Research

Publication Date: 7 December 2009 ID Number: G00172484

Speed Security Awareness Program Development by Using External Resources

Andrew Walls

The effectiveness of a security awareness and communications program is determined, in great part, by the quality of the content and materials used in training activities. Use Gartner's overview of awareness products and services to identify products and services that can be leveraged to improve the impact of your investment in awareness activities. Key Findings
Extensive resources are available to augment internal staff capabilities or to provide complete security awareness and communications programs. Information security teams rarely include staff with significant skills in training development or marketing communications. Organizations that must demonstrate compliance with legislative or industry regulation must provide user education that covers all applicable aspects of the regulation.

Recommendations
Minimize development time and costs by purchasing commercial products and services for general security and risk management and regulatory compliance training. Assess the quality and availability of internal staff resources for the development and implementation of security awareness activities before investing in internal development and implementation. Increase the efficiency of programs focused on the demonstration of regulatory compliance by using targeted awareness products. Effective training sessions and materials require more than technical knowledge of information security on the part of the developer or presenter. If internal staff are involved in awareness development and presentation, then identify and develop the requisite capabilities in instructional design and training session leadership.

2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provid e legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

TABLE OF CONTENTS
Analysis ....................................................................................................................................... 3 1.0 Overview.................................................................................................................... 3 2.0 Typical Components of an Awareness Program ......................................................... 3 2.1 Group Events ................................................................................................ 3 2.2 Individual Training ......................................................................................... 4 2.3 Environmental Media ..................................................................................... 4 2.4 Trinkets ......................................................................................................... 5 2.5 Program Support ........................................................................................... 5 3.0 Vendor Products and Services ................................................................................... 6 3.1 CBT............................................................................................................... 9 3.2 Live Training.................................................................................................. 9 3.3 Video............................................................................................................. 9 3.4 Webcast/Podcast........................................................................................... 9 3.5 Guides/Manuals ............................................................................................ 9 3.6 Portal ............................................................................................................ 9 3.7 Posters ........................................................................................................ 10 3.8 Newsletters ................................................................................................. 10 3.9 LMS ............................................................................................................ 10 3.10 Training Administration and Presentation ................................................... 10 3.11 Trinkets ..................................................................................................... 10 Recommended Reading ............................................................................................................. 11

LIST OF TABLES
Table 1. Representative Vendors.................................................................................................. 7

LIST OF FIGURES
Figure 1. Awareness Vendors..................................................................................................... 11

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 2 of 12

ANALYSIS

1.0 Overview
The effectiveness of a security awareness and communications program is determined, in great part, by the quality of the content and materials used in training activities. Information security teams rarely possess or have access to the range of skills and capabilities required to develop effective awareness content or materials. As a result, homegrown awareness materials and programs are often technically accurate, but poorly structured as vehicles to drive understanding or changes in staff behavior. What types of vendor products and services can be used to improve the effectiveness of awareness programs? Use Gartner's overview of awareness products and services to identify products and services that can be leveraged to improve the impact of your investment in awareness activities.

2.0 Typical Components of an Awareness Program

Although security awareness programs are often referred to as training programs, most programs incorporate materials and activities that are outside of the bounds of traditional training. Modern awareness programs have evolved into a combination of training and marketing. This combination has enabled security managers to deploy a broad range of activities and media focused on guiding staff behavior to comply with applicable regulations and policies. The list of activities and materials presented below is neither prescriptive nor comprehensive. Creativity and novelty are vital components of an effective awareness and communications program, but cannot replace the quality and accuracy of program content. Gartner recommends that security awareness programs incorporate the three R's: Repeat Because people forget. Reinforce Use complementary messages to reinforce the same principle. Refresh Use different delivery mechanisms, because people "switch off" after too much repetition using the same method. Use the list below to analyze the makeup of your current awareness program and to identify new approaches that can expand and improve the impact of the existing activities and materials.

2.1 Group Events

Classroom training: Classroom training is a common element in many training programs, not just security awareness. This method mimics the teaching and learning activities and methodologies used in many academic institutions and typically includes the following materials and activities: Leader guides Presenter(s) use leader guides/manuals containing scripted activities (for example, structured discussions, lectures and role plays) to guide participants through relevant topics and issues. Participant workbooks Workbooks/manuals are provided to participating staff to guide their interaction during the training event and as a take-away reference to support ongoing learning.

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 3 of 12

Visual presentations Event leaders can use presentation software (for example, PowerPoint) to display talking points, data analysis and conceptual graphics to reinforce and supplement verbal content. Role-play scenarios and scripts Structured scenarios with multiple, defined roles guide participants into improved understanding of security principles in work situations. Video Videos are an effective way to present complex social situations in a short period of time and to highlight locations and facilities that are inaccessible to participants. Security Fairs and Briefings: Security fairs are informal events that include a diverse range of activities, lectures and materials presented in an entertaining and dynamic manner. Often, multiple activities are conducted simultaneously. Security fairs can last for a few hours or a few days, depending on the size and availability of the audience and the quantity of content available for presentation. Typical activities and materials include: Games Competitive situations can be used to encourage deep engagement by participants in the awareness material and message. Games can incorporate individuals and groups, computer-based training (CBT) or live interaction. Popular group participation games include those modeled on popular television quiz shows, as well as treasure hunts (for information) and trivia contests. Tradeshows Vendors can support the awareness program while marketing their services and products by setting up a tradeshow booth with appropriate staff to answer questions and discuss security issues with participants. A variety of vendor products and services (for example, safe manufacturers, penetration testers, surveillance systems, endpoint protection and home security vendors) can increase participation more than a strict focus on traditional information security control vendors. Presentations Security fairs provide an excellent opportunity for senior business leaders to speak with participants concerning security issues. Presentations can be formal (such as lecture mode) or informal (for example, Q&A or discussion panel).

2.2 Individual Training

CBT: CBT is very popular for training related to regulatory compliance that requires the tracking of staff participation and completion of content. Although it is possible to construct custom CBT modules for use in a learning management system (LMS see below for a discussion), the majority of CBT content is vendor-supplied content with mild customization. CBT can be presented through vendor-managed portals and in-house LMS or Web services. Workbooks: Self-paced instruction based on print media workbooks has diminished in popularity in favor of CBT; however, print media workbooks can be an effective educational tool for appropriate audiences and content. Workbooks can also be used in combination with other learning mechanisms, such as CBT or group events.

2.3 Environmental Media

Posters and handbills: Posters and handbills have featured prominently in many highly effective security awareness campaigns sponsored by national governments (for example, World War II posters asserting that "Loose lips sink ships!"). Posters and

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 4 of 12

handbills provide persistent reminders of security principles and practices, and can be placed strategically to promote appropriate practices at high-risk locations (for example, "No tailgating" messages placed at controlled physical entry points). Newsletters: Regular publication and distribution of topical content via print or online media can remind staff of security threats and practices, effectively extending the influence of periodic live events and individual training. Newsletter content must be selected and structured to encourage continuing consumption by staff. Newsletters market security awareness; they don't simply provide information. Accordingly, content must focus on issues and concerns that are of interest to the reader, and care must be exerted to create an attractive visual appearance. E-mail bulletins and alerts: E-mail bulletins and alerts can highlight emerging threats and new security requirements. They are also effectively used to report the results of policy enforcement actions and security breaches. As with newsletters, the message must be structured to suit the medium. Emphasize short, to-the-point messages with pointers to sources for more-detailed information. E-mail readership may be improved if the nominal source of the e-mail changes over time and includes senior executives outside the security or IT organization. Screen savers: Corporate screen savers can be used to communicate short security messages.

2.4 Trinkets
The term "trinkets" is used to describe low-value items that carry a security message and that can be given away to staff. The educative value of trinkets is very low, but they are effective at "softening" the image and reputation of the security team. In some cases, popular trinkets can provide a persistent presentation of contact data for incident reporting or URLs for security information. Whenever possible, use a unifying logo, mascot or color theme with trinkets to tie the various elements of the overall awareness program into a consistent appearance or theme. Some of the more-common examples of trinkets include: Mouse pads Pens Notepads Business cardholders Puzzles Toys

2.5 Program Support

LMSs: An LMS provides a platform for the development and presentation of online training materials and assessments, as well as for recording staff use of awareness content. It is rare that the cost of an LMS can be justified on the basis of security awareness requirements; however, the analytical reporting available through an LMS is a valuable tool for improving the focus and impact of awareness training and for informing personnel managers of the level of participation of their staff in training activities. LMS functionality can be obtained as a service or through licensed, in-house implementations. The LMS defines how content must be structured for presentation (see "Magic Quadrant for Corporate Learning Systems").
Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Page 5 of 12

Assessment tools: Staff comprehension of security content and the ability to apply security principles in typical job situations are critical measures of the effectiveness of security awareness training activities and materials. Assessment of staff comprehension and performance can be conducted through automated logging and analysis of user activities (see "Toolkit: Sample Security Awareness Metrics Catalog") and by direct testing of staff. Both approaches must be structured to assess knowledge and behaviors specifically targeted by awareness materials and activities. Portals: Security awareness portals can provide an integrated collection of security information to diverse audiences. Portals can link to training modules, policies and standards, and other internal and external information sources. Portals can directly present information about current security activities (for example, malware alerts and security updates) and resource directories of security staff and publications. Many security teams maintain internal portals that provide security information to staff. Several vendors provide material that can be displayed in internal portals, while others provide both public and private, customizable portals accessible via the Internet.

3.0 Vendor Products and Services

Table 1 provides a representative list of vendors and the various products and services that they provide. Although many vendors provide unique capabilities and product sets, the products and services available in the market can generally be clustered as indicated below. These product/service groups focus on the structure of the offering and not on the content. Although some vendors are dedicated to the security awareness market (for example, The Security Awareness Company and TerraNova), many vendors focus on a specific aspect of security, such as Health Insurance Portability and Accountability Act (HIPAA) regulatory compliance (for example, ComplyNow). In addition to commercial organizations, there are several governmental and educational organizations that provide security awareness materials to the public at no cost (for example, Multi-State Information Sharing and Analysis Center [MS-ISAC] and Educause). Multilingual materials and localization services are available to varying extents from most vendors. URLs for vendors and a short description of products and services are provided in Table 1.

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 6 of 12

Table 1. Representative Vendors

Company Name Awareity ComplyNow Computer Security Institute (CSI) Cosaint Covetrix Educause Website www.awareity.com www.complynow.com www.gocsi.com/awareness www.cosaint.net www.covetrix.com https://wiki.internet2.edu/confluence/di splay/itsg2/Cybersecurity+Awareness +Resource+Library www.globallearningsystems.com www.hrcertification.com www.infosecuritylab.com www.infosecuregroup.com www.infragardawareness.com Description Awareity provides an LMS and knowledge management system with modules focused on security awareness and compliance with various U.S. regulations (HIPAA). ComplyNow offers HIPAA compliance training and "train the trainer" materials. CSI is a member-based professional organization that offers various services and materials to promote security awareness. Cosaint training includes hosted or in-house (if you have an LMS) solutions focusing on compliance issues (Payment Card Industry Data Security Standard and HIPAA). Covetrix emphasizes stock and custom video presentations, backed up by automated e-mail reminders. Educause is an international association focused on IT in higher education. It offers a collection of resources provided by member organizations, including an annual poster and video competition for student-generated security awareness materials. Global Learning Systems markets Web-based CBT (single course) with multiple, customizable sections. As the name implies, HRcertification.com programs are purely for certification against specific standards that relate to the management of human resources (such as HIPAA). InfoSecurityLab markets CBT modules and workshop materials to conduct live training, supported by posters and other print materials. InfoSecure provides multiple CBT modules and Train-the-Trainer materials for live workshops. InfraGard is sponsored, in part, by the U.S. government. It provides a basic awareness course with a certification program and a range of customizable courses. It is affiliated with the Center for Information Security Awareness. LRN course content focuses on regulatory compliance and corporate ethics. MediaPro provides modules for use in an LMS for security and privacy issues. MS-ISAC provides a variety of resources for public and private organizations. Materials are available for guiding security professionals as well as general user populations. Native Intelligence markets a wide range of CBT modules on security topics backed up by print materials and trinkets. The NIST Computer Security Division offers a large collection of awareness resources.

Global Learning Systems HRcertification.com InfoSecurityLab InfoSecure InfraGard

LRN MediaPro MS-ISAC Native Intelligence National Institute of Standards and Technology (NIST)

www.lrn.com www.mediapro.com www.msisac.org www.nativeintelligence.com http://csrc.nist.gov/groups/SMA/ate/m aterials.html#01

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 7 of 12

Company Name Safelight Sage Data Security SCIPP International

Website www.securityadvisors.com www.sagedatasecurity.com www.scippinternational.org

Description Safelight provides a series of courses focused on various audiences, including users, developers and IT administrators. Sage Data Security offers a portal service with customizable training content, manuals and policies. SCIPP offers hosted or licensed training modules that target general, regulatory and industry-specific security topics in multiple languages. Training is certified under a variety of regulatory schemes and standards (mostly U.S.). Security Awareness Incorporated provides scripted materials for leading various workshops on security topics. It also offers posters, trinkets and a single video. Security Mentor provides an LMS with content provided via the Web on a subscription model. Training is delivered in frequent, short modules. StaySafeOnline.org is the coordination and publication site of the National Cyber Security Alliance. It provides materials in support of security awareness activities, as well as links to free content from commercial partners. TerraNova provides a wide range of products and services for promoting awareness. It offers customization based on client policies/guidelines of print, video, CBT and live presentation. The Security Awareness Company is a full-spectrum organization delivering customizable products and services for most aspects of an awareness program, including event management for awareness events. TraceSecurity provides security awareness content modules that work within its own learning management system. The LMS tracks staff participation in the awareness program. WeComply focuses on regulatory compliance training with training modules on HIPAA, copyright, customer-proprietary network information and the Gramm-Leach-Bliley Act. It also provides moregeneral modules on privacy, information security, trade secrets, e-mail and Internet, and records management.

Security Awareness Incorporated Security Mentor StaySafeOnline.org

www.securityawareness.com www.securitymentor.com www.staysafeonline.org

TerraNova The Security Awareness Company TraceSecurity WeComply

www.terranovasite.com www.thesecurityawarenesscompany.c om www.tracesecurity.com www.wecomply.com

Source: Gartner (December 2009)

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 8 of 12

3.1 CBT
Licensing of CBT modules is the single, most common product offering (20 out of 26 vendors offer CBT modules). Most vendors support a range of LMS formats and content format standards (for example, the Sharable Content Object Reference Model or SCORM see Note 1). The depth and breadth of the available CBT curricula vary. A few vendors offer extensive content libraries (TerraNova, The Security Awareness Company and Native Intelligence), while others offer a few modules (Awareity, InfraGard and TraceSecurity) or a single module (Global Learning System). The content of these modules includes generic awareness topics (password management and laptop security), regulatory compliance, and industry-specific security topics (healthcare, education and national critical infrastructure). Several companies offer customization and development services for unique CBT modules (Global Learning System, InfraGard, Native Intelligence, Sage Data Security, TerraNova and The Security Awareness Company).

3.2 Live Training

Several vendors provide professional trainers to lead awareness events using materials and content created by the vendor (Computer Security Institute, Safelight, TerraNova and The Security Awareness Company). Train-the-trainer services are available from these vendors as well.

3.3 Video
Video is a popular medium with most of the not-for-profit organizations providing awareness materials (Educause, NIST and MS-ISAC). Of particular interest are the videos available from Educause, as an outcome of its annual student contest for short videos promoting security awareness. Commercial videos are available from Covetrix, InfoSecure, Native Intelligence, Security Awareness Incorporated, TerraNova and The Security Awareness Company. The commercial vendors also offer customization of videos to include organization-specific messages and logos.

3.4 Webcast/Podcast
Webcasts and podcasts are new media variants of traditional newsletters and live presentations. The Security Awareness Company, MS-ISAC and Educause are the only organizations that market webcasts; however, the vendors that provide security portals (see below) tend to offer webcasts as part of their portal functionality.

3.5 Guides/Manuals
Many of the vendors offer a variety of print manuals and guides for users and training leaders. In general, leader and participant guides are available as part of live training and train-the-trainer services and occasionally as separate products (Awareity, InfoSecure, InfoSecurityLab, Security Awareness Incorporated and The Security Awareness Company).

3.6 Portal
We've identified three vendors that market security awareness portals (Computer Security Institute, Sage Data Security and Security Mentor). Portals can be customized with content selected by the client organization. Gartner anticipates that portals will evolve into awareness-asa-service platforms that incorporate many of the materials and activities that can be conveyed digitally (CBT, newsletters, videos and so on).

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 9 of 12

3.7 Posters
Posters and handbills are available from commercial and not-for-profit vendors as both standalone media and as part of a coordinated training and awareness curriculum. Educause, MSISAC, NIST and StaySafeOnline.org all offer files that can be printed in various physical formats for use as posters or handbills. In some cases (depending on file format), these materials can be customized with logos and contact information. InfoSecurityLab, Native Intelligence, TerraNova and The Security Awareness Company offer stock and custom posters as files and in printed media.

3.8 Newsletters
Many vendors offer newsletters as a subscription service. Newsletter content can be delivered through e-mail, portal or file attachments. A few vendors also offer customized newsletters. The frequency of newsletter distribution is variable and can be selected by the client.

3.9 LMS
As mentioned earlier, an LMS is rarely acquired solely for the promotion of security awareness. A few of the vendors that offer CBT modules primarily market an LMS and use the modules to increase the value of the LMS for the client (for example, Trace Security).

3.10 Training Administration and Presentation

TerraNova and The Security Awareness Company offer support services for the management of security training events and sessions, such as security fairs and tradeshows. Security teams that lack experience in event management can leverage vendor experience to create effective events. The availability of event management services that focus on security awareness is limited to a certain extent by geography.

3.11 Trinkets
Native Intelligence, Security Awareness Incorporated, TerraNova and The Security Awareness Company all maintain catalogs of trinkets that can be customized to suit client requirements.

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 10 of 12

Figure 1. Awareness Vendors

Source: Gartner (December 2009)

RECOMMENDED READING
"Improve the Impact of Security Awareness Training by Aligning Metrics and Training Design" "Q&A: What Basic Content Should Be Included in a Security Awareness Program?" "Toolkit: Sample Security Awareness Metrics Catalog" "How to Build an Enterprise Security Awareness Program"

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 11 of 12

"Magic Quadrant for Corporate Learning Systems"

Note 1 SCORM
SCORM is a collection of standards and technical specifications developed by the Advanced Distributed Learning (ADL) initiative sponsored by the U.S. Department of Defense. The standard was initially released in 2001 and has evolved through multiple updates. Support for the SCORM standard has grown as a result of the Department of Defense's announcement in 2003 that all training purchased by the department must comply with SCORM. Detailed information concerning SCORM can be obtained from the ADL website . The objectives of SCORM are to provide accessibility, interoperability, durability and reusability of training content. In pursuit of this objective, ADL has developed relationships with other standards-setting organizations that focus on Web-based instruction, including the Alliance of Remote Instructional Authoring & Distribution Networks for Europe, the IMS Global Learning Consortium, and the Institute of Electrical and Electronics Engineers. Not all vendors of LMS and Web-based training content have embraced SCORM, but many of the dominant LMS solutions (such as Blackboard) have adopted the standard.

REGIONAL HEADQUARTERS
Corporate Headquarters 56 Top Gallant Road Stamford, CT 06902-7700 U.S.A. +1 203 964 0096 European Headquarters Tamesis The Glanty Egham Surrey, TW20 9AW UNITED KINGDOM +44 1784 431611 Asia/Pacific Headquarters Gartner Australasia Pty. Ltd. Level 9, 141 Walker Street North Sydney New South Wales 2060 AUSTRALIA +61 2 9459 4600 Japan Headquarters Gartner Japan Ltd. Aobadai Hills, 6F 7-7, Aobadai, 4-chome Meguro-ku, Tokyo 153-0042 JAPAN +81 3 3481 3670 Latin America Headquarters Gartner do Brazil Av. das Naes Unidas, 12551 9 andarWorld Trade Center 04578-903So Paulo SP BRAZIL +55 11 3443 1509

Publication Date: 7 December 2009/ID Number: G00172484 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved.

Page 12 of 12