Part 1 : STRATEGIC :
Why DO we care?? What is YOUR critical message? And WHO do you need to reach?
I'll try and give you some pointers and ideas for where to look and how to figure that out for your constituents and your institution.
Part 2 : TACTICAL :
"Who" delivers the message
"How" : effective methods for outreach, delivery, and determining effectiveness
"What" : are some of the essential awareness topics to consider
Why are we COMPELLED to provide Security Awareness training? WHAT is our MOTIVATION??
... it is not hunger (although cookies can be a persuasive motivator).
Fear comes in many forms, it affects people differently, and it causes people to respond.
It is a spectacularly effective motivator (as history perpetually proves...).
So : what are your Info Security fears? Your boss's, your students', or your friends' fears? Or your Uncle Bob : what are his fears?
Think strategic level : C Levels have "big picture" fears :
Compliance with :
  Governance policies
  Laws and regulations
Control : "Information Is POWER!" -- actually, the FLOW of information is Power, and that's what you need to control...
  the full InfoSec CIA spectrum : Confidentiality, Integrity, and Availability of information flow, as it shapes perception and reputation
What DO users fear?
How are staff fears different from student fears? And what do faculty fear? When I ask this question, frequently the answer is : fear of being electronically violated : computer compromised, information stolen.
If you find out their fears, and your awareness program addresses them, people will come and they will listen!
What do YOU fear? I fear failure, or the consequences to others if I fail. OK, let's just say that LOTS of things scare me.
Use FEAR, but use it WISELY!
This is a classic personal safety training concept : convert their fears into "situational awareness,"
and then give them the tools to respond when crap happens. THAT is what your Awareness Program should strive to do!
In the past, my experience with Info Sec awareness education and training has been both REACTIONARY and AD HOC.
That's not bad... it is always good to take advantage of adversity.
But it has NOT been comprehensively planned and well designed to meet the STRATEGIC info security needs of the institution and of our constituents.
SO : { What are our institutional needs?
ARE our efforts meeting those needs? Or the needs of our constituents? }
And the harder question : How do we know if they are? Are there metrics or methods for assessing the effectiveness of our Awareness Education and Training efforts?
I invite you to make the conscious effort to look at your "Security Awareness Program" in the broader context of the overall security needs and security profile of the institution,
so that your efforts and your program most effectively align with those critical needs.
One way to do this : Look at your Comprehensive Written Information Security Program :
You have one, right? (Hope it's not like my old one : "write once, read never".) Lots of legal and regulatory mandates require one, so put it to use!
Take your control structure, and look at each domain group :
Note : regardless of what security control solutions you implement here, be it firewall rules, change management process, access control settings, door locks, heat sensors, security cameras, phish mail blocks, vulnerability scan alerts, you name it... in the end, there is a HUMAN involved in managing, maintaining, or monitoring those controls...
... because PEOPLE are the weakest link in any security environment :
When you look at the security walls we create with our breadth of controls and barriers, what is the universal solvent to ALL of these security control walls and barriers? It's HUMANS!!!
NB: the distinction between "AWARENESS Education" and "TRAINING" : ultimately, the goal of both is changing human behavior.
Awareness : bring issues to people that they ought to know or that would benefit them to know, but there is no imperative that they know it;
e.g., if a student's hard drive crashes, it would be good if they knew to make a backup beforehand.
Training : provides knowledge that we require people to know and abide by, such as policy compliance or safe classified data handling;
there may be externally imposed consequences for failure to abide, and there should be a means in place to verify that users have understood the training material. This could be as simple as an AUP "click through," up to requiring that an employee become "certified" for specific training and knowledge.
... or, coming down to ground level from 30,000 feet... Two approaches I am currently working on are :
(1) Using the security framework sub-domains, extracting awareness and training topics and mapping them to key constituency groups.
    (A) Target awareness education and training at the domains where the risk profile is highest, or where you'll get the most risk mitigation benefit for your efforts.
(2) Compiling a comprehensive list of policy and regulatory compliance mandates, and again extracting awareness and training topics and mapping them to key constituency groups.
My task for this part of the day : provide some review of the day's presentations, and perhaps a few additional bits to get your thoughts and questions ready for the panel discussion.
I was told I should "pull everyone and everything back together".
So, everyone, please pull yourselves and your notes from the day together while I distract you with a few more slides...
IT Staff : includes :
User Support Services / Help desk
Academic support staff
yes, even occasionally, technical staff, including the SNS admins from the dark dungeons of the data center
Departmental staff :
target technophile department liaisons, keep them engaged, feed them the Kool-aid
Student workers & student groups :
They've got energy, and they hear what's going on in that large target community
Commiserating peers from surrounding institutions
END POINT SECURITY : BEST PRACTICES
**** A dynamic domain, as the variety and number of networkable devices grows.
Secure Communications :
Client protection :
OS & SW updates and security patches
AV, malware, spyware, ransomware, etc. protection
Data protection :
local encryption
Your password, to quote Gandalf in The Fellowship of the Ring : "Is it secret? Is it safe?"
Don't forget, AWARENESS IS GOOD FOR EVERYONE -- not just your institution!
Possible canned speech topics :
ITSec in one sentence?
client security in a nutshell
safe web best practices in a nutshell
Top three IS issues
You should explore ways to measure the EFFECTIVENESS of your educational and training efforts.
NB: The last bullet item could either be from successful C-Level awareness proselytizing, or from money laundering, so just watch out for that.
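One concrete way to measure effectiveness, added here as an example and not part of the original talk: run the same simulated-phish campaign before and after a training push, then compare click rate and report rate per constituency group, and only count a drop in clicks as real when the confidence intervals do not overlap. The campaign numbers below are constructed for illustration; the group and campaign names are assumptions, not anything the talk specifies.

```python
"""Phishing-simulation metrics for judging awareness-training effectiveness.

Added example, not from the original talk. Input is constructed aggregate
data; replace CAMPAIGNS with an export from your own phishing tool.
"""
from math import sqrt

# Constructed (hypothetical) campaign results: one entry per constituency
# group and campaign, counting simulated phishes sent, links clicked, and
# messages reported to the help desk. "pre" ran before training, "post" after.
CAMPAIGNS = [
    # group,     campaign, sent, clicked, reported
    ("staff",    "pre",    200,   48,      20),
    ("staff",    "post",   200,   22,      71),
    ("faculty",  "pre",    100,   30,      10),
    ("faculty",  "post",   100,   12,      35),
    ("students", "pre",    300,   90,      15),
    ("students", "post",   300,   84,      18),
]

Z95 = 1.96  # z value for a 95% confidence interval


def wilson_interval(successes, n, z=Z95):
    """Wilson score interval for a proportion. Unlike p +/- z*sqrt(p(1-p)/n)
    it behaves sensibly for small n and for rates near 0 or 1."""
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def by_group(campaigns):
    """Index rows as {group: {campaign: (sent, clicked, reported)}}."""
    out = {}
    for group, campaign, sent, clicked, reported in campaigns:
        out.setdefault(group, {})[campaign] = (sent, clicked, reported)
    return out


def group_metrics(pre, post):
    """Compare one group's pre- and post-training campaigns."""
    sent0, clk0, rep0 = pre
    sent1, clk1, rep1 = post
    lo0, _ = wilson_interval(clk0, sent0)
    _, hi1 = wilson_interval(clk1, sent1)
    return {
        "click_rate_pre": clk0 / sent0,
        "click_rate_post": clk1 / sent1,
        "report_rate_pre": rep0 / sent0,
        "report_rate_post": rep1 / sent1,
        # Post-training upper bound below pre-training lower bound:
        # the drop in clicks is unlikely to be sampling noise.
        "click_drop_significant": hi1 < lo0,
    }


def evaluate(campaigns, pre="pre", post="post"):
    """Return ({group: metrics}, groups needing another training pass).

    A group needs more work when its click rate did not drop significantly,
    or when its report rate did not rise: users who report phish are the
    detection signal the program is actually trying to create."""
    results = {}
    needs_work = []
    for group, runs in by_group(campaigns).items():
        if pre not in runs or post not in runs:
            continue  # cannot compare without both campaigns
        m = group_metrics(runs[pre], runs[post])
        results[group] = m
        if not m["click_drop_significant"] or m["report_rate_post"] <= m["report_rate_pre"]:
            needs_work.append(group)
    return results, needs_work


if __name__ == "__main__":
    results, needs_work = evaluate(CAMPAIGNS)
    for group, m in results.items():
        print(f"{group:9s} click {m['click_rate_pre']:.0%} -> {m['click_rate_post']:.0%}  "
              f"report {m['report_rate_pre']:.0%} -> {m['report_rate_post']:.0%}  "
              f"significant={m['click_drop_significant']}")
    print("groups needing another training pass:", needs_work)
```

With the constructed numbers, staff and faculty show a real drop in clicks and a jump in reports, while the student click rate moves from 30% to 28%, which is inside the noise for 300 recipients, so that group is flagged for another pass. The same per-group split is what lets you tie the metric back to the constituency mapping from the strategic part of the talk.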
Possible training and awareness resources :
EDUCAUSE training materials
SANS training resources
lynda.com
other .edu training options that can be obtained