Developing a Security Awareness Training Program Outline for InfoTech

Added on  2023/06/03

AI Summary
This report provides a comprehensive outline for building a security awareness training program, emphasizing the importance of such programs for organizations like Modern InfoTech. It details policy development and enforcement, highlighting potential cost savings and production increases. The report explores various cybercriminal motivations, including financial gain, hacktivism, and cyberwar, and examines the costs associated with cleaning up after a data breach, referencing the Ponemon Institute's findings. It covers organized crime, nation-state attacks, hacking gangs, and hacktivist activities, providing cost estimates for each scenario. The report stresses the importance of education and countermeasures like strong passwords and awareness of phishing and social engineering tactics, concluding that security awareness is a critical defense against social engineering and that people are often the weakest link in information security.
INFORMATION SECURITY AWARENESS
Name of the Student
Name of the University
Author’s Note
Table of Contents
1. What is security awareness training?
2. Why does your organization need a security awareness program?
3. Getting management buy-in
Policy development
Policy enforcement
Cost savings
Production Increases
4. Understanding the threats:
Motivations of cybercriminals
Money
Hacktivism
Cyberwar
Bragging rights
5. Costs of cleaning up after a breach
Organized crime
Nation-states
Hacking gangs
Hacktivist
Cyberwar
References
BUILDING A SECURITY AWARENESS TRAINING PROGRAM OUTLINE
1. What is security awareness training?
Security awareness training raises awareness among the employees, management and
stakeholders of the organization so that they can identify the various threats
related to the business and take appropriate action against them. In today's
digital age, security awareness training is essential for every organization
that has to deal with security issues (Shaw et al.).
2. Why does your organization need a security awareness program?
Modern InfoTech, one of the leading startup companies in the information
sector, needs proper security training for its employees as well as the authorities
of the organization, as it deals with customer data that needs to be secured
(McCrohan, Kathryn Engel and James W. Harvey). In addition, the company's database
stores important information about the organization, transactional data and other
important data. To ensure that employees and stakeholders handle this data
efficiently, it is important to have proper security guidelines as well as a
security awareness program to ensure proper data security.
3. Getting management buy-in
Policy development
The policy has been developed to ensure that it not only meets the organizational
need for data security but strengthens it as well. The policy statements are the
following:
- Formal participation in, and review of, the security awareness program by all
  full-time and part-time faculty and staff
- Security issues are to be reported to the respective departments in a timely
  manner with proper documentation
- Newly hired faculty and staff will also be provided with the training, and it
  will be completed within 10 days
- Newly hired faculty and staff may not resign from the organization once they
  have received the training; if they do, the training cost has to be paid by the
  individual
- The training is available in both online and offline mode
- No training material, including audio, video and documents, may be downloaded
  or distributed without the permission of the organization
- Employees need to provide feedback after the training so that the program can be
  assessed better and opportunities to improve its quality can be identified
Policy enforcement
The policy, if implemented, will bring the following improvements:
- Increased awareness among the employees
- Proper and effective reporting and documentation of security threats
- Reduction in security issues caused by lack of knowledge among the employees
Cost savings
The training program will not require a huge investment, and the policy has been
developed with that in mind. However, it will help the company save the millions
it might otherwise have to spend if security breaches occur due to employees'
lack of knowledge about cybersecurity issues.
Production Increases
The training will help the employees of Modern InfoTech to identify security
issues and the techniques to avoid them, which will help them work efficiently and
increase production.
4. Understanding the threats:
Motivations of cybercriminals
Cybercriminals have several motivations for committing cybercrime, such as
(Hayden):
- Money
- Popularity
- Entertainment
- Status
Although money is the major motivation for cybercriminals, it is not the only
one. The other factors serve as motivations as well.
Money
The money associated with cybercrime runs into the millions, depending on the size
and strength of the organization (Anderson et al.). The amount may be higher or
lower, but what is important is that whenever organizational data is breached, the
organization is in most cases asked to pay a huge amount to get the data back,
which brings additional cost as well. Smaller companies can even go bankrupt
because of one data breach (Weber). Hence appropriate knowledge about the issue is
not only important but essential.
Industrial espionage/trade secrets
Industrial espionage is the theft of business trade secrets by competing companies
for competitive advantage (Carlos Roca, Juan José García and Juan José de la Vega).
According to the Economic Espionage Act, this is not only illegal; it is also
ethically impermissible and considered a criminal offense.
Hacktivism
Hacktivism is considered an important and popular form of internet activism
(Ratnasingam). Hackers with a rebellious attitude use computers and computer
networks to promote some social change or some financed political agenda.
Cyberwar
When a nation tries to damage another nation through cybercrime, it is termed
cyberwar (Jordan and Paul Taylor). In this age of technology, cyberwar is
becoming more popular than traditional war. It may also be regarded as a virtual
war between two nations.
Bragging rights
When hackers pursue a more notorious goal, such as hacking officials or government
agencies, the motivation for the crime goes well beyond financial gain.
Sometimes hackers also demand full control over an entire organization or
government by exploiting the cybersecurity framework (Armstrong, Helen
L. and Patrick J. Forde). In the cybercrime context this is termed “bragging rights”.
5. Costs of cleaning up after a breach
According to the Ponemon Institute data breach report of 2018, the average cost
of a data breach has increased in the past few years. However, according to the
report, the cost of cleaning up after a breach still depends on the nature of the
crime (“Ponemon.org”). The report was prepared from the responses given in
2,182 interviews at 254 companies in seven countries: Australia, France, Germany,
Italy, Japan, United Kingdom and the United States.
Organized crime
According to the report, in the case of organized crime, the average cost
ranges from $65 million to $100 million. However, this cost will still depend on the
organization's infrastructure and its existing strategy for addressing cybercrime.
Nation-states
The report specifies that, because an entire nation is involved in the cybercrime
and the target is also a nation, this type of cybercrime carries a higher cost than
the other crimes. Nation-state cybercrime involves various organizations, the
government, industries both small and large, and the individuals of the nation too.
The average cost according to the report is approx. $57 billion to $109 billion.
Hacking gangs
According to the report, this type of crime will also require major investment for
cleaning up after a breach, as more than one hacking gang will be involved. The
average cost is likely to be $210 million to $425 million.
Hacktivist
The major motivation of the hacktivist is to bring social change or promote some
political agenda (Klein). Cost might not be a major factor here. However, the
organization will still need to invest if the cybercrime occurs. According to the
report, the cost will depend on the nature of the organization. The report
specifies that the recent cybercrime has cost NASA $500,000. Another cybercrime by
hacktivists has cost PayPal £3.5m.
Cyberwar
Cyberwar is another form of cybercrime; it involves two nations, organizations or
other parties chosen by the cybercriminals who are involved in the virtual
war (Clarke and Robert). If one nation is successful in a cyberwar against another
nation, it will cost the other nation a huge amount of money. According to the
report, the average cost of a cyberwar is $600 billion for large companies and
around $200 million for small organizations.
References:
Anderson, Ross, et al. "Measuring the cost of cybercrime." The economics of information
security and privacy. Springer, Berlin, Heidelberg, 2013. 265-300.
Armstrong, Helen L., and Patrick J. Forde. "Internet anonymity practices in computer
crime." Information management & computer security 11.5 (2015): 209-215.
Carlos Roca, Juan, Juan José García, and Juan José de la Vega. "The importance of
perceived trust, security and privacy in online trading systems." Information
Management & Computer Security 17.2 (2017): 96-113.
Clarke, Richard Alan, and Robert K. Knake. Cyber war. Tantor Media, Incorporated,
2014.
Hayden, Lance. IT security metrics: A practical framework for measuring security &
protecting data. McGraw-Hill Education Group, 2017.
Jordan, Tim, and Paul Taylor. Hacktivism and cyberwars: Rebels with a cause?.
Routledge, 2017.
Klein, Adam G. "Vigilante media: unveiling Anonymous and the hacktivist persona in
the global press." Communication Monographs 82.3 (2015): 379-401.
McCrohan, Kevin F., Kathryn Engel, and James W. Harvey. "Influence of awareness and
training on cyber security." Journal of internet Commerce 9.1 (2014): 23-41.
Ponemon Study Shows The Cost Of A Data Breach Continues To Increase - News And
Press Releases. Ponemon.Org, 2018, https://www.ponemon.org/news-2/23.
Accessed 13 Oct 2018.
Ratnasingam, Pauline. "The importance of technology trust in web services security."
Information Management & Computer Security 10.5 (2015): 255-260.
Shaw, Ruey Shiang, et al. "The impact of information richness on information security
awareness training effectiveness." Computers & Education 52.1 (2015): 92-100.
Weber, Rolf H. "Internet of Things–New security and privacy challenges." Computer law
& security review 26.1 (2016): 23-30.