
dc.contributor.author: Kimani, Ndiba D
dc.description.abstract: Research has indicated that a significant portion of information security breaches in organizations are caused by employees, whether intentionally or unintentionally. To mitigate this, organizations have set up ICT security awareness programs. These awareness programs are meant to empower employees with knowledge and skills that enable them to identify, prevent and know how to react to potential information security incidents. However, due to the lack of standard metrics that measure the impact of awareness initiatives, insufficient delivery methods, generalization of awareness material content and the lack of standard metrics for tracking delivery and deployment, it has become difficult for organizations to monitor, measure and appraise the success and effectiveness of the ICT security awareness program. It is therefore essential to have a diverse ICT security awareness program with a set of methods to deliver, assess, educate, reinforce, and measure its effectiveness. This study discusses how this can be accomplished by using technology to automate and reinforce a comprehensive security awareness program that will meet the above needs. The research aims to investigate the effect of simulated phishing attacks on the motivation of users to undertake security awareness training and to demonstrate how metrics derived from the automated solution can be used to measure the levels of security awareness in an organization. In this study we conducted weighted surveys through online questionnaires on staff in an organization that uses PowerPoint presentations for its awareness program. The survey questions were designed to measure a set of basic characteristics of the organization's security awareness posture; the survey provided several metrics to measure the risk and awareness levels in an organization. We also ran phishing simulations targeting employees.
The simulations were able to identify which users fell victim and clicked on the phishing emails, and also showed that users who fell victim proceeded to undertake the online security awareness training that was initiated after the successful attack. This familiarized staff with the most common attack scenarios in the simulation, and the awareness training thereafter equipped them with countermeasures that can prevent them from being compromised. The study also provided management with visibility into the most vulnerable staff and departments, where awareness training should be focused and intensified. [en_US]
dc.publisher: University of Nairobi [en_US]
dc.rights: Attribution-NonCommercial-NoDerivs 3.0 United States [*]
dc.title: Technology Supported Web-based IT Security Awareness Training [en_US]


Except where otherwise noted, this item's license is described as Attribution-NonCommercial-NoDerivs 3.0 United States