Security Awareness
Training
The Importance of Information Security and Privacy Literacy
Dennis Devlin, CISO, Brandeis University
Background about Brandeis and higher education
Our collective information security challenge
Two guiding principles
Four stages of competence
Some lessons learned about security training
Summary and takeaways
One more guiding principle
Lively Q&A and discussion
One of the youngest private research universities (founded 1948), as well as the only nonsectarian Jewish-sponsored college or university in the US
Combines the faculty and resources of a world-class research institution with the intimacy and personal attention of a small liberal arts college
Operates an open, enterprise-class educational and research network with redundant Internet and Internet2 connectivity
235-acre campus of 100 academic and residential buildings
800 miles of optical cable supporting the data network and VoIP
3,200 undergraduates, 2,100 graduate students, 15,000 accounts
Universities and Fortune 500 enterprises alike are vulnerable to similar information security and privacy risks:
– Regulations, Revenues, Reputation, ROI
– All computing doesn’t happen on your campus
However, in addition:
– University networks are open: allow by default, deny by exception, and often expose public IP addresses
– Large segments of the population change 1-2x per year, like cruise passengers boarding and disembarking
– Budgets are even more limited than in the Fortune 500
Internet-based learning, teaching, and scholarship are not limited to classrooms and laboratories anymore.
– It occurs in wireless hotspots, Internet cafés, hotels, hostels, off-campus residences, and any place where creative or critical thinking takes place.
Effective information security must acknowledge this reality, and focus on people and process in addition to technology.
Part of our job is to teach students, faculty, and staff to think like we think and learn to protect themselves.
– Safe computing in a hostile environment has become a critical literacy for anyone who uses the Internet as an educational resource.
Causes of Information Loss
“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.”
– Bruce Schneier, “Secrets and Lies”
“Wisdom is perishable. Unlike information or knowledge, it cannot be stored in a computer or recorded in a book. It expires with each passing generation.”
– Sid Taylor, via librarianista
Objective
– Secure Endpoints and Reduce Attack Surfaces
• People
• Devices and Workstations
• Confidential Information
Approach
– Play Lots of Away Games and Seize Teachable Moments
• Listen, hear, document, evangelize, help, refer, get well known
• Learn leadership structure, security concerns, spans of control
• Partner with Administration, Provost, Deans, HR, CFO, Legal, etc.
– Use New Laws and Regulations as Forcing Functions
Educate (Why) as well as Train (How) about Information Security
We all know what we want to teach
– Keep your computer updated with patches and AV
– Use strong authentication and limit access by others
– Delete or encrypt confidential personal information
– Recognize and avoid social engineering scams
– Report information security incidents immediately
– Understand and choose good privacy settings
– Back up your critical information
– etc., etc., etc.
The question is really how (and when)
Learn and leverage leadership spans of control
– Educate about regulations, revenues, reputation, ROI
– Help leaders define the organization’s risk tolerance
– Policy is a statement of management intent
Form an Information Security Advisory Council
Play lots of away games
– Listen, help, document, evangelize, communicate
– Accept every invitation to present on security
Learn the institutional calendar and life cycles
– What are the moments of truth when you can teach?
Training cannot be just once or once per year
Develop and use themes to maintain focus
– Digital Self-Defense
– Privacy is Your Business
– Stop, Think, Click
– Digital is Forever
– See Something, Say Something
Brand security training, information, and alerts with a theme to reinforce the message and authenticate it
Students, faculty, and staff work from home
– So do your employees and their families
Make information security training materials freely available to families, alumni, etc.
– Also leverage purchasing arrangements for low-cost anti-virus, etc.
Establish policy regarding what can be done using home computers and what information can be stored on personally owned devices
There is no consistent Maginot Line separating your constituents from the Internet anymore
– Members of your enterprise are not always connected to, or connecting through, your protected network
– And your network needs to be open to do business
The perimeter is now the person and the device
– PCs, Macs, Linux, iPhones, iPads, PS3s, Wiis, …
The Jericho Project had it right
– Every device needs to operate safely in any context
– I would add: every person needs to operate safely…
Our first year it was student bookmarks
– These are the five most important things we wanted them to know
– All of the risk/reward benefits are stated in terms that matter to students (WIIFM)
This is from a sample slide used for students
– Employers check out information about job applicants online
– Images posted on the Internet are like tattoos
– You only get one chance to make a first impression…
Information Security Training Program(s)
– 19 versions in 3+ years
– Key opportunities
• Semester start week
• Employee onboarding
• Help Desk employees
• Systems administrators
• Dormitory evenings
• Faculty meetings
• Departments with CPI
Every interaction can be a teachable moment
– Help desk, orientations, refresher training, incidents
Visit your constituents and learn first hand what your people are doing with technology
– e.g., faculty using an Internet café vs. VPN when away
– e.g., workflows that move confidential information
– You can’t be with them when they are away, so use the time when they’re on campus to teach
Work to make it easier to do things securely
Even your email signature can be a teaching aid
Dennis Devlin
Chief Information Security Officer
Brandeis University
(781)736-4560 (Office)
ddevlin@brandeis.edu
Brandeis will NEVER ask for your password via e-mail.
DO NOT reply to or click on links in suspicious e-mail.
Forward suspicious e-mail to security@brandeis.edu.
We must teach people to think like we think
1. Every person and device is now a perimeter
2. The four stages of competence
3. The what vs. the how of security training
4. Leverage your leadership to get traction for training
5. Market information security each and every day
6. Promote security for both workplace and home
7. Individual responsibility is the key security message
8. Make material relevant to the intended audience
9. Seize moments of truth as teaching opportunities
10. Syndicate content to accommodate user preference