3rd Information Security and Cyber Defence Conference
Ms. Anett MÁDI-NÁTOR
National Security Authority of Hungary
Head of Information Security Awareness
“How information security awareness programs are able
to change corporate mind-set – a case study”
2013 Balatonőszöd
Table of contents
Multi-level awareness
The case
The study
The evaluation
The conclusion
Information security
awareness – a case
study
Multi-level awareness
Priviledged users
Normal users
System administrators
System developers
Information security
awareness trainers
Information security
awareness – a case
study
The case
A regionally significant
service provider
More than 6000 employees
More than 43 million clients
More than 65 million $ revenue
Decision makers
Users
IT experts
1 month
Information security
awareness – a case
study
The study
Professional content of training –
system hardening methods
including UNIX, Windows, and
network aspects
Pre-session and post-session
questionnaire for assessing the
change of security awareness level
Analysis of answers is based on
statistical methods
Information security
awareness – a case study
Measuring effectiveness of training
itself
Willingness to participate in further information security awareness
trainings
100%
90%
Ratio of willingness
80%
70%
60%
50%
89%
100%
40%
30%
20%
10%
0%
Pre-Session
Post-Session
How safe the IT system of the company is considered by experts
managing it
90%
80%
70%
Ratio of experts
60%
50%
40%
30%
20%
10%
0%
Pre-session
Not safe
15%
Safe
69%
Very safe
16%
Post-session
18%
82%
0%
Would you introduce new/additional security measures to protect
corporate business data?
100%
90%
Ratio of experts
80%
70%
60%
50%
40%
30%
Post-session
20%
10%
0%
Pre-session
Yes
No
Pre-session
Yes
88%
No
12%
Post-session
92%
8%
Introducing new security measures to protect data on client phones
60%
Ratio of experts
50%
40%
30%
20%
Post-session
10%
0%
Pre-session
Yes
No
Pre-session
Yes
59%
No
41%
Post-session
42%
58%
Demand for improving IT security on corporate level
80%
70%
Ratio of experts
60%
50%
40%
30%
20%
Post-session
10%
0%
Pre-session
Yes
No
Pre-session
Yes
59%
No
41%
Post-session
73%
27%
The evaluation
Commitment to professional trainings
Company IT system is considered less
secure than before
A more structured view of security,
relying on the IT Security Dept.
A more concise view of system
weaknesses
A need for change regarding the IT
security concept
Information security awareness
– a case study
The conclusion
Focus of experts moves to
company- and corporatelevel security from securing
end-user devices
Growing demand for expert
knowledge transfer
Information security
awareness – a case study
Solution-driven information
security approach in
practice
3rd Information Security and Cyber Defence Conference
Thank you for your attention
(and the fish)
2013 Balatonőszöd
Download

Information security awareness – a case study