A Healthy Security Attitude

Aetna's InfoSec Awareness training program keeps employees on course

The biggest security risk to any organization comes from within. The Computer Crime and Security Survey conducted by the Computer Security Institute has found that an average of 70 percent of respondents over six years has cited disgruntled and dishonest employees as a likely source of security problems. But a report from the SANS Institute says that many insider security problems also result from employees lack of knowledge.

Health care giant Aetna Inc. is one company thats treating these figures seriously enough to put its money where its mouth is. Donna Richmond, Aetnas InfoSec architecture manager, heads the team that developed and implemented Aetnas Web-based InfoSec Awareness program, which reaches anyone who has access to Aetnas information systems. Last year, the program reached 43,000 users.

Protecting an organization from the inside out is particularly challenging because the threat is people, not products. Its relatively simple to patch a server, but its exceedingly difficult to predict, and then direct, the behavior of one person, let alone a user community of thousands.

"The major risk youre managing is the people you give access to—error and omission and people just rushing to get their jobs done," said Richmond at Aetnas headquarters in Hartford, Conn. "And no matter what controls are in place, each can be circumvented in time, given a persistent, clever opponent preying on the weaknesses of the human element."

Nearly all large organizations have formal training programs in place either as part of a new-hire training program or on an ongoing basis or both, according to Alan Paller, director of research at the SANS Institute, in Bethesda, Md. But most of these programs leave a lot to be desired, he added.

"These programs are notoriously ineffective," Paller said. "Audits taken of employees who have been through many of these programs find them still willing to share passwords, still willing to tell someone proprietary information over the phone, still willing to hold the security door open for someone walking in a uniform carrying a computer."

The problem, said Paller, lies in the fact that most of these programs are taught by people who are not good speakers, who preach rather than motivate and who have never experienced the pain they claim security breaches will cause. Paller added that the programs usually dont get universal coverage nor test the knowledge being transferred.

Paller said Aetnas program solves most of these problems. "They get rid of the bad speaker, they dont waste time because people can test out, and they do test the results," he said.

The keystone of the Aetna InfoSec Awareness program is a Web-based exam that resides on Aetnas security portal. The exam must be completed by employees within 30 days of hire and annually thereafter. Before beginning the exam, employees must sign off on Aetnas security policy.

The exam is divided into six modules. Each module presents information and a series of questions for reinforcement. Each module takes 3 to 7 minutes to finish, and employees can complete them at their convenience within a one-year period.

The exam covers things that are generally part of Aetnas "... Code of Conduct, which addresses the use of technology and information resources, and the handling of confidential information. For example, you dont want to open up attachments if they have an extension of .vbs or .exe," Richmond said. "Or you dont want to fax something sensitive if you dont have someone ready on the other end to pick it up."

The exam isnt technically a test because employees cant fail, but the testing paradigm engages the user and provides employees with an interactive experience.

Its up to managers to enforce Aetnas security awareness training policy and address employees who dont comply.

Compliance with the program has been high—85 percent the first year and 100 percent last year.

Aetnas security team is also increasing awareness through some savvy internal marketing. "Weve tried to brand information security internally," said Richmond. "We conducted a Web-based contest to come up with a logo, a lighthouse called Beacon—a guiding light for good security practices."

Richmond said the logo is used on all security training materials, including the Beacon newsletter, and on certificates earned by employees after completing the security exam. "A lot of people have chosen to post the certificate in their workstations," Richmond said. "You see those over and over, again reinforcing information security."

One of the most striking things about the Aetna program is its simplicity. Richmond takes this as the highest of compliments but adds that its extremely complex to make something this complicated look simple.

"Its devilishly difficult to do something that looks simple," she said. "Its challenging to find experienced InfoSec staff with enough business knowledge and expertise to create this model. You have to have several things all in one individual—they have to understand what the business or industry is, they have to understand the technology and how it enables your business, and they have to have communication skills to put that all together effectively."

Richmond said attention to instructional design was key for the programs usability and support. "We dont have a large staff of people to support the calls if people get stuck in any of our InfoSec awareness tools, so we included rigorous Web usability testing," she said. "This has allowed us to deploy nationally with a support staff of two."

Richmond said designing and implementing the exam program cost between $70,000 and $100,000. She said it would be difficult to quantify the benefits of the InfoSec Awareness program but that it eventually translates to the bottom line. "Youre never going to eliminate risk, but if we can minimize risk and properly handle the information thats in our custody, then we can overall be a more successful company."

The information in any organizations custody should be a key determinant in developing a security program, Richmond said. "Currently, there is a great deal of legal activity in the formation of mandates for security and privacy. For the health care industry, it may well be a directive via HIPAA [Health Insurance Portability and Accountability Act] regulations and other regulations."