Assessment of Need and Method of Delivery for Information Security Awareness Program

Wasim A. Al-Hamdani, PhD
Division of Computer and Technical Sciences
Kentucky State University
Frankfort, KY 40601
502-597-6728
[email protected]

ABSTRACT

This paper looks at the assessment of the quantity of information security awareness programs needed at Kentucky State University as a first step; the model is then generalized to a larger population. The model is based on various levels of education and a randomly selected sample space. It is also based on two assessments: the first focuses on information security in general, while the second covers the following topics: data classification, security job role, awareness programs, spam and virus knowledge, and social engineering.

The sample space was randomly selected from a population of about 49,640 in Franklin County [5], and the results were then generalized for larger populations. The results show that there is a real need for information security awareness programs for the general public. However, the research also shows the large number of instructors needed per 1000 of population to start a public information security awareness program. These primary results have been looked at in two different aspects: the first as "in-class delivery" and the second as "out-class delivery". The research points out that in-class delivery yields unrealistic results, hence we must focus on out-class awareness programs.

Categories and Subject Descriptors

C.2.0 [Computer Communications Networks]: General - Security and protection
D.4.6 [Operating Systems]: Security and Protection - Access controls, Authentication, Cryptographic controls, Information flow controls, Invasive software
H.2.0 [Database Management]: General - Security, integrity, and protection
K.3.2 [Computers and Education]: Computer and Information Science Education - Curriculum, Information systems education
K.6.5 [Management of Computer and Information Systems]: Security and Protection - Authentication, Insurance, Invasive software, Physical security

General Terms

Security

Keywords

Information Security, Information Assurance, Information Security Curriculum, Information Assurance Curriculum, Curriculum Development

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. InfoSecCD Conference'06, September 22-23, 2006, Kennesaw, GA, USA. Copyright 2006 ACM 1-59593-437-5/00/0006…$5.00.

1. INTRODUCTION

Security has been a technically challenging problem with computers almost from the first instance of their operational use. Networking brought greater security challenges, and the advent of the "network of networks" (referred to as the Internet) is bringing even greater challenges. Provision of government services over the Internet has become imperative in the new Information Age. When governments use the Internet for service delivery, however, security and privacy are fundamental requirements [13]. Risk management is at the heart of information security. A risk assessment should be a fundamental part of the business development process. Part of the risk management challenge is the fact that information systems are changing quickly, and at the same time security risks also change very quickly as new threats, vulnerabilities and attack tools are introduced. As a consequence, a static risk assessment process is no longer sufficient. Risk management must now be designed as a continuous process that reacts quickly to changes. To accomplish this, risk management should include elements of real-time assessment and response.

Awareness, as defined in [14], "is not training. The purposes of awareness presentations are simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly." Awareness implies understanding of risks. Internet threats and vulnerabilities are real. In simple terms, the number of vulnerabilities continues to rise, while hacker tools are becoming more powerful and easier to use. At the same time, prevention is much more difficult because the technology changes rapidly. The Internet is a very attractive target for attackers. Internet attacks are easy to accomplish, difficult to detect, hard to trace, and the risk of getting caught is low.

Information security awareness programs could cover the following topics: password construction, password management, authentication, Internet usage, telephone fraud, physical e-mail usage and security, private information, virus protection and detection, PC security, software licensing, backups, building access, social engineering, identity theft and home office security [12, 13, 14].

The main purpose of this research is to form a risk assessment of the quantity of information security awareness programs needed (as an expected value) in Kentucky. The research is based on a randomly selected sample space from different populations based in Franklin County and is then generalized in the model. The research is, first of all, based on a single assumption, namely "in-class" awareness programs, meaning that all of the public would have to sit in a class to obtain knowledge of security awareness. The research used two different surveys, both on general information security awareness topics. The surveys looked at three different levels of knowledge: MANAGEMENT CONTROLS, OPERATIONAL CONTROLS and TECHNICAL CONTROLS. The first assessment focuses on information security as a general issue, while the second assessment is concerned with data classification, security job role, information security awareness programs, spam and virus knowledge, and social engineering. Questions queried various levels of knowledge, such as the existence of an information policy, understanding of assets, variants of phishing and other issues.

The results show there is a real need for information security awareness and limited information security training education for the population subjects of this research. The surveys were designed using the following criteria: What, Whom, What If and Analyze [6]. More specifically, these criteria meant:

• Establish the goals: what you want to learn
• Determine the sample: whom you will interview
• Create the questionnaire: what you will ask
• Pre-test the questionnaire, if practical: test the questions
• Analyze the data: produce the reports

The potential goals for the survey were:

• How much of the sample space has general knowledge of information risk?
• Do we need an information security awareness program?
• What is the basic assessment of this need, if any?

2.1 Assessments Organization

2.1.1 First Assessment

The first assessment was conducted concerning general information security knowledge. Questions were broad in scope. General information about security principles was included, such as: "Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and digital signatures." "E-mail spam is a subset of spam that involves sending out identical messages to thousands (or millions) of recipients." The assessment has 20 different questions.

The population education levels were varied, with some having high levels of education and others with little; some with information technology backgrounds and others with none; some with computer science backgrounds and others with none. Targeting different levels of education gives the statistical model a clearer view of the population.

2.1.2 Second Assessment

The second assessment was conducted concerning more in-depth information security knowledge. Some questions are based on "Yes, No and Do not know" answers, such as: "Do you know what Zero Incident Culture is?" Other questions are multiple choice, such as: "Do you know where to report Spam?", or "This picture is for: Just picture, Secure Information Transaction, Start of Spam, Start of Internet, watches after what users do, and Do Not Know". Others are indirect questions based on "Yes, No and Do Not Know", like: "What is your KSU network password?" The assessment has 20 different questions.

2.1.3 Assessment Delivery

A group of volunteer students distributed 170 surveys for each assessment. The delivery was: inside campus, one high school, and public places; 130 complete responses were received for each assessment. The two assessments were later mapped to a sample space of 100 (each) for statistical purposes.

2. CLASSIFICATION OF ASSESSMENT RESPONSE

The surveys had different forms of questions, some with multiple answers or five different levels of answers. All answers in the two surveys were compiled at the end to be Positive, Negative and Don't Know. The last answer is analyzed later as a Negative answer (this answer is classified as requiring an information security awareness program). For example, a question such as:

Spyware is:
• Hardware
• Software
• Hardware/software
• Software spies on a computer
• Spies on what a user is doing
• Do not know

After the compilation, the survey answer will read as:

Spyware is:
• Positive Answer
• Negative Answer
• Do not know

Then the analysis of these results will be:

Spyware is:
• Positive Answer
• Negative Answer + Do not know

3. THE FIRST ASSESSMENT

The answers are either Positive, Negative or Don't Know. Before analyzing the questionnaire, the sample space frequency was mapped to a sample space of 100, as shown in Table 1 (see APPENDIX A). The categories (Positive Answer, Negative Answer and Don't Know) are shown in Figure 1 (A, B and C).

Figure 1a. Positive answer
Figure 1b. Negative answer
Figure 1c. Don't Know

It is clear from Figure 1B that the curve rises exponentially in this case. For an education and awareness program, the "Do Not Know" answer means that the person needs to attend the awareness or re-awareness program to refresh his/her knowledge; this combines the Negative answer and the "Do Not Know" answer for justification and uniform training. Figure 2 shows the combination of Negative answers and Don't Know answers.

Figure 2. Combinations of Negative answers and Don't Know or Not Sure answers

Figure 2 shows the same shape as Figure 1B, an "exponential curve." Figure 3 shows the normal distribution expected for the second group (Negative answer and Don't Know or Not Sure).

Figure 3. The expected normal distribution for Negative answers and Don't Know or Not Sure answers

The combination of these two categories gave a mean Positive answer of 28.3, with Negative answer = 52.15 and Don't Know = 19.55 (the combination of both is equal to 71.6).

3.1 Analysis of Variance for all groups

Positive Answer = 566, Negative Answer = 1034, Don't Know Answer = 391 out of a sample space of 2000 questions, with frequencies of 0.283, 0.5215 and 0.1955, respectively. Figure 4 shows the mean points for the three groups.

Figure 4. The mean points for the three groups

Taking the state of Not Sure as a Negative answer, we have only two variables, Positive Answer and Negative Answer, which are 566 and 1434, respectively. Figure 5 shows the mean points for the two groups.

Figure 5. The mean points for the two groups

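As an added example (not code from the paper), the compilation rule of Section 2 and the totals of Section 3.1 can be recomputed from Table 1 in Appendix A; which spyware options count as Positive is an assumption of this example, since the paper does not state it.

```python
"""Added example (not from the paper): Section 2 rule and Section 3.1 totals."""
from dataclasses import dataclass

# Table 1 transcribed from Appendix A: (question, Positive, Negative, Not sure),
# each row counted over the mapped sample space of 100 respondents.
TABLE_1 = [
    (1, 4, 71, 25), (2, 35, 63, 2), (3, 31, 58, 11), (4, 32, 45, 23),
    (5, 47, 38, 15), (6, 11, 78, 11), (7, 57, 34, 9), (8, 23, 26, 51),
    (9, 43, 31, 26), (10, 6, 76, 18), (11, 17, 22, 61), (12, 12, 66, 22),
    (13, 33, 45, 22), (14, 33, 48, 19), (15, 29, 54, 17), (16, 61, 31, 8),
    (17, 34, 57, 9), (18, 22, 63, 15), (19, 33, 60, 7), (20, 3, 77, 20),
]

# The paper's spyware question as printed on the form. Which options count as
# Positive is an assumption of this example; the paper does not say.
SPYWARE_OPTIONS = ("Hardware", "Software", "Hardware/software",
                   "Software spies on a computer",
                   "Spies on what a user is doing", "Do not know")
SPYWARE_POSITIVE = {"Software spies on a computer", "Spies on what a user is doing"}

def compile_answer(answer, positive_options, options=SPYWARE_OPTIONS):
    """Compilation step (Section 2): collapse one multiple-choice answer to
    Positive / Negative / Don't Know. Strings not on the form are rejected."""
    if answer not in options:
        raise ValueError(f"not an option on the form: {answer!r}")
    if answer == "Do not know":
        return "Don't Know"
    return "Positive" if answer in positive_options else "Negative"

def needs_awareness(category):
    """Analysis step (Section 2): Don't Know is folded into Negative."""
    return category != "Positive"

@dataclass
class Summary:
    positive: int
    negative: int
    not_sure: int
    questions: int

    @property
    def total(self):
        return self.positive + self.negative + self.not_sure

    def frequencies(self):
        """Section 3.1: share of each category over all answered questions."""
        return {"Positive": round(self.positive / self.total, 4),
                "Negative": round(self.negative / self.total, 4),
                "Don't Know": round(self.not_sure / self.total, 4)}

    def means(self):
        """Section 3: per-question mean of each category."""
        return {"Positive": round(self.positive / self.questions, 2),
                "Negative": round(self.negative / self.questions, 2),
                "Don't Know": round(self.not_sure / self.questions, 2)}

    def two_groups(self):
        """Positive versus everyone who needs awareness (Negative + Don't Know)."""
        return self.positive, self.negative + self.not_sure

def summarize(rows=TABLE_1):
    """Aggregate Table 1 rows into the Section 3.1 totals."""
    return Summary(sum(r[1] for r in rows), sum(r[2] for r in rows),
                   sum(r[3] for r in rows), len(rows))
```

Summing Table 1 gives 566 Positive, 1043 Negative and 391 Don't Know, which is what the quoted frequencies 0.283, 0.5215 and 0.1955 and the two-group total of 1434 in Section 3.1 correspond to.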

The data is very simple and it is a linear type of relation, as in equation 1:

Y = A + B*Y ..... (1)

4. SECOND ASSESSMENT

A more detailed statistical survey distributes the questions into five major categories:

• Data classification
• Security job role
• Information security awareness program
• Spam and virus knowledge
• Social engineering

Questions have a variety of different levels, such as:

• Do you know where to report spam?
• What is your network password?
• What is redirecting Web traffic?
• Does your organization have an existing security policy?

Some of the questions are listed in section 2.1. The results summary in numbers is shown in Table 2.

Table 2. The Second Assessment Survey Numbers

Question Type | Positive | Negative | Don't Know
Data Classification | 11 | 82 | 69
Security Job Role | 12 | 22 | 18
Information Security | 14 | 13 | 23
Spam and Virus | 90 | 186 | 74
Social Engineering | 35 | 192 | 74

5. ASSESSMENT ANALYSES AND ESTIMATION EFFORTS

Combining the two assessment surveys, we get a mean positive value of 23.15 (≅23%) and a combined negative value of 76.8 (≅77%). These results indicate that there are major risks in information security knowledge and education. Before we can estimate the effort, we need to look at:

• What type of information security awareness is needed?
• Which sort of information is to be presented?
• What depth of information security is needed?

Awareness is not training [7]. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities, the learner is a recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, having a goal of building knowledge and skills to facilitate job performance. A few examples of IT information security awareness materials/activities include promotional specialty trinkets with motivational slogans; a security reminder banner on computer screens, which comes up when a user logs on; information security awareness videotapes; and posters or fliers.

6. ESTIMATING INFORMATION SECURITY AWARENESS PROGRAM REQUIRED FOR 100 PEOPLE

An Information Security Awareness program (in class) suggests covering the following topics [15, 16, 17]: "Introduction to Security Basis, Personal Computer Security, Organizational Security, Internet Security, Network Security, Total Security, firewalls".

Such a syllabus would require about 30 hours of instruction (as a first suggestion); as a compressed course it would need three days (from 8 a.m. to 12 noon, and 1 p.m. to 5 p.m.). Table 3 (see APPENDIX A) shows a simple estimate of information security awareness for the 77% of the total population out of 100 people who need awareness education, according to our suggested syllabus.

Awareness Program
Attendance out of 100 population | 77
Class size / persons | 15-16
Groups out of 100 → 75/15 | 5
Days / course | 3
Instruction / hours | 120

Days of teaching: 5 groups * 3 days / course = 15 days of teaching. (A class size of 15 was selected because it is the best value between the worst-case ratio of 2:15 and the best case of 1:20 [18].)

A normal faculty load is 12 hours of teaching out of 40 hours/week and 10 hours of office work out of 40 hours/week, which is about one course a week of 25 hours of teaching, as well as other hours for the preparation of other teaching materials. This means he/she could educate the 77% in five weeks. Table 3 (see APPENDIX A) maps the results from above to an estimation for a larger population.

From Table 3, for the example of Kentucky State University, it would require five years for a single instructor to deliver the information security awareness programs at an average of one course per week. This result is unrealistic, because each month brings many new threats concerning information security, and every six months security awareness should be revised. From Table 3, the Franklin County population of 49,640 would require a single instructor about 47,730.76923 years. Table 4 (APPENDIX A) shows the relationship between the number of instructors needed and the course deliverers. A breaking point in Table 4 is 12 weeks. This number is very acceptable for the information security awareness program and its follow-up activities, such as newsletters and posters. Table 5 shows the linear number of instructors needed for a population awareness program.

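As an added example (not the paper's own code), the in-class effort model of Section 6 written as functions that reproduce Tables 3 and 4 and the instructor rate of equation 2; the assumption, taken from the tables, is that the 5 groups per 100 people, the three-day course of 8 contact hours and the one course per instructor-week all scale linearly with population.

```python
"""Added example (not the paper's own code): the in-class effort model of
Section 6 carried through Tables 3 and 4 and the instructor rate of equation 2."""

# Parameters quoted in Section 6; assumed here to hold for every population size.
NEED_RATE = 0.77                # 77% of the population need awareness education
GROUPS_PER_100 = 5              # 77 people in classes of 15: the paper uses 5 groups
DAYS_PER_COURSE = 3             # compressed three-day course
HOURS_PER_DAY = 8               # 8 a.m. to 12 noon and 1 p.m. to 5 p.m.
COURSES_PER_WEEK = 1            # one course per instructor per week
WEEKS_PER_YEAR = 52
INSTRUCTORS_PER_PERSON = 0.004  # equation 2

def attendees(population):
    """People who need awareness education: the 77% of Section 5."""
    return round(population * NEED_RATE)

def groups(population):
    """Courses to deliver; the paper scales its 5 groups per 100 linearly."""
    return population * GROUPS_PER_100 / 100

def table3_row(population):
    """One row of Table 3: the effort for a single instructor."""
    g = groups(population)
    return {
        "attendees": attendees(population),
        "hours": g * DAYS_PER_COURSE * HOURS_PER_DAY,
        "days": g * DAYS_PER_COURSE,
        "weeks": g / COURSES_PER_WEEK,
        "years": round(g / COURSES_PER_WEEK / WEEKS_PER_YEAR, 6),
    }

def weeks_needed(population, instructors):
    """Table 4: calendar weeks when the courses are spread over several instructors."""
    if instructors < 1:
        raise ValueError("at least one instructor is needed")
    return round(groups(population) / (COURSES_PER_WEEK * instructors), 6)

def instructors_eq2(population):
    """Equation 2 as printed: Number of instructors needed = Population * 0.004."""
    return round(population * INSTRUCTORS_PER_PERSON, 3)

if __name__ == "__main__":
    for pop in (100, 1000, 5000, 49640):
        row = table3_row(pop)
        print(pop, row, "| 4 instructors:", weeks_needed(pop, 4), "weeks",
              "| eq. 2:", instructors_eq2(pop), "instructors")
```

Applied to the Franklin County figure of 49,640, table3_row gives 47.730769 single-instructor years, which is the 0.961538 years per 1000 of Table 3 scaled up.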
Table 5. Linear number of instructors needed for population

Population | Instructors
1000 | 4
10000 | 40
100000 | 400
1000000 | 4000

Table 5 can be summarized in a very simple linear equation, as in equation 2:

Number of instructors needed = Population * 0.004 ....... (2)

Using this equation for different populations is shown in Table 6.

Table 6. Instructors Required

Location | Population | Instructors Required
KSU | 5000 | 20
State of Kentucky | 4,145,922 | 16583.688
USA | 293,655,404 | 1174621.616

7. DELIVERY METHODS

The final numbers in Table 6 show that:

• These numbers are based on the simple assumption that "the delivery method is the in-class method."
• These numbers are impractical for implementation and beyond reality.
• The need for a more creative awareness program is essential (as an out-class method).

For this, we propose to use some non-traditional (non-class) awareness programs, such as:

1. Dynamic online classes organized in harmony, leading to a nationwide certification program
2. TV programs at the nationwide level
3. Video and CD classes
4. Simple guideline publications

All of these should be carefully prepared, focusing the level of awareness on the general public.

5. CONCLUSIONS

In security assessment, the statement of need is very important to estimate efforts and costs for a future plan. This paper discussed the statement of need for an information security awareness program. The research in this paper is based on two different surveys. The first was on general information security knowledge and the second looked at information security in the following categories:

• Data classification
• Security job role
• Information security awareness program
• Spam and virus knowledge
• Social engineering

After developing a statistical model based on a 100 sample space population, the final results show that, at best, four instructors are needed to run a 12-week information security awareness program for each 1000 of population. The model delivers a very simple function for estimating the number of instructors needed. Furthermore, this paper rejects such "in-class" numbers and suggests a more realistic, efficient program based on "out-class" awareness principles.

6. REFERENCES

[1] NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems
[2] NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook (Handbook)
[3] NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems (Principles and Practices)
[4] NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems (Planning Guide)
[5] http://www.louisville.edu/~easchn01/kentucky/ky pop1.html
[6] http://www.surveysystem.com/sdesign.htm
[7] NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
[8] http://quickfacts.census.gov/qfd/states/21000.html (US state population)
[9] NSTISSI No. 4011, 20 June 1994, National Training Standard for Information System Security (INFOSEC) Professionals
[10] NSTISSI No. 4012, August 1997, National Training Standard for Designated Approving Authority (DAA)
[11] NSTISSI No. 4013, August 1997, National Training Standard for System Administrators in Information System Security (INFOSEC)
[12] NSTISSI No. 4014, August 1997, National Training Standard for Information Security Officers (ISSO)
[13] http://www.iwar.org.uk/comsec/resources/canadaia/infosecawareness.htm
[14] NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
[15] http://csrc.nist.gov/ATE/awareness.html
[16] NIST Special Publication 800-16
[17] Mark Ciampa, Security Awareness: Applying Security in Your World, Course Technology Incorporated, 2004, ISBN 0-619-21312-4
[18] http://nieer.org/resources/policybriefs/9.pdf


APPENDIX A: Tables

Table 1. First Assessment Survey out of 100 Sample Space

Question Sequence | Positive Answers | Negative Answers | Not sure
1 | 4 | 71 | 25
2 | 35 | 63 | 2
3 | 31 | 58 | 11
4 | 32 | 45 | 23
5 | 47 | 38 | 15
6 | 11 | 78 | 11
7 | 57 | 34 | 9
8 | 23 | 26 | 51
9 | 43 | 31 | 26
10 | 6 | 76 | 18
11 | 17 | 22 | 61
12 | 12 | 66 | 22
13 | 33 | 45 | 22
14 | 33 | 48 | 19
15 | 29 | 54 | 17
16 | 61 | 31 | 8
17 | 34 | 57 | 9
18 | 22 | 63 | 15
19 | 33 | 60 | 7
20 | 3 | 77 | 20

Table 3. Results from the first estimation mapped into a larger population with only one instructor

Population | Awareness Education Required | Hours Required | Days Required | Weeks (Single Instructor) | Year Required | Notes
100 | 77 | 120 | 15 | 5 | 0.096154 |
200 | 154 | 240 | 30 | 10 | 0.19231 |
300 | 231 | 360 | 45 | 15 | 0.288462 |
400 | 308 | 480 | 60 | 20 | 0.384615 |
500 | 385 | 600 | 75 | 25 | 0.480769 |
1000 | 770 | 1200 | 150 | 50 | 0.961538 | ≅1 Year
5000 | 3850 | 6000 | 750 | 250 | 5 Year | KSU
10000 | 7700 | 12000 | 1500 | 500 | 10 Year |
100000 | 77000 | 120000 | 15000 | 5000 | 100 Year |
1000000 | 770000 | 1200000 | 150000 | 50000 | 1000 Year |


Table 4. The relationship between the number of instructors and course deliverers

Population | Awareness Education Required | Weeks needed, one instructor | Weeks needed, two instructors | Weeks needed, three instructors | Weeks needed, four instructors
100 | 77 | 5 | 2.5 | 1.666667 | 1.25
200 | 154 | 10 | 5 | 3.333333 | 2.5
300 | 231 | 15 | 7.5 | 5 | 3.75
400 | 308 | 20 | 10 | 6.666667 | 5
500 | 385 | 25 | 12.5 | 8.333333 | 6.25
1000 | 770 | 50 | 25 | 16.66667 | 12.5
5000 | 3850 | 250 | 125 | 83.33333 | 62.5
10000 | 7700 | 500 | 250 | 166.6667 | 125
100000 | 77000 | 5000 | 2500 | 1666.667 | 1250
1000000 | 770000 | 50000 | 25000 | 16666.67 | 12500
