What is Enterprise Security Architecture?
The alarming rate of cyberattacks on public and private sector organizations and government agencies worldwide makes it necessary to protect information technology (IT) systems, and the data within them, from intruders in today’s technologically interconnected and highly dependent work environments. Enterprise security architecture is a comprehensive plan that ensures the security of an organization’s information technology infrastructure and applications through preventive, detective, corrective, deterrent, and administrative controls (Ghaznavi-Zadeh, 2017).
Security Awareness and Training
Security awareness and training is an administrative control comprising the strategies an organization implements to prevent and mitigate user-related risks to its information systems, given that the human factor is the weakest link in securing an organization’s systems and network (Rege et al., 2020). Awareness and training therefore involve educating employees, third parties, and other stakeholders on how to protect information technology systems, data, people, assets, and services from external and internal threats.
Importance of Security Awareness and Training in the Design of an Enterprise Security Architecture
Awareness and training programs are critical in planning and designing an enterprise-wide security architecture. Current trends in cyberattacks show that cybercriminals have shifted from targeting information systems and networks directly to targeting the individuals who have access to these critical systems, using social engineering tactics such as phishing and whaling to steal credentials, identities, and personal details (Bhardwaj et al., 2021). This makes security awareness and training programs critical to maintaining the effectiveness of the “human firewall.” However, it is essential to note that even an efficient training and awareness program is grossly insufficient to compensate for the human errors expected to occur in the planning and implementation stages of an enterprise security architecture. Although an effective program significantly reduces human error by teaching users to identify potential security threats, humans will always be humans: fatigue, forgetfulness, and overwork can lead users to make errors that jeopardize the entire network, for instance with a single click on an email attachment (Rege et al., 2020). According to Kohn (2014), after attending a training session, employees tend to lose 50% of the information gathered during the training within one hour, 70% within twenty-four hours, and 90% within a week. As a result, a combination of technical, operational, and management controls that are detective, deterrent, corrective, and administrative in nature is critical to securing an enterprise architecture from external and internal cyber intrusion and from physical intrusion. Beyond technology-related controls, physical controls, which are often overlooked, are also crucial in securing an organization’s IT infrastructure.
It is therefore important to note that other preventive measures, such as vulnerability assessments, penetration testing, continuous monitoring, patch management, physical security, and effective security policies and procedures, are just as important as staff awareness and training (Jaf et al., 2018). However, business requirements, risks, and cost are the factors that drive the decision to complement technology controls with the “human firewall,” which includes adequately training users and security professionals to protect the enterprise architecture from physical and logical threats originating from internal and external sources.
References

Bhardwaj, A., Al-Turjman, F., Sapra, V., Kumar, M., & Stephan, T. (2021). Privacy-aware detection framework to mitigate new-age phishing attacks. Computers & Electrical Engineering, 96, 107546. https://doi.org/10.1016/j.compeleceng.2021.107546
Ghaznavi-Zadeh, R. (2017). Enterprise security architecture: A top-down approach. ISACA Journal, 4. https://www.isaca.org/resources/isaca-journal/issues/2017/volume-4/enterprise-security-architecturea-top-down-approach
Jaf, S., Ghafir, I., Prenosil, V., Saleem, J., Hammoudeh, M., Faour, H., … Baker, T. (2018). Security threats to critical infrastructure: The human factor. Journal of Supercomputing, 74(10), 4986–5002. https://doi.org/10.1007/s11227-018-2337-2
Kohn, A. (2014). Brain science: The forgetting curve – the dirty secret of corporate training. Learning Solutions. https://learningsolutionsmag.com/articles/1379/brain-science-the-forgetting-curvethe-dirty-secret-of-corporate-training
Rege, A., Nguyen, T., & Bleiman, R. (2020, August 1). A social engineering awareness and training workshop for STEM students and practitioners. 2020 IEEE Integrated STEM Education Conference (ISEC),