Cybersecurity Computer-Based Training and Technical Communication Design
About the Author
Lysandwr McNary graduated from New Mexico Tech in spring of 2013 with a Bachelor of Science degree in Technical Communication, after years spent in varied pursuits, from book publisher to United States Army Psychological Operations Specialist. Her time with the US Army, including two years in Iraq, provided many opportunities for studying cybersecurity, communication, and human behavior.
Background
Per the United States Government Office of Management and Budget (OMB), which ensures that all agency reports and rules are consistent with Administration policies, FISMA requires all employees of federal agencies and affiliated civilian entities to have information awareness training. The OMB further defines information systems as “a discrete set of information resources organized for the collection, process, maintenance, transmission, and dissemination of information, in accordance with defined procedures, whether automated or manual” (OMB Memo 12.20.2012). This training must initially occur prior to employee access to federal agency information systems, and then annually, with additional training provided should duties change or increase (OMB Memo 07-16). Significantly, the OMB Memorandum language specifically notes that “both initial and refresher training must include acceptable rules of behavior and the consequences when the rules are not followed.” FISMA requires that all federal entities develop and implement “an agency-wide information security program that includes security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of: (a) information security risks associated with their activities; and (b) their responsibilities in complying with agency policies and procedures designed to reduce these risks” (Department of Homeland Security, 2012). The primary entity tasked with providing guidance on cybersecurity training requirements, including that of information assurance/awareness, is the National Institute of Standards and Technology (NIST, Computer Security Division, 2012).
Cybersecurity information assurance training is defined by NIST as belonging to either Tier 1 (General Security Awareness), which is the information assurance/awareness “basics and literacy” required for all employees with access to federal information systems, or Tier 2, required for employees with higher-level involvement in implementing cybersecurity (NIST, Computer Security Division, 2012). In order to standardize this training and ensure that products maintain the skills and competencies required, four Information Systems Security Line of Business Security and Awareness Training Shared Service Centers have been recognized to provide sources of approved training products that meet FISMA/NIST requirements and guidelines for both Tier 1 and Tier 2. Each of these four Security Awareness Training Shared Service Centers has a sponsoring agency: the Department of State, the Department of Defense (DoD), the United States Office of Personnel Management (OPM), and the Department of Veterans Affairs (VA) (Figure 1). The training level I examined is the Information Assurance/Awareness training mandated for all federal and civilian employees, or Tier 1 General Security Awareness (Dept. of Homeland Security, 2012), provided by the DoD Shared Service Center.
Figure 1 General flow of training guidelines and development in support of FISMA (left to right).
In determining what metrics to apply in this examination, I reviewed the annual FISMA compliance reporting requirements mandated by the OMB and DHS. Federal agencies and other interacting entities such as civilian contractors must presently report whether or not their information assurance/awareness training includes the following. Does it
• Address phishing?
• Cover the subject of remote access?
• Cover the subject of Web 2.0 technologies?
• Cover the subject of Peer-to-Peer technologies?
The questions are asked, according to DHS, because
• “Some of the most effective attacks on cyber-networks, world-wide currently are directed at exploiting user behavior. These include phishing attacks, social engineering to obtain passwords, and introduction of malware via removable media.
• These threats are especially effective when directed at those with elevated network privileges and/or other elevated cyber responsibilities.
• Training users (privileged and unprivileged) and those with access to other pertinent information and media is a necessary deterrent to these methods. Therefore, Organizations are expected to use risk-based analysis to determine the correct amount, content, and frequency of update to achieve adequate security in the area of influencing these human behaviors that affect cybersecurity.
• DHS has determined that some metrics in this section are prioritized as Key FISMA Metrics.
• Some questions in this section also contain baseline information to be used to assess future improvement in performance.
• The metrics will be used to assess the extent to which Organizations are providing adequate training to address these attacks and threats” (DHS, Reporting Metrics).
Additionally, DHS notes that the desired results of successful completion of “cybersecurity awareness training” are that users will understand and avoid risky or negative behavior, will always maintain safe practices in the information environment, and will—to the best of their abilities—take steps to increase the security of their information environments during normal work day situations. In support of these desired outcomes, “training that focuses on behavior or activities not experienced by the user during normal information system use will obviously not be of benefit” (DHS, Reporting Metrics). Although the hierarchy is not strictly linear, the Office of Management and Budget (as previously noted) is the highest level of FISMA policy decisions, the Department of Homeland Security is the reporting and auditing authority, and the National Institute of Standards and Technology guides implementation and mandate fulfillment. To that end, NIST Special Publication (SP) 800-16, on Information Security Training Requirements, expands on Tier 1 “awareness training”. It defines this per FISMA as encompassing basic literacy and security awareness standards for users of information systems, and so the target audience of all Tier 1 training is all employees of both federal agencies and civilian affiliated entities. In the Information Technology (IT) Security Learning Continuum (Figure 2, NIST SP 800-50), the Security Basics and Literacy level includes these objectives:
· “To ensure that users of information and information systems understand the core set of key terms and essential information security concepts that are fundamental for the protection of information and information systems.
· To promote personal responsibility and positive behavioral change throughout an organization’s information and information system user population, beyond what is disseminated in the organization’s basic awareness efforts.
· To offer an information security awareness training curriculum framework to promote consistency across government.”
NIST SP 800-16 also specifically states that its training development guidance is targeted not only at information security professionals but also at instructional design/training development specialists—or technical communicators. The document recognizes that the two different audiences will be reading for very different reasons, and that training development personnel could also seek guidance on training methodology for use in designing training courses. This further validates the included metrics for application to training modules certified as FISMA compliant. The curriculum framework noted in the above objective for Tier 1 training products has been directed by the OMB, from recommendations of the Information Systems Security Line of Business Tier 1 Awareness Training Working Group, to include a minimum of twenty-eight topics. These range from protecting shared data to social engineering. Obviously, every topic does not need to be covered in every training module. But if the primary module does not cover all topics, a course of Tier 1 training modules must be available such that when all are completed, every topic has been addressed.
Figure 2 The IT Security Learning Continuum
TECHNICAL COMMUNICATION (TC) BEST PRACTICES
The following design principles and best practices were drawn from research studies as well as curricula and syllabi of Technical Communication degree and certificate programs across the United States (Appendix A). In addition, special attention was paid to the programs at New Mexico Institute of Mining and Technology, University of Texas at San Antonio, and Missouri University of Science and Technology. These three institutions are all designated National Centers of Academic Excellence in Information Assurance Education by the National Security Agency (NSA) and DHS, and participate in the federally funded Scholarship for Service program, which supports both undergraduate and graduate studies in cybersecurity and information assurance in order to strengthen the national cybersecurity effort.
AUDIENCE AWARENESS—Who will be taking the course and how will they apply it to their jobs? How well does the course maintain credibility and value to the trainee? Does the learner feel included or overlooked (Paretti, 2006)?
USER CENTERED DESIGN—How will users access the information and how much control over the format and pathway do they have? What tasks will they perform in the course of the module, to what desired outcome? How interactive is the training (Fisher, 2000)?
NAVIGATION—How does the framework (the information architecture and linear/non-linear construction aspects) affect the users in their choices? Are the desired learning outcomes supported?
VISUAL DESIGN/RHETORIC
EYE TRACKING—Applying knowledge of typical visual focus patterns on web/computer interfaces, including time spent on text blocks and graphics (Russell, 2005).
COLOR USE—How color affects information retention, distraction, and learner comfort. Color use guides learner focus, emphasizes where necessary via contrast, and can elicit an emotional response. Colors have symbolic associations (blue: technology and stability) and affect the learner’s perception of other colors (Anderson, 278-282).
WHITE/NEGATIVE SPACE AND GROUPING—Effectively conveying information, retaining trainee attention (Chaparro et al., 2004), and the effect of enhanced layouts on reader fatigue (Chaparro et al., 2005).
FONTS—Ease of reading text, trainee comfort, information retention, and credibility (Williams, 2000).
AUDIO-VISUAL—Is the user effectively included, without overloading information processing capabilities and in such a way as to increase information retention (Anderson, 250-265)?
GAME THEORY/VIRTUAL WORLD—Are competition (with self), rewards, and “entertainment value” used to add credibility and increase effectiveness of behavioral change (Araki, 2008)?
ACCESSIBILITY—Has usability on common systems been addressed, and is the module Americans with Disabilities Act compliant (508 ADA)?