Identifying Top Three Problems within an Organization
The first step in building a security awareness organization architecture is to identify the top three user behaviors that present the most risk and vulnerability to the organization. Think about it: if your car broke down on the side of the road with a flat tire, a broken sunroof, and a missing cup holder, are you going to fix the cup holder first? Of course not! The same applies when revamping your security awareness architecture. Start with the biggest problem and then work your way through the list.
The 12 Key Behaviors Analysis
Over the years, when organizations are asked which behaviors cause them the most problems, some unique, and sometimes amusing, answers have come up, but more often than not the answers fall within one of the following 12 categories.
1- Call the help desk more quickly to report a potential problem or possible attack.
2- Properly handle and dispose of PII.
3- Stop visiting unapproved / potentially dangerous sites while at work.
4- Stop using email for abuse or inappropriate purposes.
5- Be more resilient to phishing attacks.
6- Create stronger passwords.
7- Be aware of abnormal or suspicious behavior in the workplace.
8- Be secure when working remotely.
9- Be more aware of mobile device, laptop, and/or tablet security threats.
10- Give out less information online and on social networking sites.
11- Be more aware of secure settings and computer behavior when browsing the internet.
12- Be more aware of shoulder surfing and make sure doors are properly shut behind them.
Each of these categories represents a very real, and very fixable, problem within any organization, but the key is identifying the top three. Identifying the top three enables you to prioritize and get the most out of your efforts rather than trying to take on the whole world at once. Also, some of the smaller problem behaviors may be a side effect of larger issues and will therefore decrease when the larger issue is resolved.
Who To Evaluate
Now that we know what we need to ask, the next question is who has that answer, and how do we make sure we don't get a biased response or get sent on a wild goose chase? For example, imagine that Bob had a horrible experience with identity theft and happens to be the head of IT. When you ask him what the top 3 problems are, you get the following:
1- Properly handle and dispose of PII
2- Give out less information online
3- More resilient to phishing attacks
Later you find that the real issues are:
1- Create stronger passwords
2- More resilient to phishing attacks
3- Call the help desk
This is a problem with any survey-type analysis, but the way to resolve it is to ask more than one person. For the purposes of our task we want to ask the stakeholders. The stakeholders give you an idea of what the top 3 overall (not department-specific) problem behaviors are within the organization. Furthermore, as a group, the influence of one person's bias or bad experience is minimized, giving a more complete overall picture.
Now that the top 3 have been narrowed down, it's time to go to the CISO and ask: (1) why do those problems present a major issue to the company, (2) what is the current training environment doing to address them, and (3) what measurements are in place to gauge the success or failure of those efforts?