Critical Control 20: Security Skills Assessment and Appropriate Training To Fill Gaps
The skills of five groups of people are constantly being tested by attackers:
End users are fooled into opening attachments and loading software from untrusted sites, visiting web sites where they are infected and more.
System administrators are fooled in the same ways as ordinary users, but they are also tested when unauthorized accounts are set up on their systems, when unauthorized equipment is attached, and when large amounts of data are exfiltrated.
Security operators and analysts are tested by new and innovative attacks, including sophisticated privilege escalation and redirection, alongside a continuous stream of more traditional attacks.
Application programmers are tested by criminals who find and exploit the vulnerabilities they leave in their code.
To a lesser degree, system owners are tested when they are asked to invest in cyber security while unaware of the devastating impact that a compromise, data exfiltration or data alteration would have on their mission.
Any organization that hopes to find and respond to attacks effectively owes it to its employees and contractors to find the gaps in their knowledge and to provide exercises and training to fill those gaps. A solid security skills assessment program provides actionable information to decision makers about where security awareness needs to be improved, and also helps determine the proper allocation of limited resources to improve security practices.
How can this control be implemented and its effectiveness measured?
QW: Develop security awareness training tailored to the various personnel job descriptions. The training should include specific, incident-based scenarios showing the threats the organization faces.
Config/Hygiene: Devise periodic security awareness assessment quizzes, to be given to employees and contractors on at least an annual basis, determining whether they understand the information security policies and procedures for the