We use cookies to collect anonymous data to help us improve your site browsing experience.

Click 'Accept all cookies' to agree to all cookies that collect anonymous data. To only allow the cookies that make the site work, click 'Use essential cookies only.' Visit 'Set cookie preferences' to control specific cookies.

Set cookie preferences

Your cookie preferences have been saved. You can change your cookie settings at any time.

Publication - FOI/EIR release

Cyber-security within Scottish Government: FOI release

Published
12 August 2021
Directorate
Digital Directorate
Part of
Public sector, Work and skills
FOI reference
FOI/202100223378
Date received
14 July 2021
Date responded
9 August 2021

Information request and response under the Freedom of Information (Scotland) Act 2002

Information requested

1. Does the organisation provide employees with a cyber-security awareness programme?

  • If yes, what methods of cyber-security awareness are used?
  • If no, is this something that the organisation would consider?

2. How is the effectiveness of cyber-security awareness measured within the organisation?

  • If it isn’t measured, is there a plan to measure in future? How?

3. Is there buy-in and support from top level management for security awareness?

4. Do you utilise phishing simulation software to test employee’s cyber-security awareness towards phishing emails?

5. How many phishing attempts have the organisation received in the last year?

  • Has there been an increase due to the coronavirus pandemic?

Response

1. Yes, this is provided through face to face (pre-pandemic) and remote learning sessions and online tools.

2. Effectiveness of awareness education is gauged by direct measures (the gathering of metrics from feedback forms and questionnaires) as well as indirect measures (impact on behaviours as observed at an individual and organisational level).

3. The security awareness programme is sponsored and reviewed at Director General level.

4. Yes

5. While our aim is to provide information whenever possible, in this instance an exemption under section 30(c) of FOISA (prejudice to effective conduct of public affairs) applies to your request. Disclosing this information would substantially prejudice our ability to carry out the effective
conduct of public affairs.

Providing details about the information you have requested into the public domain could subsequently be used by threat actors, taking into consideration both the external and insider threat, to evade any controls we might or might not have in place. This could therefore enable them to target specific types of attack or data exfiltration methods and would constitute substantial prejudice to the effective conduct of public affairs.

About FOI
The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Enquiry Unit
Email: ceu@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrews House
Regent Road
Edinburgh
EH1 3DG

Back to top