
It has been claimed that "the weakest factor in security is the humans". Unfortunately this is a weak link we cannot cut away, so we have to deal with it.

I need ideas to help build inherent security awareness in an organization. I had a few ideas myself:

  • All clients have a mandatory screensaver which displays statements like "Remember to lock your PC", "Always wear a visible badge", "Do not let anyone follow you into a locked door without asking them for a valid key card".
  • Send SANS Ouch! newsletter to everyone.
  • Quiz people in security awareness annually.
  • Present the OWASP Top 10 to relevant personnel, e.g. developers.

What are your ideas for building security awareness?

schroeder
Chris Dale
  • Check [this](http://security.stackexchange.com/questions/5906/how-to-write-an-email-regarding-it-security-that-will-be-read-and-not-ignored-b) question, you might find it useful. – StupidOne Aug 13 '12 at 13:33
  • Other related questions: [How do I educate others about social engineering?](https://security.stackexchange.com/q/47314/32746), [End user security awareness measurement](https://security.stackexchange.com/q/74194/32746) – WhiteWinterWolf Jul 18 '17 at 16:26

3 Answers


Love the suggestions you gave so far, I'll be keeping them in mind for future reference!

My #1 suggestion would be to attack your own employees. I don't mean you should run around with an axe all "Here's Johnny!" style, screaming at people about proper security practice, but rather stage cyber-attacks and judge their responses, then explain to them what they did right / wrong. People learn through experience much better than they learn through reading an email.

One of the easiest and most effective methods to try is an external website containing a login screen, with the company logo. Send out emails to employees from an external account, claiming to be the sysadmin, saying you've got a new staff portal. Every time a user logs in, have it direct to a page explaining what they just fell for and how they can recognise it in future. Include your phone number and email address in case the user wants to know more. Every time a user calls you up to ask if it's safe, or to report it as a security issue, tell them they did the right thing and make sure their line manager is aware of their success.

Next one to try is a more direct one. Send out an email (again, from an external mailbox) saying that the database is having problems and you've got to re-enter everyone's passwords. Ask them to send their passwords to a "secure password update mailbox", and wait. Every time someone sends a password, explain to them that they just fell for a phishing attack. Downside of this attack is that you'll have to reset a lot of people's passwords!

Just one word of advice: get authorisation to do this before you start the project! ;)

Polynomial
  • I'm aware of Theory X and Theory Y business psychology. In fact, it's the basis for this answer - I'm talking about giving positive feedback, not negative. You phish the users as an eye-opening tactic, then explain what they did wrong. Part of the exercise is to explain to the user that they didn't *fail*, they just didn't *know*. No negative feedback is given. However, if a user responds properly, then you provide positive feedback to their line manager, so they know they did a good job. – Polynomial Aug 13 '12 at 14:03
  • I also agree that it cannot be a punitive approach, but an arena where employees get to make mistakes safely. Positive feedback is key. – schroeder Aug 13 '12 at 14:27

At the company I currently work for, they invest in user education through many avenues. There are online games with prizes (think iPads), required education materials that have to be taken every six months, and regular emails regarding security (including stories of breaches from news agencies).

All of these tend to keep the employees pretty well-educated. The most important key is the amicability of the IT department. Never are the end-users told "A Security Breach Will Mean Your Job!", but rather "If something happens, please let us know so we can quickly handle the situation."

This mindset keeps the end-users from being afraid to report security breaches. Since it's not a scary topic they are more willing to discuss security with their peers, and inform IT when they see what they think might be a security breach. While most all of these aren't actual breaches, it's worth digging through them to find the one or two that could have been catastrophic.

SamuelWarren

Most IT departments and by extension many Security teams have a major branding and marketing problem when it comes to security awareness and training.

It matters as much how you say something as it does what you say.

Also keep in mind, as other responders have alluded to, Awareness is not the same as Training and we should always remember that they go hand-in-hand.

I think it's important to first start with a strategy in mind of how you plan to connect with your target audience, who that target audience is, and what types of information they may or may not be receptive to.

From there, I think it's important that when you're creating or conducting security awareness and training you have a few core values or pillars front of mind. The reason this is important is because you always want to be consistent with your message. When you deviate or spread random ideas you find on the internet, that leads to misinformation, which leads to confusion, which leads to your messaging not maintaining consistency with what is actually important for your audience.

For me those pillars are:

  1. Vigilance - This is emphasized by using consistent and recurring themes of reminding end users to always have a little bit of skepticism in the back of their mind when they are using the internet, email, etc.

  2. Speed of Reporting - This is maybe the most important pillar in my opinion. I always stress, in everything I send out and piece of content I create, that it's vitally important that end users alert IT/Security/etc., of any suspicious emails, websites they may have visited, behavior in the office. Anything that looks or sounds or appears like it might be nefarious or suspicious, to please report it immediately.

  3. Caution when Clicking - This is the common sense pillar you hear all over the industry. Think before you click, etc, etc. While tacky or cliche, it's solid advice. Encourage and reinforce with end users to take a few seconds and analyze the context surrounding that email or that link or that attachment or whatever the situation may be. Another good term for this might be situational awareness. Taken out of context a link in an email to reset your email password might seem benign. Until you realize it was sent from .

When I'm creating content, talking about security with end users, performing assessments or testing, I always, always think about how my messaging is conveying these 3 things first.

Lastly, I think it's important to think about Security Awareness like a brand, or in the eyes of a media company. Newsletters and email blasts get boring. It's important to consider, like I said above, how you are communicating just as much as what you are saying.

techspence