Read the book Security Awareness For Dummies - Ira Winkler - Page 36

Prioritizing Program Over Product


When people think of security awareness programs, often the first things that come to mind are computer-based training (CBT) and phishing simulations. When implementing a program, the person responsible for a security awareness program typically chooses a vendor and then determines which of the vendor’s products to use. Awareness programs should be a strategy for effectively addressing the risk associated with user actions. Products are potential tactics, which may or may not address a piece of a strategy. Though some tactics are common, they are not a strategy to address user risk. If you want a program instead of a product, there has to be more than just a choice of which products to roll out.

Consider how you would react if, when asked about a technical security program, a security engineer said they were buying a firewall and antimalware. Clearly, both of those products are required, but they don’t make for a complete security program, because attackers can bypass these products or find flaws in how the products are implemented. They leave too many other vulnerabilities unaddressed, even if each product individually functions perfectly.

With awareness, focusing solely on implementing products is also an incomplete approach. You need to determine how to roll out the entire program. You need to identify the components of the program and its metrics, the organization’s subcultures, and more. As mentioned previously in this chapter, if you’re incomplete in how you implement an awareness program, you will reach only a small population of users and in ways that may not impact them. Part 2 of this book covers the appropriate process.

If a system exists to simplify implementation of phishing and CBT, it represents the implementation of products and not the implementation of a comprehensive awareness program. If your goal is just to implement a Check-the-Box awareness program, however, product implementation is likely all you need.
