Security Awareness 101 ……and Beyond
“Vision without action is only a dream. Action without vision is merely passing the time. Vision with action will change the world.” - Joel Barker
20th Annual Computer Security Applications Conference, December 6, 2004, Tucson, Arizona
Kelley Bogart
'The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.'
'The Coming Third Wave of Internet Attacks: The first wave of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and its meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems.
Amateurs hack systems, professionals hack people.'
A complementary team approach
National Institute for Standards and Technology
Identify program scope
Goals and objectives
Identify training staff and identify target audiences
Motivate management and employees
Administer the program
Maintain the program
Evaluate the program
NIST (1995, 1998)
Aims of the Program
Policies and procedures
Resources and Skills
Budget and Costs
Target Audience Groups
Management and Monitoring
Maintenance and transition
Sources of Material
Program methods and tools
Plan and major activities
Measuring the program
Cost benefit analysis
Appendix A – Target audience segments
Appendix B – Potential information, physical and personal security topics
Appendix C – Outline and timeline of program plan
Appendix D – Communication methods
and will make it happen
(Peter Senge, 1990)
Washington State anthropologist John Bodley defines culture as "shared, learned values, ideals, and behavior — a way of life."
behavior to note:
1. People’s behavior is based upon their principles and their values
2. An effective awareness program helps the workforce adopt the organization’s principles and values
3. A message is persuasive when the addresser selects information that the addressee perceives as relevant in terms of his or her values
Knowledge does not guarantee a change in behavior.
What are the fallacies of policy?
Your ideas for involvement?
Don’t wait until
P&P’s are done to
Security Awareness Program Purposes
Model 1 - The Security Awareness Program Flow
Security Advisory Group or Council
The beginning is the most important part of the work.
organization and its people.
• Culture is resilient, hard to change, and will revert to old habits if not steered by leadership.
attitudes, practices that govern how we live.
Due to the high cost of incidents, there is no way a pure production culture can be profitable to its fullest potential.
National Institute for Standards and Technology
The security process is more than the implementation of technologies
Redefinition of the corporate culture
Communication of management's message
Employee understanding of value of information
Employee understanding of importance of their actions to protect information
The scope of any Security Awareness campaign will reach all network users, beginning with senior department executives and working towards each and every member of the community.
Who are the members of your community?
Customizing the Message
Plan to address segmented groups with messages specifically designed for those areas.
UA Security Awareness Campaign
Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within our computer systems and throughout our organization. Therefore, it would be prudent to support the assets of our institution (information, physical, and personal) by trying to stop that from happening.
2004 Information Security Awareness Day
Current Security Events
UA Information Security Awareness Day Computer Security: What you need to know
2004 Information Security Brown Bag Series (.pdf)
Calendar of Campus Security Awareness Events
Security Awareness Presentations
Security Plan Information
Security Awareness Campaign Initiatives (.pdf)
Security Awareness Campaign Feedback Questionnaire
Evaluation Model (.pdf)
Send comments and suggestions to: Kelley Bogart, bogartk@u.arizona.edu, or call 626-8232
An attorney's advice and it's FREE!
A corporate attorney sent the following out to the employees in his company:
Information Protection Centre
Manitoba Information and Communications Technologies
Cal Poly Pomona University
University of Arizona
Layered Privacy Notices
A Coordinated Approach
Staff Meeting Invitation
Videos and Poster
Group 1 Communicates bottom line cost advantages, business survivability, effects to shareholder value, attacks on confidential data, and offsetting resulting litigation.
Group 2 Technical staff should have a focus on individual verification procedures, and features and attributes of software programs that can support increased security.
Group 3 Non-technical overview of what security is and why it is important. Include the elements of security, the threats to security, and the countermeasures; company policies and procedures should lend insight into and support for the countermeasures.
Is hard……times 20!
Perfection is boring and gets in the way of
Is where continuous improvement starts.
Communication and Marketing
You can never over-communicate
during times of change.
If we are required to assess change in behavior by virtue of how long a person sits in a seat……………
we are focusing on the wrong end of the person.
4. Conduct “spot checks” of user behavior. This may include walking through the office checking if workstations are logged in while unattended or if sensitive media are not adequately protected.
5. If delivering awareness material via computer-based delivery, such as loading it on the organization’s intranet, record student names and completion status. On a periodic basis, check to see who has reviewed the material. One could also send a targeted questionnaire to those who have completed the online material.
6. Have the system manager run a password-cracking program against the employees' passwords. If this is done, consider running the program on a stand-alone computer and not installing it on the network. Usually, it is not necessary or desirable to install this type of software on one's network server. Beware of some free password-cracking programs available from the Internet, because they may contain malicious code that will export one's password list to a waiting hacker.
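The periodic completion check in step 5, as an added example that is not material from the presentation or from NIST: a small Python script that compares a staff roster against the intranet's completion records, flags people who never reviewed the material or whose review is older than the refresh window, reports coverage per department, and lists who should receive the targeted questionnaire and who should receive a reminder. The roster, department names, completion dates and the one-year refresh window are constructed sample values, not data from the campaign.

```python
"""Periodic review of awareness-material completion (added example;
roster, departments and dates are constructed sample data)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed roster: everyone who is required to review the material,
# mapped to their department so coverage can be reported per group.
ROSTER = {
    "alice": "Finance",
    "bob": "Finance",
    "carol": "IT",
    "dave": "IT",
    "erin": "Registrar",
}

# Constructed completion log, as an intranet course page would record it:
# (user, date completed). Users with no entry never finished.
COMPLETIONS = [
    ("alice", date(2004, 9, 14)),
    ("carol", date(2004, 11, 2)),
    ("dave", date(2003, 12, 1)),   # finished last year, now outside the window
    ("zed", date(2004, 5, 3)),     # not on the roster (departed staff); ignored
]


@dataclass
class ReviewReport:
    complete: list = field(default_factory=list)   # reviewed inside the window
    stale: list = field(default_factory=list)      # reviewed, but before the cutoff
    never: list = field(default_factory=list)      # no completion record at all
    rate_by_dept: dict = field(default_factory=dict)  # department -> fraction current


def build_report(roster, completions, as_of, window_days=365):
    """Classify every roster member for a periodic check. A completion
    older than window_days counts as stale and needs a refresher."""
    cutoff = as_of - timedelta(days=window_days)

    # Keep only the most recent completion per rostered user.
    latest = {}
    for user, when in completions:
        if user not in roster:
            continue  # not required to complete: do not count toward coverage
        if user not in latest or when > latest[user]:
            latest[user] = when

    report = ReviewReport()
    for user in sorted(roster):
        if user not in latest:
            report.never.append(user)
        elif latest[user] < cutoff:
            report.stale.append(user)
        else:
            report.complete.append(user)

    # Coverage per department: share of members whose review is current.
    for dept in set(roster.values()):
        members = [u for u, d in roster.items() if d == dept]
        current = [u for u in members if u in report.complete]
        report.rate_by_dept[dept] = len(current) / len(members)
    return report


def questionnaire_targets(report):
    """Only people who actually reviewed the material within the window
    get the targeted follow-up questionnaire."""
    return list(report.complete)


def reminder_targets(report):
    """Everyone who never completed the material, then those whose
    completion has gone stale, get a reminder."""
    return report.never + report.stale


def sample_report():
    """Run the check against the constructed data as of the conference date."""
    return build_report(ROSTER, COMPLETIONS, as_of=date(2004, 12, 6))


if __name__ == "__main__":
    r = sample_report()
    print("current:", r.complete)
    print("stale:", r.stale)
    print("never:", r.never)
    print("questionnaire to:", questionnaire_targets(r))
    print("reminder to:", reminder_targets(r))
    for dept, frac in sorted(r.rate_by_dept.items()):
        print(f"{dept}: {frac:.0%} current")
```

Feeding the script a roster export and the intranet's completion log in place of the constructed data gives the periodic "who has reviewed the material" check from step 5; the per-department rate is the figure worth tracking over time, since a single campus-wide percentage hides the groups the program is not reaching.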
Where is your Organization?
Three necessary components to develop security habits
(What to do)
(How to do)
(Want to do)
The beginning is the most important part of the work.
We End Where We Began
Keep chasing the dog, or fence it in?