Security Awareness Training

29  Download (0)

Full text


Security Awareness


The Importance of Information Security and Privacy Literacy

 Dennis Devlin, CISO, Brandeis University


 Background about Brandeis and higher education

 Our collective information security challenge

 Two guiding principles

 Four stages of competence

 Some lessons learned about security training

 Summary and takeaways

 One more guiding principle

 Lively Q&A and discussion


 One of the youngest private research universities (1948), as well as only nonsectarian Jewish-sponsored college or university in the US

 Combines faculty and resources of a world-class research institution with the intimacy and personal attention of a

small liberal arts college

 Operates open, enterprise-class educational and research network with redundant Internet and Internet2 connectivity

 235 acre campus of 100 academic and residential buildings  800 miles of optical cable supporting data network and VOIP

 3,200 undergraduates, 2,100 graduate students, 15,000 accounts


 Both are vulnerable to similar information

security and privacy risks:

– Regulations, Revenues, Reputation, ROI

– All computing doesn’t happen on your campus

 However, in addition:

– University networks are open, allow by default, deny by exception, often expose public IP addresses

– Large segments of the population change 1-2x per year like cruise passengers board and disembark – Budgets are even more limited than Fortune 500


 Internet-based learning, teaching, and scholarship are not limited to

classrooms and laboratories anymore.

– It occurs in wireless hotspots, Internet cafés, hotels, hostels, off-campus residences, and any place where creative or critical thinking takes place.

 Effective information security must acknowledge this reality, and focus on people and process in addition to technology.

 Part of our job is to teach students, faculty, and staff to think like we think and learn to protect themselves.

– Safe computing in a hostile environment has become a critical

literacy for anyone who uses the Internet as an educational resource.


Causes of Information Loss


 If you think technology can solve your

security problems, then you don’t

understand the problems and you don’t

understand the technology.

Bruce Schneier

“Secrets and Lies”


 Wisdom is perishable. Unlike information

or knowledge, it cannot be stored in a

computer or recorded in a book. It expires

with each passing generation.

Sid Taylor

via librarianista


 Objective

– Secure Endpoints and Reduce Attack Surfaces

• People

• Devices and Workstations • Confidential Information

 Approach

– Play Lots of Away Games and Seize Teachable Moments

• Listen, hear, document, evangelize, help, refer, get well known • Learn leadership structure, security concerns, spans of control • Partner with Administration, Provost, Deans, HR, CFO, Legal, etc.

– Use New Laws and Regulations as Forcing Functions

 Educate (Why) as well as Train (How) about Information Security


 We all know what we want to teach

– Keep your computer updated with patches and AV – Use strong authentication and limit access by others – Delete or encrypt confidential personal information – Recognize and avoid social engineering scams

– Report information security incidents immediately – Understand and choose good privacy settings

– Back up your critical information – etc., etc. etc.


 The question is really how (and when)


 Learn and leverage leadership spans of control

– Educate about regulations, revenues, reputation, ROI – Help leaders define organization’s risk tolerance

– Policy is statement of management intent

 Form Information Security Advisory Council

 Play lots of away games

– Listen, help, document, evangelize, communicate – Accept every invitation to present security

 Learn the institutional calendar and life cycles

– What are the moments of truth when you can teach?


 Training cannot be just once or once per year

 Develop and use themes to maintain focus

– Digital Self-Defense

– Privacy is Your Business – Stop, Think, Click

– Digital is Forever

– See Something, Say Something

 Brand security training, information, alerts with a

theme to reinforce message and authenticate


 Students, faculty and staff work from home

– So do your employees and their families

 Make information security training materials

freely available to families, alumni, etc.

– Also leverage purchasing arrangements for low cost anti-virus, etc.

 Establish policy regarding what can be done

using home computers and what information can

be stored on personally owned devices


 There is no consistent Maginot Line separating

your constituents from the Internet anymore

– Members of your enterprise are not always connected to, or connecting through your protected network

– And your network needs to be open to do business

 The perimeter is now the person and the device

– PC’s, Macs, Linux, iPhones, iPads, PS3’s, Wii’s, …

 The Jericho Project had it right

– Every device needs to operate safely in any context – I would add every person needs to operate safely…


 Our first year it was

student bookmarks

– These are the five most important things we

wanted them to know – All of the risk/reward

benefits are stated in terms that matter to students (WIIFM)


 This is from a sample

slide used for students

– Employers check out information about job applicants online

– Images posted on the Internet are like tattoos – You only get one

chance to make a first impression…


 Information Security

Training Program(s)

– 19 versions in 3+ years – Key opportunities

• Semester start week • Employee onboarding • Help Desk employees • Systems administrators • Dormitory evenings

• Faculty meetings

• Departments with CPI


 Every interaction can be a teachable moment

– Help desk, orientations, refresher training, incidents

 Visit your constituents and learn first hand what

your people are doing with technology

– e.g., faculty using Internet café vs. VPN when away – e.g., workflows that move confidential information – You can’t be with them when they are away so use

the time when they’re on campus to teach

 Work to make it easier to do things securely

 Even your email signature can be a teaching aid


Dennis Devlin

Chief Information Security Officer

Brandeis University

(781)736-4560 (Office)

Brandeis will NEVER ask for your password via e-mail.

DO NOT reply to or click on links in suspicious e-mail.

Forward suspicious e-mail to


 We must teach people to think like we think

1. Every person and device is now a perimeter 2. The four stages of competence

3. The what vs. the how of security training

4. Leverage your leadership to get traction for training 5. Market information security each and every day

6. Promote security for both workplace and home

7. Individual responsibility is the key security message 8. Make material relevant to the intended audience

9. Seize moments of truth as teaching opportunities 10. Syndicate content to accommodate user preference


 None of us is as smart as all of us.

Ken Blanchard