial information is kept safe as a matter of course and that their
financial assets are protected even in the event of a network information security breach suffered
by the bank. In other words, whilst consumers may not fully understand the ramifications and
demands of putting in place security strategies, controls and safeguards, they still expect financial
institutions to protect the money they have entrusted to them. This is called trust.
Financial institutions have to provide a controlled and secure environment for consumers. However,
there are noticeable regional and industry variations in the way legal and industry frameworks
mandating information security awareness training are applied to the target "markets" of a given
financial institution. This is often a major challenge for large international financial organisations,
which must understand the local regional legal mandates in order to incorporate them into a wider
corporate information security awareness strategy which will allow them to ensure that internal
corporate security standards are met whilst remaining compliant with national and country-specific
legal requirements.
Best practice to develop such an awareness strategy within financial organisations usually involves
several steps:
Step 1 – Categorise the business into country/zones subject to similar legislations and
industry frameworks in order to make the project more manageable.
Step 2 – Identify data protection and data retention frameworks applying to each category.
Step 3 – Define a full specification for information security awareness mandates for each
category.
Step 4 – Perform a gap analysis against existing awareness programmes and update
programmes to address legal/industry mandates.
Step 5 – Deliver updated programme to all categories.
Step 6 – Make steps 1 to 5 an ongoing process subject to annual reviews (at least).
The development of such strategies and programmes takes it as given that an Acceptable Usage
Policy for corporate communications tools is in place and that a data classification schema has also
been approved by the board, governing what constitutes confidential, sensitive and public data for
the financial organisation.
Most financial institutions will include key topics in their programmes: protection of personal data,
details of monitoring techniques used by the organisation (which is a requirement under the EU Data
Protection Directive), and guidelines for data transfer (such as from EU to US). Attention may also
be given to notification mechanisms whereby notification for incidents taking place in the US will be
mandatory and notification in the EU will be internal to the security team first. The team will then
work with the local data protection enforcers to ensure they notify when required.
Financial organisations are also typically good at measuring success rates of information security
awareness programmes. They tend to use matrix-based measurements which include reach (has the
organisation reached out to all its staff across all territories?), understanding (has the target
audience fully understood what is required of them, why and how to improve security?) as well as
behavioural change (ensuring that bad security habits are no longer in use and that all staff are fully
security aware).
It is also worth considering the fact that most large financial organisations are in a position to take a
holistic approach towards information security awareness. Senior decision makers who must become
involved in this process remain the prime point of contact/target for government and industry
framework enforcers and as such will want to foster a culture of information security using the
measurable and long term vision for information security awareness described above. This means
that they will be looking to ensure that the programmes are sustainable (i.e. a long term programme
that will evolve as the financial organisation's business model may change and reflect on emerging
threats as well as new legal and industry mandates), consistent (always and fairly applied to all staff
regardless of seniority or rank), efficient (measured for effectiveness and improved on an ongoing
basis) and transparent (fully communicated to all staff, including penalties for non-compliance with
information security requirements as detailed in the awareness programme).
Focus on the US – Latest news in Awareness Raising Requirements: ID Theft Red Flags Rules
According to the 2008 State of Banking Information Security survey, customer education remains
insufficient (5). The survey argues that "To secure this trust, they must demonstrate proactive
efforts to educate customers about online banking safety and the risks of identity theft – including
phishing, which occurs via email and telephones outside of the institutions, but still can cause untold
damage and erode customer confidence".
(4) See McGlasson, Linda, 'ID Theft Red Flags Rule: How to Help Your Business Customers Comply',
BankInfoSecurity.com, 8 September 2008,
http://www.bankinfosecurity.com/articles.php?art_id=960andrf=090908eb
This shows that education and awareness raising for financial organisations needs to be carried out
internally as well as externally to foster a platform of trust and allow for compliance and governance
mandates to be adhered to on a pro-active basis.
Following the research and analysis conducted by ENISA it was possible to identify some of the
major corporate concerns relating to data security.
Market confidence: maintaining confidence in the financial system (6).
Consumer protection and awareness: data loss could have a significant impact on individuals.
Data leakage: to limit data leakage, organisations could, for example, establish information security policies and regulate the use of mobile devices.
Lost data and support costs: an information security policy could help financial organisations recuperate stolen or lost data, which can occur even when security measures are in place, decreasing the costs of ownership and support.
Challenges of complying with regulatory and security standards: having enterprises take care of data security will help in complying with the three aspects of information security (confidentiality, availability and integrity) and with security standards and/or compliance frameworks (such as ISO/IEC 27001, PCI DSS and so forth).
Reduction of financial crime.
Given the structure of financial organisations, the procedures they are required to follow, the
frequent use of third parties to provide specialised services (for sending bulk mailings, providing IT
services and so forth) and the ability to access, store and transmit sensitive information quickly,
easily and efficiently, the number of possible risks and threats is almost infinite. The following can be
identified.
Data leakage (7): it is not possible to estimate the effects of valuable data leaking out of an organisation, but the problem is growing.
Information loss: when sensitive information (for instance customer and/or employee data) falls into the wrong hands, it is most likely kept and eventually re-used for personal purposes, even when marked as confidential. This can possibly result in legal liability.
Information confidentiality: when information falls into the wrong hands, the financial institution suffers a much greater loss than simply the replacement of the cost of, for
(5) See ‘The State of Banking Information Security 2008 - Survey Executive Overview’, BankInfoSecurity.com,
available at http://www.bankinfosecurity.com/whitepapers.php?wp_id=143 (last visited 20 November 2008).
(6) Financial Services Authority, Data Security in Financial Services, United Kingdom, April 2008.
(7) Heiser, Jay, Understanding data leakage, Gartner, 21 August 2007; ‘Data-leak security proves to be too hard
to use’, Infoworld.com, available at http://www.infoworld.com/article/08/03/06/10NF-data-loss-prevention-
problem_1.html (last visited on 2 June 2008).
A large part of the planning of a training and awareness campaign in an organisation is to ensure
that the programme is delivered efficiently and effectively and that the content is easily understood.
It must be in a format everybody can understand.
Job functions
Staff need to be divided into target groups depending on job function. Each target group will have
different requirements for training and awareness. Applicable content needs to be arranged in
modules and delivered efficiently. Their availability and place of work (i.e. mobile workers, home
workers and so on) must be considered when defining the content.
To allow a targeted training programme, it is necessary to group people into different job
functions/target groups and define the business risks for the different target groups to enable
appropriate training.
When designing an awareness programme, it is imperative that all the roles are clearly defined and
matched to information security topics. The tables below provide a list of roles with a description of
each, and a sample model with the roles down the left-hand side and, across the top, the
information security topics of which they may need to be aware:
Role Description
Senior Executives: Need to be aware of information governance issues as well as the legal frameworks, risks and liabilities (including personal liabilities). They are typically time-poor and unwilling to undertake the same awareness activities as the general population. Short and highly focused awareness activities are best, with clear links between information security and the protection of the organisation’s reputation.
Clerical and administrative staff in back office and support functions: These employees often work to strict transaction processing schedules and targets. Careful consideration may need to be given to the organisation and scheduling of training in these areas. It is important to liaise with managers regarding the scheduling of training, and facilitated group training sessions may not be appropriate as there would be too big an impact on ‘business as usual’. Most staff in these areas do not work outside of the office and do not make extensive use of portable devices. This narrows the range of information security topics that need to be covered and, therefore, reduces the duration of the overall training requirement.
Call centre staff: As with clerical and administrative staff, the scheduling of training is likely to be critical in a call centre environment where prompt response to customer calls is of prime importance. Again, liaison with call centre management will be important. Again, most staff in these areas don’t work outside of the office and do not make extensive use of portable devices, thus reducing the scope of the training requirement. Data protection and confidentiality, as well as awareness of social engineering, are, however, likely to be vital.
Branch staff for retail financial services: Many employees in branches do not have access to their own dedicated workstation and in some retail banks tellers do not even have intranet access. Access to technology-based training is often via shared PCs or managers’ PCs and, therefore, requires careful scheduling in order to maintain service levels whilst achieving training objectives. In retail banking, it is also common for more geographically remote branches to have limited bandwidth and challenges accessing the corporate intranet; consideration may, therefore, need to be given to optimising delivery of web-based training for this environment.
Sales staff and remote workers: These employees are likely to access the corporate intranet remotely from portable computing devices. They have some particular training needs over and above those in the general population, including:
Information security out of the office (security of mobile devices and so on)
Remote access procedures
Travel security.
Investment banking: Investment banks tend to have performance and compensation-orientated cultures. Presenting the rationale for the training is critical in this group. It is also important to ensure that the training is of the minimum duration possible, that it can be studied in manageable chunks and that the training can be bookmarked so that learners can return to the point where they left the training without needing to repeat any content. Senior management sponsorship from within the business unit is typically critical for the success of an information security training programme within this audience group.
Marketing: Marketing personnel are in charge of public relations as well as the institution’s image. They need to know what types of information they can and cannot use, whether preparing a campaign or interfacing with the media in case of an incident.
IT Staff: IT staff should be made aware of the organisation’s security strategy and what types of controls are mandatory, as well as what type of evidence needs to be generated in order to ensure compliance.
Some of the information security topics mentioned below may vary for each role depending on the
policies of the financial organisation. A bank may permit home working for certain clerical staff, for
example. Thus there could be variations in policy that would change the awareness required by that
role.
Also, certain topics may be broken down into subsections (“handling customer data” is an important
subset of handling sensitive information and may be worthy of its own section) or topics may
intersect with other topics (“equipment security” would be present in “mobile working” awareness,
for instance).
Figure 2: Roles matched to security topics. Illustrative only.
(Matrix: roles across the top, information security topics down the left-hand side; the individual cell markings are not reproduced here.)
Roles: Senior Executives; Clerical & administrative staff in back office and support functions; Call centre staff; Branch staff for retail financial services; Sales staff & remote workers; Investment banking; Marketing; IT Staff.
Topics: Physical security; Workplace security (for example office, branch and so forth); Equipment security; Internal controls; Recognising & reporting security breaches; Privacy; Business continuity; Mandatory regulations; Data protection & privacy; Retention, storage & disposal of sensitive information; Handling customer data; Portable devices; Removable media; Software (licensing); Passwords; Back ups; Malicious code; Mobile & home working; Use of Internet & Email; Third parties (i.e. vendors & visitors); Social engineering.
Geographical location
The awareness programme must be constructed to meet the challenges associated with acquisitions
and mergers. Programme design must be modular to prevent having to change large portions of
content while exploiting opportunities to improve the programme overall. The following should be
taken into consideration:
Different company cultures: the company may have a variety of cultures and the content may have to be adapted slightly to cater for new requirements.
New companies/other processes/other business risks: the risk profile may change because of a business merger, and parts of the awareness content may need to be changed or amended.
Company profile: intranet style and logos may change. The awareness programme must be sufficiently flexible to adapt content to the new company profile.
Management: the awareness programme must be acceptable to new senior and line management. It is, therefore, important that a message from the board accompanies the programme, showing senior management commitment and stakeholder commitment to it.
Multicultural environment
The media channels and method of delivery, as well as the message and its sender, must be
influential and credible. Otherwise the target group may be less inclined to listen. To engage the
audience successfully, more than one communication channel must be used.
The following section details some of the main media channels and methods of delivery available to
help raise users’ awareness as part of an information security related initiative. Moreover, it suggests
using a blend of approaches:
Targeted modular training: see Audience segmentation above. It is important that the
awareness programme is built up using individual modules. This will allow appropriate
training to be given to different target groups, while some of the content can be re-used
in different programmes.
Use of workshop/e-learning: experience with implementations shows that the best approach
for encouraging discussion, and subsequent adoption of the learning in the operational
environment, is to run departmental workshops so that the content of the awareness
programme can, under the line managers’ control, form part of a departmental work plan
developed during the workshop. This way the employees will have the opportunity to discuss the
local business risks and related awareness content with one another and the line manager at
their work place.
Use of e-learning has proven to be more effective where staff are physically located in
different areas and where e-learning is already in use within the organisation. The e-learning
version should support the workshop awareness programme using the same content to
ensure all employees throughout the organisation have a consistent level of information
security awareness training. E-learning has also proven to be effective where specific
training is required for defined target groups.
Use of different content: using a combination of film clips, right/wrong scenarios, learning
material, games and self-test questions has proven to be successful in delivering
information security awareness training. Showing film clips of incidents helps people to
associate rules with the more practical elements of their jobs. Where a lighter approach and
format is offered, people feel more relaxed and will not need a lot of additional learning
material in order to understand business risks, how to deal with incidents that happen and, more
importantly, how incidents can be prevented from happening in the first place.
Awareness vs. Training: Awareness is defined in NIST Special Publication 800-16 as
follows: “Awareness is not training. The purpose of awareness presentations is simply to focus
attention on security and understand why security is important. Awareness presentations are
intended to allow individuals to recognise IT security concerns and respond accordingly. In
awareness activities, the learner is the recipient of information, whereas the learner in a training
environment has a more active role. Awareness relies on reaching broad audiences with
attractive packaging techniques. Training is more formal, having a goal of building knowledge and
skills to facilitate the job performance” (9).

Investment bank - to change behaviours, training needs to be interactive
An investment bank explained that its primary objective is to achieve regulatory compliance in a
cost-effective way. This is not possible without the creation of clear policies that set out what
individuals should and should not do. Without this foundation, enforcement and discipline become
hard if things break down. The bank has, as far as possible, included information security points in
existing policies and training, rather than creating new ones. Policies themselves are not effective
unless staff understand them. The bank’s security team gives induction presentations to all new
joiners that explain the bank’s security policies. This face-to-face contact gives staff an opportunity
to discuss possible issues with the security team. Feedback from the training shows that interaction
is critical to challenging people’s attitudes and helping them learn. If people are asking questions,
they are thinking and considering the information. A room full of silent people is unlikely to be
learning much. Sharing war stories and relevant experiences helps staff see how security threats
might affect them.
The bank has found that induction training alone is not enough. It is important that staff receive
frequent reminders that reinforce key messages in a coherent way. Critical to this reinforcement has
been getting senior management to lead by example; they, rather than the security team, are the
best people to promote the importance of the messages.
The security team uses a variety of techniques to reinforce awareness messages on an ongoing
basis. Quizzes and prizes get a good response level from staff; they get people thinking, and are
well received within the business. Again, interaction with staff is vital. For example, posters that are
passive reminders and ultimately require no individual action are often ignored in practice. Intranet
articles and sites are good ways to promote messages to those that already actively use them.
However, for people who do not visit them (the majority of staff), they are not an effective
mechanism.
(9) NIST, Information technology security training requirements: A role- and performance-based model, NIST —
SP 800-16, USA, 1998, available at http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf (last visited on
21 July 2008).
Figure 3: Information security as second nature.
(Diagram: over time, moving from the current situation to the future situation, increased knowledge leads to a change in attitude and then to a change in behaviour; the vertical axis, labelled Security Awareness, runs from wrong to right, the horizontal axis is Time.)
Awareness programmes start with awareness, build eventually to training, and evolve into
education. They should be customised for the specific audience they are targeting. Thus it
will be very important to define the users who will attend both programmes. Different
methods could be used to define the target audience. ENISA developed a simple tool to
identify better a target group and capture the related data, as described in the section
“Define target group” (11).
(10) NIST, Information technology security training requirements: A role- and performance-based model, NIST —
SP 800-16, USA, 1998, available at http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf (last visited on
21 July 2008).
(11) Herold, Rebecca, Information security and privacy awareness program, Auerbach Publications, USA, 2005;
NIST, Building an information technology security awareness program, NIST — SP800-50, NIST, 2003, available
at http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf (last visited on 17 July 2008).
(Figure: Introduction programme. Level 1, the 6 Golden Rules (20-45 minutes): 1 Social engineering; 2 Privacy; 3 Information Classification; 4 Theft of laptops and PDAs; 5 Mobile working; 6 Security at home. Level 2, delivered over time: Information leakage; Social networking; Customer Information Protection; Travelling abroad; Digital Authentication.)
Scalability
The issue of scalability is fundamental to successfully reaching a growing global audience. It might
further encourage the modular approach to awareness (segmentation of the audience and the
message).
Languages
Getting a message through to people and making sure they understand the message presents
another challenge. The formal business language in a company may not be sufficient and understood
by all employees and the most effective way of delivering a workshop and e-learning content is to do
it in their local languages. Therefore it is very important to consider that in one geographical location
there may be several languages. The following should be taken into consideration:
Different languages within the same country
o One country – several languages
Different languages between countries
o International operations
Corporate language
Different variations of the same language
o For example business English vs. plain English
An insurance company explained why information security is important to their business. They collect,
store, and process significant amounts of financial, medical, and personal information. This information is
their number one asset; confidentiality breaches could put their reputation at risk, as well as exposing them
to harmful litigation. Unfortunately, the threats (such as identity theft and scams) are rising; this makes
staff awareness vital.
The main challenge has been to develop an approach that is suitable for over 10,000 employees speaking
many different languages. To counteract this, the company engaged an external provider to help them build
suitable training plans and materials. To create the greatest impact with staff, training materials were
translated into the local mother tongues of the countries concerned.
There is a continual programme to adjust and promote the key messages. The objectives of this are to try
to change people’s behaviour and perception of risk. Numerous techniques are used to reach the audience,
since different people learn by different mechanisms.
The most effective technique has been face-to-face time with staff through workshops and training
sessions. Being able to put a face to a name or function is more personable and people are more receptive
to messages being face-to-face. The training is mandatory. Senior management actively support the
awareness schemes, making sure training events are at convenient times for the business and promoting
them to staff. There is good attendance at sessions since missing the events results in escalation to the
employee’s manager. This senior management support across the business has proved to be critical to the
success of the awareness programme.
Other non-interactive mechanisms, such as intranet articles, emails, posters and publications, are used to
reinforce important messages. However, it has proved difficult to gauge how many people have read or
understood the messages and people can easily ignore them. So, they are used as a complement to, rather
than a substitute for, classroom training.
The main measure of the impact of the awareness training is feedback and questionnaires completed on or
shortly after training sessions. This feedback gives a good insight into the impact of the training on the
individual. Generally this has been positive, with the vast majority saying that they have learned something
new and will try to change their behaviours.
Other ways to test awareness, such as checking the strength of passwords or mocking up social
engineering type situations to gauge responses, have been considered. However, these are not used, due
to concerns about dependence on other variables (such as the mood of the person), privacy and
entrapment.
The company is now focused on ensuring that training continues to engage people; e-learning modules are
being developed to add variety. A continual process is underway to enhance the relevance of the material
to staff, so they can see the benefits and understand the risks more clearly.
In response to recent incidents that have attracted national and international press attention steps were
taken to initiate a Group wide global Privacy Program and to improve the general Information Risk
Management (IRM) awareness material.
The Programme goal is to move the bank to a position where it can actively demonstrate its compliance to
privacy laws and regulations and proactively manage its privacy risk profile. This includes producing
materials for measurable awareness and training campaigns, and developing a two-year communications
plan for each Business Unit.
A critical success factor was to ensure that they could effectively communicate privacy messages to more
than 150,000 staff to drive cultural change across the Group. To achieve this they worked with an external
strategic communication agency, to create and release a global awareness campaign. The “Think Privacy”
campaign has been translated into multiple languages and distributed across the global business. Awareness
materials were used all over the Bank’s buildings, including in the toilets, lifts, on the security barriers, on
desks and being handed out on a 1-2-1 basis in lift lobbies, all carrying the key privacy messages.
To drive the adoption of the “Think Privacy” campaign the programme created a Training and Awareness
Toolkit. This toolkit acts as an implementation aid outlining the process for creating privacy messages,
planning a campaign, producing material and measuring the effectiveness of the campaign.
Measuring the effectiveness of the campaigns is key to the success of the programme. To ensure behavioural
change is taking place following the implementation of the new privacy practices they have used both pre
and post campaign surveys, focus groups and are monitoring the performance of privacy metrics. Early
results have confirmed a steep rise in awareness across the Group.
The IRM Awareness Raising campaign has three elements: a film, a mandated training package and an
awareness raising package for third party suppliers.
They already had produced an awareness film that had become dated so it was decided to produce a new film
that was fresh, innovative, and entertaining in order to keep the attention of the viewer whilst delivering the
key messages:
The new film, subtitled in 5 languages, and associated campaign materials were based around a “Corporate
Security Drama” and included references to a wide variety of film genres. These separate genres which the film
incorporated are viewable independently as modules on the Group’s Intranet, along with the main film, which
was also distributed on DVD.
A series of posters and e-shots were designed as film posters to reflect each genre and promote the issues
raised in that genre-specific film. These were released at various times and places to remind people about the
messages within the film and to direct people to their IRM Intranet site.
Building on the success of the film and the central character in it, a mandated computer based training (CBT)
package was created. It was more conservative in its approach, but was of the same length – 20 minutes - the
maximum length advised by e-learning experts. It is as interactive as possible in order to make the training
process a more enjoyable and effective experience when compared to the ‘click next’ type CBT packages. To
ensure consistency it uses very similar messages to those used in the film. The CBT is delivered to the desktop
via their Learning Management System.
Despite all this work they were acutely aware that there was a gap in their coverage, i.e. raising the IRM
awareness of third party suppliers. The team identified an opportunity to work with colleagues who interface
with third parties to create a CBT package that closes this gap.
The Group has identified a number of key learning points. In no particular order, these are their top 5:
Ensure your messages are simple and clear. Don’t over complicate them with technical jargon or assume technical knowledge. Your messages must be short, otherwise users won’t read them.
If possible, make your messages and the way you deliver them stand out from the ‘corporate crowd’. Avoid using colleagues in your material. At some point they’ll leave and date your material, and your audience will spend more time looking at them and less time on the actual message.
Identify, engage and manage your stakeholders early. Consider giving some thought to including those who could make the delivery of the project difficult in your stakeholder list. Persuade them to provide input and agree the messages.
Identify your delivery channels early and engage with the key stakeholders in those areas to avoid delays in delivering your product. Don’t make assumptions about technology and technology builds, especially in large companies.
Think holistically about your campaign. If making a film, consider producing other materials to support it and the messages it contains.
The first step is to analyse the actual information security awareness and culture and to identify the
main business drivers. If the culture does not fit with the organisation’s targets, the culture must be
changed. If it fits, it should be reinforced. The necessary controls such as an information security
training programme or an awareness campaign must be chosen (planning and design) and realised
(implementation). The success of the controls taken must then be evaluated and learning specified
(measuring success and programme improvement). The process is illustrated in Figure 5.
Figure 5: Overall Strategy for raising information security awareness in financial organisations.
(Diagram: a Plan-Do-Check-Act cycle with four numbered stages, 1. Design (Plan), 2. Implementation (Do), 3. Monitoring (Check) and 4. Improvement (Act), surrounded by the activities Assessment, Goals, Communication, Operation, Evaluation and Learning.)
Assessment
The need for information security awareness is widely recognised. In order to make a substantial
contribution to the field of information security and to choose the appropriate controls, it is
necessary to have a set of methods for its study. Despite the fact that information security
awareness and culture can be measured, not many financial organisations have tried to quantify the
value of awareness programmes.
(12) ENISA, A New Users’ Guide: How to Raise Information Security Awareness, 2008, available at
http://www.enisa.europa.eu/pdf/deliverables/new_ar_users_guide.pdf
According to Gartner, there are four main categories against which information security awareness
can be measured (13):
1. Process improvement (development, dissemination and deployment of recommended
information security guidelines as well as awareness training),
2. Attack resistance (recognition of information security event and resistance to an attack),
3. Efficiency and Effectiveness (efficiency and effectiveness with regard to information security
incidents),
4. Internal Protections (how well an individual is protected against potential threats).
In practice, a wide variety of instruments targeting these four categories are used today to assess
information security awareness, but there is little consensus on the most effective measures.
According to one ENISA study, the most popular source of information on actual behaviours is
internal or external audit (14). The research shows that many survey respondents use their
experience of information security incidents as a metric. Relatively few respondents find input
metrics (for example number of visitors to intranet site, number of leaflets distributed) helpful. The
most used measures of this type are the number of staff receiving training and qualitative feedback
from staff on the programme. Roughly a third of respondents used each of these metrics.
Given the ease with which process improvement measures can be captured, the number of
respondents using them is low. Organisations also appear to find it very difficult to put effective
quantitative metrics in place. For example, only one third of respondents included questions on
information security awareness in staff surveys. They then measure awareness levels before and
after initiatives take place. Respondents following this quantitative approach highlight issues with the
complexity of collecting and processing this data. Given a carefully designed and tested
questionnaire, a staff survey on information security awareness provides valuable insights into the
factors driving secure behaviour including leadership behaviour, know-how, attitude and motivation.
Some case studies report excellent results by using surveys in financial institutes (15).
Bearing in mind the difficulties in comprehending all human behaviour and culture, the use of a
combination of measurement tools and methods, as proposed by experts in organisational culture,
would seem advisable. These allow verification of the results obtained by other methods. The
financial organisations are thus able to pick the appropriate methods to assess their information
security culture.
A grounded analysis framework allows the financial organisation to systematically analyse its
information security culture, to quickly identify weaknesses and improvement actions and also to
prove progress when improving an information security culture.
When planning an information security awareness programme there are several factors which should
be taken into account. In this section we will look at the most important issues, why they are
important and how to deal with them.
(13) ENISA, Information security awareness initiatives: Current practice and the measurement of success, 2007,
available at http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf
(14) ENISA, Information security awareness initiatives: Current practice and the measurement of success, 2007,
available at http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf
(15) Schlienger, T. and Teufel, S., Tool supported Management of Information Security Culture: An application to a
Private Bank, The 20th IFIP International Information Security Conference (SEC 2005) - Security and Privacy in
the Age of Ubiquitous Computing, Makuhari Messe, Chiba, Japan, Kluwer Academic Press, 2007.
The most critical success factor in any project with organisation-wide focus is to obtain executive
commitment. This is one of the most powerful levers inside any organisation since executive support
not only provides funding, but also provides an example to all levels of the organisation.
Some control frameworks, like CobiT, also emphasise the need for user training and awareness.

The test results from the self-test are recorded and MIS is available to show overall participation and
the average scores achieved. It was decided not to measure individual results to avoid privacy concerns
across the different countries.

Other possible reasons for launching an awareness programme are changes in the institution's policies,
implementation of new systems, employee know-how, corporate values, audit findings, results from risk
analysis and so on.
It is important to remember that different areas of the organisation have different needs. The
programme manager should meet with top management in order to identify what kind of information
their employees should receive regarding information security. For example, if the employees are
not aware of the organisation's information security policy, that should be the first action of the
programme.
The drivers should be included in the programme so that there is good general awareness of why the
organisation is investing resources in the project.
There are different types of requisites, needs and constraints to be identified before programme
design.
Depending on the size of the institution, the project managers might want to look at different
geographical and cultural details, for instance country-specific laws and languages in the first case
and cultural values in the second case.
International Swiss private bank – Information security culture assessment & awareness
programme
Information Security (IS) is an important issue for private banks. A number of steps, such as staff
information and clear desk flyers, have been and are being taken to address and improve the quality of
information security. However, to ensure that the required level of security is maintained, staff training is
a vital part of this process.
The management has requested suggestions on steps that can be taken to implement a security awareness
programme and seeks assistance in a companywide rollout of this programme.
Firstly, the IS culture was assessed by means of a quantitative staff survey. Different subcultures were
identified, an effect of the merger that had created the company.
Secondly, countermeasures were defined in order to raise the maturity level of IS awareness. These
measures were realised within a global awareness programme.
For the successful realisation of this IS awareness programme two factors were essential: first that key
people from Marketing & Communications as well as from Human Resources were part of the project team;
second that the executive board members were fully committed. Indeed, these two factors were crucial for
the success of this IS awareness programme. In addition, it was important to use a unique IS awareness
brand. A unique branding was created for all communication measures such as the e-learning programme,
posters, flyers, management workshops and the intranet portal. The branding was represented by a photo
which was created thanks to the active cooperation of employees. It was a true eye-catcher: while it
represented the programme well, it also raised awareness of the project itself. Hence, the programme
was very well received by the staff.
As a next step it is planned to evaluate the outcome of the IS awareness programme through another
quantitative assessment. Furthermore, an IS awareness management process is going to be
installed to constantly optimise the IS awareness level at the bank.
The requisites and constraints relating to end users need to be identified and related to each other in
order to build more effective training curricula that align with the institutions' objectives. All these
points should be validated with the Human Resources department.
Once the information security awareness programme has been designed, it is time to present it to the
board and top management for review and final sign-off.
At this point, special care should be taken to show that the programme's objectives are directly
connected to the organisation's objectives and explicitly support them.
Implementation phase
This section of the report covers how to deploy a successful awareness campaign and considers:
Building a platform for delivery.
Assigning project resources.
Planning and executing the roll out.
One of the key challenges for any IS training project is the roll out, administration and management
of the various learning solutions that will ultimately make up the full awareness programme.
Most organisations that are seeking to deploy comprehensive and ongoing awareness solutions
implement a learning management system (LMS). These systems typically:
Track employee usage of e-learning, recording progress, completion rates and other
performance data such as test scores.
Produce a range of management reports that can be accessed by administrators and
managers at the centre and in the regions.
Import and export data from and to other applications (for instance the HR system).
Allow for user profiling in order that content can be assigned to users according to pre-
defined characteristics (for example job role and/or preferred language).
Manage the roll-out of learning solutions across the business in order to minimise impact on
business and network resources.
A learning management system allows the organisation to deliver a range of awareness solutions to
a variety of target audiences while allowing the system administrator to track usage and completion
rates and to assign content to individuals based on, for example, their job role or department.
These systems are purpose built and are particularly effective when large, complex and ongoing
awareness initiatives are being implemented.
Although students can self-enrol in most LMSs, the full potential of the system is best realised when
the database is pre-populated with appropriate student data. In particular, pre-population of the
database allows the administrator to control the assignment of learning materials to pre-defined
groups of students and hence to carefully manage the roll out of courses. Also, if the database is
pre-populated, tracking and reporting (particularly of students who have been assigned to, but have
not completed courses) is much easier.
Adequate resourcing of large-scale information security awareness initiatives is critical for their
success. Outlined below are some of the key roles and responsibilities that would typically be
required for the completion of a project of this nature.
Project manager
  Responsibilities: Monitors progress against plan. Co-ordinates internal resources. Manages the
  relationship with vendors.
  Involvement: Involved throughout the project; participates in regular progress meetings.

Subject Matter Expert
  Responsibilities: Agrees the overall approach to the content of the awareness programme. Approves
  content.
  Involvement: Involved in the early stages of the project in defining requirements and reviewing content.
  Subsequently, occasional contact with instructional designers and developers to maintain the
  relationship and identify any future developments that are required.

LMS Administrator
  Responsibilities: Maintains the LMS. Produces management information and reports.
  Involvement: The time commitment for the LMS Administrator depends upon how frequently changes to
  the configuration of the system are required and what the MI and reporting requirements are.

IT Help Desk
  Responsibilities: Provides support to users once the programme is rolled out.
  Involvement: IT Help Desk should provide support to users regarding the operation of the LMS and any
  e-learning courseware as part of the routine Help Desk duties. It can be helpful to provide a short
  training session for Help Desk staff during the implementation.

Corporate Communications
  Responsibilities: Provides support and advice regarding internal marketing issues, branding and so forth.
  Involvement: Involved in the early stages of each deliverable, approving visual identity, styles etc.

IT and/or HR Representative
  Responsibilities: Provides interface to HR systems for pre-population of the LMS.
  Involvement: Involved in the initial set up and pre-population of the LMS.
There are several key factors to consider when planning the roll out of a comprehensive awareness
programme:
The roll out plan should include pilot testing of all materials before "going live". Pilot
programmes should test the effectiveness of the content of the learning tools from an
instructional perspective. Importantly, where technology-based training is being delivered,
there needs to be pilot testing from a technical perspective to ensure that the training functions
adequately in all of the proposed business environments.
Where a learning management system is being used to manage any or all of the roll out, there
should be sufficient time to ensure that it contains all of the required student data, and that
invitation and reminder emails have been drafted, tested and approved. Roll outs can often fail
because learners experience difficulty accessing the content via the LMS or because email
invitations are not clear or helpful.
A phased roll out (other than in the most urgent of circumstances) is usually preferable to a
"big bang" approach because:
o It minimises the impact on network resources for technology-based training
o It minimises the impact on "business as usual" for the organisation
o It allows for issues to be identified and addressed on a rolling basis so that they are not
experienced by large sections of the target population
The roll out should prioritise any areas of the business that are considered high risk from an
information security perspective.
Consideration should be given, in global organisations, to the requirement for language
versions of any training content. Ideally, the roll out strategy should allow for the full
completion and testing of a "base" language version (usually the main business language of the
organisation) prior to the development of further language versions. This approach ensures
standardisation and consistency across languages and minimises the management,
administrative and financial overhead of maintaining multiple language versions during the
development phase.
The roll out should be planned around other known initiatives within the business (such as
major training initiatives, product launches, financial year ends and so forth) so as to minimise
competition for the attention of the intended audience groups. Liaison with Learning &
Development, HR and internal communications departments will usually yield much useful
information about other initiatives.
o The visible commitment of senior managers within the business units to the aims and
objectives of the awareness programme is a critical success factor. Any awareness
initiative should therefore begin with events (presentations, briefings and so forth) to
engage the attention and active support of senior management. Many large
organisations take a cascade approach to management communications, providing
managers with their own presentation packs or "meetings in a box" to drive the
message down the management line.
o High quality learning tools often fail to have impact in organisations because of a lack
of internal marketing and PR. Information security is not a topic of inherent interest to
many employees yet their "buy-in" to the key messages of any awareness campaign is
critical to bringing about any meaningful behavioural change and embedding a culture
of security. The active support of the Internal Communications department should be
sought in "selling" information security and security awareness to the target
population. Typically this can be achieved using a variety of internal communication
tools and channels to create the initial "launch campaign" as well as ongoing
communications to help maintain levels of awareness.
o If the planned programme includes external vendors and suppliers it is important to
ensure that they:
Have strong internal procedures and project management capabilities to ensure
delivery of solutions on time, on budget and to the desired quality.
Have an appropriate combination of learning and development expertise and
subject matter expertise to deliver effective learning solutions.
Consideration should be given to providing feedback to managers and the wider
target audience about the successes and impacts of the training campaign so
that individual employees are aware of the outcomes of their learning activity
and can be encouraged to see the time investment as worthwhile.
Full service bank — Creating an enterprise-wide security training and awareness campaign
covering both general users and technical specialists.
This project, for a global financial institution, was designed to bring about a step change in information
security training and awareness at an enterprise level. With 50,000 employees in over a dozen countries,
the brief was to reach all employees and deliver training customised to meet varying job roles and
responsibilities.
After a detailed consultancy phase a three-strand solution was recommended. This comprised general
information security training and awareness for non-technical employees with concurrent training for
managers and executives. The solution was delivered in several languages via a Learning Management
System, complete with evaluation tools, and a follow up programme of refresher training.
In addition, a detailed series of workshops and support materials was developed for technical and security
employees, comprising a core curriculum covering secure application development, access controls and
intrusion management for developers, technical architects and systems administrators. These were
delivered across several international locations, with the material organised in strands reflecting
particular job roles and responsibilities. The training initiatives were combined with an overall internal
marketing campaign.
Deliverables included a detailed communication campaign with tag lines, newsletters, presentations "in a
box", executive briefings and a revamped information security portal for the corporation.
The outcome: reduced vulnerability and heightened awareness of business critical security issues and
responsibilities across the enterprise.
Measuring success provides valuable information about the efficiency and effectiveness of the
controls implemented. It helps to evaluate the controls taken, to define necessary follow-up and also
to justify investment in information security awareness. This is especially important when applying
for the following year's budget. Evaluation of a campaign or training programme is essential to
understand its effectiveness, as well as to use the data as a guide to adjust the initiative to make it
more successful.

... awareness training programme was implemented, a know-how test can assess the learning goals
reached.
A large commercial bank has a central information security function. This team is responsible for driving
awareness training across the world. They aim to get basic messages about security across to a large,
geographically dispersed audience. They also need to send specific messages to smaller groups of staff with
key roles in systems or security.
A big challenge faced by the bank has been how to measure awareness levels and the effectiveness of its
awareness programme. Ideally, the bank wants to measure the change in people's behaviours. This is
difficult to assess quantitatively. However, measurement is critical to targeting training efforts at weak
areas, so the bank has invested in identifying practical metrics and key performance indicators.
A particularly successful technique has been the use of computer-based training (CBT). A centralised CBT
library includes training courses and captures test results from the automated testing of staff. All new
employees must complete the training as part of their induction. The training is updated regularly, and all
staff must complete the updated training. Reports analyse the extent of completion of CBT training and the
scores in tests; the central team monitor these and act on any significant trends.
Password scans provide a useful direct quantitative measure of the attitude and behaviour of staff. The
bank periodically runs software that scans password files on key systems and analyses the strength of
individual passwords. The number of staff using easily guessable passwords is a key indicator of security
awareness.
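The password scan described above, as an added example written for this guide rather than code from the bank or from the report: a small Python audit that reads a constructed user:hash file, hashes a dictionary of common words under the mangling rules users typically apply, and reports the share of accounts whose password it recovers. The wordlist, the suffix rules, the unsalted SHA-256 scheme and the six sample accounts are all assumptions made for the illustration.

```python
import hashlib
from typing import Dict, Iterator, List, Tuple

# Constructed wordlist for the illustration. A real audit would use a large
# dictionary plus local terms (the bank's name, products, sports teams).
WORDLIST = ["password", "welcome", "summer", "letmein", "qwerty", "bank"]

# Mangling rules users apply most often to turn a word into a "compliant"
# password. Assumption: these cover the bulk of weak choices.
SUFFIXES = ["", "1", "123", "!", "1!", "2008", "2009"]


def candidate_passwords(words: List[str]) -> Iterator[str]:
    """Yield every word in lower, Capitalised and UPPER form combined with
    each suffix: 'summer' -> 'summer', 'Summer2009', 'SUMMER!', ..."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in SUFFIXES:
                yield base + suffix


def sha256_hex(password: str) -> str:
    # Unsalted SHA-256 keeps the example self-contained (assumption). Real
    # password stores use salted, slow hashes; the scanner must then hash
    # each candidate per user with that user's salt instead of one table.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup(words: List[str]) -> Dict[str, str]:
    """Precompute hash -> plaintext for every candidate (only possible
    because the hashes are unsalted)."""
    return {sha256_hex(c): c for c in candidate_passwords(words)}


def parse_password_file(text: str) -> List[Tuple[str, str]]:
    """Parse 'user:hash' lines; blank lines and '#' comments are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        entries.append((user.strip(), digest.strip().lower()))
    return entries


def audit_password_file(text: str, words: List[str] = WORDLIST) -> dict:
    """Return the awareness KPI: how many accounts use a guessable password.
    The report names the weak accounts but never the recovered plaintext,
    so it can be shared with management without leaking credentials."""
    lookup = build_lookup(words)
    entries = parse_password_file(text)
    weak_users = [user for user, digest in entries if digest in lookup]
    total = len(entries)
    return {
        "total": total,
        "weak": len(weak_users),
        "weak_ratio": (len(weak_users) / total) if total else 0.0,
        "weak_users": weak_users,
    }


# Constructed sample password file, generated here from plaintexts so the
# example runs offline. On a real system the scanner reads the hashes only.
_SAMPLE_ACCOUNTS = [
    ("alice", "password"),
    ("bob", "Summer2009"),
    ("carol", "Welcome1"),
    ("dave", "x7#Qm9!Lp2Zv"),
    ("erin", "letmein!"),
    ("frank", "Tr0ub4dor&3"),
]
SAMPLE_PASSWORD_FILE = "# user:sha256\n" + "\n".join(
    f"{user}:{sha256_hex(pw)}" for user, pw in _SAMPLE_ACCOUNTS
)

if __name__ == "__main__":
    report = audit_password_file(SAMPLE_PASSWORD_FILE)
    print(f"{report['weak']} of {report['total']} accounts "
          f"({report['weak_ratio']:.0%}) use a guessable password: "
          f"{', '.join(report['weak_users'])}")
```

The indicator to track over time is the weak_ratio, not the plaintexts. A real scan reads the system's own hash store with its salts and slow hash, runs against a dictionary of many thousands of words, and should be approved by legal and HR before it touches staff credentials, since on the wire and on disk it is indistinguishable from an attack.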
Other techniques that have proved effective include simulated phishing emails and competitions. These
have made the targeted staff think carefully about why they are asked to be secure. They have also
provided helpful statistics for trend analysis.
There are plans to introduce a new survey to gauge the level of security awareness and behaviours within
the bank. An independent third party will gather responses from a random sample of staff (rather than self-
select). This will enable the bank to use the survey results to draw statistically valid conclusions across the
business.
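Sizing the random-sample survey mentioned above, as an added example that is not from the bank or from the report: a Python helper that computes how many staff the third party must survey for a given margin of error and confidence level (with a finite population correction), draws the sample reproducibly, and turns an observed result into a margin of error. The z values, the 50,000 headcount and the 290-of-382 result are assumptions made for the illustration.

```python
import math
import random
from typing import List

# Two-sided z values for the usual confidence levels (normal approximation).
Z_SCORES = {0.90: 1.645, 0.95: 1.960, 0.99: 2.576}


def sample_size(population: int, margin: float = 0.05,
                confidence: float = 0.95, proportion: float = 0.5) -> int:
    """Staff needed in a random sample so that an estimated proportion
    (e.g. the share who would report a suspicious email) lies within
    +/- margin at the given confidence. proportion=0.5 is the worst case
    and is the right choice before any prior survey data exists."""
    z = Z_SCORES[confidence]
    n0 = z ** 2 * proportion * (1 - proportion) / margin ** 2
    # Finite population correction: a bank of 1,000 needs fewer responses
    # than one of 50,000, but the saving shrinks quickly with headcount.
    n = n0 / (1 + (n0 - 1) / population)
    return math.ceil(n)


def margin_of_error(successes: int, responses: int,
                    confidence: float = 0.95) -> float:
    """Half-width of the confidence interval for an observed proportion.
    Only valid for a random sample: a self-selected survey has no sampling
    frame, so no number of responses makes this figure meaningful."""
    p = successes / responses
    return Z_SCORES[confidence] * math.sqrt(p * (1 - p) / responses)


def draw_sample(staff_ids: List[str], n: int, seed: int) -> List[str]:
    """Select n staff uniformly at random without replacement. The seed is
    recorded so the third party can show auditors which sample was drawn."""
    return random.Random(seed).sample(staff_ids, n)


if __name__ == "__main__":
    # Constructed headcount; the case study does not state the bank's size.
    headcount = 50_000
    n = sample_size(headcount)
    staff = [f"emp{i:05d}" for i in range(headcount)]
    chosen = draw_sample(staff, n, seed=2009)
    print(f"survey {n} of {headcount} staff, e.g. {chosen[:3]} ...")
    # If 290 of 382 respondents answer the phishing question correctly:
    print(f"{290 / 382:.1%} +/- {margin_of_error(290, 382):.1%}")
```

Run it and the headline is that about 380 randomly chosen staff give a +/- 5 point answer for a 50,000 person bank, and that the same 380 self-selected volunteers would not.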
Initially, the bank monitored incidents to assess security awareness. However, root cause analysis has
shown there are many different factors behind each incident, so the number of incidents is not a true
reflection of security awareness. In addition, the frequency of incidents is so low that trend analysis is not
meaningful. For these reasons, incident statistics are no longer used to measure awareness.
When measuring success, qualitative and quantitative instruments can be put in place. Regardless of
the measure used, it is important that any organisation address these issues (16):
(16) ENISA, Information security awareness initiatives: Current practice and the measurement of success, 2007,
available at http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf
Measures
  Availability of indicators: some measures are too hard to gather for the payback they give.
  Processing: it is important to process information once it has been gathered.
Evaluation can evidence change and improvement in an information security culture and also
reinforce organisational learning thereby encouraging continuous improvement and a strong
information security culture.
Selling security can be a bit like selling insurance: who needs it until after a break-in? The International
Financial Institution is actually trying to prevent the break-in in the first place, but people need to be
sufficiently motivated to act in a secure way.
The Information Security department is developing its Information Security Standards consistently with
ISO 27002 and BS 7799. These are very detailed and target primarily IT staff, so the Standards for All
booklet was created to address the needs of non-IT employees. This booklet covers the main dos and
don'ts around acceptable use of IT systems, including the security expectations placed on users, and
supports a number of policies. As the name suggests, it is written for all staff to read.
eLearning / CBT
The Information Security department has put a lot of effort into their annual eLearning course which serves
as an awareness initiative in its own right and includes a test of understanding at the end. It is mandated so
they also have a record kept of each staff member's course completion which can be used, for example, in
the event of a disciplinary case to evidence whether the Institution's IS expectations have been explained to
a user around specific topics.
For new starters this eLearning option is much more effective in explaining the security culture than reading
policies so it is also forming a key part of the induction process.
Intranet
The intranet provides fresh content each month which is flagged on the front page. Information there aims to
be relevant, newsworthy and eye-catching to as many staff as possible. The IS department tries to make this
useful outside of the workplace where possible, for example the risks associated with social network sites,
despite them being blocked from work. These items have to be easy to understand and as jargon-free as
possible. Topics covered include, for instance, "financial scams & phishing", "security threats" and "10 things
every employee should know".
Presentations
Presentations are provided on a request basis to internal teams, but they also ensure that Information
Security is a key part of the IT graduates induction process.
Other Controls
Cross-cut shredders are installed around offices replacing the old confidential waste bins.
Print on demand not only cuts down printing costs but it also reduces the amount of printed output left lying
around. The user has to go to the printer and present or swipe their staff card before anything is printed and
anything not printed is deleted. This has also proved useful in disciplinary cases showing who printed a
document. Both the shredding and print on demand projects support the Clean Desk policy as well as
recycling and ―green‖ initiatives.
Laptops have hard disk encryption, and software is employed which enforces encryption when permitted users
write to CD or USB.
BlackBerry devices are policy managed, so they have limited user configuration capability and the kill-pill
functionality to wipe the device once we're notified of loss or theft. A voice biometric system is in place for
automated password resets, cutting the number of Helpdesk calls, and is available 24 hours a day, 365 days a
year.
Communication
Appropriate communication to suit different audiences, general users, IT staff and managers, is important,
especially when there are language and translation barriers too.
As Security Professionals we need to recognise the different audiences we have and tailor our messages to
suit each.
Competing for "air-space" internally is one of the main challenges. Staff are bombarded with a number of
financial, legal, regulatory and compliance messages, anti money laundering, general bank training, etc.
Security may be everyone's responsibility but it's not everyone's main job or prime focus.
Targeted awareness training of key teams such as IT is top of the agenda. There are also call centres, postal
and facilities, HR, and Management. The IS department of the Institution is currently developing a training
programme specifically for the IT teams, consisting of a catalogue of presentations and handouts on key
topics, and is also looking to adopt the e-learning mechanism.
Objectives
The long term aim is to get more specific details set in Staff Objectives so that all staff can show where they
have contributed and are sufficiently motivated to comply. Motivation is key to this whole subject.
Recommendations

7 Internal audit and compliance
  Conduct internal audit and compliance reviews of data security on a regular basis.

8 Staff recruitment and vetting
  While recruiting personnel, conduct high level vetting for all staff. Keep in mind that junior, temporary
  and call centre staff often have wider access to personal and financial data. Even if under pressure to fill
  vacancies quickly to maintain a good level of customer service, ensure that appropriate vetting is always
  carried out.

9 Third parties
  Define within the corporate information security policy whether third parties, for instance call centres,
  archiving firms and IT consultancies, can access personal and financial data and how.

11 Awareness and training initiatives' setup
  Information security awareness is never an IT business only. The most important aspects of an
  awareness programme are communication, marketing and training. It is therefore strongly recommended
  to set up an interdisciplinary project group with members of the internal communication department,
  marketing department, human resources department, physical and information security department.

... security.

Figure 7: Recommendations.
Conclusions
Recent incidents involving data loss have forced many organisations to consider how they can
significantly improve their data security. In particular, safeguarding personal and financial data is a
key responsibility for the financial services industry. The mismanagement of data security is a
significant risk for financial organisations due to the nature of their business as they generally hold
large volumes of personal and financial data about their customers, such as names, addresses, dates
of birth, bank account details, transaction records, PINs, national insurance numbers and so on. Thus,
the financial services industry needs to pay close attention to how it handles this type of data.
Financial organisations are becoming more aware of the potential costs of losing data. However,
corporate information security policies, procedures and controls are not enough to prevent data loss
through lack of employee awareness about the risks related to handling information.
Effective training and awareness mechanisms are crucial in these organisations as the risks to which
they are exposed, for instance identity theft, money laundering, market abuse may all result in
considerable inconvenience and possible financial loss to the victims as well as damage to the
organisation itself.
ENISA hopes that this paper will provide financial organisations with a valuable tool to understand
the importance of preventing data loss and to prepare and implement awareness raising and training
programmes.
Directive 95/46/EC on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, OJ L 281 of 23.11.1995.
ENISA, A New Users’ Guide: How to Raise Information Security Awareness, 2008, available at
http://www.enisa.europa.eu/pdf/deliverables/new_ar_users_guide.pdf
ENISA, Information security awareness initiatives: Current practice and the measurement of
success, 2007, available at
http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf
ENISA, Raising Awareness in Information Security – Insight and Guidance for Member States, 2005,
available at http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_cd_awareness_raising.pdf
Financial Services Authority, Data Security in Financial Services, United Kingdom, April 2008.
Herold, Rebecca, Managing an Information Security and Privacy Awareness and Training Programme,
Boca Raton: Auerbach, USA, 2005.
Herold, Rebecca, Information security and privacy awareness program, Auerbach Publications, USA,
2005.
McGlasson, Linda, 'ID Theft Red Flags Rule: How to Help Your Business Customers Comply',
BankInfoSecurity.com, 8 September 2008,
http://www.bankinfosecurity.com/articles.php?art_id=960andrf=090908eb
NIST, Building an information technology security awareness program, NIST — SP800-50, NIST,
2003, available at http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf (last visited
on 17 July 2008).
NIST, Information technology security training requirements: A role- and performance-based model,
NIST — SP 800-16, USA, 1998, available at http://csrc.nist.gov/publications/nistpubs/800-16/800-
16.pdf (last visited on 21 July 2008).
ISBN-13: 978-92-9204-026-0
DOI:10.2824/13112
TP-80-09-807-EN-N