When we talk about "security awareness", what are we talking about?

Posted by lipsius at 2020-02-29

When it comes to personal information security awareness, employees generally have a kind of inexplicable confidence, much like the 90% of drivers who believe they drive better than average. In this article I will talk about my understanding of "security awareness", the value and meaning of "security awareness education", and some practical strategies for carrying it out in an enterprise. The security awareness education discussed here refers mainly to "security management and employee behavior".

Before we talk about "information security awareness": what is the goal of information security? As Sun Wei puts it in "Security in the Snowy Night", the goal of information security is "risk control", that is, reducing the various information security risks we face to an acceptable level with a limited investment of resources.

In building a security program, "security awareness education" should run through the whole process, and it is a highly cost-effective security investment. The barrier to getting started is very low, as low as having one reliable security engineer. When it works well, it can greatly reduce employees' unconscious mistakes in information security; we will discuss specific cases later. So what is security awareness? When we talk about security awareness, what are we talking about? Here is a 16-second example from daily life (short video link):

In the short video, roughly: a driver on the highway suddenly encounters heavy braking ahead, notices a heavy truck behind him, and moves aside in time to avoid it, protecting himself and his vehicle. That is the story of an experienced driver saving himself through his own safety awareness. Many situations in daily life involve safety awareness; for example, before getting into a Didi car, check that the license plate matches the one shown in the app. Baidu Encyclopedia says that "safety awareness is the concept, established in people's minds, that production must be safe. In production activities, people stay alert and vigilant toward all kinds of external conditions that may cause harm to themselves or others." In my own understanding:

Security awareness is "perceiving risk and actively avoiding it".

Here "avoiding" means both avoidance by following the rules and trying to steer clear of the risk in the first place.

In daily life, people are usually more attentive and vigilant because their personal and property safety is at stake. When it comes to personal information security awareness, enterprise employees generally have a kind of inexplicable confidence: just as 90% of drivers think they drive better than average, most employees think their security awareness is very good, usually because they have no clear picture of "the various information security threats and risks". The fact is that, because of weak information security awareness at work, most information security incidents are caused by negligence or deliberate leaks by internal staff, for example: "an employee of unit XX in enterprise XX used their position to look up citizens' driving records, social security information and the like for paying customers"; "an employee exported customer data in bulk with a supervisor's account and sold it"; "an employee uploaded the company's personnel information, design drafts, code and so on to the Internet"; "an employee fell for a phishing email and leaked a large amount of business information"; "an employee logged into the former team's official account for revenge after leaving the company" ("The unknown side of director XX"); and the recently reported "insider at company XX planted a DDoS trojan on the company's servers and took orders for attacks". In the final analysis, the root of the information security problem is that "people are complex".

The greatest value of "information security awareness education" in an enterprise is to make employees understand "what may be done and what may not, and which risks need to be reasonably avoided" at work, so as to reduce their "unconscious mistakes".

Note that the first thing to say here is reducing "unconscious mistakes", for example raising employees' ability to spot phishing, not sharing work accounts, joining work computers to the domain, and so on. For deliberate "conscious mistakes", security awareness education alone has a fairly limited effect. For building the whole security awareness system, you can refer to the practical write-up "Vipshop information security training system" shared by the Vipshop security team. It is genuinely hard to balance security and convenience when dealing with employee information security; Alibaba's "No clocking in, free Internet access: it all depends on a 'man'" is also worth reading.

"Information security awareness education" usually takes the forms of: regular security awareness training, security awareness assessments, daily email or official account pushes, and posters and wall stickers.

So the question is: if you run offline training for employees and have only one hour, what should you talk about most? (Especially in the first information security awareness training for new employees.)

My answer is to talk about "cases": the various information security incidents caused by employee negligence or deliberate disclosure in some industry or company. The reason is simple. If you have taken a driving test, you know that during the preparation period the educational videos shown by the vehicle administration office are all serious traffic accident cases, because only real accidents give people the most direct impression and warning. Note that in selecting cases, to avoid disrespect, internal training can use examples from other organizations; if real cases from your own company are discussed, usually leave out names and focus on understanding and interpreting the case, to avoid unnecessary trouble. As for rules and regulations of the "nobody may do this, nobody may do that" kind, they work poorly in offline awareness training and the audience is not interested. That content can be put into something like an "employee code" or "employee information security code", combined with assessment questions, to push employees to study and review it. It needs to be clear that for a real case, the work is not only the case itself but also its extension and interpretation: concepts must be made clear, not vague, and then employees' attention is captured by emphasizing the consequences and the penalties. For example, take the case "an employee leaked a project's design draft, causing the company a loss of such-and-such an amount, and was dismissed". In interpreting it you should first make clear what a "business secret" is. If you don't, the audience may associate only source code and design drafts with the case. In fact, business secrets can be divided into "technical information" and "business information".

Technical information: source code, production formulas, process flows, design drawings, etc. Business information: management methods, production and marketing strategies, customer lists, supplier information, etc.

The concept should be clear and easy to understand so that employees really grasp it, because people tend to assume that what they don't understand doesn't exist. The consequences should also be emphasized, for example: "when an employee makes a mistake, depending on the incident, their salary may be cut by 10%, they may be transferred or even dismissed, and if the circumstances are serious enough to break the law they will be punished by law". Let the audience realize that these matters are closely tied to their personal interests, so that they take the initiative to understand and pay attention; otherwise it really is just listening to a story. Once the concepts have been delivered to employees, the specific precautions for the various security risks can be handled outside the classroom, for example through role-specific online courses, official account articles, daily posters and wall stickers, and so on. If the company places more weight on information security and the security department is strong enough, the information security assessment can also be included in employee KPIs when the time is right. I think education is not only the transmission of knowledge but also the internalization and application of what is heard; what counts is whether it works.

I think "enterprise information security awareness training" should be a compulsory course for employees in the workplace, and good security awareness is part of good workplace professionalism. "Security awareness education" should run through the whole program, and it is a highly cost-effective security investment. In security spending, an enterprise should "do the overall accounting" rather than "count every small item". Building the internal security system is a "cost center", but the investment pays off in other areas, and on the overall account it is worth it. As for personal information security awareness training, is there an interesting popular-science book, suitable for all employees and quick to apply, that interprets enterprise employees' information security through real cases? I searched for a long time. Besides interpreting various workplace information security scenarios in the form of short stories and comics, this book also explains how an enterprise whose security management is not yet standardized can improve its ability to protect information assets at minimum management cost. I recommend it to you.

