2nd Edition

Managing an Information Security and Privacy Awareness and Training Program

By Rebecca Herold, Copyright 2010
    568 pages, 38 B/W illustrations
    Published by CRC Press

    Starting with the inception of an education program and progressing through its development, implementation, delivery, and evaluation, Managing an Information Security and Privacy Awareness and Training Program, Second Edition provides authoritative coverage of nearly everything needed to create an effective training program that is compliant with applicable laws, regulations, and policies. Written by Rebecca Herold, a well-respected information security and privacy expert named one of the "Best Privacy Advisers in the World" multiple times by Computerworld magazine as well as a "Top 13 Influencer in IT Security" by IT Security Magazine, the text supplies a proven framework for creating an awareness and training program. It also:

    • Lists the laws and associated excerpts of the specific passages that require training and awareness
    • Contains a plethora of forms, examples, and samples in the book’s 22 appendices
    • Highlights common mistakes that many organizations make
    • Directs readers to additional resources for more specialized information
    • Includes 250 awareness activities ideas and 42 helpful tips for trainers

    Complete with case studies and examples from a range of businesses and industries, this all-in-one resource provides the holistic and practical understanding needed to identify and implement the training and awareness methods best suited to, and most effective for, your organization.

    Praise for:

    The first edition was outstanding. The new second edition is even better ... the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly.

    Brief History of Corporate Information Security and Privacy Awareness and Training
    Once Upon a Time
    Welcome to the Information Age
    Information Security and Privacy Education
    Current Challenges Bring Changes in Professional Education

    Why Training and Awareness Are Important
    Regulatory Requirements Compliance
    Customer Trust and Satisfaction
    Compliance with Published Policies
    Due Diligence
    Corporate Reputation

    Legal and Regulatory Requirements for Training and Awareness
    Awareness and Training Needs
    Legal Considerations
    Copyright Considerations
    Specific Regulatory Education Requirements

    Incorporating Training and Awareness into Job Responsibilities and Appraisals
    Motivational Factors
    Methods of Security and Privacy Objectives Assessments
    Performance against Specific Privacy and Security Objectives
    Using Appraisal Results
    Considering Security and Privacy within Job Performance as a Whole
    Paying for Performance
    Additional Percentage Element Added to Pay

    Common Corporate Education Mistakes
    Throwing Education Together Too Quickly
    Not Fitting the Environment
    Not Addressing Applicable Legal and Regulatory Requirements
    No Leadership Support
    Budget Mismanagement or No Budget
    Using Unmodified Education Materials
    Information Overload
    No Consideration for the Learner
    Poor Trainers
    Information Dumping
    No Motivation for Education
    Inadequate Planning
    Not Evaluating the Effectiveness of Education
    Using Inappropriate or Politically Incorrect Language

    Getting Started
    Determine Your Organization’s Environment, Goals, and Mission
    Identify Key Contacts
    Review Current Training Activities
    Review Current Awareness Activities
    Conduct a Needs Assessment
    Create Your Road Map
    Elements of an Effective Education Program

    Establish a Baseline
    Hard Data
    Soft Data

    Get Executive Support and Sponsorship
    Executive Security and Privacy Training and Awareness Strategy Briefing
    Provide Examples of Security- and Privacy-Impacting Events
    Case Studies
    Key Business Leader Information Protection Responsibilities

    Identify Training and Awareness Methods
    Adult Learning
    Training Delivery Methods
    Auditorium Presentations to Large Groups
    Remote Access Labs
    Satellite or Fiber-Optic Long-Distance Learning
    Web-Based Interactive Training (such as Webinars)
    Audio Instruction
    Video and DVD
    Workbooks
    On-the-Job (OTJ)
    Conference Calls
    Outsourced Training and Awareness with Professional Educational Services
    Education Provided by Professional Societies
    Government-Sponsored Training
    Awareness Methods

    Awareness and Training Topics and Audiences
    Target Groups
    Mapping Topics to Roles and Target Groups
    Standards and Principles

    Define Your Message
    Customer Privacy
    Laws and Regulations
    Access Controls
    Risk Management

    Prepare Budget and Obtain Funding
    Obtain Traditional Funding if You Can
    Obtain Nontraditional Funding When Necessary
    Final Budget and Funding Thoughts

    Training Design and Development
    Training Methods
    Design and Development
    Choosing Content
    Job-Specific Content and Topics for Targeted Groups
    Learning Activities
    Training Design Objectives

    Awareness Materials Design and Development
    Contrasting Awareness and Training
    Make Awareness Interesting
    Awareness Methods
    Awareness Is Ongoing
    Developing Awareness Activities and Messages
    Monthly Information Security and Privacy Newsletters

    Step 1: Identify Where You Need to Improve, Update, or Create Information Security and Privacy Training and Awareness
    Step 2: Obtain Executive Sponsorship
    Step 3: Communicate Information Security and Privacy Program Overview
    Step 4: Send Target Groups Communications Outlining the Information Security and Privacy Training and Awareness Schedules and Their Participation Expectations

    Deliver In-Person Training
    What to Avoid in Training
    Multinational Training Considerations
    Delivering Classroom Training
    Tips for Trainers
    Visual Aids
    Training in Group Settings
    Case Studies

    Launch Awareness Activities
    Step 1: Identify Areas in Which You Need to Improve, Update, or Create Awareness
    Step 2: Obtain Executive Sponsorship
    Step 3: Communicate the Information Security and Privacy Program Overview
    Step 4: Identify Trigger Events
    Step 5: Identify Target Groups
    Step 6: Identify Your Awareness Methods and Messages
    Step 7: Evaluate Changed Behavior
    Step 8: Update and Perform Ongoing Awareness Plan for Specific Events

    Evaluate Education Effectiveness
    Evaluation Areas
    Evaluation Methods
    Evaluating the Effectiveness of Specific Awareness and Training Methods
    Education Effectiveness Evaluation Framework Activities Checklist

    Leading Practices
    Setting the Standard for Data Privacy and Awareness
    Establishing a Security Culture Through Security Awareness
    Empirical Evaluations of Embedded Training for Antiphishing User Education
    We Are Now the Targets of Thieves!
    Risks from Advanced Malware and Blended Threats
    Case Study: 1200 Users, 11 Cities in 7 Weeks … and They Wanted to Come to Security Awareness Training
    Obtaining Executive Sponsorship for Awareness and Training
    Education and Awareness for Security Personnel
    Aetna’s Award-Winning Security Awareness Program
    Security Awareness Case Study


    Sample Executive Education Sponsorship Memo
    Training Contact Training Data Collection Form
    Effectiveness Evaluation Framework
    Sample Privacy Roles Definitions
    Suggested Privacy Awareness and Training Strategy Announcement as Voice Mail Message
    Privacy Icon or Mascot
    Sample Privacy Training Survey
    Privacy Sample Training Plans
    Advocate and SME Interview Questions to Assist with Privacy Training Development
    Training and Awareness Inventory
    Incorporating Training and Awareness into the Job Appraisal Process Interview/Questionnaire
    Sample Customer Privacy Awareness and Training Presentation
    Designated Security and Privacy–Related Days
    Education Costs Worksheet
    Sample Pre-training/Awareness Questionnaire
    Security Awareness Quiz Questions
    Social Engineering Quiz


    The first edition was outstanding. The new second edition is even better - an excellent textbook packed with sound advice and loads of tips to make your security awareness program pull its weight. … engaging and stimulating, easy to read yet at the same time thought-provoking. … chock-full of good ideas, not just theoretical concepts but solid practical advice that can be put to use immediately. A side effect is that there are lots of lists, tables and bullet points but they are well structured and succinctly summarize the key points. … an excellent reference text. Extensive appendices (130 pages) include sample awareness materials and plans, a security glossary, various checklist/questionnaires and references. This is the definitive and indispensable guide for information security and privacy awareness and training professionals, worth every cent. As with the first edition, we recommend it unreservedly.

    This book is remarkable because it covers in detail all the facets of providing effective security awareness training … I can, without reservation, recommend use of this book to any organization faced with the need to develop a successful training and awareness program. It surely provides everything you need to know to create a real winner.
    —Hal Tipton, from the Foreword

    Rebecca Herold has the answers in her definitive book on everything everybody needs to know about how to impart security awareness, training, and motivation. Motivation had been missing from the information security lexicon until Herold put it there in most thorough and effective ways … She demonstrates that security must become a part of job performance rather than being in conflict with job performance… The power of this book also lies in applying real education theory, methods, and practice to teaching security awareness and training … After reading this book, there is no question about the necessary and important roles of security awareness, training, and motivation.
    —Donn B. Parker, CISSP, from the Preface

    Rebecca Herold, an independent computer security advisor, knows privacy. Not all security consultants do. In her latest book, Managing an Information Security and Privacy Awareness and Training Program, Herold has collected her best advice.
    —Privacy Journal

    … perfect for lay and professional audiences, this is a guide not for implementing technical necessities but for getting everybody in an organization on board.
    —Journal of Productive Innovation