Internet Security Awareness Training

Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT).

Even small and medium enterprises are generally recommended to provide such training, but organizations that need to comply with government regulations (e.g., the Gramm–Leach–Bliley Act, the Payment Card Industry Data Security Standard, Health Insurance Portability and Accountability Act, Sarbox) normally require formal ISAT for annually for all employees.^[1] Often such training is provided in the form of online courses.

ISAT, also referred to as Security Education, Training, and Awareness (SETA), organizations train and create awareness of information security management within their environment.^[2] It is beneficial to organizations when employees are well trained and feel empowered to take important actions to protect themselves and organizational data.^[2] The SETA program target must be based on user roles within organizations and for positions that expose the organizations to increased risk levels, specialized courses must be required.^[2]

Employees and contractors pose threats to organizations that training can help reduce.

Coverage

There are general topics to cover for the training, but it is necessary for each organization to have a coverage strategy based on its needs, as this will ensure the training is practical and captures critical topics relevant to the organization. As the threat landscape changes very frequently, organizations should continuously review their training programs to ensure relevance with current trends.^[3]

Topics covered in ISAT^[4] include:

• Appropriate methods for protecting sensitive information on personal computer systems, including password policy
• Various computer security concerns, including spam, malware, phishing, social engineering, etc.
• Consequences of failure to properly protect information, including potential job loss, economic consequences to the firm, damage to individuals whose private records are divulged, and possible civil and criminal law penalties.

Being Internet Security Aware means you understand that there are people actively trying to steal data that is stored within your organization's computers. (This often focuses on user names and passwords, so that criminal elements can ultimately get access to bank accounts and other high-value IT assets.) That is why it is important to protect the assets of the organization and stop that from happening.^[5]

The general scope should include topics such as password security, Email phishing, Social engineering, Mobile device security, Sensitive data security, and Business communications. In contrast, those requiring specialized knowledge are usually required to take technical and in-depth training courses.^[2] Suppose an organization determines that it is best to use one of the available training tools on the market, it must ensure it sets objectives that the training can meet, including confirming the training will provide employees with the knowledge to understand risks and the behaviors needed in managing them, actions to take to prevent or detect security incidents, using language easily understandable by the trainees, and ensuring the pricing is reasonable.^[6]

Organizations are recommended to base ISAT training content on employee roles and their culture; the policy should guide that training for all employees^[7] and gave the following as examples of sources of reference materials:^[8]

• National Institute of Standards and Technology (NIST) Special Publication 800-50, Building an Information Technology Security Awareness and Training Program
• International Standards Organization (ISO) 27002:2013, Information technology—Security techniques—Code of practice for information security controls
• International Standards Organization (ISO) 27001:2013, Information technology — Security techniques — Information security management systems
• COBIT 5 Appendix F.2, Detailed Guidance: Services, Infrastructure and Applications Enabler, Security Awareness

The training must focus on current threats specific to an organization and the impacts if that materializes as a result of user actions. Including practical examples and ways of dealing with scenarios help users know the appropriate measures to take. It is a good practice to periodically train customers of specific organizations on threats they face from people with malicious intentions.^[9]

Coverage strategy for SAT should be driven by an organization’s policy. It can help truly determine the level of depth of the training and where it should be conducted at a global level or business unit level, or a combination of both. A policy also empowers a responsible party within the organization to run the training.^[2]

Importance

Employees are key in whether organizations are breached or not; there must be a policy on creating awareness and training them on emerging threats and actions to take in safeguarding sensitive information and reporting any observed unusual activity within the corporate environment.^[10]

Research has shown that SAT has helped reduce cyber-attacks within organizations, especially when it comes to phishing, as trainees learned to identify these attack modes and give them the self-assurance to take action appropriately.^[11]

There is an increase in phishing attacks, and it has become increasingly important for people to understand how to these attacks work, and the actions required to prevent these and SAT has shown a significant impact on the number of successful phishing attacks against organizations.^[12]

Compliance Requirements

Various regulations and laws mandate SAT for organizations in specific industries, including the Gramm–Leach–Bliley Act (GLBA) for the financial services, the Federal Information Security Modernization Act of 2014 for federal agencies, and the European Union’s General Data Protection Regulation (GDPR).^[13]

Federal Information Security Modernization Act

Employees and contractors in federal agencies are required to receive Security Awareness Training annually, and the program needs to address job-related information security risks linked that provide them with the knowledge to lessen security risks.^[14]

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act has the Security Rule,^[15] and Privacy Rule^[15] requiring the creation of a security awareness training program and ensuring employees are trained accordingly.

Payment Card Industry Data Security Standard

The Payment Card Industry Security Standards Council, the governing council for stakeholders in the payment industry, formed by American Express, Discover, JCB International, MasterCard, and Visa that developed the DSS as a requirement for the payment industry.^[8] Requirement 12.6 requires member organizations to institute a formal security awareness program. There is a published guide for organizations to adhere to when setting up the program.^[8]

US States Training Regulations

Some States mandate Security Awareness Training whiles other do not but simply recommend voluntary training. Among states that require the training for its employees include:

• Colorado (The Colorado Information Security Act, Colorado Revised Statutes 24-37.5-401 et seq.)^[16]
• Connecticut (13 FAM 301.1-1 Cyber Security Awareness Training (PS800))^[17]
• Florida (Florida Statutes Chapter 282)^[18]
• Georgia (Executive Order GA E.O.182 mandated training within 90 days of issue)^[19]
• Illinois (Cook County)^[20]
• Indiana (IN H 1240)^[21]
• Louisiana (Louisiana Division of Administration, Office of Technology Services p. 52: LA H 633)^[22]
• Maryland (20-07 IT Security Policy)^[23]
• Montana (Mandatory cyber training for executive branch state employees)^[24]
• Nebraska^[25]
• Nevada (agency-by-agency state employee requirement - State Security Standard 123 – IT Security)^[26]
• New Hampshire
• New Jersey ( NJ A 1654)^[27]
• North Carolina
• Ohio (IT-15 - Security Awareness and Training)^[28]
• Pennsylvania^[29]
• Texas^[30]
• Utah^[31]
• Vermont
• Virginia^[32]
• West Virginia (WV Code Section 5A-6-4a)

Training Techniques

Below are some common training techniques, even though some can be blended depending on the operating environment:^[3]

• Interactive video training  – This technique allows users to be trained using two-way interactive audio and video instruction.
• Web-based training – This method allows employees or users to take the training independently and usually has a testing component to determine if learning has taken place. If not, users can be allowed to retake the course and test to ensure there is a complete understanding of the material.  
• Non-web, computer-based training – Some organizations prefer not to use the internet or have locations without internet connectivity; hence this technique provides them an effective way to load training programs onto computers for users.
• Onsite, instructor-led training – This is a very popular technique for security awareness training but not efficient for large organizations. Some organizations use this method for the initial on-boarding training with employees as most require them to be onsite for on-boarding.

Training should be conducted during on-boarding and at least annually for employees or other third parties with access to organizational information systems; the medium is either through face-to-face instruction or online, typically focusing on recognizing attack symptoms and safeguarding sensitive data using several security mechanisms, including passwords, encryption, and secure sessions.^[33]

ISAT also teaches and refreshes the memory of participants on various present threats, emerging security threats, attack vectors, organizational policies related information security, and basic principles or norms to maintain security on the internet.^[33]

Organizations consider several options when it comes to training media to deliver the security awareness training to users, but research using learning theory, media richness theory, and cognitive load theory has shown that organizations do not need to invest heavily in highly-rich media as that does not lead to improved user behavior; the training content is most important.^[34]

SAT services are often coupled with additional tools and services related to a company’s employees including:

• Dark Web Monitoring Services – Detecting if any company email addresses or domains involved in a data breach, notifying administrators of data exposed tied to an employee's email address.
• Policy Compliance – Guiding users through cybersecurity governance policies. Send out policies to your users to acknowledge and to track and report on compliance.
• Risk Assessments – Assess and identify your company or customer’s threats and vulnerabilities. ^[35]

See also

• Access control
• Computer Security
• Cybersecurity Awareness
• Information Assurance
• Information Security
• Information Security Awareness
• Internet Security
• Network Security
• Phishing
• Physical Security
• Security
• Security Awareness
• Security controls
• Security management
• Social engineering

References

1. "Information Security Awareness Training (ISAT)". University of Virginia. Archived from the original on 4 November 2019. Retrieved 4 November 2019.
2. Caballero, Albert (2017-01-01). "Security Education, Training, and Awareness". Computer and Information Security Handbook: 497–505. doi:10.1016/B978-0-12-803843-7.00033-8. ISBN 9780128038437.
3. Wilson, M; Hash, J (2003). "Building an Information Technology Security Awareness and Training Program". Gaithersburg, MD: 34. doi:10.6028/nist.sp.800-50. {{cite journal}}: Cite journal requires |journal= (help)
4. "Content | ISAT | International Students Admissions Test | ACER". isat.acer.org. Retrieved 2021-03-13.
5. Sharf, Elad (July 2016). "Information exchanges: regulatory changes to the cyber-security industry after Brexit: Making security awareness training work". In Computer Fraud & Security. 7: 9–12. doi:10.1016/S1361-3723(16)30052-5.
6. Cooper, Michael H. (2009). "Information security training". Proceedings of the 37th annual ACM SIGUCCS fall conference: Communication and collaboration. New York, New York, USA: ACM Press. p. 217. doi:10.1145/1629501.1629541. ISBN 978-1-60558-477-5. S2CID 7117477.
7. "Cybersecurity Awareness Training for Beginners". awarego.com. 8 November 2022. Retrieved 5 June 2023.
8. "Official PCI Security Standards Council Site - Verify PCI Compliance, Download Data Security and Credit Card Security Standards". www.pcisecuritystandards.org. Retrieved 2021-07-05.
9. Liska, Allan (2015), "Building a network security intelligence model", Building an Intelligence-Led Security Program, Elsevier, pp. 124–125, doi:10.1016/b978-0-12-802145-3.00003-x, ISBN 978-0-12-802145-3
10. Payment Card Industry. Security Standards Council. (2014). Best Practices for implementing a Security Awareness Program.
11. Tschakert, Kai Florian; Ngamsuriyaroj, Sudsanguan (2019). "Effectiveness of and user preferences for security awareness training methodologies". Heliyon. 5 (6): e02010. Bibcode:2019Heliy...502010T. doi:10.1016/j.heliyon.2019.e02010. ISSN 2405-8440. PMC 6606995. PMID 31338464.
12. Carella, Anthony; Kotsoev, Murat; Truta, Traian Marius (2017). "Impact of security awareness training on phishing click-through rates". 2017 IEEE International Conference on Big Data (Big Data). IEEE. pp. 4458–4466. doi:10.1109/bigdata.2017.8258485. ISBN 978-1-5386-2715-0. S2CID 35766007.
13. Haney, Julie; Lutters, Wayne (2020). "Security Awareness Training for the Workforce: Moving Beyond "Check-the-Box" Compliance". Computer. 53 (10): 91–95. doi:10.1109/MC.2020.3001959. ISSN 0018-9162. PMC 8201414. PMID 34131349.
14. "Federal Information Security Modernization Act | CISA". www.cisa.gov. Retrieved 2021-07-27.
15. "The Security Rule". hhs.gov. United States Office for Civil Rights. 2009-09-10. Retrieved 2021-07-05.
16. "For State Employees - Colorado Governor's Office of Information Technology". www.oit.state.co.us. Retrieved 2021-07-27.
17. "13 FAM 301.1 Mandatory Security Training for All Department Employees". fam.state.gov. Retrieved 2021-07-27.
18. "Statutes & Constitution :View Statutes : Online Sunshine". www.leg.state.fl.us. Retrieved 2021-07-27.
19. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
20. "Cybersecurity Training for Cook County, Illinois, Employees". GovTech. 2013-11-07. Retrieved 2021-07-27.
21. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
22. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
23. "20-07 IT Security Policy". doit.maryland.gov. Retrieved 2021-07-27.
24. "Security Training Resources". sitsd.mt.gov. Retrieved 2021-07-27.
25. "NVeLearn". nvelearn.nv.gov. Retrieved 2021-07-27.
26. "State Security Policies Standards & Procedures". it.nv.gov. Retrieved 2021-07-27.
27. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
28. "State of Ohio Information Security and Privacy > Government > State Government > Security > Training and Awareness". infosec.ohio.gov. Retrieved 2021-07-27.
29. "Cybersecurity for Commonwealth Agencies and Employees". Office of Administration. Retrieved 2021-07-27.
30. "Certified Cybersecurity Training Programs, 154". dir.texas.gov. Retrieved 2021-07-27.
31. "2021 Security Awareness Training | Division of Technology Services". dts.utah.gov. Retrieved 2021-07-27.
32. "Bill Resource". custom.statenet.com. Retrieved 2021-07-27.
33. Lincke, Susan (2016). SECURITY PLANNING : an applied approach. Springer International. pp. 176–177. ISBN 978-3-319-36560-2. OCLC 1005117710.
34. Jenkins, Jeffrey L.; Durcikova, Alexandra; Burns, Mary B. (2012). "Forget the Fluff: Examining How Media Richness Influences the Impact of Information Security Training on Secure Behavior". 2012 45th Hawaii International Conference on System Sciences. Maui, HI, USA: IEEE. pp. 3288–3296. doi:10.1109/HICSS.2012.285. ISBN 978-1-4577-1925-7. S2CID 206705398.
35. Mezquita, Ty (2022-01-18). "The Hidden Benefits of Awareness Training for MSPs". CyberHoot. Retrieved 2022-01-27.