Cybersecurity Education for Awareness and Compliance - Advances in Information Security, Privacy, and Ethics
Total documents: 12 (last five years: 12); H-index: 1 (last five years: 1)

Published By IGI Global

9781522578475, 9781522578482

Author(s): Shaun Joseph Smyth, Kevin Curran, Nigel McKelvey

Insider threats present a major concern for organizations worldwide. As organizations need to provide employees with authority to access data to enable them to complete their daily tasks, they leave themselves open to insider attacks. This chapter looks at those who fall into the category which can be referred to as insiders and highlights the activity of outsourcing which is employed by many organizations and defines the term insider threat while pointing out what differentiates an accidental threat from a malicious threat. The discussion also considers various methods of dealing with insider threats before highlighting the role education and awareness plays in the process, the importance of tailoring awareness programs, and what the future holds for insider threats within organizations.


Author(s): Joshua Crumbaugh

Human error is the cause of over 95% of data breaches and the weakest aspect of cybersecurity in nearly all organizations. These errors guarantee that hackers can easily gain access to almost any network in the world and take complete control of systems, data, and more. This chapter outlines the top mistakes organizations make in security awareness and why most companies are failing to properly prepare their users for cyber-attacks. Each point is accompanied by actionable data derived from real-world training program successes and failures.


Author(s): Steven M. Furnell, Ismini Vasileiou

This chapter sets the scene for the book as a whole, establishing the need for cybersecurity awareness, training, and education in order to enable us to understand and meet our security obligations. It begins by illustrating key elements that ought to form part of cybersecurity literacy and the questions to be asked when addressing the issue. It then examines the problems that have traditionally existed in terms of achieving awareness and education, both at the user level (in terms of lack of support) and the practitioner level (in terms of a skills shortage). The discussion highlights the importance of a holistic approach, covering both personal and workplace use, and addressing the spectrum from end-users through to cybersecurity specialists.


Author(s): Matt Bishop, Diana Burley, Lynn A. Futcher

The Cybersecurity Curricular Guidelines, a joint effort of the ACM, IEEE Computer Society, AIS SIGSAC, and IFIP WG 11.8, were created to provide developers of cybersecurity curricula with guidelines for material to include. The curricular guidelines have eight knowledge areas, broken down into knowledge units and topics. Underlying cross-cutting concepts provide linkages among the knowledge areas. Disciplinary lenses enable the developer to emphasize the knowledge units appropriate to the goals of the developed curricula. Each knowledge area also includes a list of essential concepts that all curricula should cover to an appropriate depth. The guidelines can be linked to workforce frameworks and certification criteria as well as academic curricula.


Author(s): Adrian Davis

The chapter looks at the burgeoning field of certification for individuals in the field of information security or cybersecurity. Individual information security certifications cover a wide range of topics from the deeply technical to the managerial. These certifications are used as a visible indication of an individual's status and knowledge, used to define experience and status, used in job descriptions and screening, and may define expectations placed on the individual. This chapter examines how these certifications are produced, the subjects they cover, how they integrate, and the various audiences at which the certifications are aimed. The role, the perceived and real value, and the benefits of certification within the field of information security, from both an individual and an organizational perspective, are discussed. Finally, some conclusions on certification are presented.


Author(s): Teemu J. Tokola, Thomas Schaberreiter, Gerald Quirchmayr, Ludwig Englbrecht, Günther Pernul, ...

This chapter presents an implementation of a cybersecurity education program. The program aims to address some issues identified in current cybersecurity teaching in higher education on a European level, like the fragmentation of cybersecurity expertise or resource shortage, resulting in few higher education institutions offering full degree programs. As a result of the Erasmus+ strategic partnership project SecTech, the program tries to overcome those issues by introducing collaborative development to cybersecurity education. SecTech lays the foundations for a collaborative education program, like the definition of a clear content, module, and delivery structure, and the appropriate tool support to facilitate collaboration and content reuse. Additional effort is required to achieve long-term success, including the creation of a community that drives the content creation and maintenance, as well as an independent governance structure to steer the project in the long term. While the project focuses on European collaboration, a global community is envisioned.


Author(s): Mark A. Harris, Ronald Martin

In a global online economy, organizations are tasked with protecting their cybersecurity assets. Penalties from failing to protect assets, such as customer data, can severely harm an organization and even lead to bankruptcy. Cybersecurity governance programs need to be aware of the laws and regulations affecting their organizations and use applicable standards or frameworks to develop appropriate cybersecurity policies and controls. Compliance programs then need to monitor policy compliance on a continuing basis. This chapter discusses the laws, regulations, and standards that are used to create cybersecurity policies and the typical tools used to measure compliance. In addition, theoretical cybersecurity compliance research is reviewed to highlight supplementary techniques to improve compliance.


Author(s): Gurpreet Dhillon, Kane Smith, Karin Hedström

Within an organization, it is critical that all employees possess security awareness and thus play a part in the protection of said organization's information assets. Some employees will have key roles and responsibilities and require specific skills to support them. However, organizations can face challenges in regard to recognizing the required specialized skills as well as where to obtain them. For this reason, whether an organization chooses to hire new staff, develop existing staff, or outsource the activities altogether, it is necessary to know the type and level of expertise required. To this end, this chapter discusses the need for organizations to understand and identify the essential skills related to cybersecurity in order for their employees to develop core competencies in these areas.


Author(s): Adéle Da Veiga

A security culture can be a competitive advantage when employees uphold strong values for the protection of information and exhibit behavior that is in compliance with policies, thereby introducing minimal incidents and breaches. The security culture in an organization might, though, not be similar among departments, job levels, or even generation groups. It can pose a risk when it is not conducive to the protection of information and when security incidents and breaches occur due to employee error or negligence. This chapter aims to give organizations an overview of the concept of security culture, the factors that could influence it, an approach to assess the security culture, and to prioritize and tailor interventions for high-risk areas. The outcome of the security culture assessment can be used as input to define security awareness, training, and education programs aiding employees to exhibit behavior that is in compliance with security policies.


Author(s): Peter James Fischer

This chapter traces the evolution of cybersecurity skills requirements and development over the past 40 years, from the early days of computer security (Compusec) to the present day. The development of cybersecurity skills is traced from an initial focus upon national security and confidentiality through to the current recognition as a business driver. The main part of the chapter concentrates on the development of a specific skills framework from the Institute of Information Security Professionals. Originally conceived in 2006 and initially used for purposes of membership accreditation, the IISP Skills Framework has since been used extensively by commerce, industry, government, and academia in the UK and more widely. Version 2 of the framework was published in 2016, and the chapter discussion outlines both the original structure and the notable changes in the later release. These developments collectively illustrate the ongoing recognition of cybersecurity skills, as well as the evolution of the skills themselves.