A wide variety of hardware and software technologies are used to protect and control information, but it is important to remember that the designers and users of those technologies are humans. When a deficiency in a technology is detected, the imperfection can be eliminated by making the necessary changes, and it can be ensured that the same mistake is not repeated. Humans, on the other hand, may forget what they have learnt, or may intentionally or deliberately do something they know they should not do. In short, making mistakes is a behaviour people cannot avoid.
The need for information security awareness in fact targets the human element, the weakest link in the chain. In the chain of technology and people that creates, processes and destroys information, the weakest link is the human.
Especially under changing and developing world conditions, awareness must be refreshed periodically in order to protect information.
People are the focal point of social engineering attacks. When attackers cannot bypass a system's security precautions, their most effective way of gaining access rights is a social engineering attack. The most important way to reduce the risk of a successful social engineering attack is to increase the awareness, knowledge and skill of staff on this subject.
Information security awareness studies found that awareness of phishing attacks increased from 20% to 75%, and the success rates of these attacks dropped to single-digit percentages.
To ensure employees' awareness, information security awareness trainings should include the following key headings:
- Physical Security
- Desktop Security
- Email Security
- Wireless Usage
- Password and Password Security
- File Sharing and Copyright
- Developing Secure Software
Information security awareness trainings not only provide many benefits for employees; they also provide added value to the institution or company as a whole. They:
- Enable employees to identify real security risks and take action in line with them.
- Provide employees with up-to-date information on current risks.
- Teach employees that the information on the mobile devices and computers of subcontractors and business partners is also important and exploitable.
- Provide top management with information about fraud, deception and theft, and about their prevention.
- Teach employees that they should protect their home computers as well as their business computers.
- Ensure safe internet use by employees.
- Reduce the number of information security violations and the scope of their effects.
- Reduce the costs incurred for the remediation work that follows information security violations.
- Show the importance your company or institution attaches to information security in order to protect its information and gain a competitive advantage.
- Help create a security culture in your company or institution.
- Ensure that security requirements are taken into consideration when defining policies and processes and in project steps.
- Support compliance with information security policies, procedures, standards and checklists.
- Ensure that top management is aware that they bear the highest level of legal responsibility for the security of your company or institution.
- Show the management's commitment to the secure management of information resources.
- Help implement regulations quickly.
Rewarding good behaviour in the detection or prevention of security incidents also provides motivation on this issue and raises awareness.
It is very effective to support the information given in awareness trainings with additional activities. For example, posters, surveys, handbooks and brochures, informational e-mails and, in particular, sharing the results of security testing with the relevant employees can all be supporting elements.
The awareness training process requires detailed study in itself, and it also requires expert knowledge. In this context, it is useful to get support from experts or organizations that have worked on this subject.