Juhani Anttila
Venture Knowledgist Quality Integration
Helsinki, Finland



Abstract: Focusing on security education, this paper describes an e-learning environment that has been constructed to increase information security awareness among employees of a Finnish telecommunications company that is a commercial provider of public services. The design principles based on making the components of the system as simple as possible to produce a system that delivers both functionality and stability.


This paper discusses an e-learning based information security project carried out by a small organization in the telecommunication service sector. The environment was built in close collaboration with the intended users, i.e., the environment and its contents were based on their practical needs.

The development work in a small organization is fairly flexible, and experiences accumulate quickly. The topic area, information security, was selected as it is a key issue for businesses, institutes of education and society at large. Traditionally, the highlight has been on the technical aspects of information security, but during the past few years, human and organizational aspects have assumed an increasingly prominent role in discussions on security [1, 10, and 11].

E-learning based information security education strives to raise the awareness level of all employees. The aim is to equip them with the necessary skills and knowledge to meet the challenges that they may have to face in their everyday work [5].

Methods and techniques used

The results of the information security knowledge of the employees by means of questionnaires and interviews were used to create an educational programme to correct the perceived weaknesses. As teaching material, the programme utilized various organizational guidelines complemented by educational materials compiled at the University of Oulu.

In addition to the actual learning environment and its contents, the organization has also implemented an automatic online assignment sheet for tracking and monitoring learning. This form was designed so that anyone who possessed the necessary skills and knowledge could take the test and be exempted from having to go through the learning material. The system handles registration and also updates registry files, when students pass the test. The environment enables employees to study at their own pace.

Research tends to progress from theory to practice. Having become familiar with information security from various perspectives including the user and end-user perspectives, we decided to go the other way from practice to theory. Our starting point was that, within information security, relevant knowledge usually resides within the organization in question. What an outsider, such as a consultant, can contribute is a model or a general framework for exploring, enhancing and utilizing this knowledge. On this view, pertinent information that is possessed by company employees is collected and analyzed by an outside consultant who introduces a theoretical framework for analysis and may also assist in the utilization of the results of such analysis.

The practice to theory approach is also supported by the fact that all information security events comprise a variety of aspects, some of which are strongly in relief, while others can best be described as weak signals. Even these can be taken into account thanks to the increased computing power of modern computers, which allows the unique features of each information security incident to be analyzed in detail.

This study investigated the information security knowledge of different employee groups using a semi-structured theme interview. At the same time, we were able to establish which areas of information security knowledge needed improvement. This information formed the foundation for the design of the e-learning programme.

Security learning

Understanding information security issues from the technical point of view is an advantage that employees of the case company had [6]. Nevertheless, since they did not have a wider perspective on other aspects of security, such as organizational or end-user related issues, they needed information security training. The problem is that, being small, the company does not have the resources to allow its personnel to take time off from work to participate in security training [7].

One solution is to resort to e-learning and construct an online learning environment. Many e-learning environments are realized by long distance networks, via the Internet, but our solution was to build an intranet-based environment, within the company network. Most e-learning solutions consist of very sophisticated and complicated systems, filled with content that is more entertainment than work-oriented, but we proposed a solution that is both simple and practical.

In the long run, the project reported here aims to develop a five-level solution consisting of different guidelines custom-tailored for different groups. At the first stage of this research, the focus is on guidelines that apply to all user groups. First, a questionnaire on currently prevalent practices is sent to every group. Then, having analyzed the results, the most important guidelines are collected for organizational use using the e-learning environment. It is important that these guidelines are easy to understand and follow - and it would not hurt if they were presented in a humorous way [9].

Requirements for the e-learning environment

The starting point for this project was the fact the organization under study is a profit-seeking commercial enterprise. Aiming at improving the security level of this organization, the project also offers it a competitive edge through the provision of more secure telecommunication services. Technical solutions, although constituting the foundation of security, are insufficient and must be incorporated into a wider approach.

This e-learning project tried to find new, cost-effective, ways of offering security education to company employees. A guiding principle in this undertaking is that the education offered must be meaningful and immediately relevant to the employees. In carrying out their everyday tasks, people tend to place a high value on usability, sometimes at the expense of security. Sadly enough, the significance of information security is often realized only after some mishap occurs.

Another balancing act is frequently observed in the context of e-learning. Striving toward a more exciting and entertaining approach, educators sometimes lose sight of their original purpose, and become entertainers rather than educators.

Presentation and learning

Creating a multimedia e-learning environment requires not only technical and content-related expertise, but also a pedagogical advisor. Chief among the tasks of this advisor is to devise ways of presenting learning materials in a manner that enables learners to assimilate new knowledge into their previous knowledge structures - and thereby understand what they have learned. Another function of the pedagogical advisor is to take account of different learning strategies and styles to maximize individual learning results.

All learners have their own learning strategies. Part of each individual's learning strategy is their learning style, which is an essential element of the learning process. We all have our own strengths, which we rely on when processing information. Some people are characterized as holistic, while others are best described as analytic learners. The difference lies in the way they tend approach a task; holistic learners immediately strive for the big picture, whereas analytically-oriented learners favor a piecemeal approach.

Also our senses play an important part in the learning process. We receive and process information on the basis of our vision, hearing, tactile or kinetic sense. As a result, we have preferences as to how we want learning materials to be presented to us, how we want to see, hear, feel or experience the materials. Schools depend heavily on vision and hearing, at the expense of pupils who learn better by doing things, for instance. Some learners remember things as images, others as stories. A third group consists of learners who like to try things out through trial and error. Some people prefer to discuss things with other people, others teach themselves by talking aloud. Most people have one or more preferred senses for receiving and processing information [7].

Learning styles based solely on one way of learning are very uncommon, as most people have their own learning strategies based on their strengths, habits and preferences. Consequently, a learning environment catering a large target group must be designed to accommodate a range of approaches and styles.

Learning contents

The e-learning environment was divided into five sections:
- Topic-driven learning modules
- Instructions and guidelines
- Learning tasks and exercises
- Glossary of information security
- Feedback

Having set the goal of creating an educational model based on these five sections, the planners had to decide, whether there should be a core learning package for all employees or several packages aimed at the various employee groups. The adopted solution was to create a core learning package consisting of the following learning modules:
- Information security essentials
- Passwords
- Classification of data and information
- Social engineering
- Malicious programmes
- Visitor routines and practices
- Work station security
- Internet and e-mail
- Guidelines for telephony

It proved a crucial point that also senior management completed the core learning package. The construction includes three sections which form an integral part of the organization's self-study programme. These sections are:
- Learning modules for management,
- Learning modules for maintenance personnel, and
- Learning modules for front-end services.

Significance of the automated learning environment

The purpose of the e-learning project was to construct a learning environment that requires no additional hardware or software. In addition, the environment must be accessible from all workstations within the organization [8].

In accordance with this principle, no special software or hardware components were installed on these workstations running on various Windows operating systems. It was only required that the PCs contain standard peripherals like monitor, mouse, keyboard and, importantly, sound card for listening to the recorded samples included in the learning package. No additional video programs were necessary, as the package contained a viewing programme.

These two basic requirements, accessibility and full functionality from all workstations, relate to the levels of programming languages. It is a well-established truth that the lower the level of the used language, the faster the code and the smaller the memory requirement. Such code is also more secure. Nevertheless, implementing any system involves a compromise between automation and reliability, but the old adage "small is beautiful" is well worth bearing in mind.

Essential results

When we set out to design the e-learning environment, it was assumed that the basic information security guidelines of the organization would be well-known by all employees. Therefore, it was a quite a revelation when the first tests in January 2004 indicated that some of the supposedly simple questions proved very hard to answer satisfactorily.

It was also revealed by the theme interviews that a great number of employees had no clear understanding of what information security is. All employee groups tended to describe it in terms of individual or isolated components. Moreover, about half of the interviewees could not explain in what ways information security issues would be relevant to their work. This shows that security education should start by breaking down the definition of information security and analyzing how it affects everyday work.

Feedback relating to the use of the e-learning system was mainly concerned with its technical implementation. Typical comments include "it is slow" and "it takes a long time to start". Generally, the learners either wanted the multimedia components to load quicker or they wanted more functionality, including muting or resolution changes on the fly.

The actual content matter of the programme was not commented on. What little feedback was received indicated that the intended practical approach was appreciated and that the learning topics were experienced as having a practical value. This relative lack of feedback may be explained by the fact that the learners did not have any expectations as to the content matter, since they were unfamiliar with the subject. Also, the design of content may have been better than the technical implementation. In general, the e-learning system was described as an interesting novelty and a number of learners indicated an interest to participate in similar training on other topics as well. With an average of 5 - 6 hours, many learners stated that they had used less time than expected on the tasks [3].

Measuring information security awareness is a difficult undertaking. One way of approaching it is to observe employees while they are working to establish the degree to which they follow the given guidelines. However, this study investigated the topic through an interview conducted among the learners. These interviews started by exploring how the learners understood the concept of information security which, after all, constitutes the foundation of information security awareness. The latter term refers to how well employees and members of society understand various information security threats and the related responsibilities. The results show that a high level of awareness has been achieved when all personnel understand the meaning of information security in its full extent and apply this knowledge in their work [3]. In addition, personnel must also be able to identify and manage a range of information security threats. Finally, they must also know what to do to avert these threats.


The prevailing situation in the organization discussed here was very confusing: IT functions were outsourced, although staff was experts in communication and information technology. In a sense, the organization concentrated all efforts on its core activities while outsourcing administrative routines. As a result, it is hardly surprising that the organization has gone on to transfer it information security services to a national umbrella organization. Currently, the development of the e-learning programme is in the process of being put out on the market as a new product.

Claiming that information security is not a major concern in the small and medium sized business sector is completely wrong. They are as likely to be affected by security breaches as major organizations.

In the present case, the e-learning environment was designed to promote information security awareness, but such environments may be harnessed to accommodate practically any topic of interest to any type of organization.


This paper discussed an e-learning environment for information security education, designed and constructed by a small Finnish telecommunications company. The experiences gathered so far indicate that the implementation of an extensive learning system of this kind must be based on simple solutions that minimize system load.

It became clear during this study that, to be successful, e-learning requires that the designers and tutors are familiar with the learners' needs and learning styles. Diverse ways of presenting the learning materials makes it easier for individuals with different learning styles to take in the information. What renders the entire task more challenging is that the content matter of information security is often fairly abstract, highlighting the importance of careful design and presentation. The education offered must provide a range of possibilities for interaction, because the chosen medium, online teaching markedly lessens personal contact among teachers and learners. Other important aspect includes the provision of support to the learners and ways of creating an inspiring atmosphere conducive to learning. Feedback provided by the teacher is an integral part of learning, and its role is even more important in online teaching, where studies are usually conducted in (relative) isolation from other learners. Time must also be allocated to electronic communication between the participants. And finally, attention must also be given to developing the proficiency of the teachers and promoting their interaction.


[ 1 ] ISO/IEC 17799:2005: Information technology - Security techniques - Code of practice for information security management, ISO, Geneve (2005)
[ 2 ] Epelboin, Y. : "E-learning: putting documents 0n the web - Do and Don't". Workshop in EUNIS 2002. Porto, Portugal. (2002).
[ 3 ] Heikkinen, I., Ramet, T., "e-Learning as a part of information security education development from organisational point of view". Oulu University. Oulu. May (2004) (in Finnish).
[ 7 ] Kajava, J., Varonen, R., Tuormaa, E. Nykanen, M., "Information Security Training through eLearning - Small Scale Perspective". In Eveline Riedling (ed.): VIEWDET 2003. Vienna International Conference on eLearning, eMedicine, eSupport. Vienna University of Technology. Nov. 26. - 28. Vienna, Austria. (2003).
[ 8 ] Kajava, J., Varonen, R., "e-Learning as a Tool: Framework for Building an Information Security Awareness Programme for a Local Teleoperator". Euromedia'2004. Hasselt, Belgium. EUROSIS. Ghent, Belgium. (2004).
[ 9 ] Neal, L., Perez, R., Miller, D., " eLearning and Fun". CHI'04 SIG. ACM. Vienna, Austria. April 26 - 29. (2004).
[ 12 ] Thomson, M.E., von Solms, R., "An Effective Information Security Awareness Program for industry". Information Security - from Small Systems to Management of Secure Infrastructures. IFIP TC-11 Sec'97: WG 11.2 and WG 11.1 Copenhagen, Denmark. (1997).
[ 13 ] Walsh, T., "Measuring the Effectiveness of Computer Security Training". 23th Annual Security Conference and Exhibition. CSI. November 11 - 13. Chicago, Il. (1996).

[This text is based on a paper of Jorma Kajava, Reijo Savola, Rauno Varonen and Juhani Anttila presented at the CIS2006 conference in Guangzhou, China in 2006]