e-Learning Blog

Generally, information security education in a corporate setting aims to improve the security literacy (※) of each employee in order to prevent security incidents (accidents related to information security) from occurring.

Examples of security incidents include unauthorized access and malware infections. When these incidents occur, there is a serious risk of information leakage and tampering, which can be a critical issue for companies.

To avoid risks, it is important to organize and confirm the approach to business and to implement measures to enhance security. However, even with a sophisticated security system in place, it is ultimately up to humans to use it, so it is essential for each employee to improve their security literacy. Information security education is one of the most important forms of employee education in order for a company to continue stable operations and growth.
※The ability to possess knowledge and skills related to information security and to practice them correctly

So, what exactly is information security education?

〈General Information Security Education (Example)〉

●Threats and Countermeasures When Using the Internet

Explanation of risks and countermeasures when using services using the internet, such as browsing websites, email, information equipment, and mobile devices.

●Notes for Information Dissemination

Tips and troubleshooting for using dedicated platforms provided on the internet, such as SNS and blogs, to disseminate information.

●Accidents and Damage Cases

Introduction of case studies based on actual accidents and damages to raise awareness, and methods to avoid risks based on those lessons.

〈Corporate/Organizational Information Security Education (Example)〉

●Employee Training

Explanation of security measures that concern each employee, such as password management, virus protection, precautions for teleworking, and measures when using portable media and devices.

●Education for Organizational Executives

Explanation for executives in charge of overseeing organizations, such as the necessity of information security measures, the concept of information security management, and the responsibility of companies handling personal information.

●Education for Information Management Personnel

Explanation of security measures that information management personnel should implement, such as "physical security" measures for unauthorized access, viruses, targeted attacks, etc., as well as "physical security" measures for server management and equipment failure, and the introduction and operation of information security policies.

In a corporate setting, the content of information security education varies depending on each individual's position and role. It is important for each employee to be aware of their responsibilities and actions in order to enhance the overall security awareness of the organization and minimize security risks.

In this chapter, we will understand the risks of information security surrounding companies and reaffirm the importance of information security education.

●There are "threats" and "vulnerabilities" in information security risks

Information security risk refers to the risk of damage or negative impact on information systems and their data, and is classified into "threats" and "vulnerabilities".

First of all, "threat" refers to a factor that causes risk. There are human-induced threats and environmental threats such as disasters.

Next, "vulnerability" refers to a weakness that can be exploited by threats. This includes inadequate virus protection, software bugs, and unlocked buildings, which are referred to as "security holes". The larger the vulnerability, the more likely it is to be targeted by malicious attackers, increasing the risk of confidential information being stolen.

●The increasing number of "targeted attacks"

Currently, when it comes to malicious cyber attacks, the main trend is attacks targeting specific organizations or individuals in order to gain money. These attacks targeting "specific organizations or individuals" are called "targeted attacks". There are various types of targeted attacks, but the most common is phishing emails.
By cleverly luring employees through phishing emails and infecting their PCs with viruses, the virus can spread through the internal network and steal confidential information or destroy systems. These attacks often continue for a long period of time and there are many cases where information is stolen without being noticed.

● Red light for business continuity due to loss of trust

Companies not only hold information about their own employees, such as personal information, but also information about various companies and individuals, such as business partners, subcontractors, and customers. Therefore, if this information is leaked illegally, the company may lose trust and may lead to a decrease in competitiveness and a decline in market position. As a result, it may become difficult for the business to continue.

From the above, it has been found that insufficient information security education can cause serious damage to companies. Therefore, companies need to conduct sufficient information security education and minimize risks.

We have explained the overview and significance of information security education so far, but what steps should be taken when actually conducting it in a company? We will explain it with specific steps.

〈STEP.1〉Clarify the educational content and theme
First, let's clarify what we want to learn through education. When doing so, it is recommended to set specific themes rather than broad topics such as "general information security". Even if it is necessary to explain a wide range of knowledge, it is recommended to divide it by theme.
Example: "Points to note when sending and receiving emails", "Points to note when sharing files with external parties", "Security risks in teleworking"

〈STEP.2〉Selecting the Target Audience for Education
Once the content and theme of the education have been determined, it is important to select the target audience. For example, will all employees be targeted, or will it be limited to specific departments or branches? By setting a scope, the education can be more targeted and practical. Additionally, designating a person in charge for each target audience will make the operation smoother after the education has started.

〈STEP.3〉Consider the frequency and timing of education implementation
Consider the frequency and timing of education implementation beforehand and incorporate it into your schedule so that it can be implemented as part of your work.

(Frequency Example) Every April, once every quarter... etc.
(Timing Example) When joining the company, when an accident occurs at a competitor, when there is a change in internal rules... etc.

〈STEP.4〉Consider methods for implementing education
Next, let's consider methods for implementing education. There are four common methods that can be used:

(1) e-Learning
By utilizing the e-learning systems provided by various companies, high-quality education can be easily implemented and progress can be easily managed. However, internet access is required.

(2) In-house training (group training)
High degree of freedom, such as being able to implement with our own unique content. Costs such as distribution/projection materials, venue arrangements and preparations, and transportation of participants are required.

(3) External Seminars (Group Training)
Deep knowledge can be obtained as experts in the field provide explanations. There may be fees for attending and transportation.

(4) Video materials such as DVDs
Can be used repeatedly and in some cases, can also be duplicated. However, not suitable for fields with high frequency of updates.

Creating and Arranging Materials
Once you have decided on the method of implementation, let's create or arrange materials that are suitable for it.
If you are using existing materials such as e-learning or DVDs, there is no need to create them, but in the field of information security where things are constantly changing, it is important to choose materials that reflect the latest information. When creating materials in-house, be sure to include practical examples and scenarios in addition to theoretical concepts, and be conscious of promoting employees' understanding.

〈STEP.6〉Implementation of Education
Once you have completed the preparations, it is time to implement the education. Use the prepared materials to spread knowledge of information security to employees.

〈STEP.7〉Measure the educational effect and make improvements if necessary
When implementing education, conduct tests, interviews with employees (learners), and surveys to measure how well they understand. Based on the results, evaluate the educational effect and make improvements to the materials if necessary. It is also important to provide support, such as re-education, for employees with low test scores.

In the previous chapter, we introduced four methods for implementing information security education in Learning Designer STEP.4. Among them, we highly recommend e-learning.

E-learning, which allows learning regardless of time and location, has the advantage of being easy for employees to learn and for administrators to centrally manage learning progress and feedback. In addition, it is attractive to be able to acquire knowledge of information security while enjoying interactive elements such as videos and quizzes.

In such e-learning education, in addition to using existing materials, there is also a method of creating original materials in-house. With original materials, it is possible to provide materials that are more unique and highly relevant to employees (learners), which can also be expected to have a high appeal.
Here, we will introduce the method of creating e-learning materials for information security education.

〈Method for Creating Teaching Materials 1〉Creating with Power Point
When creating e-learning materials, Power Point is one of the most convenient methods. The period from creating the manuscript to delivery is relatively short, and by utilizing existing assets (such as materials for group training), it is possible to create teaching materials more efficiently. Therefore, it is suitable for materials with high update frequency, such as information security.

〈How to Create Teaching Materials.2〉Creating with e-Learning Authoring Tools
e-Learning authoring tools are tools that allow you to easily create interactive teaching materials by combining various media such as text, images, audio, and video. Even without knowledge of programming, it is possible to create high-quality materials by utilizing the functions. Some examples of e-Learning authoring tools include "iSpring Suite," an add-in software for Power Point, and "Vyond," which specializes in animation.
＞ iSpring Sales
＞ Vyond (Animation Production) Sales

〈How to Create Learning Materials.3〉Outsourcing to Professionals
This is a method of ordering custom-made e-learning materials from vendors (sales companies) that provide e-learning materials. One of the major benefits is that you can create your own unique materials from scratch with the support of professionals. Of course, it is possible to prepare materials in-house using the Power Point and e-learning creation tools introduced above. However, even if it is only part of the process or materials, by utilizing external resources, you can efficiently create higher quality materials.

When creating e-learning materials, consider the following points:

① What kind of tools will be used?
② Will it be created in-house or outsourced?
③ File format (PowerPoint, video, animation)

Let's make the best choice that matches the completed image of the teaching materials and various conditions. If you are unsure about your choice, it is also recommended to consult with the vendor and receive advice.
＞ e-Learning Material Production

In today's digital environment, there is always a risk of cyber attacks and data leaks. In order to protect companies from these threats, it is important for each employee to enhance their security literacy and information security education is essential.

If you are unsure about what kind of education to provide or have concerns about the appropriateness of the teaching materials, why not consult with a vendor who has specialized knowledge?

At Human Science, we not only provide various advice on e-learning, but also offer total support for planning, designing, and creating materials for e-learning. Additionally, we also offer an e-learning course on "Information Security Basics".

"Information Security Fundamentals Course" introduces specific and easy-to-understand points to be aware of when using computers and smartphones for work, such as updating software and using free Wi-Fi. It covers general content that is not limited to any particular industry, making it widely applicable.

For more information, please refer to Human Science Co., Ltd.'s e-learning site.
＞ e-learning material "Information Security Fundamentals Course"