InfoSec Exam—Design and Development
Team work is involved in the design and development of each InfoSec
exam. The process begins with the establishment of a baseline for the
target audience.
To ols for on-line user registration, status process, and
compliance reporting are created by the Internal IT Development group
in consultation with the ISPP group. On-line registration requires each
user to read a condensed version of the company’s Information Security
Statement of Policy
and to electronically agree to comply with that
before the user can proceed with the exam.
The ISPP group also works with selected subject matter experts to
ensure accurate exam content and terminology. Different subject matter
experts are needed for each module of the exam. Each exam has several
modules, and at least three subject matter experts provide input for
each module.
Actual development of the InfoSec exam is contracted to a local
eLearning vendor. For an organization the size of Aetna, the ISPP group
found that it was more economical to pay for custom development than to
purchase a generic security exam. Off-the-shelf exams from security aware-
ness solution providers were estimated to cost between $4 and $12 per
The cost of customized development was determined to be less than
$2 per user
and allowed Aetna to capitalize on the availability of its sub-
ject matter experts and information security personnel. The ISPP group
worked with Human Performance Technologies in Farmington, Con-
necticut, for the development of its initial InfoSec exams (1999 through
2002), and then with its spin-off firm, Peak Performers in West Hartford,
Connecticut, for later versions of the exam. Each version of the exam
requires the team leader, technical writer, graphics designer, and application
programmer from the eLearning firm to develop the storyboard and code
the exam modules. This process can take up to two months to complete.
Once the prototype is developed, it undergoes usability testing by the
Human Factors Engineering group at Aetna. The purpose of usability
InfoSec Exam—Design and Development 201
38190_CH07_FINAL_.qxd 3/25/06 8:43 AM Page 201
testing is to ensure that the content of each module is acceptable to the
users and that the exam is easy to navigate. The Usability Lab is located
at Aetnas Hartford, Connecticut, headquarters. The ISPP group selects
users to participate in the testing drawn from a variety of work groups at
this same location. The users are chosen on the basis of their willingness
to participate and their level of technological capability. Most of the eight
to ten users who are selected have an entry-level understanding of com-
puters and tend to be uncomfortable with Web-based applications.
The Usability Lab is equipped with cameras that are focused on each
user’s face, keyboard, and monitor during testing.
After the test, which
takes about an hour to complete, the recordings are reviewed. Careful
attention is given to any changes in user facial expressions, particularly
those that indicate frustration or uncertainty, along with the parts of
the exam that prompted these changes.
Any necessary modifications to the modules are made by the
eLearning vendor, and then the InfoSec exam application code is turned
over to Aetnas Information Services group so that it can be embedded in
the infrastructure. The application code is linked to the employee data-
base so that each user’s exam registration and completion activity can be
monitored, and it is tested for quality assurance and stress performance
before it becomes operational. Quality assurance testing is done to ensure
that the code is compatible with user desktop configurations.
This testing
is designed to troubleshoot interoperability problems and to reduce the
number of individual calls for assistance when the users access the InfoSec
exam through their desktop machines. Stress testing is done to ensure
that the application code can function efficiently when a large volume of
users simultaneously attempt to access it. When the testing is complete,
the InfoSec exam is ready for enterprise implementation.
It takes approximately six months to design and develop each ver-
sion of the InfoSec exam. After six months of an exams operation, the
process begins again to design and develop the next version.
202 Case 7 Aetna
38190_CH07_FINAL_.qxd 3/25/06 8:43 AM Page 202

Get Information Security: Contemporary Cases now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.