Venture Knowledgist Quality Integration
EXPLORING THE USE AN E-LEARNING ENVIRONMENT
TO ENHANCE INFORMATION SECURITY AWARENESS IN A SMALL COMPANY
Abstract: Focusing on security education, this paper describes
an e-learning environment that has been constructed to increase information
security awareness among employees of a Finnish telecommunications
company that is a commercial provider of public services. The design
principles based on making the components of the system as simple
as possible to produce a system that delivers both functionality and
This paper discusses an e-learning based information security project
carried out by a small organization in the telecommunication service
sector. The environment was built in close collaboration with the
intended users, i.e., the environment and its contents were based
on their practical needs.
The development work in a small organization is fairly flexible, and
experiences accumulate quickly. The topic area, information security,
was selected as it is a key issue for businesses, institutes of education
and society at large. Traditionally, the highlight has been on the
technical aspects of information security, but during the past few
years, human and organizational aspects have assumed an increasingly
prominent role in discussions on security [1, 10, and 11].
E-learning based information security education strives to raise
the awareness level of all employees. The aim is to equip them with
the necessary skills and knowledge to meet the challenges that they
may have to face in their everyday work .
Methods and techniques used
The results of the information security knowledge of the employees
by means of questionnaires and interviews were used to create an educational
programme to correct the perceived weaknesses. As teaching material,
the programme utilized various organizational guidelines complemented
by educational materials compiled at the University of Oulu.
In addition to the actual learning environment and its contents,
the organization has also implemented an automatic online assignment
sheet for tracking and monitoring learning. This form was designed
so that anyone who possessed the necessary skills and knowledge could
take the test and be exempted from having to go through the learning
material. The system handles registration and also updates registry
files, when students pass the test. The environment enables employees
to study at their own pace.
Research tends to progress from theory to practice. Having become
familiar with information security from various perspectives including
the user and end-user perspectives, we decided to go the other way
from practice to theory. Our starting point was that, within information
security, relevant knowledge usually resides within the organization
in question. What an outsider, such as a consultant, can contribute
is a model or a general framework for exploring, enhancing and utilizing
this knowledge. On this view, pertinent information that is possessed
by company employees is collected and analyzed by an outside consultant
who introduces a theoretical framework for analysis and may also assist
in the utilization of the results of such analysis.
The practice to theory approach is also supported by the fact that
all information security events comprise a variety of aspects, some
of which are strongly in relief, while others can best be described
as weak signals. Even these can be taken into account thanks to the
increased computing power of modern computers, which allows the unique
features of each information security incident to be analyzed in detail.
This study investigated the information security knowledge of different
employee groups using a semi-structured theme interview. At the same
time, we were able to establish which areas of information security
knowledge needed improvement. This information formed the foundation
for the design of the e-learning programme.
Understanding information security issues from the technical point
of view is an advantage that employees of the case company had .
Nevertheless, since they did not have a wider perspective on other
aspects of security, such as organizational or end-user related issues,
they needed information security training. The problem is that, being
small, the company does not have the resources to allow its personnel
to take time off from work to participate in security training .
One solution is to resort to e-learning and construct an online learning
environment. Many e-learning environments are realized by long distance
networks, via the Internet, but our solution was to build an intranet-based
environment, within the company network. Most e-learning solutions
consist of very sophisticated and complicated systems, filled with
content that is more entertainment than work-oriented, but we proposed
a solution that is both simple and practical.
In the long run, the project reported here aims to develop a five-level
solution consisting of different guidelines custom-tailored for different
groups. At the first stage of this research, the focus is on guidelines
that apply to all user groups. First, a questionnaire on currently
prevalent practices is sent to every group. Then, having analyzed
the results, the most important guidelines are collected for organizational
use using the e-learning environment. It is important that these guidelines
are easy to understand and follow - and it would not hurt if they
were presented in a humorous way .
Requirements for the e-learning environment
The starting point for this project was the fact the organization
under study is a profit-seeking commercial enterprise. Aiming at improving
the security level of this organization, the project also offers it
a competitive edge through the provision of more secure telecommunication
services. Technical solutions, although constituting the foundation
of security, are insufficient and must be incorporated into a wider
This e-learning project tried to find new, cost-effective, ways of
offering security education to company employees. A guiding principle
in this undertaking is that the education offered must be meaningful
and immediately relevant to the employees. In carrying out their everyday
tasks, people tend to place a high value on usability, sometimes at
the expense of security. Sadly enough, the significance of information
security is often realized only after some mishap occurs.
Another balancing act is frequently observed in the context of e-learning.
Striving toward a more exciting and entertaining approach, educators
sometimes lose sight of their original purpose, and become entertainers
rather than educators.
Presentation and learning
Creating a multimedia e-learning environment requires not only technical
and content-related expertise, but also a pedagogical advisor. Chief
among the tasks of this advisor is to devise ways of presenting learning
materials in a manner that enables learners to assimilate new knowledge
into their previous knowledge structures - and thereby understand
what they have learned. Another function of the pedagogical advisor
is to take account of different learning strategies and styles to
maximize individual learning results.
All learners have their own learning strategies. Part of each individual's
learning strategy is their learning style, which is an essential element
of the learning process. We all have our own strengths, which we rely
on when processing information. Some people are characterized as holistic,
while others are best described as analytic learners. The difference
lies in the way they tend approach a task; holistic learners immediately
strive for the big picture, whereas analytically-oriented learners
favor a piecemeal approach.
Also our senses play an important part in the learning process. We
receive and process information on the basis of our vision, hearing,
tactile or kinetic sense. As a result, we have preferences as to how
we want learning materials to be presented to us, how we want to see,
hear, feel or experience the materials. Schools depend heavily on
vision and hearing, at the expense of pupils who learn better by doing
things, for instance. Some learners remember things as images, others
as stories. A third group consists of learners who like to try things
out through trial and error. Some people prefer to discuss things
with other people, others teach themselves by talking aloud. Most
people have one or more preferred senses for receiving and processing
Learning styles based solely on one way of learning are very uncommon,
as most people have their own learning strategies based on their strengths,
habits and preferences. Consequently, a learning environment catering
a large target group must be designed to accommodate a range of approaches
The e-learning environment was divided into five sections:
- Topic-driven learning modules
- Instructions and guidelines
- Learning tasks and exercises
- Glossary of information security
Having set the goal of creating an educational model based on these
five sections, the planners had to decide, whether there should be
a core learning package for all employees or several packages aimed
at the various employee groups. The adopted solution was to create
a core learning package consisting of the following learning modules:
- Information security essentials
- Classification of data and information
- Social engineering
- Malicious programmes
- Visitor routines and practices
- Work station security
- Internet and e-mail
- Guidelines for telephony
It proved a crucial point that also senior management completed the
core learning package. The construction includes three sections which
form an integral part of the organization's self-study programme.
These sections are:
- Learning modules for management,
- Learning modules for maintenance personnel, and
- Learning modules for front-end services.
Significance of the automated learning
The purpose of the e-learning project was to construct a learning
environment that requires no additional hardware or software. In addition,
the environment must be accessible from all workstations within the
In accordance with this principle, no special software or hardware
components were installed on these workstations running on various
Windows operating systems. It was only required that the PCs contain
standard peripherals like monitor, mouse, keyboard and, importantly,
sound card for listening to the recorded samples included in the learning
package. No additional video programs were necessary, as the package
contained a viewing programme.
These two basic requirements, accessibility and full functionality
from all workstations, relate to the levels of programming languages.
It is a well-established truth that the lower the level of the used
language, the faster the code and the smaller the memory requirement.
Such code is also more secure. Nevertheless, implementing any system
involves a compromise between automation and reliability, but the
old adage "small is beautiful" is well worth bearing in
When we set out to design the e-learning environment, it was assumed
that the basic information security guidelines of the organization
would be well-known by all employees. Therefore, it was a quite a
revelation when the first tests in January 2004 indicated that some
of the supposedly simple questions proved very hard to answer satisfactorily.
It was also revealed by the theme interviews that a great number
of employees had no clear understanding of what information security
is. All employee groups tended to describe it in terms of individual
or isolated components. Moreover, about half of the interviewees could
not explain in what ways information security issues would be relevant
to their work. This shows that security education should start by
breaking down the definition of information security and analyzing
how it affects everyday work.
Feedback relating to the use of the e-learning system was mainly
concerned with its technical implementation. Typical comments include
"it is slow" and "it takes a long time to start".
Generally, the learners either wanted the multimedia components to
load quicker or they wanted more functionality, including muting or
resolution changes on the fly.
The actual content matter of the programme was not commented on.
What little feedback was received indicated that the intended practical
approach was appreciated and that the learning topics were experienced
as having a practical value. This relative lack of feedback may be
explained by the fact that the learners did not have any expectations
as to the content matter, since they were unfamiliar with the subject.
Also, the design of content may have been better than the technical
implementation. In general, the e-learning system was described as
an interesting novelty and a number of learners indicated an interest
to participate in similar training on other topics as well. With an
average of 5 - 6 hours, many learners stated that they had used less
time than expected on the tasks .
Measuring information security awareness is a difficult undertaking.
One way of approaching it is to observe employees while they are working
to establish the degree to which they follow the given guidelines.
However, this study investigated the topic through an interview conducted
among the learners. These interviews started by exploring how the
learners understood the concept of information security which, after
all, constitutes the foundation of information security awareness.
The latter term refers to how well employees and members of society
understand various information security threats and the related responsibilities.
The results show that a high level of awareness has been achieved
when all personnel understand the meaning of information security
in its full extent and apply this knowledge in their work . In
addition, personnel must also be able to identify and manage a range
of information security threats. Finally, they must also know what
to do to avert these threats.
The prevailing situation in the organization discussed here was very
confusing: IT functions were outsourced, although staff was experts
in communication and information technology. In a sense, the organization
concentrated all efforts on its core activities while outsourcing
administrative routines. As a result, it is hardly surprising that
the organization has gone on to transfer it information security services
to a national umbrella organization. Currently, the development of
the e-learning programme is in the process of being put out on the
market as a new product.
Claiming that information security is not a major concern in the
small and medium sized business sector is completely wrong. They are
as likely to be affected by security breaches as major organizations.
In the present case, the e-learning environment was designed to promote
information security awareness, but such environments may be harnessed
to accommodate practically any topic of interest to any type of organization.
This paper discussed an e-learning environment for information security
education, designed and constructed by a small Finnish telecommunications
company. The experiences gathered so far indicate that the implementation
of an extensive learning system of this kind must be based on simple
solutions that minimize system load.
It became clear during this study that, to be successful, e-learning
requires that the designers and tutors are familiar with the learners'
needs and learning styles. Diverse ways of presenting the learning
materials makes it easier for individuals with different learning
styles to take in the information. What renders the entire task more
challenging is that the content matter of information security is
often fairly abstract, highlighting the importance of careful design
and presentation. The education offered must provide a range of possibilities
for interaction, because the chosen medium, online teaching markedly
lessens personal contact among teachers and learners. Other important
aspect includes the provision of support to the learners and ways
of creating an inspiring atmosphere conducive to learning. Feedback
provided by the teacher is an integral part of learning, and its role
is even more important in online teaching, where studies are usually
conducted in (relative) isolation from other learners. Time must also
be allocated to electronic communication between the participants.
And finally, attention must also be given to developing the proficiency
of the teachers and promoting their interaction.
[ 1 ] ISO/IEC 17799:2005: Information technology - Security techniques
- Code of practice for information security management, ISO, Geneve
[ 2 ] Epelboin, Y. : "E-learning: putting documents 0n the web
- Do and Don't". Workshop in EUNIS 2002. Porto, Portugal. (2002).
[ 3 ] Heikkinen, I., Ramet, T., "e-Learning as a part of information
security education development from organisational point of view".
Oulu University. Oulu. May (2004) (in Finnish).
[ 7 ] Kajava, J., Varonen, R., Tuormaa, E. Nykanen, M., "Information
Security Training through eLearning - Small Scale Perspective".
In Eveline Riedling (ed.): VIEWDET 2003. Vienna International Conference
on eLearning, eMedicine, eSupport. Vienna University of Technology.
Nov. 26. - 28. Vienna, Austria. (2003).
[ 8 ] Kajava, J., Varonen, R., "e-Learning as a Tool: Framework
for Building an Information Security Awareness Programme for a Local
Teleoperator". Euromedia'2004. Hasselt, Belgium. EUROSIS. Ghent,
[ 9 ] Neal, L., Perez, R., Miller, D., " eLearning and Fun".
CHI'04 SIG. ACM. Vienna, Austria. April 26 - 29. (2004).
[ 12 ] Thomson, M.E., von Solms, R., "An Effective Information
Security Awareness Program for industry". Information Security
- from Small Systems to Management of Secure Infrastructures. IFIP
TC-11 Sec'97: WG 11.2 and WG 11.1 Copenhagen, Denmark. (1997).
[ 13 ] Walsh, T., "Measuring the Effectiveness of Computer Security
Training". 23th Annual Security Conference and Exhibition. CSI.
November 11 - 13. Chicago, Il. (1996).
[This text is based on a paper of Jorma Kajava, Reijo Savola, Rauno
Varonen and Juhani Anttila presented at the CIS2006 conference in
Guangzhou, China in 2006]