respond to discussion 4CR

Sonia

Discussion #4 – Governance Policies

The concepts of “2.1 Cyber Security Awareness (CSA)” and “2.2 Cyber Security Knowledge Sharing (SKS)” are intricately linked to the Security Awareness Policy.

Cyber Security Awareness (CSA) is defined in the text as users possessing knowledge and a strong dedication to security. The CSA is indispensable to the cyber security efforts of organizations. Since employee security knowledge varies, it is critical to comprehend cybersecurity best practices.  Adhering to CSA principles, the Security Awareness policy emphasizes employee security commitment and awareness (Alahmari et al., 2022). Conventional training programs are employed to enhance the knowledge of employees. Presentations, workshops, multimedia, email reminders, and screen savers are all provided by these applications. Clear screen policies, password protection, and phishing prevention are suggested as ways to enhance CSA. In support of educating personnel about security policies and best practices, the Security Awareness policy may advocate for and coordinate the execution of training plans (Alahmari et al., 2022).

Notwithstanding uncertainties regarding its effectiveness, Security Awareness Training (SAT) continues to be emphasized as a means of mitigating cybersecurity risks. It emphasizes well-designed training methods with technical solutions, placing security as a secondary objective. According to research, the SAT could aid users in detecting and preventing fraud. Security Education, Training, and Awareness (SETA) programs are examined for their ability to avert security breaches resulting from employee ignorance. Additionally, SAT is suggested for preventing ransomware attacks that encrypt user files. International security organizations such as ISO and NIST deem this technique indispensable (Al-Daeef et al., 2016).

Sharing of Cybersecurity Knowledge (SKS)

The passage examines Cyber Security Knowledge Sharing (SKS) and emphasizes the significance of instilling information to foster learning. SKS stresses the value of collaboration in the pursuit of cyber security objectives. Security Awareness promotes knowledge sharing among personnel to enhance cyber security. Cyber Security Awareness and Knowledge Sharing are concepts that are reflected in the Security Awareness policy. Enhancing an organization’s cyber security requires employee awareness, training, technological expertise, and collaborative knowledge sharing (Alahmari et al., 2022).

A comprehensive manual on developing an IT security awareness and training program is offered in NIST SP-800.50. The intent and scope of the program outlined in this document established a structure for its advancement and underscored the significance of organizational responsibilities and roles. Training in the classroom, online, and through hands-on experience was also covered. The authors prioritized the importance of consistent program alignment with the values of the organization and ongoing enhancement. The guide emphasized evaluating the program’s effect on cybersecurity awareness and integrating it into the company culture (Wilson et al., 2003).

Constructing a Cybersecurity Culture

According to the text, a cyber security culture could aid in addressing human-related cyber security vulnerabilities. By emphasizing collaboration and knowledge sharing, the Security Awareness policy fosters a robust cyber security culture within the organization (Alahmari et al., 2022).  The Security Awareness and Training Policy at Virginia State University (VSU) outlined guidelines for IT system managers, administrators, and users to ensure the proper protection of university systems and data. The policy addressed various aspects including roles, responsibilities, management commitment, data disposal, coordination, and compliance, with a particular emphasis on sensitive system and data matters. All employees were required to complete security awareness training for the use of VSU information technology resources. Refresher courses were also provided annually. The Technology Services department is responsible for implementing information security awareness and training best practices, which involve continuous training, effective communication, and monitoring compliance (Purpose – Virginia State University 2017).

The choice of Cyber Security Awareness policy and information sources is closely linked to social engineering.  Understanding and implementing a cybersecurity awareness policy is crucial for effectively defending against social engineering attacks. It equips individuals with knowledge, fosters a mindset focused on security, and offers practical tools to effectively identify and address social engineering threats. At Virginia State University, students and staff can introduce cybersecurity risks through their actions, such as clicking on malicious links or neglecting security best practices. An effectively implemented policy fosters a culture of cybersecurity, enabling security personnel to identify and address potential threats. Adhering to regulations is crucial for any organization in preventing penalties and protecting its reputation. A policy also empowers employees with the expertise and capabilities to detect and prevent social engineering attacks, ensuring that unauthorized access and information compromise are effectively thwarted. It fosters a culture of security awareness, making it more difficult for malicious individuals to take advantage of weaknesses.

Jason

Effectiveness of information security awareness methods based on psychological theories
by Bilal Khan, Khaled S. Alghathbar, Syed Irfan Nabi and Muhammad Khurram Khan. Accepted 24 March 2011.
African Journal of Business Management Vol. 5(26), pp. 10862-10868, 28 October 2011. Available online at DOI: 10.5897/AJBM11.067. ISSN 1993-8233. ©2011 Academic Journals.

Khan et al. (2011) evaluate the effectiveness of different information security awareness tools and techniques using psychological theories and models as a frame of reference. They also describe how to measure information security awareness in an organization.

They drew on Namjoo et al.’s (2008) definition of information security awareness, where they defined information security as the individual’s passive involvement and increased interest in certain issues, a key component being consciousness-raising and action.

Another strong definition cited by Khan et al. (2011) was from the Information Security Forum (2003); it stated that information security awareness can also be defined as “the extent to which every member of staff understands the importance of information security, the levels of information security appropriate to the organization, their security responsibilities, and acts accordingly” (Security Forum, 2003).

The research conducted by Khan et al. evaluated the effectiveness of information security awareness interventions. They proposed a five-step stair model. The steps include:

1. Knowledge about information security
2. Attitude towards information security
3. Normative belief towards information security
4. Intention for information security
5. Information security (IS) behavior

Their study also evaluated the effectiveness of information security tools. The following presents a summary of the effectiveness of each tool by Khan et al. (2011).

1) Educational presentation – “Education is often seen as the key to changing behavior. Different types of awareness campaigns are based on different psychological theories that focus on different aspects of human psychology. Usually the education campaigns target the knowledge aspect of the human and it ignores the motive behind the human behavior” (Khan et al., 2011).

2) E-mail messaging – “One type of campaign for information security awareness is email messaging. These messages disseminate useful information regarding phishing, social engineering, password management and information security incidents. This method is effective in providing security related information and hence increases information security knowledge of the recipient” (Khan et al., 2011).

3) Group discussions – “One type of information security awareness intervention is an informal meeting in which there is no one way communication. In this meeting, about 15-20 individuals of an organization participate and the participants take full advantage of sharing knowledge and experience” (Albrechtsen & Hovden, 2010).

4) Newsletter articles – “Newsletter is a monthly or quarterly one to four pages information security report. These reports can be both in electronic or print format. They are distributed among security awareness training. The employees of the organization can acquire the desired training at their own pace” (Khan et al., 2011).

5) Video games – “It is claimed by the researchers that video game is a good technique in motivating players towards adapting the desired behavior as it catches the player’s attention and engages him. However, this method does not have a component of knowledge transfer unless the player has already gained the information security knowledge before starting the game” (Khan et al., 2011).

6) Computer-based training (CBT) – “Computer-based training has several advantages over conventional methods of information security awareness. CBT is available at all times to all employees within the organization and it is an effective method of information making, improve performance and accountability and help determine an organization’s information technology (IT) security awareness and training” (Khan et al., 2011).

7) Posters – “Posters are simple and effective reminders of information security that catch end user attention and remind them of basic information security rules. Posters require fewer resources. Catchy slogans and attractive designs greatly contribute to the effectiveness of posters” (Khan et al., 2011).

It was noted in the discussion that “it is beneficial to find out the number of phishing e-mails that have been opened by the employees of the organization. The number of phishing e-mails accessed shows the level of information security awareness. The more is the number of phishing e-mails accessed, the less the level of awareness” (Khan et al., 2011).

Emphasized in the discussion was that “Information security awareness can also be measured by counting the number of security incidents being reported. It also indicates the awareness of the user who knows the person to contact when an information security incident occurs.”

In conclusion, the authors noted that “the aim of many information security campaigns is to increase information security knowledge. However, many post-campaign surveys ask questions focusing mainly on the knowledge of the participant and do not assess user’s information security behavior” (Khan et al., 2011).

Supplemental Source
The Springfield Technical Community College Information Security Awareness Policy

According to the Springfield Technical Community College (STCC) Information Security Awareness Policy, its purpose is to implement information security best practices and to comply with federal and state laws and regulations related to Information Security Awareness Training.

The policy is also used to educate users on their responsibility to help protect the confidentiality, availability and integrity of STCC’s information assets and to ensure that all personnel are trained on relevant rules, regulations, and best practices for cybersecurity.

The purpose in this policy aligns with the research conducted by Khan et al., as they emphasized the importance of educating users about information security awareness. Education was also seen as the key to changing behavior.

The policy also speaks to educating users on cyber security topics, including but not limited to:
- Virus or malicious software (Malware)
- Phishing attempts
- Social engineering
- Application / Operating system vulnerabilities

Khan et al. (2011) also emphasized this in their research where they noted “it is beneficial to find out the number of phishing e-mails that have been opened by the employees of the organization.”

Rationale for Choice of Article

The article resonated with me because of my interest in information security awareness and the need for sensitization. Organizations must enforce a security awareness policy for the safety of all employees at all levels of the organization. Ensuring employees adhere to such a policy can help to mitigate security breaches and protect the enterprise.
