Training of Information Security for Common Users Dr. Francisco Eduardo Rivera FAA SALT Conference, February 18, 2004.



2 Overview
- What is training of IS
- Importance and background
- Common final users, the problem
- Approaches
- Re-orientation
- Awareness, support and responsibility
- The scenario approach
- Conclusion

3 What is Information Security Training?
- It is not computer literacy training
- It is not an academic course
- It is not just for new employees
- It is not just another training course
- It is an urgency!
- It must be part of the essential policy of the organization

4 InfoSec or Cybersecurity Training?
- Not only for IT experts: all workers dealing with information
- Cover all aspects
- Prevention oriented rather than remedial oriented
- Practical approach rather than theory
- Continuous

5 Information Security, What For?
- Protecting assets: information resources, including computing time and memory, against destruction, alteration, corruption, misuse and theft of information
- Avoiding intruders
- Keeping confidentiality and privacy

6 Possible Consequences
- Enormous potential costs if information security is breached
- Liability
- Loss of competitive advantages
- Image damage
- National interest

7 Information Security Has Changed
- From teen hackers to serious and professional hackers
- Information war
- The number and quality of attacks is growing rapidly
- The speed of spread is growing
- Distributed and evolving attacks

8 A Growing Discipline?
- Maturity
- The experience
- The complexity of the subject
- The coverage and inter-disciplinary scope
- The technical details
- The changing environment
- More than 500 enterprises
- Expenditures of more than $5 billion/year

9 Cybersecurity
- Many organizations involved: ACM, NIST, CSI, ISACA, IEEE, ISOC, ISSA, SANS, etc.
- More than 300 university programs
- Specialized training and certifications: CISSP, CISA, CISM, SSCP, Security+, SCP, GIAC, TICSA
- A czar, federal agencies: DHA, NSA, OMB, Information Security Act, …

10 The Problem
- Security is only as strong as its weakest part
- Traditional: high security in computer centers
- Traditional: centralized control of security management and operations
- Traditional: users only deal with internal data and have no external connection

11 The Problem (continued)
- The Internet as the extended information resource and the standard way of communication
- The use of network bandwidth for other purposes
- Connectivity with the Internet: the present version is intrinsically insecure
- The new unsecured wireless networks
- The holes in operating systems

12 Common Final User
- The employee who manages corporate information through computers and networks, but is not in charge of the operation of systems, programs, networks and equipment
- He/she is not an expert
- He/she is computer literate
- The most important resource in the organization, followed by information

13 General Training Approaches
- Mission oriented
- Global coverage
- Cost-effectiveness oriented
- But in the case of information security: sense of urgency, implications, practical aspects

14 Specific Training Approaches
- Information classification – mostly academic
- Information Systems Development Cycle (SDLC) – mostly professional organizations
- Standards and models – mostly certification organizations
- Around specific software packages

15 The NIST Approach
- Security Education, Training and Awareness (SETA)
- Divided into three levels of depth:
- Education – curriculum
- Training – organization
- Awareness – final users

16 Re-orientation
- Awareness is not enough!
- What is important in security?
- Basic understanding
- Motivation
- Basics of what to do and what not to do
- Where to go
- Recognize problems and their importance
- Prevent
- Follow policies

17 Our Approach
- Similar to NIST
- But some training is also for final users
- Based on awareness, support and responsibility

18 Integration
- Awareness, support, responsibility
- Prevention through policies
- Practical knowledge
- Motivation

19 Motivation
- "Raison d'être": for the organization, for the department, for his/her specific position
- Improve the system
- Detect problems
- Understanding of implications
- The cost of not doing it

20 Prevention
- It needs responsibility
- Strictly follow the policies
- Do some routine tasks: periodic review, backup, upgrade
- It needs support from IT and other users

21 Practical Knowledge
- Identify problems
- Levels of risk
- Open to suggestions
- How to do it: passwords, network identification
- Who to contact in case of a problem, and what to do (and not to do)

22 Responsibility
- The new element
- Who is the owner of information?
- The final user is not just a user: he/she is co-responsible for data, management of data, basic security and accessibility

23 The Scenario Approach
- The field is so large
- Less technical information and more decision-making abilities
- What are the basic cases?
- Simple to complex problems
- Interaction with other users
- Rapid response

24 Scenarios (in Plural)
- Illustrate with practical real cases
- Many variants
- To identify key issues
- When to explore?
- More than one right answer
- Interactive discussion
- Graphical presentation

25 Conclusion
- InfoSec training is an investment
- Needs to be reviewed periodically, to update with new problems
- Challenging user attitudes in: awareness, support and responsibility
- Use plain language
- The user is an integral part of the solution

26 Questions? Comments?