2nd Edition
Managing an Information Security and Privacy Awareness and Training Program
Starting with the inception of an education program and progressing through its development, implementation, delivery, and evaluation, Managing an Information Security and Privacy Awareness and Training Program, Second Edition provides authoritative coverage of nearly everything needed to create an effective training program that is compliant with applicable laws, regulations, and policies. Written by Rebecca Herold, a well-respected information security and privacy expert named one of the "Best Privacy Advisers in the World" multiple times by Computerworld magazine as well as a "Top 13 Influencer in IT Security" by IT Security Magazine, the text supplies a proven framework for creating an awareness and training program. It also:
- Lists the laws and associated excerpts of the specific passages that require training and awareness
- Contains a plethora of forms, examples, and samples in the book’s 22 appendices
- Highlights common mistakes that many organizations make
- Directs readers to additional resources for more specialized information
- Includes 250 awareness activity ideas and 42 helpful tips for trainers
Complete with case studies and examples from a range of businesses and industries, this all-in-one resource provides the holistic and practical understanding needed to identify and implement the training and awareness methods best suited to, and most effective for, your organization.
Praise for the Second Edition:
The first edition was outstanding. The new second edition is even better ... the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly.
—NoticeBored.com
Brief History of Corporate Information Security and Privacy Awareness and Training
Once Upon a Time
Welcome to the Information Age
Information Security and Privacy Education
Current Challenges Bring Changes in Professional Education
Why Training and Awareness Are Important
Regulatory Requirements Compliance
Customer Trust and Satisfaction
Compliance with Published Policies
Due Diligence
Corporate Reputation
Accountability
Legal and Regulatory Requirements for Training and Awareness
Awareness and Training Needs
Legal Considerations
Copyright Considerations
Specific Regulatory Education Requirements
Incorporating Training and Awareness into Job Responsibilities and Appraisals
Motivational Factors
Methods of Security and Privacy Objectives Assessments
Performance against Specific Privacy and Security Objectives
Using Appraisal Results
Considering Security and Privacy within Job Performance as a Whole
Paying for Performance
Additional Percentage Element Added to Pay
Challenges
Common Corporate Education Mistakes
Throwing Education Together Too Quickly
Not Fitting the Environment
Not Addressing Applicable Legal and Regulatory Requirements
No Leadership Support
Budget Mismanagement or No Budget
Using Unmodified Education Materials
Information Overload
No Consideration for the Learner
Poor Trainers
Information Dumping
No Motivation for Education
Inadequate Planning
Not Evaluating the Effectiveness of Education
Using Inappropriate or Politically Incorrect Language
Getting Started
Determine Your Organization’s Environment, Goals, and Mission
Identify Key Contacts
Review Current Training Activities
Review Current Awareness Activities
Conduct a Needs Assessment
Create Your Road Map
Elements of an Effective Education Program
Establish a Baseline
Hard Data
Soft Data
Get Executive Support and Sponsorship
Executive Security and Privacy Training and Awareness Strategy Briefing
Provide Examples of Security- and Privacy-Impacting Events
Case Studies
Key Business Leader Information Protection Responsibilities
Identify Training and Awareness Methods
Adult Learning
Training Delivery Methods
Auditorium Presentations to Large Groups
Remote Access Labs
Satellite or Fiber-Optic Long-Distance Learning
Web-Based Interactive Training (such as Webinars)
Audio Instruction
Video and DVD
Workbooks
On-the-Job (OTJ)
Conference Calls
Outsourced Training and Awareness with Professional Educational Services
Education Provided by Professional Societies
Government-Sponsored Training
Awareness Methods
Awareness and Training Topics and Audiences
Target Groups
Mapping Topics to Roles and Target Groups
Standards and Principles
Define Your Message
Customer Privacy
Laws and Regulations
Access Controls
Risk Management
Prepare Budget and Obtain Funding
Obtain Traditional Funding if You Can
Obtain Nontraditional Funding When Necessary
Final Budget and Funding Thoughts
Training Design and Development
Training Methods
Design and Development
Choosing Content
Job-Specific Content and Topics for Targeted Groups
Learning Activities
Training Design Objectives
Awareness Materials Design and Development
Contrasting Awareness and Training
Make Awareness Interesting
Awareness Methods
Awareness Is Ongoing
Developing Awareness Activities and Messages
Monthly Information Security and Privacy Newsletters
Communications
Step 1: Identify Where You Need to Improve, Update, or Create Information Security and Privacy Training and Awareness
Step 2: Obtain Executive Sponsorship
Step 3: Communicate Information Security and Privacy Program Overview
Step 4: Send Target Groups Communications Outlining the Information Security and Privacy Training and Awareness Schedules and Their Participation Expectations
Deliver In-Person Training
What to Avoid in Training
Multinational Training Considerations
Delivering Classroom Training
Tips for Trainers
Visual Aids
Training in Group Settings
Case Studies
Launch Awareness Activities
Step 1: Identify Areas in Which You Need to Improve, Update, or Create Awareness
Step 2: Obtain Executive Sponsorship
Step 3: Communicate the Information Security and Privacy Program Overview
Step 4: Identify Trigger Events
Step 5: Identify Target Groups
Step 6: Identify Your Awareness Methods and Messages
Step 7: Evaluate Changed Behavior
Step 8: Update and Perform Ongoing Awareness Plan for Specific Events
Evaluate Education Effectiveness
Evaluation Areas
Evaluation Methods
Evaluating the Effectiveness of Specific Awareness and Training Methods
Education Effectiveness Evaluation Framework Activities Checklist
Leading Practices
Setting the Standard for Data Privacy and Awareness
Establishing a Security Culture Through Security Awareness
Empirical Evaluations of Embedded Training for Antiphishing User Education
We Are Now the Targets of Thieves!
Risks from Advanced Malware and Blended Threats
Case Study: 1200 Users, 11 Cities in 7 Weeks … and They Wanted to Come to Security Awareness Training
Obtaining Executive Sponsorship for Awareness and Training
Education and Awareness for Security Personnel
Aetna’s Award-Winning Security Awareness Program
Security Awareness Case Study
APPENDICES:
Sample Executive Education Sponsorship Memo
Training Contact Training Data Collection Form
Effectiveness Evaluation Framework
Sample Privacy Roles Definitions
Suggested Privacy Awareness and Training Strategy Announcement as Voice Mail Message
Privacy Icon or Mascot
Sample Privacy Training Survey
Privacy Sample Training Plans
Advocate and SME Interview Questions to Assist with Privacy Training Development
Training and Awareness Inventory
Incorporating Training and Awareness into the Job Appraisal Process Interview/Questionnaire
Sample Customer Privacy Awareness and Training Presentation
Designated Security and Privacy–Related Days
Education Costs Worksheet
Sample Pre-training/Awareness Questionnaire
Security Awareness Quiz Questions
Social Engineering Quiz
Biography
Herold, Rebecca
The first edition was outstanding. The new second edition is even better - an excellent textbook packed with sound advice and loads of tips to make your security awareness program pull its weight.… engaging and stimulating, easy to read yet at the same time thought-provoking. … chock-full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points but they are well structured and succinctly summarize the key points. …an excellent reference text. Extensive appendices (130 pages) include sample awareness materials and plans, a security glossary, various checklist/questionnaires and references. This is the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly.
—NoticeBored.com
This book is remarkable because it covers in detail all the facets of providing effective security awareness training… I can, without reservation, recommend use of this book to any organization faced with the need to develop a successful training and awareness program. It surely provides everything you need to know to create a real winner.
—Hal Tipton, from the Foreword
Rebecca Herold has the answers in her definitive book on everything everybody needs to know about how to impart security awareness, training, and motivation. Motivation had been missing from the information security lexicon until Herold put it there in most thorough and effective ways … She demonstrates that security must become a part of job performance rather than being in conflict with job performance… The power of this book also lies in applying real education theory, methods, and practice to teaching security awareness and training … After reading this book, there is no question about the necessary and important roles of security awareness, training, and motivation.
—Donn B. Parker, CISSP, from the Preface
Rebecca Herold, an independent computer security advisor, knows privacy. Not all security consultants do. In her latest book, Managing an Information Security and Privacy Awareness and Training Program, Herold has collected her best advice.
—Privacy Journal
… perfect for lay and professional audiences, this is a guide not for implementing technical necessities but for getting everybody in an organization on board.
—Journal of Productive Innovation