How to train people to increase their security awareness in IT

Abstract

One of the key issues concerning IT systems is Information Security Management. Among the security objectives in the ISO/IEC 27002:2013 standard refers to information security awareness, education and training. In this area there are many important aspects but in this paper authors focus on people, their knowledge and their security awareness. Authors introduce a model that could illustrate organization members, their relations and knowledge about security. Results of simulations can be used to create plans of training to increase their security awareness. Finally authors present few cases where different strategies of teaching people are tested and the analysis is presented. If knowledge does not change under the influence of co-workers, it is better to train those with smallest knowledge.