
@opexxx
Last active December 7, 2022 20:33
eLearning
On the way to work
At the workplace
Incident Reporting
On the way home
Business travel / rail / public transport
Data classification
Encryption (S/MIME/PGP/secure file share) and secure data transfer
Secure passwords
Clear Desk Policy
AUP / compliance (copyright, software procurement and licensing)
Privacy and handling of sensitive (classified) data
Viruses / Trojans / malware
Email hygiene / phishing / spear phishing
Mobile devices / loss of company property
#Information security
Why is information security important?
Key terms (information, information security, threats, vulnerabilities, risks, ISMS, CIA)
General requirements and recommendations
Password security
Spam, phishing, spear phishing, vishing and social engineering
Clear desk and clear screen policies
Malware
Remote work and business travel
Safe web browsing
Use of social media
Information security policy
External and internal requirements
Examples of threats and incidents
Roles and responsibilities, IS team
Incident notification and response
Classification, labelling and handling of information
Transfer of information
Password and authentication policy
Acceptable use policy (AUP)
- Equipment (removable media, printers and scanners, BYOD and mobile devices, special equipment, authentication hardware and others)
- Corporate services (corporate file storage, internal portal, corporate email, collaboration platforms (e.g. MS Teams), video conferencing services, remote access and others)
- Online services (personal email, cloud storage, notes, documents, planners and calendars, translators, social media and messengers, etc.)
- Shadow IT
Change management (access rights, new software and hardware)
Data backup and recovery
Business continuity
Physical security (badges, access control, secure areas, key management, visitors, evacuation plan, E and others)
Working in secure areas
Photography, audio and video recording and live streaming at the workplace
Media policy and public relations
"Awareness policy"
Other policies and procedures
#Data protection
Why is data protection / privacy important?
Key terms (personal data, processing, controller, processor, joint controllers, PIMS, privacy)
General requirements
Principles relating to the processing of personal data
Lawfulness of processing
Rights of the data subject
Data protection policy / privacy policy
Legislation, regulation and supervisory authorities
Fines (worldwide, by country and by industry)
Roles and responsibilities, role of the DPO/DPM
Reporting of personal data breaches
Employee monitoring / privacy in working life
Privacy notices and consents
Records of processing activities
Retention period
Responding to requests
Data protection impact assessment (DPIA)
Data transfer
Transfer of personal data to third countries
Security of personal data
Data protection by design and by default
Other policies and procedures:
- ISO 27001 (7.3 Awareness, A.7.2.2 Information security awareness, education and training)
- CIS Control 14: Security Awareness and Skills Training
- PCI DSS (12.6) / Best Practices for Implementing a Security Awareness Program
- ISF SoGP (PM2 Security Awareness/Education)
- NIST SP 800-50 / NIST SP 800-16
- NIST Cybersecurity Framework (PR.AT Awareness and Training)
Creating a culture in which expected security behaviour is embedded in regular daily activities, and in which all relevant individuals make effective risk-based decisions and protect the critical and sensitive information used across the organisation from compromise. (ISF SoGP)
- CISO and IS team
- Audit and compliance, risk management, legal, IT, HR
- DPO/DPM, data protection team
- C-level
- All employees (onboarding)
- Employees who process sensitive information
- IT
- C-level
- Why is information security important?
- Key terms (information, information security, threats, vulnerabilities, risks, ISMS, CIA)
- Information security policy
- Information security objectives
- Information security principles
- Roles and responsibilities (CISO and IS team, IS committee and others)
- Policies and procedures
- Incident notification and response
- Additional materials and feedback
PM2.1.1
A security, education, training and awareness (SETA) programme should be established to promote and embed expected security behaviour throughout the organisation and establish a security-positive culture.
PM2.1.2
The SETA programme should be:
a) endorsed by executive management (to demonstrate management commitment and lead by example)
b) the responsibility of a particular individual, organisational unit, working group or committee
c) supported by a documented set of objectives based on realistic expectations
d) focused on relevant information risks (e.g. risks that are new, increasing or high)
e) delivered in short, easy to consume units and at frequent intervals
f) subject to project and change management disciplines
g) kept up to date with current practices and requirements
h) focused on changing individuals' behaviour (e.g. by engaging with them on a personal level)
i) monitored and evaluated to determine the extent of behaviour change and the programme's overall effectiveness.
A SETA programme is a multi-layered approach to addressing poor security behaviour; it involves the delivery of:
– education: imparting in-depth knowledge on a security topic
– training: imparting skills and competencies that employees can deploy to behave in a secure manner
– awareness: producing content to communicate security issues and solutions to change, promote and sustain good security behaviour.
PM2.1.3
Objectives for the SETA programme should be set, which include:
a) ensuring awareness objectives are specific, measurable, achievable, realistic and time-bound (often
referred to as SMART objectives)
b) raising awareness of information risk and information security
c) minimising information risk and reducing the frequency and impact of information security incidents
d) embedding expected security behaviour of individuals
e) empowering individuals to make effective risk-based decisions (e.g. having a stop and think attitude
when confronted with an unfamiliar or complex business situation, identifying risks and evaluating them before acting).
PM2.1.4
Creation of the SETA programme should be driven by risk, and include:
a) identifying areas of the organisation that have significant human vulnerabilities (e.g. a job role that might be
particularly susceptible to social engineering-based attacks)
b) aligning the programme with business requirements
c) identifying groups of individuals segmented by different risk profiles (e.g. based on their seniority, access to
critical or sensitive information or the business unit in which they work)
d) assessing the information risks (including trends and patterns) associated with each identified group of
individuals
e) consideration of different types of inappropriate behaviour (e.g. malicious, negligent or
accidental behaviour).
Inappropriate behaviour of individuals with authorised access to the organisation's information and systems can introduce significant risk. Based on the intention, risky behaviour can be described as:
– malicious behaviour, which involves a combination of motive to cause harm and a conscious decision to act
inappropriately (e.g. copying business files before taking employment with a competitor, leaking sensitive
information or misusing information for personal gain)
– negligent behaviour, which does not involve a motive to cause harm, but does involve a conscious decision to
act inappropriately (e.g. using unauthorised services or devices to save time, increase productivity or enable
remote working)
– accidental behaviour, which does not involve a motive to harm or a conscious decision to act inappropriately (e.g.
emailing sensitive information to the wrong (unauthorised) recipients, opening malicious email attachments or publishing personal information on publicly available servers).
PM2.1.5
The SETA programme should target expected security behaviour by:
a) promoting the programme to individuals throughout the organisation, including executive management,
business representatives, IT specialists and external individuals
b) identifying and empowering role models in the organisation as 'information security champions' (i.e.
individuals who exhibit expected security behaviours and lead by example on a regular basis)
c) promoting the use of mentoring schemes to reduce risky behaviour by providing multiple perspectives on a
problem or task
d) tailoring the programme to address the risk profile of different groups (e.g. raising awareness of whaling
campaigns with senior executives or 419 scams with financial assistants)
e) considering the effect cognitive biases may have on individual decision making (e.g. clicking on a malicious
link in a phishing email due to lack of concentration brought on by stress)
f) delivering the programme using different types of intervention for the different groups of individuals
g) paying particular attention to high-risk individuals (e.g. senior executives and individuals with special
access privileges) who might be targeted by sophisticated threats, such as hacking groups, nation states or investigative journalists.
Weaknesses in the capacity of the subconscious mind mean that humans make use of cognitive shortcuts to reduce effort required in decision making, which are known as heuristics. These heuristics can result in cognitive bias (e.g. anchoring, herd behaviour, decision fatigue or affect heuristic), which lead to poor judgement or errors in decision making.
Cognitive bias affects information security as it increases vulnerability to a variety of social engineering attacks, such as spear phishing, whaling, baiting, tailgating, smishing or vishing, and heightens the likelihood of human error.
PM2.1.6
A behavioural baseline should be established, so that minimum required security behaviours can be identified, which includes:
a) collecting evidence of positive security behaviour from relevant sources (e.g. alerts from tools such as DLP,
results of phishing campaigns and feedback from awareness initiatives)
b) interacting with employees to ascertain their attitude towards information security (e.g. through focus
groups or personal interviews).
Internal factors that influence security behaviour include:
– attitude: the feelings towards a particular topic, including what an individual feels is right or wrong
– motivation: the reason to act in a certain way
– proficiency: the degree of practical awareness, knowledge and skills to manage key risks.
External factors that influence security behaviour include:
– communication: internal branding and marketing for information security, style of messaging and language used
– capabilities: accessibility and usability of security-related tools, technologies, policies and procedures
– leadership: senior leaders' impact, support and example setting.
PM2.1.7
The SETA programme should be designed and delivered by dedicated, specialist learning and development professionals, supported by:
a) information security specialists
b) subject matter experts (e.g. sales and marketing who can design innovative and engaging campaigns)
c) communications and design specialists who can provide ideas for styles and methods for conveying messages
d) human resource specialists who have knowledge of who is influential within various groups
e) psychologists who have experience of how people work and what motivates them.
PM2.1.8
The SETA programme should be designed and delivered by:
a) testing the current employee awareness and understanding to better design and tailor the programme
b) providing targeted information security education/training that reflects the needs of individuals (e.g. using
presentations, structured workshops, virtual environments, websites, videos and e-learning)
c) supplying specialised security awareness material on an ongoing basis (e.g. brochures, newsletters,
booklets, posters and intranet-based digital content)
d) using key messages, tone and approaches that are relevant and meaningful to each group of individuals
e) providing individuals with tools and techniques to help embed behavioural change, such as online tutorials
and self-evaluation material
f) designating individuals in each business unit or department (e.g. one or more business owners, local
security coordinators or information security champions) to promote awareness messages and support behavioural change.
PM2.1.9
Expected security behaviour should be encouraged by:
a) defining expected security-related behaviour (e.g. considering risks before acting, consulting others for
help, protecting critical and sensitive information, and maintaining a clear desk)
b) incorporating information security into regular day-to-day activities (e.g. by considering security
requirements in planning decisions and budgeting activities, and including the consideration of
information risk in business decisions, meetings and audits)
c) making security awareness messages personal (e.g. by helping individuals protect their computers at
home, highlighting how threats can impact individuals as well as the organisation and emphasising how
individuals can make a difference in managing information risk)
d) involving users in protecting important information (e.g. as part of a specific exercise or during meetings,
asking them what the risks are to information, why they are considered to be risks and what suggestions
they have to reduce the risks)
e) delivering SETA content in an engaging manner (e.g. using gamification, running roadshows or staging an
annual security awareness day)
f) reinforcing good security behaviours with acknowledgements (e.g. recognition in internal communications,
payment of a commensurate financial reward or positive reflections in annual appraisals).
PM2.1.10
As part of their participation in the SETA programme, individuals should:
a) be updated regularly with information security messages using a broad range of communication methods
(e.g. email, collaboration platforms, text messages, e-book readers, media players and intranets)
b) confirm their adherence to the information security policy (and other related policies) on a regular basis
(e.g. by selecting a confirmation dialogue box as part of the login process for their computer, when starting
business applications or upon accessing the organisation's intranet)
c) be tested on their knowledge of information security throughout the year (e.g. using questionnaires, e-learning tools and interviews).
PM2.1.11
The effectiveness of the SETA programme should be monitored and evaluated by:
a) developing and gathering metrics for each SETA initiative (i.e. percentage of online e-learning modules
completed, number of attendees at training workshops or percentage of individuals that comply with
security guidelines)
b) analysing the outputs of SETA initiatives and evaluating them against the behavioural baseline to determine
their level of influence over security behaviour
c) reviewing the level of information security awareness on a regular basis (e.g. quarterly)
d) assessing the levels of security awareness and changes in employee behaviour (e.g. by performing spot
checks, determining the strength of user passwords/passphrases, testing willingness to open unknown
attachments and identifying unusual activity)
e) obtaining feedback from users (e.g. what worked well and what needs to be improved)
f) demonstrating return on investment (e.g. using expected reductions in losses due to inappropriate human
behaviour and the cost of the SETA programme annually).
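PM2.1.6 asks for a behavioural baseline built from sources such as phishing-campaign results, and PM2.1.11 asks that later initiatives be evaluated against that baseline per risk group. The following is an added example, not part of the gist or of the ISF SoGP text, of what that evaluation looks like in code: it takes per-recipient phishing-simulation results (the column layout is an assumption; real simulation tools export something similar), computes click rate, report rate and median time-to-report for each risk group, and flags groups whose behaviour regressed relative to the baseline campaign. All rows below are constructed for illustration.

```python
"""Evaluate phishing-simulation results against a behavioural baseline.

Added example (not from the gist or the ISF SoGP). The Result layout is
an assumption about what a simulation tool exports; all data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Result:
    user: str
    group: str                      # risk-profile segment (PM2.1.4 c), e.g. "finance", "exec", "it"
    clicked: bool                   # followed the simulated malicious link
    reported: bool                  # reported the mail to the security team
    report_minutes: Optional[int]   # minutes until reported; None if never reported


# Constructed sample data: a baseline campaign and a follow-up campaign, three groups.
BASELINE = [
    Result("a1", "finance", True, False, None),
    Result("a2", "finance", False, True, 30),
    Result("a3", "finance", True, True, 120),
    Result("a4", "finance", False, False, None),
    Result("b1", "exec", True, False, None),
    Result("b2", "exec", False, False, None),
    Result("c1", "it", False, True, 5),
    Result("c2", "it", False, True, 12),
]
FOLLOW_UP = [
    Result("a1", "finance", False, True, 15),
    Result("a2", "finance", False, True, 20),
    Result("a3", "finance", True, False, None),
    Result("a4", "finance", False, True, 45),
    Result("b1", "exec", True, False, None),
    Result("b2", "exec", True, False, None),
    Result("c1", "it", False, True, 4),
    Result("c2", "it", False, True, 9),
]


def group_metrics(results):
    """Per-group click rate, report rate and median time-to-report.

    Returns {group: {"targets", "click_rate", "report_rate", "median_report_minutes"}}.
    Rates are fractions in [0, 1]; the median is None when nobody in the group reported,
    rather than a misleading 0.
    """
    by_group = defaultdict(list)
    for r in results:
        by_group[r.group].append(r)
    metrics = {}
    for group, rows in by_group.items():
        n = len(rows)
        report_times = [r.report_minutes for r in rows if r.reported]
        metrics[group] = {
            "targets": n,
            "click_rate": sum(r.clicked for r in rows) / n,
            "report_rate": len(report_times) / n,
            "median_report_minutes": median(report_times) if report_times else None,
        }
    return metrics


def evaluate(baseline, follow_up, click_tolerance=0.0, report_tolerance=0.0):
    """Classify each group as regressed, improved or stable against the baseline.

    A group regressed when its click rate rose by more than click_tolerance or
    its report rate fell by more than report_tolerance. Groups present in only
    one campaign are listed as unmatched instead of compared, since a delta
    against a missing baseline would be meaningless.
    """
    base, now = group_metrics(baseline), group_metrics(follow_up)
    out = {"regressed": [], "improved": [], "stable": [], "unmatched": []}
    for group, m in now.items():
        if group not in base:
            out["unmatched"].append(group)
            continue
        click_delta = m["click_rate"] - base[group]["click_rate"]
        report_delta = m["report_rate"] - base[group]["report_rate"]
        if click_delta > click_tolerance or -report_delta > report_tolerance:
            out["regressed"].append(group)
        elif click_delta < 0 or report_delta > 0:
            out["improved"].append(group)
        else:
            out["stable"].append(group)
    out["unmatched"].extend(g for g in base if g not in now)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for group, m in sorted(group_metrics(FOLLOW_UP).items()):
        print(group, m)
    print(evaluate(BASELINE, FOLLOW_UP))
```

With the constructed data the finance group improves (click rate 0.5 to 0.25, report rate 0.5 to 0.75), the executive group regresses (click rate 0.5 to 1.0 with no reports in either campaign), and IT is stable; that is exactly the per-group picture PM2.1.5 d) and g) need to decide where to target the next intervention. The tolerances exist because small groups produce noisy rates: a two-person executive group moves by 0.5 when one person changes behaviour.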
PM2.1.12
The SETA programme should be evaluated to identify:
a) the extent to which the objectives of the programme have been met
b) opportunities to improve skills and behaviour of individuals
c) recommendations for improving the security awareness programme.