Building a Successful Information Security Awareness Programme for NLI

Abstract

NLI is a Norwegian industrial company. Information security, which is crucial for their business success, has gained more and more attention from NLI‘s top management and IT department. Currently the technical side of security in NLI is better developed than the human and organizational side. More needs to be done are that building a progamme to increase information security awareness for each employee and making every employee in NLI realize the importance and necessity of information security and then acts accordingly. This thesis defined three research questions in order to building a successful information security awareness programme for NLI: 1) What should the curriculum of an information security awareness programme for NLI be? 2) How should the information security programme be organized to effectively deliver the necessary information to NLI employees? 3) How should the effectiveness of the information security awareness programme be measured in NLI? Solving these three research questions, I have done an interview in NLI and then understood their management organization, work processes and information system in use. Based on results of interview combined with some literature study, I analyzed and then provided proposed training curriculums of an information security awareness programme for NLI. Computer based training which include both web-based and no web-based training combined with an annual web-based mandatory information security exam is the best delivery methods that I proposed for NLI compared with others. In order to measure the effectiveness of the information security awareness programme, I have identified and defined a set of security awareness metrics for NLI. The set is not meant to be a complete set of awareness metrics for NLI, but hopefully they may serve as examples and give inspiration to other metric definitions. The metrics are defined according to available templates, and they are presented in Appendix C at the end of this report. It is important that the proposed information security awareness programme can be used in practical work in NLI. A practical test of this programme is therefore very important. This is however not being described in this report. But it is considered a natural follow-up to this report.