Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland
www.QualityIntegration.biz
EXPLORING THE USE OF AN E-LEARNING ENVIRONMENT
TO ENHANCE INFORMATION SECURITY AWARENESS IN A SMALL COMPANY
Abstract: Focusing on security education, this paper describes
an e-learning environment that has been constructed to increase information
security awareness among employees of a Finnish telecommunications
company that is a commercial provider of public services. The design
principles were based on making the components of the system as simple
as possible, in order to produce a system that delivers both functionality and
stability.
Introduction
This paper discusses an e-learning based information security project
carried out by a small organization in the telecommunication service
sector. The environment was built in close collaboration with the
intended users, i.e., the environment and its contents were based
on their practical needs.
The development work in a small organization is fairly flexible, and
experiences accumulate quickly. The topic area, information security,
was selected as it is a key issue for businesses, institutes of education
and society at large. Traditionally, the highlight has been on the
technical aspects of information security, but during the past few
years, human and organizational aspects have assumed an increasingly
prominent role in discussions on security [1, 10, and 11].
E-learning based information security education strives to raise
the awareness level of all employees. The aim is to equip them with
the necessary skills and knowledge to meet the challenges that they
may have to face in their everyday work [5].
Methods and techniques used
The results of an assessment of the employees' information security knowledge,
obtained by means of questionnaires and interviews, were used to create an educational
programme to correct the perceived weaknesses. As teaching material,
the programme utilized various organizational guidelines complemented
by educational materials compiled at the University of Oulu.
In addition to the actual learning environment and its contents,
the organization has also implemented an automatic online assignment
sheet for tracking and monitoring learning. This form was designed
so that anyone who possessed the necessary skills and knowledge could
take the test and be exempted from having to go through the learning
material. The system handles registration and also updates the registry
files when students pass the test. The environment enables employees
to study at their own pace.
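The registration, exemption test and registry-file workflow described above, as an added illustration and not the company's own system: the module names are taken from the paper's core learning package, while the pass mark, the constructed answer key, the JSON file layout and all function names are assumptions made here.

```python
"""Completion registry for a self-study programme (added example, not the
paper's system): registration, an exemption pre-test that lets an employee
skip the material, and per-module pass records written to a JSON file."""
import json
from datetime import datetime, timezone
from pathlib import Path

# Module names follow the paper's core learning package.
CORE_MODULES = [
    "Information security essentials",
    "Passwords",
    "Classification of data and information",
    "Social engineering",
    "Malicious programmes",
    "Visitor routines and practices",
    "Work station security",
    "Internet and e-mail",
    "Guidelines for telephony",
]

# Assumed pass mark (fraction of correct answers); the paper states none.
PASS_THRESHOLD = 0.8

# Constructed sample answer key for the exemption test: question id -> answer.
EXEMPTION_KEY = {"q1": "b", "q2": "a", "q3": "d", "q4": "c", "q5": "a"}


def score_answers(answers, key):
    """Fraction of the key's questions answered correctly; a missing answer is wrong."""
    if not key:
        raise ValueError("empty answer key")
    correct = sum(1 for question, expected in key.items() if answers.get(question) == expected)
    return correct / len(key)


class CompletionRegistry:
    """Per-employee record of registration and module passes.

    Records live in a JSON file (the paper's 'registry file'); pass path=None
    for an in-memory registry, e.g. in tests."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        if self.path is not None and self.path.exists():
            self.records = json.loads(self.path.read_text())
        else:
            self.records = {}

    def _save(self):
        if self.path is not None:
            self.path.write_text(json.dumps(self.records, indent=2, sort_keys=True))

    def register(self, employee_id, group):
        if employee_id in self.records:
            raise ValueError(f"{employee_id} is already registered")
        self.records[employee_id] = {"group": group, "completed": {}}
        self._save()

    def _record_pass(self, employee_id, module, fraction, how):
        # Only the registry writes pass records; the employee never edits the file.
        self.records[employee_id]["completed"][module] = {
            "score": round(fraction, 2),
            "how": how,
            "at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        }

    def submit_module_test(self, employee_id, module, answers, key):
        """Test at the end of one module; a pass is written to the registry."""
        if module not in CORE_MODULES:
            raise ValueError(f"unknown module: {module}")
        fraction = score_answers(answers, key)
        if fraction >= PASS_THRESHOLD:
            self._record_pass(employee_id, module, fraction, "module test")
            self._save()
            return True
        return False

    def submit_exemption_test(self, employee_id, answers, key=EXEMPTION_KEY):
        """Pre-test: a pass exempts the employee from every core module."""
        fraction = score_answers(answers, key)
        if fraction >= PASS_THRESHOLD:
            for module in CORE_MODULES:
                self._record_pass(employee_id, module, fraction, "exemption test")
            self._save()
            return True
        return False

    def outstanding(self, employee_id):
        """Modules the employee still has to work through."""
        done = self.records[employee_id]["completed"]
        return [module for module in CORE_MODULES if module not in done]
```

A failed exemption test leaves the registry untouched, so the employee simply proceeds through the modules and passes each module test in turn; `outstanding()` is what a tutor or manager would consult to see who has completed the programme.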
Research tends to progress from theory to practice. Having become
familiar with information security from various perspectives including
the user and end-user perspectives, we decided to go the other way
from practice to theory. Our starting point was that, within information
security, relevant knowledge usually resides within the organization
in question. What an outsider, such as a consultant, can contribute
is a model or a general framework for exploring, enhancing and utilizing
this knowledge. On this view, pertinent information that is possessed
by company employees is collected and analyzed by an outside consultant
who introduces a theoretical framework for analysis and may also assist
in the utilization of the results of such analysis.
The practice to theory approach is also supported by the fact that
all information security events comprise a variety of aspects, some
of which are strongly in relief, while others can best be described
as weak signals. Even these can be taken into account thanks to the
increased computing power of modern computers, which allows the unique
features of each information security incident to be analyzed in detail.
This study investigated the information security knowledge of different
employee groups using a semi-structured theme interview. At the same
time, we were able to establish which areas of information security
knowledge needed improvement. This information formed the foundation
for the design of the e-learning programme.
Security learning
Understanding information security issues from the technical point
of view is an advantage that employees of the case company had [6].
Nevertheless, since they did not have a wider perspective on other
aspects of security, such as organizational or end-user related issues,
they needed information security training. The problem is that, being
small, the company does not have the resources to allow its personnel
to take time off from work to participate in security training [7].
One solution is to resort to e-learning and construct an online learning
environment. Many e-learning environments are realized by long distance
networks, via the Internet, but our solution was to build an intranet-based
environment, within the company network. Most e-learning solutions
consist of very sophisticated and complicated systems, filled with
content that is more entertainment than work-oriented, but we proposed
a solution that is both simple and practical.
In the long run, the project reported here aims to develop a five-level
solution consisting of different guidelines custom-tailored for different
groups. At the first stage of this research, the focus is on guidelines
that apply to all user groups. First, a questionnaire on currently
prevalent practices is sent to every group. Then, having analyzed
the results, the most important guidelines are collected for organizational
use using the e-learning environment. It is important that these guidelines
are easy to understand and follow - and it would not hurt if they
were presented in a humorous way [9].
Requirements for the e-learning environment
The starting point for this project was the fact that the organization
under study is a profit-seeking commercial enterprise. Aiming at improving
the security level of this organization, the project also offers it
a competitive edge through the provision of more secure telecommunication
services. Technical solutions, although constituting the foundation
of security, are insufficient and must be incorporated into a wider
approach.
This e-learning project tried to find new, cost-effective ways of
offering security education to company employees. A guiding principle
in this undertaking is that the education offered must be meaningful
and immediately relevant to the employees. In carrying out their everyday
tasks, people tend to place a high value on usability, sometimes at
the expense of security. Sadly enough, the significance of information
security is often realized only after some mishap occurs.
Another balancing act is frequently observed in the context of e-learning.
Striving toward a more exciting and entertaining approach, educators
sometimes lose sight of their original purpose, and become entertainers
rather than educators.
Presentation and learning
Creating a multimedia e-learning environment requires not only technical
and content-related expertise, but also a pedagogical advisor. Chief
among the tasks of this advisor is to devise ways of presenting learning
materials in a manner that enables learners to assimilate new knowledge
into their previous knowledge structures - and thereby understand
what they have learned. Another function of the pedagogical advisor
is to take account of different learning strategies and styles to
maximize individual learning results.
All learners have their own learning strategies. Part of each individual's
learning strategy is their learning style, which is an essential element
of the learning process. We all have our own strengths, which we rely
on when processing information. Some people are characterized as holistic,
while others are best described as analytic learners. The difference
lies in the way they tend to approach a task: holistic learners immediately
strive for the big picture, whereas analytically-oriented learners
favor a piecemeal approach.
Our senses also play an important part in the learning process. We
receive and process information on the basis of our vision, hearing,
and tactile or kinetic sense. As a result, we have preferences as to how
we want learning materials to be presented to us, how we want to see,
hear, feel or experience the materials. Schools depend heavily on
vision and hearing, at the expense of pupils who learn better by doing
things, for instance. Some learners remember things as images, others
as stories. A third group consists of learners who like to try things
out through trial and error. Some people prefer to discuss things
with other people, others teach themselves by talking aloud. Most
people have one or more preferred senses for receiving and processing
information [7].
Learning styles based solely on one way of learning are very uncommon,
as most people have their own learning strategies based on their strengths,
habits and preferences. Consequently, a learning environment catering
to a large target group must be designed to accommodate a range of approaches
and styles.
Learning contents
The e-learning environment was divided into five sections:
- Topic-driven learning modules
- Instructions and guidelines
- Learning tasks and exercises
- Glossary of information security
- Feedback
Having set the goal of creating an educational model based on these
five sections, the planners had to decide whether there should be
a core learning package for all employees or several packages aimed
at the various employee groups. The adopted solution was to create
a core learning package consisting of the following learning modules:
- Information security essentials
- Passwords
- Classification of data and information
- Social engineering
- Malicious programmes
- Visitor routines and practices
- Work station security
- Internet and e-mail
- Guidelines for telephony
It proved crucial that senior management also completed the
core learning package. The construction includes three further sections which
form an integral part of the organization's self-study programme.
These sections are:
- Learning modules for management,
- Learning modules for maintenance personnel, and
- Learning modules for front-end services.
Significance of the automated learning environment
The purpose of the e-learning project was to construct a learning
environment that requires no additional hardware or software. In addition,
the environment must be accessible from all workstations within the
organization [8].
In accordance with this principle, no special software or hardware
components were installed on the workstations, which ran various
Windows operating systems. It was only required that the PCs contain
standard peripherals such as a monitor, mouse, keyboard and, importantly,
a sound card for listening to the recorded samples included in the learning
package. No additional video programs were necessary, as the package
contained its own viewing programme.
These two basic requirements, accessibility and full functionality
from all workstations, relate to the level of the programming language.
It is a well-established truth that the lower the level of the language
used, the faster the code and the smaller the memory requirement.
Such code is also more secure. Nevertheless, implementing any system
involves a compromise between automation and reliability, but the
old adage "small is beautiful" is well worth bearing in mind.
Essential results
When we set out to design the e-learning environment, it was assumed
that the basic information security guidelines of the organization
would be well known to all employees. Therefore, it was quite a
revelation when the first tests in January 2004 indicated that some
of the supposedly simple questions proved very hard to answer satisfactorily.
It was also revealed by the theme interviews that a great number
of employees had no clear understanding of what information security
is. All employee groups tended to describe it in terms of individual
or isolated components. Moreover, about half of the interviewees could
not explain in what ways information security issues would be relevant
to their work. This shows that security education should start by
breaking down the definition of information security and analyzing
how it affects everyday work.
Feedback relating to the use of the e-learning system was mainly
concerned with its technical implementation. Typical comments included
"it is slow" and "it takes a long time to start".
Generally, the learners either wanted the multimedia components to
load more quickly or they wanted more functionality, such as muting or
changing the resolution on the fly.
The actual content matter of the programme was not commented on.
What little feedback was received indicated that the intended practical
approach was appreciated and that the learning topics were experienced
as having a practical value. This relative lack of feedback may be
explained by the fact that the learners did not have any expectations
as to the content matter, since they were unfamiliar with the subject.
Also, the design of content may have been better than the technical
implementation. In general, the e-learning system was described as
an interesting novelty and a number of learners indicated an interest
to participate in similar training on other topics as well. With an
average of 5 - 6 hours, many learners stated that they had used less
time than expected on the tasks [3].
Measuring information security awareness is a difficult undertaking.
One way of approaching it is to observe employees while they are working
to establish the degree to which they follow the given guidelines.
However, this study investigated the topic through an interview conducted
among the learners. These interviews started by exploring how the
learners understood the concept of information security which, after
all, constitutes the foundation of information security awareness.
The latter term refers to how well employees and members of society
understand various information security threats and the related responsibilities.
The results show that a high level of awareness has been achieved
when all personnel understand the meaning of information security
in its full extent and apply this knowledge in their work [3]. In
addition, personnel must also be able to identify and manage a range
of information security threats. Finally, they must also know what
to do to avert these threats.
Discussion
The prevailing situation in the organization discussed here was very
confusing: IT functions were outsourced, although the staff were experts
in communication and information technology. In a sense, the organization
concentrated all its efforts on its core activities while outsourcing
administrative routines. As a result, it is hardly surprising that
the organization has gone on to transfer its information security services
to a national umbrella organization. Currently, the e-learning
programme developed here is being put on the market as a new product.
Claiming that information security is not a major concern in the
small and medium-sized business sector is completely wrong. Such businesses are
as likely to be affected by security breaches as major organizations.
In the present case, the e-learning environment was designed to promote
information security awareness, but such environments may be harnessed
to accommodate practically any topic of interest to any type of organization.
Conclusions
This paper discussed an e-learning environment for information security
education, designed and constructed by a small Finnish telecommunications
company. The experiences gathered so far indicate that the implementation
of an extensive learning system of this kind must be based on simple
solutions that minimize system load.
It became clear during this study that, to be successful, e-learning
requires that the designers and tutors are familiar with the learners'
needs and learning styles. Diverse ways of presenting the learning
materials make it easier for individuals with different learning
styles to take in the information. What renders the entire task more
challenging is that the content matter of information security is
often fairly abstract, highlighting the importance of careful design
and presentation. The education offered must provide a range of possibilities
for interaction, because the chosen medium, online teaching, markedly
lessens personal contact between teachers and learners. Other important
aspects include the provision of support to the learners and ways
of creating an inspiring atmosphere conducive to learning. Feedback
provided by the teacher is an integral part of learning, and its role
is even more important in online teaching, where studies are usually
conducted in (relative) isolation from other learners. Time must also
be allocated to electronic communication between the participants.
And finally, attention must also be given to developing the proficiency
of the teachers and promoting their interaction.
References
[1] ISO/IEC 17799:2005: Information technology - Security techniques
- Code of practice for information security management. ISO, Geneva
(2005).
[2] Epelboin, Y.: "E-learning: putting documents on the web
- Do and Don't". Workshop in EUNIS 2002. Porto, Portugal (2002).
[3] Heikkinen, I., Ramet, T.: "e-Learning as a part of information
security education development from organisational point of view".
Oulu University, Oulu. May (2004) (in Finnish).
[7] Kajava, J., Varonen, R., Tuormaa, E., Nykanen, M.: "Information
Security Training through eLearning - Small Scale Perspective".
In Eveline Riedling (ed.): VIEWDET 2003, Vienna International Conference
on eLearning, eMedicine, eSupport. Vienna University of Technology,
Nov. 26-28, Vienna, Austria (2003).
[8] Kajava, J., Varonen, R.: "e-Learning as a Tool: Framework
for Building an Information Security Awareness Programme for a Local
Teleoperator". Euromedia'2004, Hasselt, Belgium. EUROSIS, Ghent,
Belgium (2004).
[9] Neal, L., Perez, R., Miller, D.: "eLearning and Fun".
CHI'04 SIG, ACM. Vienna, Austria, April 26-29 (2004).
[12] Thomson, M.E., von Solms, R.: "An Effective Information
Security Awareness Program for Industry". Information Security
- from Small Systems to Management of Secure Infrastructures. IFIP
TC-11 Sec'97: WG 11.2 and WG 11.1, Copenhagen, Denmark (1997).
[13] Walsh, T.: "Measuring the Effectiveness of Computer Security
Training". 23rd Annual Security Conference and Exhibition, CSI.
November 11-13, Chicago, IL (1996).
[This text is based on a paper of Jorma Kajava, Reijo Savola, Rauno
Varonen and Juhani Anttila presented at the CIS2006 conference in
Guangzhou, China in 2006]