Holistic approach to information security Mainzer Stadtwerke Gruppe

Success Story

Mainzer Stadtwerke is the service provider for the electricity, water, and gas supply of the city of Mainz. The transport company department is also responsible for the city’s public transport. These basic services are an important part of a city or municipality. Mainzer Stadtwerke has been using the services of TreeSolution for several years and has been training its employees with various e-learning courses.

  • People trained: 1500
  • Language: German
  • Region: City of Mainz in Germany
  • Duration: Ongoing since 2017
  • Services: Awareness strategy, surveys with the Security Awareness Radar®, e-learning, individually developed training courses.

Security awareness strategy

At the beginning of the collaboration. The strategy serves as a starting point for the design, development, and implementation of effective and targeted awareness programs through to the evaluation of the programs.

Security awareness survey

At the beginning of the collaboration.

Awareness training topics

Use of the entire TreeSolution topic portfolio. Creation of specific courses in the area of project procurement, performance accountability and various compliance topics.

Step by step towards a security culture

To start, a specific awareness strategy was created as the basis for collaboration. This strategy is the ongoing reference for information security actions and ensures an efficient and goal-oriented approach. The strategy also makes a fundamental contribution to fostering a security culture.

At the beginning of the collaboration, the Security Awareness Radar® was used to measure the current status of the information security culture in the entire Mainzer Stadtwerke group. The result was targeted employee training. Existing e-learnings in all the subject areas meant that training was already available for the priority topics. Additional e-learning courses were developed especially for the requirements of Mainzer Stadtwerke and for optimal integration of the company's specific user guidelines into the training material.

Implementation goals

Since the Mainzer Stadtwerke group is part of the critical infrastructure, it has a legal obligation to meet requirements in the areas of corporate governance, data protection and IT security law, and aspects of criminal law. Furthermore, the normative requirements DIN ISO/IEC 27001 and DIN ISO/IEC 27002 must be included in the planning and implementation.

The awareness strategy that was created contains detailed instructions, which can be used as a starting point for the design, development, and implementation of effective and targeted awareness programs through to the evaluation of the programs. It refers to the legal and regulatory requirements and provides a basis for fulfilling them.

To build a security culture that is part of everyday work life, all employees should take responsibility for security in their working environment and act appropriately when handling data and information.

Collaboration content

Areas of collaboration between Mainzer Stadtwerke and TreeSolution included the following:

  • Analysis of the company's initial situation and inventory for the further development of strategic measures.
  • Creation of an awareness strategy to strengthen security awareness in culture and behavior.
  • Implementation of an accurate and detailed measurement with the Security Awareness Radar®.
  • Evaluation of the results of the measurement after considering the awareness, behavior, and culture of the company.
  • Introduction of the first e-learning courses for the targeted increase of employee awareness.
  • Additional development of individual e-learnings for direct training of the user guidelines in the company.
  • Each year, targeted training courses can be carried out in security-relevant areas.

Results and benefits for Mainzer Stadtwerke

A holistic approach was taken in the support for the creation of the information security management system (ISMS) and the security program. Output included a comprehensive document on which the training courses could be based. The document serves as the basis for the security culture and to promote the “human firewall.”

The results of the Security Awareness Radar® provided a detailed picture of information security and security awareness among employees. It became apparent which topics and target groups had to be given priority training in order to increase security awareness in the company and to anchor information security in the corporate culture. This knowledge was incorporated into the information security strategy and training material.

The provision of the training material by TreeSolution allowed demands on the scarce time resources of Mainzer Stadtwerke to be kept to a minimum.

Alternative solutions had to be found for the training of employees who did not have access to a PC. This challenge was also mastered, resulting in optimal training of these employees and their inclusion in the measurement survey.

The extensive training material consisting of more than 15 topics enabled in-depth training of the employees. Through additional, individually created modules specific to Mainzer Stadtwerke, topics could be presented to the employees in an even more targeted manner, thus further reducing the risks.

The training and measures were well received by the employees and could be implemented and applied in everyday work. As an employee put it in the measurement survey:

“I consider regular training/instructions on security, like those for occupational safety and fire protection instructions, as necessary to stay up-to-date and to provide all those involved with comprehensive information.”
Mainzer Stadtwerke Employee

Employees must complete refresher courses every year, with new topics being added regularly. New employees are also given extensive training at the start of their employment.

The training actions based on the overall program can also be used as proof for ISO certification and annual recertification.

All measures planned and implemented to date promote a security-conscious corporate culture and thus contribute to the “human firewall.” Through holistic and continuous training over a longer period of time, knowledge about information security is constantly expanded and strengthened in the security culture.

The next steps

The training material is regularly updated to keep it current and is expanded with additional training courses.

In the future, suppliers are also to be included in the training courses, and another survey is to be carried out using the Security Awareness Radar®.
