Read the book The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 104
Security Awareness Overview
It's easy to see that in almost every organization, no matter how large or small its workforce, no one single person can possess the knowledge, skills, abilities, and attitudes to successfully do all of the jobs that make that organization successful. By the same token, no one information security professional can keep all of the systems and elements of the IT architecture secure and plan, develop, and teach the security awareness, education, and training programs the rest of the workforce needs. What any of us can do—what you can do—is to take a thumbnail sketch of what such programs need to achieve, share this with management and leadership, and assist where you can with the expertise and talent you do have to make that sketch of a plan become reality. Let me offer you some thoughts about this, from my experiences as an educator, trainer, and information security professional.
Let's start with awareness—the informed recognition that a set of topics, ideas, and issues exists and is important. Awareness shines a different light on the day-to-day, triggering moments of recognition. Awareness shatters the false myths, the explanations that everybody “knows” but that have never been tested for validity. Simple but compelling examples can do this; even something as simple as “fake phishing” attack emails that you send to your own workforce can, over time, increase the percentage of that workforce who get better at spotting a possible attack and dealing with it immediately and correctly.
Education explains concepts and links them to awareness. Education can be formal, focused around an identified body of content or aimed at the student attaining a credential of some kind attesting to their accomplishment. Informal education can be just as effective and often is well suited to rapidly evolving situations. Education stimulates thinking and creativity. A short course in root cause analysis can start with getting students to recognize the power of simple, open-ended questions.
Training teaches skills and guides learners in becoming increasingly proficient in applying them to realistic situations. Training activities that use “spotters' guides,” for example, can demonstrate packet sniffing and filtering or anti-phishing email screening techniques and then use checklist approaches as the frameworks of labs and exercises to enhance learners' abilities to recognize concepts in action and make informed decisions regarding actions to take.