
CISAM
Certified Information Security Awareness Manager

September 2023

Raj Kumar, CEO of Cyber Intelligence Sdn Bhd

Certified Information Security Awareness Manager (CISAM), 4-5 March 2024

Copyright © 2020 CyberSecurity Malaysia

Copyright Statement

The copyright of this training program material, which may contain proprietary information, is the property of CyberSecurity Malaysia. The training program material should not be disclosed, copied, transmitted or stored in an electronic retrieval system, or published in any form, either wholly or in part without prior written consent.

© CYBERSECURITY MALAYSIA, 2021
Registered office: Level 7, Tower 1
Menara Cyber Axis
Jalan Impact
63000 Cyberjaya, Selangor
MALAYSIA
Registered in Malaysia – Company Limited by Guarantee
Company No. 726630-U

Disclaimer

The information, related graphics, materials and others contained in this training program material is for training purposes only. While we strive to keep the information up-to-date and correct at all times, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information, or related graphics contained herein for any purposes. Hence, any reliance you place on such information, products, services, related graphics and others is therefore strictly at your own risk. All such information, products, services, related graphics and others are provided "as is" without warranty of any kind. CyberSecurity Malaysia hereby disclaims all warranties and conditions with regards to the information, products, services, related graphics and others mentioned. In no event will CyberSecurity Malaysia be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits resulting from the use or in any way connected with the use of these documents.

This training is presented in partnership between

• Mobile devices in silent mode
• Active participation in the lab sessions & group activities required
• Break times will be advised

Introduction To The Course

Session 1

Course Objectives

• Identify the current state of your organization's awareness and competence levels.
• Build and maintain a comprehensive awareness and competence program, as part of an organization's information security program.
• Identify awareness, training and competence needs, develop a training plan, and get organizational buy-in for the funding of awareness and competence program efforts.
• Study and select awareness topics and identify competence requirements.
• Develop and implement awareness materials in various formats.
• Evaluate the effectiveness of the program.
• Understand and overcome the obstacles to success.
• Create an effective social engineering assessment program.

Exam Information

• 30 multiple choice questions
• 1 hour 10 minutes exam duration
• 70% passing mark
• Candidate will be awarded Certified Security Awareness Manager (CISAM) upon passing

Course Schedule - Day 1

Time | Session # | Session Title | Session Type
8.00am - 9.00am | - | Registration | -
9.00am - 10.15am | 1 | Introduction to the Course | Lecture, discussion, brainstorm & exercise
9.00am - 10.15am | 2 | What is Awareness? | Lecture, discussion, brainstorm & exercise
9.00am - 10.15am | 3 | The Human Factor in Information Security Risk | Lecture, discussion, brainstorm & exercise
10.15am - 10.30am | - | Coffee Break | -
10.30am - 12.30pm | 4 | The Solution Model to Reduce Information Security Risks Due to Human Factor | Lecture, discussion, brainstorm & exercise
10.30am - 12.30pm | 5 | The Plan Stage: Building a Persuasive Business Case | Lecture, discussion, brainstorm & exercise
12.30pm - 1.30pm | - | Lunch Break | -
1.30pm - 3.15pm | 6 | The Plan Stage: Measuring Current Levels & Conducting Needs Assessment | Lecture, discussion, brainstorm & exercise
1.30pm - 3.15pm | 7 | The Strategize Stage: Qualities of a Good Awareness Management System | Lecture, discussion, brainstorm & exercise
3.15pm - 3.30pm | - | Coffee Break | -
3.30pm - 5.00pm | 8 | The Strategize Stage: Strategies for Awareness Creation & Behaviour Modification | Lecture, discussion, brainstorm & exercise

Course Schedule - Day 2

Time | Session # | Session Title | Session Type
8.00am - 9.00am | - | Registration | -
9.00am - 10.15am | 9 | The Strategize Stage: Communication & Commitment Plan | Lecture, discussion, brainstorm & exercise
9.00am - 10.15am | 10 | The Strategize Stage: Define Indicators for Measurement | Lecture, discussion, brainstorm & exercise
10.15am - 10.30am | - | Coffee Break | -
10.30am - 12.30pm | 11 | The Execute Stage | Lecture, discussion, brainstorm & exercise
10.30am - 12.30pm | 12 | The Measure & Adjust Stage | Lecture, discussion, brainstorm & exercise
12.30pm - 1.30pm | - | Lunch Break | -
1.30pm - 3.15pm | 13 | Obstacles to Success | Lecture, discussion, brainstorm & exercise
1.30pm - 3.15pm | 14 | How to Make End-Users Like & Follow Information Security | Lecture, discussion, brainstorm & exercise
3.15pm - 3.30pm | - | Coffee Break | -
3.30pm - 5.00pm | 15 | Simulated Phishing Attack | Lecture & demo
3.30pm - 5.00pm | - | CISAM Exam | Online

What is Awareness? (and what it is not?)

Session 2

Awareness: A Definition

Awareness is the "what" component of the education strategy of an organization which tries to change the behaviour and patterns

Awareness vs Training

• Awareness is not training
• The purpose of awareness is simply to focus attention on security
• Awareness is intended to allow individuals to recognise information security concerns and respond accordingly
• Awareness relies on reaching broad audiences with creative packaging techniques
• Training is one of the "how" components to implement security
• Training is more formal, having a goal of building knowledge and skills to facilitate the job performance

Awareness vs Behaviour

Example of Awareness:

"I passed the driving test and so I know the driving rules"

Awareness vs Behaviour

Example of Behaviour:

Does that make you a safe driver?

Awareness vs Behaviour

Awareness: I Know
Behaviour: I Do

Behaviour = Practice / Competence

Case Study: Awareness Alone is Not Enough

Client Profile

• Type of industry: Retail
• No of employees: 5,000
• Position: Market leader
• Type of information handled: Customer data, intellectual property, credit card information & etc
• Spending on information security awareness: USD75k per annum

Case Study: Awareness Alone is Not Enough

What they told the employees:
• Sharing of company / customer information is wrong
• Sensitive information must be safeguarded
• Employee ID cards must be worn and displayed at all times

What the employees were doing:
• Customer records were leaked to competitors
• Salary information of top executives was given to headhunters
• Printouts containing sensitive information were seen lying unattended
• Employees were not wearing ID cards and tailgating was the norm

Case Study: Problem Analysis

Visibility and Clarity

When you have too many rules, it gets complicated

Let's Listen To Employees

Poster: "Don't Share Passwords"

Employee: "Which password? Network, email, desktop, Facebook…???"

Poster: "Protect Sensitive Information"

HR Manager: "I don't think I handle any sensitive information"

More Reactions…

• "It takes 48-96 hours to get a password reset – What should I do, not do my work?"
• "I get these annoying "Security Screen Savers" every 90 seconds. Why so much overkill?"
• "We have 100 new employees every month, whereas the security training is once in 6 months. How will you handle these "unaware" employees?"

Sticking a Few Posters Doesn't Make a Difference in the Long Run

The poster near the water cooler is great for 2 weeks

Then it BLENDS into the environment

So What Went Wrong?

Question 1

I am responsible for information security awareness. How do people perceive me?

Question 2

Information Security??????

How does your workforce perceive information security? Positively or negatively?

Question 3

Do you step into your employees' shoes?

Question 4

Do you engage in instructions or dialogues?

Analyze this…

"It's our 10th anniversary & the wife is so happy with the diamond ring #habib #anniversary #ilovemywife"

Analyze this…

Do you know who your child's online friends are?

Analyze this…

Are you aware of your surroundings when accessing company sensitive information?

Analyze this…

Shred all papers that contain sensitive information before disposing

Analyze this…

Hi,
I run a Windows 2008 Server, Service Pack 1.0, with MS SQL 2008 for my external web apps. I am having a problem with …… and I have installed patch 1.2.3. Can someone help me?

Andy Jones
Sys Admin
ACME Inc.

So Why Do People Make Such Mistakes?

• Lack of awareness
• They think it is safe (perception)
• Poor attitude / behaviour

Let's Have a Debate

Position 1: "Humans will always fail. Let us focus on getting fail-proof technology."

Position 2: "Technology will always fail. Let us focus on getting humans fail-proof."

Technology, Process & People

(Diagram: Information at the centre of Technology, Process and People)

Technology & process are just as good as the people that use them

So What Are We Going to Do?

1. Make users "trust" information security as a valuable and useful business requirement
2. Make users "trust" the information security team
3. Make users "behave responsibly" with information

How will you do it?

Through a powerful information security awareness & behaviour management program

Lab 1 (15 Minutes)

1. List down at least 5 shortfalls of your current security awareness program in your organization.
2. Propose how the security awareness program can be improved for every shortfall identified.

Summary of Session 2

What did we learn?

1. Difference between awareness & training
2. Difference between awareness & behaviour
3. Awareness alone is not enough
4. Technology & process alone can't solve security issues
5. Why do people make security mistakes?

The Human Factor In Information Security Risks

Session 3

Behavioral Factors

(Diagram: Poor Security Behaviour at the centre, surrounded by its contributing factors)

• Curiosity
• Self Preservation
• Obedience / Fear
• Inconvenience
• Carelessness / Poor Attitude
• Lack of Awareness
• Poor Infrastructure

Brainstorming Session

Listen to the HR Manager

"We use a spreadsheet to process salaries and it is password protected. If this password is not shared no one will get the salaries including the CEO."

An Executive

… has left some printouts unattended for a few hours. The printouts contain some confidential details of the new IT infrastructure plan of the company

An IT Admin Answering the Manager's Call

Manager: "Excellent job on the ERP integration. Can I have the admin login to verify certain things myself…"

Subordinate: "Sure, the login credentials are…"

An Employee Receiving Email from "Her Bank"

Employee: "Oh no I need to quickly click on the link to prevent my money from being stolen"

The email:

Dear Valued Customer,
We believe that someone was trying to access your online banking account without authorization. Please click here to reset your password.
Thank you,
YOUR TRUSTED BANK

Let's Discuss

Does Culture Impact Human Approach Towards Information Security?

(5 minutes)

Lab 2 (15 Minutes)

Watch the Mr Brown video and identify:

1. The factors that led to the compromise of the company's information security
2. The root human behaviours that led to the compromise of the company's information security

Summary of Session 3

What did we learn?

1. Human (behavioural) factors in information security risks
2. Sample instances of behavioural factors playing a role in information security
3. Discussion on cultural impact

The Solution Model to Reduce Information Security Risks Due to Human Factor

Session 4

A Security Awareness & Behaviour Management Model

(Cycle: PLAN → STRATEGIZE → EXECUTE → MEASURE & ADJUST → PLAN)

PLAN: Management buy-in. Establish team and priorities. Identify needs. Measure current levels.
STRATEGIZE: Develop strategies. Design and develop content.
EXECUTE: Deliver the awareness plan.
MEASURE & ADJUST: Conduct evaluation. Collect feedback. Modify and adjust for continuous improvement.

The Plan Stage

• Establish project team and assign responsibilities & priorities
• Measure current levels & conduct needs assessment
• How?
  1. Choose project team and steering committee
  2. Build business case, cost benefit analysis, ROI & etc
  3. Obtain management support
  4. Define the target group
  5. Measure current level of security awareness and behaviour (competence) or conduct needs assessment

The Strategize Stage

• Design & develop high quality awareness content relevant to the organization
• For awareness management:
  1. Coverage
  2. Format & visibility: verbal, paper & electronic
  3. Frequency
  4. Quality of content
  5. Communication & commitment plan
• For behaviour management:
  1. Motivational strategies
  2. Enforcement / disciplinary strategies
• Define indicators for measurement

The Execute Stage

• Having an execution plan
• Efficiency
• Collection of feedback
• Confirmation of receipt

The Measure & Adjust Stage

• Measurement strategy
  1. Use the selected Security Metrics
  2. Define sample size
  3. Measurement methods
     ✓ For awareness: interviews, surveys, quizzes, mind-map sessions
     ✓ For behaviour: observation, data mining, log review, review of incident reports, simulated social engineering
  4. Reasonable limitations
  5. Behaviour may not always be visible
• Modify & adjust the plan & strategies for continuous improvement
• Relaunch the program

Summary of Session 4

What did we learn?

1. The solution model and the 4 stages: Plan - Strategize - Execute - Measure & Adjust
2. The key components of each stage

The Plan Stage - Building a Persuasive Business Case

Session 5

Some Questions to Ponder

1. Is ISO 27001 only for IT companies?
2. Can you give examples of non-IT companies that have implemented ISO 27001?
3. What is the benefit of ISO 27001 for non-IT companies?

A Case Study & Discussion

Can we implement ISO 27001 for a nasi lemak shop?

A Case Study

(Diagram: the information a nasi lemak shop owner needs to protect)

• The Secret Recipe
• Where am I opening my next shop?
• What is my annual revenue forecast?
• Who is my raw materials supplier? Supplier A: at what price? Supplier B: at what price?
• What are my costs to deliver the best nasi lemak in town?

Business Case

Should show the management the qualitative and business benefits of awareness programs, e.g.:

• Cost-benefit analysis
• ROI study
• Feasibility study
• Project proposal & charter
• Case studies & in-house security incident statistics
• Project funding request

Business Benefits

• Comply with confidentiality, availability, integrity, privacy and security standards
• Defend the organization from information leakage
• Enforce mandatory organisation-wide security policies
• Provide both a focal point and a driving force for a range of awareness, training and educational activities relating to information security, a few of which are already in place but are not well coordinated or particularly effective
• Preserve corporate reputation, which is a valuable business asset

Steering Committee

• Should be driven by the security or HR team
• Team of 5 - 10 volunteers to help plan, execute and maintain the program
• These volunteers should also be the ambassadors
• Have mix of departments and roles - HR, Procurement, Facilities, Finance, BU & etc
• Able to dedicate time to work on the program

Stakeholder Analysis

Name | Importance | Current Commitment Level | Target Commitment Level | Engagement Strategies
Chief Executive Officer | High | High | High | Keep briefings short and to the point, concentrate on value to organization.
Chief Security Officer | High | High | High | Show value of project, compliance and project management; keep briefings and communications short and efficient.
Legal / Audit | Medium | Medium | Medium | Interested mainly in compliance.
Marketing / Communications | Medium | Blocker | Medium | This group is key to successful communication. Coordinate with them early to ensure we are following corporate communication policy.
Human Resource | Medium | Low | Medium | Explain value on how you can help educate people on policies. HR important for initial hire training.
NOC / SOC / Helpdesk | Low | Medium | Medium | Coordinate with them ahead of time, get them on the Steering Committee as they will be the primary interface between employees/contractors and any security related questions or reporting.

Costing

How to obtain the budget? (varies greatly from one organization to another):

• A percentage of the corporate training budget
• A percentage of the IT budget
• A percentage of each BU's budget based on the number of personnel
• Allocation of a set amount per user according to the role and the participation within the program
• Allocation of a set amount regardless of the awareness goals and objectives
• Explicit allocations based on the defined awareness goals and objectives

Costing - If Budget is Already Allocated

• It may be necessary to reassess the feasibility of the defined goals & objectives.
• With an insufficient budget, some of the goals & objectives may have to be curtailed.
• Priority should be given to those goals & objectives which were identified as critical for the program.
• Eventually, it may be considered asking for additional funding.

Costing - Prepare the Budget

• Cost will vary greatly from one organization to another, e.g. availability of supporting assets, previous projects & so on
• Table in the next slide contains some of the most common cost elements…

Item | Description | Cost (RM)
Personnel | Personnel working on the information security awareness initiative. Whether they are full or part-time depends largely on the size of the organisation and the importance of information security relative to other priorities | 120,000.00
Operational Cost | The operational costs include rent, website maintenance & etc - information security awareness materials, posters, briefing papers, office miscellaneous materials | 100,000.00
Advertisement & Promotions | Branded coasters, pens, prizes for information security tests, quizzes and competitions, coffee for brown-bag meetings and so on (promo material & distribution costs; rewards & prizes costs; advertisement creative cost; advertisement media cost) | 30,000.00
Training | In the event an organisation organises awareness training sessions: individual materials cost | 1,000.00
Training | In the event an organisation organises awareness training sessions: training rooms cost per session | 800.00
Contingency | Further funds may be needed to purchase additional security awareness materials, external training courses and so on (20% of total) | 50,360.00
Total Budget | | 302,160.00

Cost Benefit Analysis

Investment Rationale - To increase the effectiveness in daily operations by lowering the costs related to time spent on corrective controls, per annum

Projected Costs
One-Time Cost | RM302,160.00
External Cost for Training During Project | -
Cost of Employee Time for Training (120 Minutes / Employee / Annum) | RM120,000.00
Project Duration (Months) | 12 Months
Recurring Cost After Project | RM150,000.00

Projected Benefits
Current Average Total Cost for Corrective Controls (per Annum) | RM1,200,000.00
Expected Improvement (%) | 22%
Cost Reduction in Corrective Controls (per Annum) | RM264,000.00
Improvement Period (Months) | 24 Months

Critical Success Factors

1. Top management support
2. Baseline needs to be determined before implementing or re-launching a program
3. Programs will fail if they don't reach the target audience
4. Getting publicity is vital, it will multiply the impact by increasing the number of people who hear / see the message
5. Programs will fail if they are counter to organisational culture
6. Demonstrate how well security awareness efforts are working

Project Charter

• Project Title
• Project Manager
• Project Sponsor
• Estimated Costs
• Finalize Plan Date
• Program Launch Date
• Project Scope
• Project Goals
• Project Objectives
• Project Justification
• Key Milestones
• Assumptions & Constraints
• Critical Success Factors

Preparation for Lab Sessions

Pick a company

Lab 3 (20 Minutes)

1. Identify 5 business benefits in having an information security awareness program in your organization
2. Prepare a high-level project charter for an information security awareness program

Summary of Session 5

What did we learn?

1. Building a business case
2. Cost-benefit analysis
3. Identifying business benefits, steering committee & stakeholders
4. Project charter

The Plan Stage - Measuring Current Levels & Conducting Needs Assessment

Session 6

WHO: Defining Target Group

(For lab activity 4)

1. Determining who is the target of the awareness program
2. Different targets may require different awareness training:
   • General Employees
   • IT Staff
   • Senior Management
   • Janitors / Guards & etc
   • Vendors / Contractors

Target Group Analysis

1. It is necessary to identify specific target groups with similar interests and priorities.
2. Once identified, research should be conducted to understand each group's:
   • Level of awareness of information security issues.
   • Level of behaviour in handling information assets.
   • The purposes for which they use ICTs.
   • Key concerns.
   • Where they currently receive information.

Sample Steps in Conducting a Target Group Analysis

Identify Target Groups: Target groups are those that are impacted by, or can influence, the level of awareness of information security issues.

Understand the Situation: A target group might be concerned about the impact on its organisation, loss of control, etc.

Assess Level of Awareness: Assign High (H), Medium (M) or Low (L) ratings reflecting each target group's level of awareness of information security issues and knowledge of solutions.

Assess Level of Behaviour: Assign High (H), Medium (M) or Low (L) ratings reflecting each target group's level of behaviour towards information assets.
How to Measure Awareness Levels?

• Baseline assessments / Quizzes
• Surveys
• Interviews
• Online / Internet searches
How to Measure Behaviour Levels?

• Observations
• Simulated social engineering assessments
• Data mining
• Review of logs
• Incident review
• Early-morning walk-through
Lab 4 (20 Minutes)

Identify 3 target groups in your organization and fill in the other attributes based on the table below:

Target Group Name: Employee / Vendor / ITD / Senior Management
Description: Description of the group
Why: Why is this group targeted?
Assess Level of Awareness: Assign High (H), Medium (M) or Low (L) ratings reflecting the target group's level of awareness of information security issues and knowledge of solutions
Assess Level of Behaviour: Assign High (H), Medium (M) or Low (L) ratings reflecting the target group's level of behaviour towards handling information assets
Location: Where is this target group located?
Unique Requirements: Language / culturally sensitive
When: When the program will be deployed, and its duration
Lab 5 (15 Minutes)

1. Create 5 survey questions to measure the current level of your organization's information security awareness.
2. Question types must be:
   ✓ Multiple choice
   ✓ Yes / No
   ✓ Multiple answers
Sample Survey

http://humanrisksurvey.securityelevate.com

This survey can be used by anyone to gauge the human risk level of an individual. The survey questions are quite generic; you can use them as a basis to customize a survey for your business.
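A baseline survey is only useful once its answers are turned into the H/M/L awareness rating that the target group analysis asks for. The script below is an added example and is not part of the CISAM material or the linked survey. It scores the three question types required in Lab 5 (multiple choice, yes/no, multiple answers), averages the scores per target group and maps the average to High / Medium / Low. The question bank, the respondent data and the rating thresholds (80% and 50%) are constructed assumptions; multiple-answer questions only score when the exact set of correct options is chosen, so "select everything" does not earn credit.

```python
"""Score a baseline awareness survey and rate each target group H/M/L.

Added example; not part of the CISAM material. Question types follow Lab 5
(multiple choice, yes/no, multiple answers) and the H/M/L rating follows the
target group analysis steps. The thresholds (>=80% High, >=50% Medium) and the
sample questions/responses are assumptions constructed for this example.
"""
from collections import defaultdict
from statistics import mean

# Constructed question bank. For "multi" questions the respondent must pick all
# correct options and no wrong ones to score the point (partial credit would
# reward guessing "select everything").
QUESTIONS = {
    "q1": {"type": "choice", "answer": "b"},        # e.g. "Which is a sign of phishing?"
    "q2": {"type": "yesno", "answer": False},       # e.g. "Is sharing your password OK?"
    "q3": {"type": "multi", "answer": {"a", "c"}},  # e.g. "Which of these are strong passwords?"
    "q4": {"type": "choice", "answer": "d"},
    "q5": {"type": "yesno", "answer": True},
}

HIGH_THRESHOLD = 0.80    # assumption: >= 80% correct -> High awareness
MEDIUM_THRESHOLD = 0.50  # assumption: >= 50% correct -> Medium, otherwise Low


def score_answer(question, response):
    """Return 1 if the response is correct for this question type, else 0."""
    qtype, answer = question["type"], question["answer"]
    if response is None:
        return 0  # an unanswered question counts as wrong, not as skipped
    if qtype == "choice":
        return int(response == answer)
    if qtype == "yesno":
        return int(bool(response) == answer)
    if qtype == "multi":
        return int(set(response) == answer)  # exact match of the option set
    raise ValueError(f"unknown question type {qtype!r}")


def score_respondent(responses, questions=QUESTIONS):
    """Fraction of questions answered correctly by one respondent (0.0 to 1.0)."""
    correct = sum(score_answer(q, responses.get(qid)) for qid, q in questions.items())
    return correct / len(questions)


def rate(score):
    """Map a group's mean score to the H/M/L rating used in target group analysis."""
    if score >= HIGH_THRESHOLD:
        return "H"
    if score >= MEDIUM_THRESHOLD:
        return "M"
    return "L"


def rate_target_groups(submissions, questions=QUESTIONS):
    """submissions: list of (target_group, responses). Returns {group: (mean, rating, n)}."""
    by_group = defaultdict(list)
    for group, responses in submissions:
        by_group[group].append(score_respondent(responses, questions))
    return {g: (round(mean(s), 2), rate(mean(s)), len(s)) for g, s in by_group.items()}


# Constructed sample submissions for three target groups, as in Lab 4.
SAMPLE_SUBMISSIONS = [
    ("IT Staff", {"q1": "b", "q2": False, "q3": ["a", "c"], "q4": "d", "q5": True}),
    ("IT Staff", {"q1": "b", "q2": False, "q3": ["a"], "q4": "d", "q5": True}),
    ("General Employees", {"q1": "a", "q2": False, "q3": ["a", "b", "c"], "q4": "d", "q5": True}),
    ("General Employees", {"q1": "b", "q2": True, "q3": ["c"], "q4": "a", "q5": True}),
    ("Vendors / Contractors", {"q1": "a", "q2": True, "q3": ["b"], "q4": "c"}),
]

if __name__ == "__main__":
    for group, (avg, rating, n) in rate_target_groups(SAMPLE_SUBMISSIONS).items():
        print(f"{group:22s} n={n} mean={avg:.2f} awareness={rating}")
```

With the constructed data the IT Staff group rates H, General Employees M and Vendors / Contractors L; the thresholds are the part to adjust to your own baseline before trusting the ratings.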
Summary of Session 6

What did we learn?

1. Ways to conduct target group analysis
2. How to measure awareness & behaviour levels
3. How to create a human risk survey
The Strategize Stage - Qualities of a Good Awareness Management System

Session 7
Coverage

• Identify the target workforce / group
• Tolerable deviation – what percentage of the workforce must receive the training
• Set realistic expectations
Format & Visibility

1. Format – Different types of information security awareness content
2. Visibility – Channels through which the content is delivered

Format: Visibility
Verbal: Live training sessions, video conferences
Electronic: Email, intranet, posters, social media
Paper: Posters, cards, quizzes, surveys, etc.
Frequency

1. Gap between 2 awareness deliveries
2. Critical success factor - the gap should be minimal

Which is more effective - drip irrigation or spraying a lot of water once a day?
Quality of Content - Impact Visualization

Show the impact of poor security awareness & behaviour to the "non-information security" professional.
Quality of Content - Business Relevance

(Cartoon caption: "Oh no, my business is held responsible if I install this pirated software on this PC.")

Show the impact of poor security awareness & behaviour to the "non-information security" professional.
Quality of Content – Clarity & Ease

(Cartoon: one reader says "Email security policy.. 5 quick tips.. this is so cool"; the other says "So the email security policy is…….. 6 pages long huh??")

Keep it very simple.
Quality of Content - Cultural Factors

Language or terms used, colour and design, character representation.
Lab 6 (20 Minutes)

1. Choose one topic & create an awareness poster:
   • Phishing
   • Strong password
   • Tailgating
   • Malware
   • Clear desk
2. Create a storyboard for an awareness video on the topic that you chose.
Lab 6 - Poster Template

(Blank poster template; the image is not reproduced in the extracted text.)
Summary of Session 7

What did we learn?

1. Qualities of a good awareness program:
   • Coverage
   • Format
   • Frequency
2. Quality of content:
   • Impact visualisation
   • Business relevance
   • Clarity & ease
   • Cultural factors
The Strategize Stage - Strategies for Awareness Creation & Behaviour Modification

Session 8
Objectives

Define strategies for:
1. Awareness creation
2. Behaviour modification
Effective Awareness Training Plan

About 180 Minutes of Awareness Training in a Year (the rows below total 176 minutes)

Awareness Format / Type: Duration
Induction (classroom / e-Learning): 30 minutes (1 time a year)
Short videos: 4 videos x 5 minutes (4 times a year)
Digital posters / e-newsletters: 12 x 5 minutes (12 times a year)
Short quizzes: 12 x 3 minutes (12 times a year)
Assessments (baseline / final): 2 x 5 minutes (2 times a year)
Phishing assessment: 4 x 5 minutes (4 times a year)
How to Change Behaviour?
Debate

Awareness can be created using high quality content and training, but how can you change behaviour?
How Can You Change Behaviour?

"What will happen to me if I don't comply with the information security requirements of the company?"

"All behaviour is learned through the consequences that follow. If a person likes the consequence, the behaviour will be repeated; if a person does not like the consequence, the behaviour is less likely to be repeated."
Consequences

1. Quality of life
2. Money
3. Time
4. Inconvenience
Security Trade-Off vs Inconvenience

(Diagram: Security Trade-Off plotted against Personal Inconvenience.)
Security Trade-Off vs Cost

Enforcement or Cost:
• Quality of Life
• Career
• Money
• Time

(Diagram: Security Trade-Off plotted against Enforcement (Cost).)
Creating the Right Balance

(Diagram: a balance between Motivational Strategies and Disciplinary Strategies.)
Summary of Session 8

What did we learn?

1. Awareness criterion & behaviour criterion
2. Effective awareness training plan
3. How to change behaviour?
4. Consequences & security trade-offs
End of Day 1

Thank You
The Strategize Stage - Communication & Commitment Plan

Session 9
Develop Communication Plan

1. Communication is crucial for the success of any awareness program.
2. The communication & commitment curve (figure not reproduced in the extracted text) shows the importance of communication in achieving the goals.
The Basics of Effective Communication

1. Reach out to as broad an audience as possible.
2. Do not be alarmist or overly negative about a situation.
3. The goal of any awareness-raising initiative should be to change the target group's behaviour in a positive way.
4. The message delivered, the channels used and the sender of the message must be influential and credible; otherwise the target group may be less inclined to listen.
5. The target groups obtain information from a variety of sources. To engage them successfully, more than one communication channel must be used.
6. Ensure the initiative is flexible and adaptable.
Channels of Communication

Brochure / Magazine
  Advantages: a) Easier to define message content & format. b) Allows for careful study of the content by the target group. c) Established audiences can be reached.
  Disadvantages: a) Not a static source of information, as material could be lost. b) May only appeal to a select target group.

Comic
  Advantages: a) Instant appeal to certain target groups like the young. b) Message content can be more abstract in nature.
  Disadvantages: a) Difficult to incorporate messages with more detail. b) May only appeal to a select target group.

CBT / e-Learning / Online Training
  Advantages: a) Enables training over geographically dispersed areas. b) Message content can be more detailed.
  Disadvantages: a) Can be expensive to create training programmes. b) Implies the trainee already has some technical knowledge.
Channels of Communication (continued)

Email
  Advantages: a) Relatively cheap channel to target a mass audience. b) Allows the target group to digest the information in their own time.
  Disadvantages: a) Your intended audience may not attend to it. b) Not a proactive channel; the target group is expected to participate. c) Does not reach those without email.

Leaflet / Fact Sheet
  Advantages: a) Can provide a lot of information. b) Cost effective to produce.
  Disadvantages: a) Need to organise distribution channels so your leaflets get to the right audience. b) Not a static source of information, as material could be lost.

Poster
  Advantages: a) Can be attention-grabbing due to size and format. b) Information can be universally available when put up on walls.
  Disadvantages: a) With an abundance of information material, the message may be overlooked. b) Must always be updated to keep it engaging.
Channels of Communication (continued)

Screensaver
  Advantages: a) Places information on the computer, so users are likely to see it.
  Disadvantages: a) Requires development. b) Inexperienced users may be unable to install it. c) Does not reach those without computers.

SMS
  Advantages: a) Message content can be delivered straight to the target group, ensuring visibility.
  Disadvantages: a) Need to work with a telecoms provider. b) Effective channel to alert the target group to dangers, but not to raise awareness, due to the limited content. c) Can be very expensive.

Classroom Training
  Advantages: a) Has more chance of interesting the audience due to the interactive element of the channel. b) Content of the message can be more detailed and customised.
  Disadvantages: a) Not a proactive channel; the target group is expected to participate. b) Cannot really reach a mass audience due to the resources and logistics involved.
Channels of Communication (continued)

Video - DVD / VCD
  Advantages: a) Allows for creative freedom with the awareness message. b) The professionalism of the channel, if implemented correctly, could help reinforce the message.
  Disadvantages: a) May not reach a technologically naïve audience.

Website
  Advantages: a) Can be updated to reflect changes. b) Can present content for multiple audiences. c) Can easily link to other information.
  Disadvantages: a) May not reach a technologically naïve audience. b) Implies the trainee already has some technical knowledge. c) Not a proactive channel; with the wealth of websites and information available on the Internet, the message may get overlooked.
Define Communication Objectives

1. Information security communications should effectively involve, enroll and communicate with all key target groups to support successful awareness raising.
2. Objectives could be:
   • Promote the vision for network and information security and its benefits across the organization;
   • Actively involve and engage all identified target groups;
   • Provide affected target groups with an understanding of the information security issues and what those issues will mean to them;
   • Provide an opportunity for target group members to ask questions and address concerns;
   • Build energy and momentum to support the creation of the new learning environment.
Sample Communication Goals & Channels

Goals: Generate Awareness | Create Understanding | Develop Knowledge | Engage in Solutions

Target groups: each of Group 1, Group 2 and Group 3 is marked against three of the four goals (which three is not recoverable from the extracted slide).

Channel Type:
  Generate Awareness: Website, Email, Newsletter
  Create Understanding: Presentations, Meetings, Conferences
  Develop Knowledge: Workshops, Face-to-Face, Seminars
  Engage in Solutions: Workshops, Q&A Sessions
Choosing the Awareness Topics

1. Identify the topics related to information security that are critical for the organisation and the target audience.
2. Following are some of the topics:
   • Information security policies and procedures.
   • Workstation security.
   • Website policies.
   • Asset management (e.g. USB flash drives, printing devices, PDAs, mobile phones).
   • Social engineering.
   • Third-party and partner security.
   • Information classification and controls.
   • Incident response.
   • Email security.
Identifying Learning Objectives

Topic: Password protection
Target Group: All employees / Contractors / vendors
Background: Although news of computer crimes highlights the use of sophisticated tools or techniques, the fact of the matter is that poor passwords are major contributors to the holes in information security efforts. In this module, the learners will be introduced to best practices in creating and maintaining strong passwords.
Learning Objectives:
  1) Learners can explain the difference between a weak and a strong password.
  2) Learners understand the risks of sharing passwords with other users.
  3) Learners understand the risks of using the same password for access to systems with different levels of classification/sensitivity.
  4) Learners understand that passwords should never be communicated over the phone, e-mail, etc. to ANYONE.
Mapping Topics with Target Group

Topic: TG 1 | TG 2 | TG 3 | TG 4 (an "x" marks a topic assigned to a target group; the number of marks per topic survived the extraction, but not which columns they fall in)
Social Engineering: marked for 3 of the 4 target groups
Importance of Data Back-up: marked for 2 of the 4 target groups
WiFi Security: x x x x (all four target groups)
Insider Threat: marked for 1 target group
Firewall Protection: marked for 3 of the 4 target groups
Infosec for Senior Management: marked for 3 of the 4 target groups
Reinforcement of Knowledge

• A security culture can only be built if practice becomes habit; awareness training must be reinforced.
• It is a best practice to pick a security theme and run the program with various content and communication channels for a minimum of 90 days.
Sample Awareness Plan with Reinforcement of Knowledge

Security Awareness Theme: Phishing

2015: January | February | March
Topic: Identifying Phishing Email | Phishing Incident Case Study | Reporting Phishing Incident
Channel: Video (LMS) | Infographics | Email newsletter
Measure: Baseline assessment & simulated phishing attack | Online quiz | Final assessment & simulated phishing attack
Reinforce: Email newsletter | Email newsletter | Flyer distribution
Lab 7 (15 Minutes)

Pick a security awareness topic. Identify the learning objectives for the selected topic.

Example:
Topic: Password protection
Target Group: All employees / Contractors / vendors
Background: Although news of computer crimes highlights the use of sophisticated tools or techniques, the fact of the matter is that poor passwords are major contributors to the holes in information security efforts. In this module, the learners will be introduced to best practices in creating and maintaining strong passwords.
Learning Objectives:
  1) Learners can explain the difference between a weak and a strong password.
  2) Learners understand the risks of sharing passwords with other users.
  3) Learners understand the risks of using the same password for access to systems with different levels of classification/sensitivity.
  4) Learners understand that passwords should never be communicated over the phone, e-mail, etc. to ANYONE.
Lab 8 (20 Minutes)

Use the security awareness topic from Lab 7. Create the communication plan for the selected topic.

Target Audience: Who will be receiving the message
Communication Channel: The form in which the message will be sent
Communication Needs: The communication needs of the target group
Message: The content of the communication
Communication Owner: Who is responsible for making this communication happen
Objectives: What we hope to accomplish through this communication
Timing/Frequency: When the communication or event should take place
Feedback Tool: What will be used to collect feedback
Summary of Session 9

What did we learn?

1. The importance of having a solid communications plan
2. What should be included in a communications plan
3. Various channels of communication
4. Defining communications objectives
5. Choosing awareness topics and mapping them with target groups & channels
6. Assigning roles & responsibilities
7. Reinforcement of knowledge
The Strategize Stage - Define Indicators for Measurement

Session 10
Two (2) Things to Measure

1. Measure the IMPACT of the security awareness program
2. Measure the DEPLOYMENT of the security awareness program
Security Metrics to Measure the IMPACT

A security metric has 2 criteria:
1. Awareness Criterion
2. Behaviour Criterion
Sample Security Metrics

Metric: Awareness Criterion | Behaviour Criterion
Phishing Detection: Employees must be able to identify phishing emails | Employees must actually detect and report phishing emails
Strong Password: Employees must know the method & requirements for creating strong passwords | Employees must actually create and use strong passwords
Information Classification: Employees must know the different information classification criteria | Employees must actually classify information in their day-to-day work
How to Measure Awareness Levels?

• Baseline assessments / Quizzes
• Surveys
• Interviews
• Online / Internet searches
Measuring Behaviour Levels

Let's discuss:
1. Can behaviour be measured? If so, how?
2. Is qualitative and quantitative measurement possible?
3. Is 100% accuracy in behaviour measurement a must?
4. What strategies will you use for measuring behaviour?
How to Measure Behaviour Levels?

• Observations
• Simulated social engineering assessments
• Data mining
• Review of logs
• Incident review
• Early-morning walk-through
Case Study 1

1. The tester places 6 USB flash drives in specific locations: rest rooms, conference room & pantry.
2. The USB flash drives are labeled "2022 Staff Bonus".
3. Within a few minutes each of the flash drives was grabbed by employees.
4. Employees insert the flash drives into their computers, and the tester is able to capture the employees' details and computer details.
Case Study 2

1. The tester sends a simulated phishing email to the employees.
2. Expected reaction from the employees:
   • Not clicking on the link
   • Reporting the incident to the security team
3. Result:
   • More than 70% of the employees clicked on the link
   • Less than 1% of the employees actually reported it, even though more than 90% of the employees opened the email / clicked on the link
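The figures in Case Study 2 come from the event log of a simulated phishing campaign. The script below is an added example and is not part of the CISAM material or of any particular phishing tool. It reads the kind of per-event export such a tool produces (the column layout and the sample rows are constructed assumptions), collapses duplicate and out-of-order rows to each user's first occurrence of an event, and derives the behaviour criterion for the Phishing Detection metric: click rate, report rate, how many people reported without clicking, and minutes to the first report, overall and per target group. Reporting after clicking is still counted as a report, but only "reported without clicking" is the behaviour the program is trying to produce.

```python
"""Measure the behaviour criterion of a phishing metric from simulation events.

Added example, not part of the CISAM material. It takes the event log a
simulated phishing tool would export (the format and the sample rows below are
constructed assumptions) and derives the figures Case Study 2 reports: click
rate, report rate, and how many people reported without clicking. It also
computes time-to-first-report, the figure an incident responder cares about.
"""
import csv
from datetime import datetime
from io import StringIO

# Constructed export: one row per event; rows may repeat or arrive out of order.
SAMPLE_EVENTS = """\
timestamp,user,group,event
2024-03-05T09:00:00,alice,General Employees,sent
2024-03-05T09:00:00,bob,General Employees,sent
2024-03-05T09:00:00,carol,IT Staff,sent
2024-03-05T09:00:00,dave,IT Staff,sent
2024-03-05T09:00:00,erin,Senior Management,sent
2024-03-05T09:03:10,alice,General Employees,opened
2024-03-05T09:03:42,alice,General Employees,clicked
2024-03-05T09:04:05,bob,General Employees,opened
2024-03-05T09:05:30,carol,IT Staff,opened
2024-03-05T09:05:45,carol,IT Staff,reported
2024-03-05T09:10:00,dave,IT Staff,opened
2024-03-05T09:10:20,dave,IT Staff,clicked
2024-03-05T09:12:00,dave,IT Staff,reported
2024-03-05T09:30:00,erin,Senior Management,opened
2024-03-05T09:31:00,erin,Senior Management,clicked
2024-03-05T09:31:00,erin,Senior Management,clicked
"""

EVENTS = ("sent", "opened", "clicked", "reported")


def parse_events(text):
    """Return {user: {"group": str, "sent": dt|None, "opened": ..., ...}}.

    Only the earliest timestamp per user and event is kept, so duplicate rows
    (a tracking pixel firing twice) do not inflate the counts.
    """
    users = {}
    for row in csv.DictReader(StringIO(text)):
        if row["event"] not in EVENTS:
            raise ValueError(f"unknown event {row['event']!r}")
        ts = datetime.fromisoformat(row["timestamp"])
        rec = users.setdefault(row["user"], {"group": row["group"], **{e: None for e in EVENTS}})
        if rec[row["event"]] is None or ts < rec[row["event"]]:
            rec[row["event"]] = ts
    return users


def campaign_metrics(records):
    """Aggregate the behaviour criterion (detect AND report) over recipient records."""
    sent = [u for u in records if u["sent"] is not None]
    clicked = [u for u in sent if u["clicked"] is not None]
    reported = [u for u in sent if u["reported"] is not None]
    reported_clean = [u for u in reported if u["clicked"] is None]  # the desired behaviour
    report_delays = sorted(u["reported"] - u["sent"] for u in reported)
    return {
        "sent": len(sent),
        "click_rate": round(len(clicked) / len(sent), 2) if sent else 0.0,
        "report_rate": round(len(reported) / len(sent), 2) if sent else 0.0,
        "reported_without_clicking": len(reported_clean),
        "minutes_to_first_report": report_delays[0].total_seconds() / 60 if report_delays else None,
    }


def metrics_by_group(users):
    """Same metrics split by target group, so weak groups can be re-targeted."""
    groups = {}
    for u in users.values():
        groups.setdefault(u["group"], []).append(u)
    return {g: campaign_metrics(members) for g, members in groups.items()}


if __name__ == "__main__":
    users = parse_events(SAMPLE_EVENTS)
    print("overall:", campaign_metrics(users.values()))
    for group, m in metrics_by_group(users).items():
        print(f"{group:18s} {m}")
```

On the constructed data the overall click rate is 60% and the report rate 40%, but only one of the two reporters (carol) reported without clicking; tracking that split is what turns a "report rate" into evidence that the desired behaviour is actually taking hold.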
More Examples

• Pose as janitors or a courier
• Leave printed documents with sensitive information lying around in a public area
• Fake phone calls requesting access to Top Management
• Visits during early mornings and weekends
Metrics to Measure the DEPLOYMENT (next slide)
Metrics to Measure the DEPLOYMENT

Metric: Training Completion
  Details: Primary training is when people are taught all the awareness material for the first time or in a single sitting, usually as online computer based training (CBT) or onsite workshops.
  What is measured? Who has and has not completed annual security awareness training.
  How is it measured? Reports from the LMS, or sign-in sheets from onsite workshops.
  When is it measured? Annually.
  Who measures? Training team.

Metric: Communication Methods
  Details: For a security awareness program to have an impact it must be communicated to people on a regular basis. This metric measures the other communication methods that repeat and reinforce the lesson objectives from the annual training. Examples of such metrics can include:
    • Monthly hits to the internal security blog or website
    • Monthly newsletters, posters or screensavers
    • Number of attendees for podcasts / webcasts
    • Number of emails sent
  What is measured? Types of reinforcement training, who it is being communicated to, and how often.
  How is it measured? Types of materials distributed to communicate the program.
  When is it measured? Monthly.
  Who measures? Security team.
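The Training Completion metric above is only meaningful when the LMS report is joined against the current roster and checked against the coverage target (the tolerable deviation from the Coverage session). The script below is an added example and is not the course's or any LMS vendor's code. It joins a constructed HR roster with a constructed LMS completion export, counts only completions of the annual course that fall inside the last 365 days as of the reporting date (a completion from the previous year has lapsed), ignores leavers, and flags every target group whose completion rate falls below 100% minus the tolerable deviation. The course code, the 10% tolerance and the reporting date are assumptions.

```python
"""Deployment metric: annual training completion against a coverage target.

Added example, not part of the CISAM material. It joins an HR roster with an
LMS completion export (both constructed here) and reports, per target group,
who has and has not completed the annual security awareness training, then
checks the result against the tolerable deviation set in the Coverage session.
Completions older than the annual window are treated as not completed.
"""
import csv
from datetime import date, timedelta
from io import StringIO

# Constructed roster export from HR: one row per person.
ROSTER = """\
user,group,status
alice,General Employees,active
bob,General Employees,active
carol,IT Staff,active
dave,IT Staff,active
erin,Senior Management,active
frank,Vendors / Contractors,active
grace,General Employees,left
"""

# Constructed LMS completion export: one row per completed course.
LMS_EXPORT = """\
user,course,completed_on
alice,SEC-AWARE-ANNUAL,2024-02-10
bob,SEC-AWARE-ANNUAL,2023-01-15
carol,SEC-AWARE-ANNUAL,2024-01-20
dave,PHISHING-REFRESHER,2024-02-01
erin,SEC-AWARE-ANNUAL,2024-03-01
grace,SEC-AWARE-ANNUAL,2024-02-02
"""

COURSE = "SEC-AWARE-ANNUAL"    # assumption: the LMS code of the annual course
VALIDITY_DAYS = 365            # "annual": a completion older than this has lapsed
TOLERABLE_DEVIATION = 0.10     # assumption: up to 10% of each group may be untrained
AS_OF = date(2024, 3, 5)       # assumption: reporting date


def load_completions(text, course, as_of, validity_days=VALIDITY_DAYS):
    """Users holding a valid (not lapsed) completion of `course` as of `as_of`."""
    valid = set()
    for row in csv.DictReader(StringIO(text)):
        if row["course"] != course:
            continue  # other courses do not satisfy the annual requirement
        done = date.fromisoformat(row["completed_on"])
        if as_of - timedelta(days=validity_days) < done <= as_of:
            valid.add(row["user"])
    return valid


def completion_by_group(roster_text, completed, tolerance=TOLERABLE_DEVIATION):
    """Per group: headcount, completion rate, missing users and coverage verdict."""
    groups = {}
    for row in csv.DictReader(StringIO(roster_text)):
        if row["status"] != "active":
            continue  # leavers are out of scope for coverage
        g = groups.setdefault(row["group"], {"required": 0, "missing": []})
        g["required"] += 1
        if row["user"] not in completed:
            g["missing"].append(row["user"])
    report = {}
    for group, g in groups.items():
        rate = (g["required"] - len(g["missing"])) / g["required"]
        report[group] = {
            "required": g["required"],
            "completion_rate": round(rate, 2),
            "missing": sorted(g["missing"]),
            "coverage_met": rate >= 1.0 - tolerance,
        }
    return report


def deployment_report(as_of=AS_OF):
    """Convenience wrapper: run the whole pipeline on the constructed data."""
    completed = load_completions(LMS_EXPORT, COURSE, as_of)
    return completion_by_group(ROSTER, completed)


if __name__ == "__main__":
    for group, r in deployment_report().items():
        flag = "OK " if r["coverage_met"] else "GAP"
        print(f"{flag} {group:22s} {r['completion_rate']:.0%} missing={r['missing']}")
```

On the constructed data bob's 2023 completion has lapsed and dave's refresher is not the annual course, so both General Employees and IT Staff are flagged as coverage gaps with a named follow-up list; the "missing" column is what goes to the training team, the per-group rate is what goes to the steering committee.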
Document Lessons Learned

1. An excellent opportunity for feedback & growth
2. Tips for a constructive feedback session:
   • Consider limiting the time of the session
   • Have team members bring documented ideas to the meeting
   • Team members should be encouraged to keep logs or diaries during the program
   • Consider adding a lessons learned section to the status report
   • Strategically schedule the times to capture the lessons learned
   • Consider conducting interviews with other teams
   • Conduct on a periodic basis
Methods to Collect Feedback

• Feedback collection feature in the LMS
• Surveys (can also be anonymous)
• Q&A sessions
• Emails
Lab 9 (15 Minutes)

Creating Strategies to Measure Current Levels

1. Create 3 security metrics that are valid for your business.
2. Create the awareness and behaviour criteria for each metric.
3. List how you will measure the awareness and behaviour criteria for the security metrics.
Lab 9 (Template)

Metric Name: Social Engineering
Criterion
  Awareness: Employee is able to identify a social engineering attack, and is also able to stop and report the attack
  Behaviour: The number of employees who are able to identify, stop and report a social engineering attack increases
How to Measure
  Awareness: Online quiz
  Behaviour: Reports of suspected social engineering attacks
Frequency: Monthly
Who Measures: Security Team
Summary of Session 10

What did we learn?

1. It is critical to measure both the IMPACT & the DEPLOYMENT of the awareness program
2. Security metrics have 2 criteria
3. Methods to measure awareness and behaviour levels
4. Document lessons learned
5. Methods to collect feedback
The Execute Stage

Session 11
Execution Plan

1. After the PLAN & STRATEGIZE stages, create an execution plan.
2. Have the steering committee review it, and keep them updated.
3. Execute the plan.
Before & During Execution

1. Confirm the program team
2. Review the work plan
3. Launch & execute the plan
4. Deliver communication
5. Document lessons learned
Efficiency

1. Efficiency of channels in delivering the program
2. Emails must reach the target audience's inbox, not land in spam
3. Videos must stream at an optimum speed
4. Training sessions:
   • Trainer must be knowledgeable
   • Able to articulate the topics well
   • Uses tools and examples
   • Encourages discussion
Confirmation of Receipt

Proof that the learner received the content:

• A simple "attendance ledger" that can be used for classroom training sessions
• An LMS that supports SCORM or a similar tracking standard can record completion if the content is delivered electronically
Summary of Session 11

What did we learn?

1. Execution plan and checklist
2. Efficiency of execution & confirmation of receipt of awareness content
3. Note: Handout – Execution Checklist

Session 12
The Measure & Adjust Stage

Measuring the Success of the Program

Four categories in which success can be measured:

1. Process improvement
2. Attack resistance
3. Efficiency & effectiveness
4. Internal protections

Process Improvement

Deals with the development, dissemination and deployment of recommended security guidelines as well as awareness training

Process Improvement: Example of Evaluation Metrics

1. Has the organization developed an overall security policy? Is it readable and concise? (Expected answer: YES)
2. Is the overall security policy endorsed at the highest levels of the organization? (Expected answer: YES)
3. What percentage of the employees know that a security policy exists? How many have read it? (Expected change: increase)

Attack Resistance

Concerned with recognition of a security event and resistance to an attack.

Attack Resistance: Example of Evaluation Metrics

1. To what extent do staff recognize attacks?
2. To what extent do staff fall prey to attacks?
3. What percentage of surveyed individuals recognize a security event scenario when tested? (Expected change: increase)
4. What percentage of users failed testing by revealing their password? (Expected change: decrease)

Efficiency & Effectiveness

Focused on efficiency and effectiveness with regard to security incidents.

Efficiency & Effectiveness: Example of Evaluation Metrics

1. What percentage of security incidents experienced by individuals had human behaviour as a majority factor in the root cause? (Expected change: decrease)
2. What percentage of downtime was due to such security incidents? (Expected change: decrease)

Internal Protections

Concerned with how well an individual is protected against potential threats.

Internal Protections: Example of Evaluation Metrics

1. What percentage of an organisation’s software, partners and suppliers have been reviewed for security (including awareness)? (Expected change: increase)
2. What percentage of an organisation’s critical data is “strongly” protected, including awareness for data managers, administrators, etc.? (Expected change: increase)
3. What percentage of employees’ systems scanned had malicious software or semi-malicious spyware installed? (Expected change: decrease)

Measurement Approach

For each security metric:

▪ Audit the awareness criterion
▪ Audit the behaviour criterion
▪ Select a suitable sample size which gives confidence in the result
▪ Quantify the scores

Gather Data

1. It is recommended that a combination of qualitative and quantitative information be captured when collecting data
2. Data should be continuously captured
3. Methods to capture data:
   I. Questionnaires & feedback collection
   II. Website statistics
   III. General observations
   IV. Statistics from the data center
   V. Number of reports to IT support

Review Program Objectives

1. Program objectives need to be revisited in light of the effectiveness results
2. Reviewing the objectives allows for a serious assessment to take place.
3. What has the team achieved?
4. Have the benefits been realized? (If so, celebrate.)
5. If not, what is required to achieve the desired results?
6. Do the objectives need to be modified?

Implement Lessons Learned

• Which lessons can be applied to increase the effectiveness and success of the program in the future?
• The main focus should be to learn from past experiences, both positive and negative, then to put that learning into practice.

Adjust Program

• Experiences gained since the launch provide the knowledge and understanding to adjust the program to make it more successful
• Adjustments could involve each and every activity and task performed in the context of the program
• The key is to make adjustments whilst maintaining the focus on the program objectives and goals

Adjust (Update)

• Your technology, your business requirements, and threats are constantly changing.
• Update content at least once a year.
• You and the steering committee need to review and update training.
• Ensure you have budget allocated for updates

Re-launch

• After adjustment based on what was learned, the next step is to re-launch the program (completing the tasks in Stage 3 - Execute)
• It is an ideal opportunity to follow up on additional topics or to reinforce subjects that have been covered at an earlier stage
• Learn from previous and on-going experiences, build capacity for change and celebrate achievements

Lab 10 (15 Minutes)

Create at least 2 evaluation metrics for:

I. Process improvement
II. Attack resistance
III. Efficiency & effectiveness
IV. Internal protections

Summary of Session 12

What did we learn?

1. 4 categories to measure the success of the program:
   I. Process improvement
   II. Attack resistance
   III. Efficiency & effectiveness
   IV. Internal protections
2. The measurement approach, methods to gather data, reviewing program objectives, implementing lessons learned, adjusting the program accordingly and relaunching the program

Session 13
Obstacles to Success

Lack of Management Support

• One of the most essential aspects of a security awareness program and also the most challenging.
• For security messages to be effective, they must be supported from the top down.
• Expressing a desire to support security initiatives is one thing; putting it into action is another.
• Managers’ primary goal is to meet their business objectives, and it is often difficult to find room for security issues, no matter how much they believe security is important.

Implementation of New Technology

• When new technology is implemented, it often requires a behaviour change or a new level of user understanding.
• Most of the time technology moves faster than, or independently from, the awareness program.
• The awareness team is neither up to date nor adequately informed of these educational opportunities until it is too late.
• This is why it is important for a security awareness program to emphasize internal communications.

One Size Fits All

• Failure to segment the audience adequately - appropriate messages are not delivered.
• This results in messages being ignored.
• Information technology users receive hundreds of messages every day from a multitude of sources.
• It is critical to segment audiences and ensure that people only receive the messages they need.
• A one-size-fits-all strategy might be easier to develop and implement, but it will not be effective.

Too Much Information

• Over-education is quite a common mistake.
• Individuals have a threshold of how much information they are willing to accept from any one source.
• If individuals are inundated with a constant barrage of messages, it is likely to turn their attention away.

Lack of Organisation

• Many awareness programs fail to develop consistent processes and strategies for delivering messages to users.
• Without a consistent style, theme and delivery, it is difficult for the user to engage in the program or even know what to expect.
• It is key to develop consistency in communications.
• This will also help establish an identity for the program and build a relationship with the audience.

Failure to Follow Up

• It is quite common for security awareness programs to be launched with great enthusiasm only to fizzle out with little success.
• Many programs fail to establish and maintain a regular cycle of communication.
• It is important to establish regular communications so that users receive regular reminders of the key messages.
• Many programs fail to follow up with their audiences and solicit feedback.
• Listen to the audiences and adjust the program based on their needs.

)
Getting the Message Where It Will

AM
IS
Have an Effect

(C
er
ag
an
• In large communities - it is a real challenge to deliver the right message

M
to the right audience.

ss
e ne
• For example, even if a central IT security team of an MNC has already

ar

4
Aw
developed a thorough communication strategy with a well-maintained

2
20
process for targeted communications, delivering the right messages to

ity

h
r
the right audience can still be very difficult.

cu

c
ar
Se

M
• Email groups based on individual criteria can be helpful, but do not fully

-5
n
io
solve the problem.
at

4
rm
fo

• In some cases, although a particular audience has been identified, it


In

might be a challenge to figure out specifically who belongs in the


d
fie

audience.
ti
er
C

175
Copyright © 2020 CyberSecurity Malaysia
Lack of Resources

• Usually stems from the lack of management support.
• Without management support, it is difficult to secure adequate resources; without adequate resources, a security awareness program is limited in what it is able to achieve.
• This could also result from a budget cut.

No Explanation of “Why”

• Many security awareness programmes fail to educate users on why security is important.
• All other aspects are covered, but unfortunately the information that is most likely to motivate users to change behaviour is omitted.
• Users who understand why certain types of behaviour are risky are most likely to take ownership of the issue and change their behaviour.
• For example, if guidelines on a new password process with more stringent complexity rules are communicated, users will most likely view the new process as nothing more than an inconvenience. However, if it is also communicated how passwords are cracked and misused, and the potential impact this could have, then users are much more likely to take ownership and follow the new guidelines.

Changing Long-Established Behaviour

• In many organizations, security is often implemented as an afterthought.
• Security is not always integrated from the very beginning; users have months, weeks and even years to develop bad habits.
• Not only is there a need to educate users on security, but users also need help to “unlearn” any bad habits.
• Such users tend to have more difficulty buying into the value of security - typical thinking is “the organisation has operated just fine for many years without security”. New security requirements are viewed as unnecessary changes that make their lives more difficult.

Security is an ITD Problem, Not Mine…

• Many users share the perception that security is the sole responsibility of the ITD.
• They tend to limit their role to the bare minimum of compliance to maintain their jobs, rather than seeing the big picture of how to be a part of the solution.
• Users must understand that IT staff cannot tackle information security alone.

Summary of Session 13

What did we learn?

Obstacles to success:

• Lack of management support
• Implementation of new technology
• One size fits all
• Too much information
• Lack of organization
• Failure to follow up
• Getting the message where it will have an effect
• Lack of resources
• No explanation of “why”
• Changing long-established behaviour
• Security is an ITD problem, not mine

Session 14
How to Make End-Users Like & Follow Information Security
10 Quick Tips

1 Move from “Attendance” to “Participation”

Attendance is just a number
Participation is “Involvement”

Are you doing an awareness program to satisfy the auditor or to tick a check-box?

2 Aim for “Sensitization” not “Memorization”

It’s your responsibility to read the policies
vs.
It’s OK if you get the SENSE and INTENT of IT Security

You can’t expect someone to know how an engine works to pass a driving license test.

3 Understand How People Make Security Decisions

Of these two, which terrifies you the most?
Obesity kills more people than sharks

What appears harmless may be more harmful…think phishing?

4 Engage the Audience, Visualize the Risks

The end-user is not a security expert
Engage them, Visualize the risks for them

“A picture is worth a 1000 words” (or) A poster has more impact than a security policy

5 Go Beyond Awareness

Awareness → Behaviour → Culture
Goal: Responsible Information Security Culture

When the majority of the workforce handles Information responsibly, you can say that you have a “Responsible Information Security Culture”

6 A Little Bit of Fun is OK

Security is so much jargon…
Lighten it a bit

What the heart accepts, the mind understands and the hands implement…
If you can get the end-user to smile, you have won their heart…

7 Think Drip Irrigation

Small doses, but more frequent
…keeps your workforce Security Healthy

Spread your security awareness program around the year….10 minutes a month is 120 minutes of security awareness session a year…

8 Target the Workforce, not just the Employees

Who has access to Information Assets?
Employees, Freelance, Contractors, Guards….

Are your security guard and janitor part of the security awareness program?

9 Measure… Manage… Improve…

What you cannot measure, you cannot manage…
What you cannot manage, you cannot improve…

Assess “Awareness” and “Behaviour” Independently

[Figure: two gauges. Awareness score is 87% on a LOW AWARENESS / MEDIUM AWARENESS / HIGH AWARENESS scale; Competence score is 65% on a LOW COMPETENCE / MEDIUM COMPETENCE / HIGH COMPETENCE scale.]

10 Stop Instructing, Start Dialogues

Instruction is always one-way
Dialogues are two-way…

When you have dialogues, it shows that you are listening to the end-user. That shows RESPECT …you will receive it back.

Summary of Session 14

What did we learn?

1. 10 tips on how to make end-users like and follow information security

Session 15
Planning a Simulated Phishing Assessment

How Phishing Works?

Technical Solutions Are Not Doing The Job

Phishing Sites are on the rise!

Source: APWG

What Makes Phishing Work?

• Phishing uses tactics that motivate a response - greed, fear, ambition, curiosity
• Sometimes simple is dangerous - shipping notifications, funny pictures
• Employees don’t really know better
• Deception is key - look-alike URLs, obfuscated file attachment names
• Includes a “call to action” (e.g. “Open this now!”, “Click here now!”)
• Employees are conditioned to both trust email and be responsive

Traditional Awareness Training vs Dynamic Training

• Periodic (mostly annual) - but attacks happen 24/7
• Compliance-driven
• A lot for a user to consume & retain
• Sometimes boring
• Wide array of topics

Why Phishing Assessment?

• Recreate the very same attacks that bad guys are launching. An excellent way to measure change in behaviour.
  1. Measures a high human risk
  2. Simple, low-cost and easy to repeat
  3. Quantifiable measurements
  4. Actionable

Teachable Moment

• Simulated phishing attacks create a perfect teachable moment
• The immersive, visceral simulation captures the user’s attention

Teachable moment

Oops! The email you just responded to was a fake phishing email. Don't worry! It was sent to you to help you learn how to avoid real attacks. Please do not share your experience with colleagues, so they can learn too.

Some Key Points - 1

• Remember that while computers do not have feelings, people do. Emotion, not technology, is your biggest challenge
• Announce and explain your phishing program ahead of time
• Start your program with very simple phishing emails, then increase difficulty only after people are used to the program

Some Key Points - 2

• Ensure there are at least 2-3 ways people can detect the phish
• Do not embarrass people by releasing names of victims, nor should their names be reported to management. Only notify management of repeat offenders
• No Viagra phishing emails, nor “wall of shame”
• 90% of victims fail in the first two hours

How to Phish

• URL Shorteners
• E-mail Marketing Solutions
• Cloud Phishing Services
• Pen Testing Software

Example of Phishing Email

Another Example

Click Results

• If an end user falls victim to an email assessment, you have two general options:
  1. Error message/no feedback (Good for a baseline)
  2. Immediate feedback that explains this was a test, what they did wrong and how to protect themselves (Good for reinforcing key behaviors)

Follow Up

• Send results of the test to all employees 24 – 48 hours later
• Explain the results, how they could have detected the phishing email and what to look for in the future. Include an image of the phishing email
• Include your monthly security awareness newsletter

Reaction to Violations

• First violation: employee is notified and given additional or follow-up training
• Second violation: employee is notified and manager is copied
• Third violation: manager is required to have a meeting with the employee and report the results to security
• Fourth violation: employee is reported to HR

The Impact

1. First phish: 30-60% fall victim
2. 6-12 months later: as low as 5%
3. The more often the assessments, the more effective the impact:
   • Quarterly: 19%
   • Every other month: 12%
   • Monthly: 5%
4. Over time, you will most likely have to increase the difficulty of tests

Human Sensors

1. Another valuable metric is how many reported the attack
2. At some point, you may need to develop a policy on what to report. One example:
   • Do not report when you know you have a phish; simply delete it
   • Report if you don’t know (think APT)
   • Report if you fell victim

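The escalation ladder, the click-rate trend and the report-rate metric from the last three slides, worked into one added example that is not part of the course material: it scores constructed campaign records (five users, three quarterly campaigns) for click rate, report rate and the share of clicks inside the first two hours after sending, and maps each user's violation count onto the ladder. The `Result` record, the user names and the timings are all constructed.

```python
"""Scoring a simulated phishing assessment (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Result:
    campaign: str
    sent_at: datetime
    user: str
    clicked_at: Optional[datetime]  # None when the user did not click the link
    reported: bool                  # user reported the e-mail to IT support


# Escalation ladder from the "Reaction to Violations" slide; the nth click counts as
# the nth violation, and anything past the fourth stays at the HR step.
ESCALATION = {
    1: "notify employee; additional or follow-up training",
    2: "notify employee; copy manager",
    3: "manager meets employee and reports results to security",
    4: "report employee to HR",
}


def _r(campaign, sent_at, user, click_after_min, reported):
    clicked = sent_at + timedelta(minutes=click_after_min) if click_after_min is not None else None
    return Result(campaign, sent_at, user, clicked, reported)


# Constructed records: three quarterly campaigns to the same five users.
_Q1 = datetime(2024, 1, 15, 9, 0)
_Q2 = _Q1 + timedelta(days=90)
_Q3 = _Q1 + timedelta(days=180)
SAMPLE_RESULTS = [
    _r("2024-Q1", _Q1, "alice", 30, False), _r("2024-Q1", _Q1, "bob", 60, False),
    _r("2024-Q1", _Q1, "carol", 300, False), _r("2024-Q1", _Q1, "dave", None, True),
    _r("2024-Q1", _Q1, "erin", None, False),
    _r("2024-Q2", _Q2, "alice", 20, False), _r("2024-Q2", _Q2, "bob", None, True),
    _r("2024-Q2", _Q2, "carol", None, False), _r("2024-Q2", _Q2, "dave", None, True),
    _r("2024-Q2", _Q2, "erin", None, True),
    _r("2024-Q3", _Q3, "alice", 90, False), _r("2024-Q3", _Q3, "bob", None, True),
    _r("2024-Q3", _Q3, "carol", None, True), _r("2024-Q3", _Q3, "dave", None, True),
    _r("2024-Q3", _Q3, "erin", None, True),
]


def _pct(part, whole):
    return round(100 * part / whole, 1) if whole else 0.0


def campaign_metrics(results, campaign):
    """Click rate (the attack-resistance metric), report rate (the 'human sensors'
    metric) and the share of clicks that landed inside the first two hours."""
    rows = [r for r in results if r.campaign == campaign]
    clicks = [r for r in rows if r.clicked_at is not None]
    within_2h = [r for r in clicks if r.clicked_at - r.sent_at <= timedelta(hours=2)]
    return {
        "sent": len(rows),
        "click_rate_pct": _pct(len(clicks), len(rows)),
        "report_rate_pct": _pct(sum(r.reported for r in rows), len(rows)),
        "clicks_within_2h_pct": _pct(len(within_2h), len(clicks)),
    }


def click_rate_trend(results):
    """Click rate per campaign in send order, to see whether behaviour is changing."""
    first_sent = {}
    for r in results:
        first_sent[r.campaign] = min(first_sent.get(r.campaign, r.sent_at), r.sent_at)
    return [(c, campaign_metrics(results, c)["click_rate_pct"])
            for c in sorted(first_sent, key=first_sent.get)]


def violation_counts(results):
    """Clicks per user across every campaign; a user who never clicked is absent."""
    return Counter(r.user for r in results if r.clicked_at is not None)


def escalation_actions(results):
    """Ladder step per user who has ever clicked. Names stay with the security team;
    only repeat offenders (2+ violations) reach management, as the slides require."""
    return {user: ESCALATION[min(n, 4)] for user, n in violation_counts(results).items()}


def repeat_offenders(results):
    return sorted(u for u, n in violation_counts(results).items() if n >= 2)
```

The trend list is the number to put in front of the steering committee; the per-user ladder is the part that stays inside the security team.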
Summary

• Phishing assessments are a powerful and simple way to measure (and reinforce) behavior change

Simulated Phishing Attack Plan

Phishing Plan Handout (softcopy)

Conclusion

• Raising information security awareness is not a one-time effort
• Analyze your target group
• Prepare a business case
• Plan how to measure success
• Plan and implement the awareness initiative appropriately
• Keep senior management interested in the initiative
• Ensure you have senior management support during the entire lifecycle of the initiative
• Show results
• Share success
