Thursday, December 12, 2019
Role of Information Security Education and Training Within Enterprises
Question: Describe the role of information security education and training within enterprises. Answer: Information security practices helps to protect information from any kind of undesired disclosure. It also provides helps to ensure the integrity of the information and also provides accessibility only to the authorized individuals. Information security also ensures accountability for the access and utilization of the information. As per the article by Amankwa, Loock and Kritzinger (2015) information security has the ability to identify threats from operational, physical and human factors. Therefore, it helps enterprises to implement appropriate technical, physical, procedural and human related control over the important and confidential information. Thus, information security practices within the organization provide additional value to an enterprise by reducing and avoiding the possibility of unauthorized access. It also allows organization to modify their present information system, which almost every enterprise heavily depend upon in present business environment. Technical evaluation in the sector of information security control has become a major issue for every organization to handle. Information security tools like firewalls, anti-virus proved extremely useful for every organization to protect information from any type of external threats. However, proper exploitation of the implemented information system requires error free human control. In addition, as technology is continuously evolving, it started to demand specific knowledge regarding security of the information system. Therefore, it has become a necessary for every organization to provide training regarding the human centric control of the implemented information security system (Galliers and Leidner 2014). Furthermore, information security system associated with several types of rules and regulations that every enterprise has to follow. Otherwise, this can actually become an illegal offence committed by the organization, which can have major negative impact on the overall image of the company. Figure 1: Information security foundation (Source: Whitman and Mattord 2013) As per the article by Adelsberger, Collis and Pawlowski (2013) information security education will allow employees of an organization gain knowledge about appropriate compliance requirements, legislation and ethical practices. Since, security education can provide the necessary information regarding the understanding of compliance requirements, ethical obligation and potential threats. Hence, information security training and education allows employees or management of an enterprise to identify the security priority and align it with the business strategies so that the enterprise can able to formulate standard procedures and policies, which will help to secure the information that has the potential to provide competitive advantage in the market. Furthermore, enterprises try to implement information security system, as it brings additional values. Billett et al. (2015) mentioned, Even the best technological controls are worthless in the hands of poorly trained or unmotivated staff. Information management has become one of the most crucial factors in present business environment, as every organization is looking to implement strategy so that it can able to secure organizational information of the enterprise. Therefore, importance of training and education for all the employees are also becoming very important. Training and education important for create awareness regarding the kind of threat an organization might have to face. Otherwise, information system technological tool might not have the expected amount of impact. As per the study by Ahmad, Maynard and Park (2014) many organizations are starting to invest huge amount of money to increase its present level of information security. Zafar (2013) mentioned that human factor is among the weakest link regarding organizational implementation of security system. Therefore, information security training and education have a positive and direct effect on the overall understanding of ethical obligation and compliance regulation towards the information security. Training and education reduce the possibility of inside threats also. The United States Office of Management and Budget highlighted that inadequacy of security and privacy education as the prime risk impeding the adequate protection of government information. According to the study by Merkow and Breithaupt (2014), 47% of information security professionals express their disappointment that enterprise are not providing necessary training and education regarding the information security system. However, the above discussion established the fact that training and education regarding information security is not only important but also necessary for the enterprises in order to keep its information secure from any type of unauthorized access. In addition, training and education in the information security also allows employees to utilize the system much more effectively. Therefore, it improves the effectiveness of the internal process of the organization as well. Training and education in the information security also helps enterprises to have a clear idea about what kind of usage of the information is allowed in the ethical practices. As a result, in reduces the chances of human error that can increase the probability of misuse of the information. Proposed set of recommendation for training and education within the enterprise: The above discussion established the fact that information security is one of the prime concerns for every organization. Since, it not only helps enterprises to store information but also allows develop strategies that can help to gain competitive advantage in the market. However, as the technology is improving, several risks are also coming up that can actually break the information system of the enterprise. Hence, it can steal important confidential data of the organization, which eventually force the organization to face huge amount of losses. Hence, training and educating employees is extremely important so that they can able to manage crisis much more effectively. Hence, the recommended training or education program will have to perform several steps to create high level of effectiveness. The recommended steps described as follows: Introduction of the implemented system: The training and education program regarding the information security will have to consider the introduction stage. This step is important because it will allow employees of an enterprise to perceive the kind of changes they will have to face in organizational operation. This stage of training and education process also will have to highlight the necessity of the introduction of information security system in the organizational process. Creating awareness about the implemented system: In present competitive business environment, it is necessary to for every enterprise to implement innovative strategies that have the potential to provide competitive advantage in the market. Implementation of information security system is also considered as one of the important part of an enterprise (Andress 2014). Therefore, training and education program regarding information security system will have to create awareness so that every employee can able to understand the kind of positive impact it can have on the organizational processes. Creating awareness will also influence the willingness of the employees to learn this new technology. Therefore, organizations will able to have employees with greater amount of skill. Hence, enterprises will able to manage their information much more effectively. Highlighting the key areas where implemented system will have greater impact: Highlighting the key areas where implemented system will have greater impact will have to be the next step of the training and education process. Since, it will allow employees to identify the exact areas where organization is struggling to secure its information. Therefore, employees will also become very careful for those areas. This will minimize the possibilities of human error. As mentioned earlier, human error considered as one of the prime factor that create negative impact on the information security process of the organization. Hence, if training and education process can able to utilize this step properly, it will able to create high security information system. Educating the way of executing the implemented system: As per the article by Luftman et al. (2012) every system has its unique way of working. Therefore, it requires specific skills from the individuals in order to utilize that system for the desired objective. Information security system is no difference. Therefore, it does demand specific skill set from the employees. Hence, next step of training and education of information security will have to consider about the development of knowledge regarding the way of execution of information security system. Hence, it will allow enterprises to secure its information in a much more effective way. Informing legislative boundary of the implemented system: As mentioned earlier, information security system has some legislative restriction. Therefore, it is necessary for every members of an enterprise to know about these rules and regulations. Thus, it highlighted the importance of this particular step in the training and education process of information security. In addition, it also allows enterprises to maintain proper ethical practices regarding the information security. Hence, this step of training and education process actually has great positive impact on the overall development process of the organizational image and goodwill. Providing practical practices: According to Aloul (2012), training and educational program regarding any subject cannot be fulfilled without implementing any practice session. Since, it allows the learner to evaluate the process or technology with a firsthand experience. As a result, learners can able to remember all the process or knowledge effectively for long time. Therefore, enterprises also will have to implement practical training process so that the employees can able to utilize information security system much more effectively. References: Adelsberger, H.H., Collis, B. and Pawlowski, J.M. eds., 2013.Handbook on information technologies for education and training. Springer Science Business Media. Ahmad, A., Maynard, S.B. and Park, S., 2014. Information security strategies: towards an organizational multi-strategy perspective.Journal of Intelligent Manufacturing,25(2), pp.357-370. Aloul, F.A., 2012. The need for effective information security awareness.Journal of Advances in Information Technology,3(3), pp.176-183. Amankwa, E., Loock, M. and Kritzinger, E., 2015, November. Enhancing information security education and awareness: Proposed characteristics for a model. In2015 Second International Conference on Information Security and Cyber Forensics (InfoSec)(pp. 72-77). IEEE. Andress, J., 2014.The basics of information security: understanding the fundamentals of InfoSec in theory and practice. Syngress.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.