Assessment of Need and Method of Delivery for Information Security Awareness Program

Wasim A. Al-Hamdani, PhD
Division of Computer and Technical Sciences
Kentucky State University
Frankfort, KY 40601
502-597-6728
[email protected]

ABSTRACT

This paper looks at the assessment of the quantity of information security awareness programs needed at Kentucky State University as a first step; the model is then generalized to a larger population. The model is based on various levels of education and a randomly selected sample space, and on two assessments: the first focuses on information security in general, while the second covers the following topics: data classification, security job role, awareness programs, spam and virus knowledge, and social engineering.

The sample space was randomly selected from a population of about 49,640 in Franklin County [5] and the results were then generalized to larger populations. The results show that there is a real need for information security awareness programs for the general public. However, the research also shows that a large number of instructors per 1,000 of population would be needed to start a public information security awareness program. These primary results were examined from two aspects: "in-class delivery" and "out-of-class delivery". The research shows that in-class delivery yields unrealistic numbers, hence the focus must be on out-of-class awareness programs.

Categories and Subject Descriptors

C.2.0 [Computer Communications Networks]: General – Security and protection
D.4.6 [Operating Systems]: Security and Protection – Access controls, Authentication, Cryptographic controls, Information flow controls, Invasive software
H.2.0 [Database Management]: General – Security, integrity, and protection
K.3.2 [Computers and Education]: Computer and Information Science Education – Curriculum, Information systems education
K.6.5 [Management of Computer and Information Systems]: Security and Protection – Authentication, Insurance, Invasive software, Physical security

General Terms
Security

Keywords
Information Security, Information Assurance, Information Security Curriculum, Information Assurance Curriculum, Curriculum Development

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
InfoSecCD Conference'06, September 22-23, 2006, Kennesaw, GA, USA.
Copyright 2006 ACM 1-59593-437-5/00/0006…$5.00.

1. INTRODUCTION

Security has been a technically challenging problem with computers almost from the first instance of their operational use. Networking brought greater security challenges, and the advent of the "network of networks" (the Internet) is bringing even greater ones. Provision of government services over the Internet has become imperative in the Information Age; when governments use the Internet for service delivery, however, security and privacy are fundamental requirements [13].

Risk management is at the heart of information security. A risk assessment should be a fundamental part of the business development process. Part of the risk management challenge is that information systems change quickly, and security risks change just as quickly as new threats, vulnerabilities and attack tools are introduced. As a consequence, a static risk assessment process is no longer sufficient. Risk management must be designed as a continuous process that reacts quickly to change, and to accomplish this it should include elements of real-time assessment and response.

Awareness, as defined in [14], "is not training. The purposes of awareness presentations are simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly." Awareness implies understanding of risks. Internet threats and vulnerabilities are real. In simple terms, the number of vulnerabilities continues to rise, while hacker tools become more powerful and easier to use. At the same time, prevention is much more difficult because the technology changes rapidly. The Internet is a very attractive target for attackers: Internet attacks are easy to accomplish, difficult to detect, hard to trace, and the risk of getting caught is low.

Information security awareness programs could cover the following topics: password construction, password management, authentication, Internet usage, telephone fraud, physical security, e-mail usage and security, private information, virus protection and detection, PC security, software licensing, backups, building access, social engineering, identity theft and home office security [12, 13, 14].

The main purpose of this research is to produce an assessment of the quantity of information security awareness programs needed (as an expected value) in Kentucky. The research is based on a randomly selected sample space drawn from different populations in Franklin County, and is then generalized in the model. The research rests on a single assumption, that of "in-class" awareness programs, meaning that all of the public would have to sit in a class to obtain security awareness knowledge. The research used two different surveys, both on general information security awareness topics. The surveys looked at three levels of knowledge: MANAGEMENT CONTROLS, OPERATIONAL CONTROLS and TECHNICAL CONTROLS. The first assessment focuses on information security as a general issue, while the second is concerned with data classification, security job role, information security awareness programs, spam and virus knowledge, and social engineering. Questions probed various levels of knowledge, such as the existence of an information security policy, understanding of assets, various forms of phishing, and other issues.

The education levels of the population were varied: some respondents had high levels of education and others little; some had information technology backgrounds and others none; some had computer science backgrounds and others none. Targeting different levels of education gives the statistical model a clearer view of the population.

The results show there is a real need for information security awareness and for limited information security training education for the population studied in this research. The surveys were designed using the following criteria: What, Whom, What If and Analyze [6]. More specifically, these criteria mean:

Establish the goals – what you want to learn
Determine the sample – whom you will interview
Create the questionnaire – what you will ask
Pre-test the questionnaire, if practical – test the questions
Analyze the data – produce the reports

The goals for the survey were: How much of the sample space has general knowledge of information risk? Do we need an information security awareness program? What is the basic assessment of this need, if any?

2.1 Organization of the Assessments

2.1.1 First Assessment
The first assessment covered general information security knowledge. Questions were broad in scope and included general statements about security principles, such as: "Phishing is a form of social engineering, characterized by attempts to fraudulently acquire sensitive information, such as passwords and digital signatures." and "E-mail spam is a subset of spam that involves sending out identical messages to thousands (or millions) of recipients." The assessment has 20 questions.

2.1.2 Second Assessment
The second assessment probed information security knowledge in more depth. Some questions had "Yes, No, Do not know" answers, such as "Do you know what Zero Incident Culture is?" Others were multiple choice, such as "Do you know where to report spam?" or "This picture is for: Just a picture, Secure Information Transaction, Start of Spam, Start of Internet, Watches what users do, Do not know". Others were indirect "Yes, No, Do not know" questions, such as "What is your KSU network password?", where disclosing the password is itself the failure being measured. The assessment has 20 questions.

2.1.3 Assessment Delivery
A group of volunteer students distributed 170 copies of each assessment on campus, at one high school and in public places; 130 complete responses were received for each assessment. The two assessments were later mapped to a sample space of 100 (each) for statistical purposes.

2.2 CLASSIFICATION OF ASSESSMENT RESPONSES

The surveys had different forms of questions, some with multiple answers or five levels of answer. At the end, all answers in the two surveys were compiled into Positive, Negative and Don't Know. The last category is later analyzed as a Negative answer, since it identifies a respondent who needs an information security awareness program. For example, a question such as:

Spyware is:
  Hardware
  Software
  Hardware/software
  Software that spies on a computer
  Spies on what a user is doing
  Do not know

is compiled into:

Spyware is:
  Positive Answer
  Negative Answer
  Do not know

and is then analyzed as:

Spyware is:
  Positive Answer
  Negative Answer + Do not know

3. THE FIRST ASSESSMENT

The answers are Positive, Negative or Don't Know. Before analyzing the questionnaire, the sample space frequencies were mapped to a sample space of 100, as shown in Table 1 (see Appendix A). The three categories (Positive Answer, Negative Answer and Don't Know) are shown in Figure 1 (A, B and C).
Figure 1a. Positive answers
Figure 1b. Negative answers
Figure 1c. Don't Know answers

3.1 Analysis of Variance for All Groups

Positive Answer = 566, Negative Answer = 1,043 and Don't Know = 391 out of a sample space of 2,000 answers (20 questions × 100 respondents), with frequencies of 0.283, 0.5215 and 0.1955 respectively. Figure 4 shows the mean points for the three groups. It is clear from Figure 1B that the curve rises exponentially. For an education and awareness program, a "Do Not Know" answer means that the person needs to attend the awareness program (or a refresher) to update his/her knowledge; the Negative and "Do Not Know" answers are therefore combined to justify and size the training. Figure 2 shows the combination of Negative and Don't Know answers; it has the same shape as Figure 1B, an "exponential curve". Figure 3 shows the normal distribution expected for this second group (Negative answers plus Don't Know or Not Sure). Combining the two categories gives a mean Positive answer of 28.3, with Negative = 52.15 and Don't Know = 19.55 (the sum of the latter two is 71.7).

Treating Not Sure as a Negative answer leaves only two variables, Positive Answer and Negative Answer, with counts of 566 and 1,434 respectively. Figure 5 shows the mean points for the two groups. The data are very simple and follow a linear relation, as in equation 1:

Y = A + B*X ..... (1)

Figure 2. Combination of Negative answers and Don't Know (Not Sure) answers
Figure 3. The expected normal distribution for Negative and Don't Know (Not Sure) answers
Figure 4. The mean points for the three groups
Figure 5. The mean points for the two groups

4. SECOND ASSESSMENT

A more detailed statistical survey distributes the questions into five major categories:

• Data classification
• Security job role
• Information security awareness program
• Spam and virus knowledge
• Social engineering

Questions have a variety of levels, such as:

• Do you know where to report spam?
• What is your network password?
• What is redirecting Web traffic?
• Does your organization have an existing security policy?

Some of the questions are listed in section 2.1. The results are summarized in Table 2.

Table 2. The Second Assessment Survey Numbers

Question Type                              Positive   Negative   Don't Know
Data Classification                           11         82         69
Security Job Role                             12         22         18
Information Security Awareness Program        14         13         23
Spam and Virus                                90        186         74
Social Engineering                            35        192         74

5. ASSESSMENT ANALYSES AND ESTIMATION OF EFFORT

Combining the two assessment surveys gives a mean positive value of 23.15 (≅23%) and a combined negative value of 76.8 (≅77%). These results indicate major risks in information security knowledge and education. Before we can estimate the effort, we need to consider: What type of information security awareness is needed? Which sort of information is to be presented? What depth of information security is needed?

Awareness is not training [7]. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize IT security concerns and respond accordingly. In awareness activities the learner is a recipient of information, whereas the learner in a training environment has a more active role. Awareness relies on reaching broad audiences with attractive packaging techniques. Training is more formal, with the goal of building knowledge and skills to facilitate job performance. A few examples of IT security awareness materials and activities are promotional specialty trinkets with motivational slogans; a security reminder banner that appears on the screen when a user logs on; information security awareness videotapes; and posters or fliers.

An information security awareness program (in class) is suggested to cover the following topics [15, 16, 17]: "Introduction to Security Basics, Personal Computer Security, Organizational Security, Internet Security, Network Security, Total Security, Firewalls". Such a syllabus would require about 30 hours of instruction (as a first suggestion); as a compressed course it would need three days (8 a.m. to 12 noon and 1 p.m. to 5 p.m., i.e. 24 contact hours). Table 3 (see Appendix A) shows a simple estimate of the information security awareness effort for the 77% of the population (77 out of 100 people) who need awareness education, according to the suggested syllabus.

6. ESTIMATING THE INFORMATION SECURITY AWARENESS PROGRAM REQUIRED FOR 100 PEOPLE

People needing awareness, out of 100 population    77
Class size (persons)                                15-16
Groups out of 100 (75/15)                           5
Days / course                                       3
Instruction hours                                   120

Days of teaching: 5 groups × 3 days per course = 15 days; at 8 hours per day this is 120 hours of instruction. Five groups of 15 to 16 people cover the 77 who need the course. (A class size of 15 was selected as the best value between the worst-case ratio of 2:15 and the best case of 1:20 [18].)

A normal faculty load is 12 hours of teaching and 10 hours of office work out of a 40-hour week, which amounts to about one course (24 contact hours) per week, with the remaining hours for the preparation of teaching materials. This means one instructor could educate the 77% of a population of 100 in five weeks. Table 3 (see Appendix A) maps this result onto larger populations.

From Table 3, for the example of Kentucky State University (population 5,000), a single instructor delivering an average of one course per week would need five years to complete the information security awareness program. This is unrealistic, because new information security threats appear every month and awareness material should be revised every six months. From Table 3, the Franklin County population of 49,640 would require a single instructor about 47.73 years (2,482 weeks). Table 4 (Appendix A) shows the relationship between the number of instructors and the course delivery time. A breaking point in Table 4 is 12 weeks; this duration is very acceptable for an information security awareness program and its follow-up activities, such as newsletters and posters. Table 5 shows the linear number of instructors needed for a population awareness program.
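The computation described in sections 2.2, 3.1 and 6, as an added Python example (this is not the paper's own code): raw answers are collapsed to Positive / Negative / Don't Know, the 20-question counts of Table 1 (Appendix A) are aggregated with Don't Know folded into Negative, and the section 6 parameters (five groups of 15-16 per 100 people, three 8-hour days per course, one course per instructor-week) are turned into the hours, weeks and instructor counts of Tables 3 to 6. The spyware answer key and the whole-course scheduling variant are assumptions not stated in the paper.

```python
"""Survey-to-staffing pipeline of the paper (added example, not the authors' code)."""
from dataclasses import dataclass
from math import ceil
from typing import Dict, List, Tuple

POSITIVE, NEGATIVE, DONT_KNOW = "positive", "negative", "dont_know"

# Answer key for the spyware item of section 2.2. The paper does not say which
# options it scored as correct, so this mapping is an assumption.
SPYWARE_KEY: Dict[str, str] = {
    "Hardware": NEGATIVE,
    "Software": NEGATIVE,
    "Hardware/software": NEGATIVE,
    "Software that spies on a computer": POSITIVE,
    "Spies on what a user is doing": POSITIVE,
    "Do not know": DONT_KNOW,
}


def classify(answer: str, key: Dict[str, str]) -> str:
    """Map one raw answer to a category. Blank or unrecognised answers count as
    Don't Know: a respondent who could not answer needs the program either way."""
    return key.get(answer.strip(), DONT_KNOW)


# Table 1 (Appendix A): Positive / Negative / Not sure counts per question for the
# 100-respondent sample space of the first assessment.
TABLE_1: List[Tuple[int, int, int]] = [
    (4, 71, 25), (35, 63, 2), (31, 58, 11), (32, 45, 23), (47, 38, 15),
    (11, 78, 11), (57, 34, 9), (23, 26, 51), (43, 31, 26), (6, 76, 18),
    (17, 22, 61), (12, 66, 22), (33, 45, 22), (33, 48, 19), (29, 54, 17),
    (61, 31, 8), (34, 57, 9), (22, 63, 15), (33, 60, 7), (3, 77, 20),
]


@dataclass(frozen=True)
class Aggregate:
    positive: int
    negative: int
    dont_know: int

    @property
    def total(self) -> int:
        return self.positive + self.negative + self.dont_know

    def frequency(self, category: str) -> float:
        return getattr(self, category) / self.total

    def mean_per_question(self, category: str, questions: int) -> float:
        """Mean count per question, the figures quoted in section 3.1."""
        return getattr(self, category) / questions

    def needs_awareness(self) -> float:
        """Section 3.1 rule: Don't Know is treated as Negative, so the share of
        answers calling for the awareness program is (negative + dont_know) / total."""
        return (self.negative + self.dont_know) / self.total


def aggregate(rows: List[Tuple[int, int, int]]) -> Aggregate:
    """Sum per-question counts; every row must add up to the same sample space."""
    sample = sum(rows[0])
    for i, row in enumerate(rows, 1):
        if sum(row) != sample:
            raise ValueError(f"question {i} sums to {sum(row)}, expected {sample}")
    p, n, d = (sum(col) for col in zip(*rows))
    return Aggregate(p, n, d)


@dataclass(frozen=True)
class ProgramModel:
    """Section 6 parameters: 77 of 100 need the course, five groups of 15-16 per
    100 people, three 8-hour days per course, one course per instructor-week."""
    need_fraction: float = 0.77
    groups_per_100: int = 5
    class_size: int = 15
    days_per_course: int = 3
    hours_per_day: int = 8
    courses_per_instructor_week: float = 1.0
    weeks_per_year: int = 52

    def people(self, population: int) -> float:
        return population * self.need_fraction

    def courses(self, population: int) -> float:
        """Linear scaling used by Tables 3 and 4 (5 courses per 100 people)."""
        return population / 100 * self.groups_per_100

    def scheduled_courses(self, population: int) -> int:
        """Assumed variant: whole courses actually timetabled (ceil of people / class size),
        which exceeds the linear figure once partial groups can no longer be ignored."""
        return ceil(self.people(population) / self.class_size)

    def days(self, population: int) -> float:
        return self.courses(population) * self.days_per_course

    def hours(self, population: int) -> float:
        return self.days(population) * self.hours_per_day

    def weeks(self, population: int, instructors: int = 1) -> float:
        """Table 3 (one instructor) and Table 4 (two to four instructors)."""
        return self.courses(population) / (self.courses_per_instructor_week * instructors)

    def years(self, population: int, instructors: int = 1) -> float:
        return self.weeks(population, instructors) / self.weeks_per_year

    def instructors_for(self, population: int, target_weeks: float) -> float:
        """Instructors needed to finish within target_weeks (Table 5, equation 2).
        Four per 1,000 corresponds to a 12.5-week target, which the paper rounds to 12."""
        return self.weeks(population) / target_weeks
```

Run against Table 1 the aggregate returns the 566 / 1,043 / 391 split and the 1,434 collapsed Negative count of section 3.1; `ProgramModel().weeks(100)` gives the 5 weeks per 100 people of Table 3, `weeks(1000, 4)` the 12.5-week breaking point of Table 4, and `instructors_for(p, 12.5)` reproduces the 0.004 constant of equation 2 (16,583.688 for Kentucky). The `scheduled_courses` variant shows the cost of the linear rounding: 1,000 people need 52 timetabled courses, not the 50 the linear model counts.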
Table 5. Linear number of instructors needed per population

Population    Instructors
1,000         4
10,000        40
100,000       400
1,000,000     4,000

Table 5 can be summarized by a very simple linear equation, equation 2:

Number of instructors needed = Population * 0.004 ..... (2)

Using this equation for different populations gives Table 6.

Table 6. Instructors Required

Location             Population     Instructors Required
KSU                  5,000          20
State of Kentucky    4,145,922      16,583.688
USA                  293,655,404    1,174,621.616

7. DELIVERY METHODS

The final numbers in Table 6 show that:

• These numbers rest on the simple assumption that the delivery method is the in-class method.
• These numbers are impractical to implement and beyond reality.
• A more creative awareness program, delivered as an out-of-class method, is essential.

For this, we propose some non-traditional (non-class) awareness programs, such as:

1. Dynamic online classes, organized in harmony, leading to a nationwide certification program
2. Nationwide TV programs
3. Video and CD classes
4. Simple published guidelines

All of these should be carefully prepared, focusing the level of awareness on the general public.

8. CONCLUSIONS

In security assessment, the statement of need is very important for estimating the effort and cost of a future plan. This paper discussed the statement of need for an information security awareness program. The research is based on two different surveys. The first covered general information security knowledge and the second looked at information security in the following categories: data classification, security job role, information security awareness program, spam and virus knowledge, and social engineering. After developing a statistical model based on a sample space of 100, the final results show that, at best, four instructors are needed to run a 12-week information security awareness program for each 1,000 of population. The model delivers a very simple function for estimating the number of instructors needed. Furthermore, this paper rejects such "in-class" numbers and suggests a more realistic, efficient program based on "out-of-class" awareness principles.

9. REFERENCES

[1] NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems.
[2] NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook.
[3] NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.
[4] NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems.
[5] http://www.louisville.edu/~easchn01/kentucky/kypop1.html (Kentucky population).
[6] http://www.surveysystem.com/sdesign.htm
[7] NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model.
[8] http://quickfacts.census.gov/qfd/states/21000.html (US state population).
[9] NSTISSI No. 4011, 20 June 1994, National Training Standard for Information Systems Security (INFOSEC) Professionals.
[10] NSTISSI No. 4012, August 1997, National Training Standard for Designated Approving Authority (DAA).
[11] NSTISSI No. 4013, August 1997, National Training Standard for System Administrators in Information Systems Security (INFOSEC).
[12] NSTISSI No. 4014, August 1997, National Training Standard for Information Systems Security Officers (ISSO).
[13] http://www.iwar.org.uk/comsec/resources/canadaia/infosecawareness.htm
[14] NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program.
[15] http://csrc.nist.gov/ATE/awareness.html
[16] NIST Special Publication 800-16.
[17] Mark Ciampa, Security Awareness: Applying Security in Your World, Course Technology, 2004, ISBN 0-619-21312-4.
[18] http://nieer.org/resources/policybriefs/9.pdf
APPENDIX A: Tables

Table 1. First Assessment Survey out of 100 Sample Space

Question    Positive Answers    Negative Answers    Not sure
1           4                   71                  25
2           35                  63                  2
3           31                  58                  11
4           32                  45                  23
5           47                  38                  15
6           11                  78                  11
7           57                  34                  9
8           23                  26                  51
9           43                  31                  26
10          6                   76                  18
11          17                  22                  61
12          12                  66                  22
13          33                  45                  22
14          33                  48                  19
15          29                  54                  17
16          61                  31                  8
17          34                  57                  9
18          22                  63                  15
19          33                  60                  7
20          3                   77                  20
Total       566                 1,043               391
Table 3. Results from the first estimation mapped onto larger populations with a single instructor

Population    Awareness Education Required    Hours Required    Days Required    Weeks (Single Instructor)    Years Required    Notes
100           77                              120               15               5                            0.096154
200           154                             240               30               10                           0.19231
300           231                             360               45               15                           0.288462
400           308                             480               60               20                           0.384615
500           385                             600               75               25                           0.480769
1,000         770                             1,200             150              50                           0.961538          ≅1 year
5,000         3,850                           6,000             750              250                          ≅5 years          KSU
10,000        7,700                           12,000            1,500            500                          ≅10 years
100,000       77,000                          120,000           15,000           5,000                        ≅100 years
1,000,000     770,000                         1,200,000         150,000          50,000                       ≅1,000 years
Table 4. The relationship between the number of instructors and course delivery time

Population    Awareness Education Required    Weeks (one instructor)    Weeks (two instructors)    Weeks (three instructors)    Weeks (four instructors)
100           77                              5                         2.5                        1.666667                     1.25
200           154                             10                        5                          3.333333                     2.5
300           231                             15                        7.5                        5                            3.75
400           308                             20                        10                         6.666667                     5
500           385                             25                        12.5                       8.333333                     6.25
1,000         770                             50                        25                         16.66667                     12.5
5,000         3,850                           250                       125                        83.33333                     62.5
10,000        7,700                           500                       250                        166.6667                     125
100,000       77,000                          5,000                     2,500                      1,666.667                    1,250
1,000,000     770,000                         50,000                    25,000                     16,666.67                    12,500