Security Awareness - The Information Warfare Site

Security Awareness 101
……and Beyond
“Vision without action is only a dream
Action without vision is merely passing the time
Vision with action will change the world.”
- Joel Barker
20th Annual
Computer Security Applications Conference
December 6, 2004
Tucson, Arizona
Kelley Bogart
Melissa Guenther
1
'The methods that will most effectively minimize
the ability of intruders to compromise
information security are comprehensive user
training and education. Enacting policies and
procedures simply won't suffice. Even with
oversight the policies and procedures may not
be effective: my access to Motorola, Nokia,
ATT, Sun depended upon the willingness of
people to bypass policies and procedures that
were in place for years before I compromised
them successfully.'
Kevin Mitnick
2
'The Coming Third Wave of Internet Attacks: The first wave
of attacks targeted the physical electronics. The second
wave - syntactic attacks - targets the network's
operating logic. The coming third wave of attacks - semantic attacks - will target data and its meaning. This
includes fake press releases, false rumors, manipulated
databases. The most severe semantic attacks will be
against automatic systems, such as intelligent agents,
remote-control devices, etc., that rigidly accept input
and have limited ability to evaluate. Semantic attacks are
much harder to defend against because they target
meaning rather than software flaws. They play on
security flaws in people, not in systems.
Always remember:
Amateurs hack systems, professionals hack people.'
Bruce Schneier
3
Introductions
A complementary team approach
• Ms. Kelley Bogart – University of Arizona, Information Security Coordinator in the University's Business Continuity and Information Security Office.
– Initial work was dedicated to policy and best practices related to Business Continuity and Information Security topics.
– The last two years have been dedicated to developing and implementing a Campus Security Awareness Campaign.
– Received international recognition.
– Appointed Co-Chair of the EDUCAUSE Security Awareness Task Force, an international group that focuses on IT issues and solutions specific to academia and works directly with the National Cyber Security Alliance with regard to Security Awareness.
– She is currently working on a partnership agreement with Arizona Homeland Security to use UA's Awareness Campaign for a Statewide Awareness Campaign Initiative.
• Ms. Melissa Guenther – Advisor to Phoenix InfraGard and Security Awareness Consultant
– Assists teams in creating blueprints and designing interventions for change, primarily in the
Security Awareness area.
– Clients include Texaco, U of A, Manitoba Information Protection Centre and Public Service of
New Mexico.
– Over 20 years of culture change management and training experience, providing a strong base for proven results.
– Requested presenter at various security conferences, such as SANS, CSI, and the Arizona
Chapter of High Technology Crime Investigation Association (ACHICIA), both nationally and
internationally.
– Created the plan and blueprint for the University of Arizona's Security Awareness campaign, and
assisted in the implementation.
4
Introduction to Our Work
• If the result of this workshop gives voice to some of your
own experiences, or provides new ideas that contribute to
your success, then we have succeeded.
• At times, you will hear strong recommendations around
proprietary products and processes. We make no
apologies, for we would do all a disservice if we failed to
disclose with great passion those interventions that can
change your company. At the same time, we provide
guidelines and suggestions on how to create your own
versions of these solutions.
• As you take your own journey, we would like to hear from
you and invite you to email us with your questions and
stories of your victories as you chart your own change
path.
5
• A common thread among those that had success with security awareness efforts: giving people clear direction and immediately enlisting their energies in creating that future.
• Involvement in security awareness efforts in academia, Fortune
100 and small businesses – variety of situations with one
constant.
People.
• Regardless of presenting issues, success ultimately boils down
to meeting a challenge, solving a problem, or forging a better
future. And it takes people to accomplish these feats. Even if
you define change as implementing technical solutions, such as
a Firewall or automatic update installations, technology
doesn’t work unless people decide to make it work.
• Getting people involved in the process - because people are the
ones who make changes work - is key. “Organizations don’t
change – people change. And then people change
organizations.”
6
Awareness
...to focus attention on security
National Institute for Standards and Technology
7
Framework 1
• Identify program scope
• Goals and objectives
• Identify training staff and identify target
audiences
• Motivate management and employees
• Administer the program
• Maintain the program
• Evaluate the program
» NIST (1995, 1998)
8
Framework 2
• Plan
• Design
• Implement
• Evaluate
• Continuous Improvement
» M. Guenther, LLC.
9
Awareness Program Overview
Aims of the Program
Start Up
– Environmental scan
– Policies and procedures
– Technical review
– Culture Survey
– Stakeholder analysis
– Regulatory compliance
Overall structure
– Project Phases
– Resources and Skills
– Budget and Costs
– Project communication
– Project documentation
– Target Audience Groups
– Management and Monitoring
– Maintenance and transition
Program Content
– Topics
– Messages
– Sources of Material
Program methods and tools
– Intranet website
– Communication methods
– “Branding”
Program Management
– Governance
– Management
– Plan and major activities
Measuring the program
Cost benefit analysis
– Program costs
– Business benefits
Conclusion
References
Appendix A – Target audience segments
Appendix B – Potential information, physical and personal security topics
Appendix C – Outline and timeline of program plan
Appendix D – Communication methods
10
Content
– Topics of awareness include but are not limited to:
• The responsibility of users to report issues
• The fact that a user's activities can be audited
• The legal requirement for data (citing legislation, as
appropriate)
• Privacy expectations of internal and external users
• The ownership of data
• Password requirements
• The acceptable use policy for E-mail and Internet access
• The intellectual property requirements;
• The sensitivity of department systems to threats, risks
and vulnerabilities; and
• Physical, personal and information vulnerabilities
11
Objectives and Background
– Provide direction and guidance in the areas of
program development and changes to culture
– Address the following questions
• What are the premises, nature and point of departure of
awareness?
• What is the role of attitude, and particularly motivation: the
possibilities and requirements for achieving
motivation/user acceptance with respect to information
security tasks?
• What approaches can be used as a framework to reach
the stage of internalization and end-user commitment?
– Commitment to something means that one wants it
and will make it happen
(Peter Senge, 1990)
12
Washington State anthropologist John Bodley
defines culture as "shared, learned values,
ideals, and behavior — a way of life."
13
Changing Behaviors
• The goal of awareness is to change behavior
• People only adopt new patterns of behavior
when... the old are no longer effective
• People change when the pain of changing is
less than the pain of staying the same.
• Three concepts about human
behavior to note:
14
Changing Behaviors
1. People’s behavior is based upon their
principles and their values
2. An effective awareness program helps the
workforce adopt the organization’s principles
and values
3. A message is persuasive when the addresser
selects information that the addressee
perceives as relevant in terms of his or her
values
15
Changing Behaviors
• “We’ll just create some new
policies.”
What are the fallacies of policy?
• “We just send everyone to
training.”
Knowledge does not guarantee a
change in behavior.
16
Involvement
• To change culture and behaviors we need
involvement from those who will be most
impacted by the change
• WII-FM: What’s In It For Me?
• People like to be included
Your ideas for involvement?
17
Model 1 - The Security Awareness Program Flow
[Flow diagram. Nodes shown: Company Policies; Security Awareness Program; Purposes; Define Activities; Implement; Employees; Elicit Feedback; Integrate.]
Important note: Don’t wait until P&P’s are done to start awareness!!
18
Another Step …
Security Advisory Group or Council
• Group of upper management level people
• Represent all areas of the business
• Promote security awareness
• Promote consistent approach to security
• Drivers of corporate wide security policy
19
Involvement
• Host special events
• Look for “teachable moments”
• Develop security “champions”
• Leverage a “negative event”
• Use the “Grapevine”
20
PLANNING
The beginning is the most important
part of the work.
Plato
21
Strategic Planning
• Step 1: Where are we now? (Situation Assessment)
• Step 2: Where do we want to be? (Strategic Direction)
• Step 3: How do we plan to get there? (Implementation Planning)
• Step 4: How will we monitor progress? (Monitoring)
22
Compelling Issues
• Vast amounts of information.
• Open environment.
• Decentralized functions.
• Customer expectations.
• Institutional responsibility.
• Financial, operational & reputational risks.
• Increasing threat profile.
23
Security Awareness Culture Survey
Rate each statement on a five-point scale: Never or Rarely / Seldom / Sometimes / Often / Always or Almost always.
1. Insecure conditions are corrected immediately.
2. When I see a vulnerability I correct it immediately and report it to a supervisor.
3. Supervisors actively look for security vulnerabilities.
4. Supervisors face consequences for weak security performance.
5. Management recognizes and rewards good security efforts.
6. My supervisor lets me know if I am working securely.
7. Supervisors regularly observe employees to ensure they are working securely.
8. I receive positive feedback from my supervisor for working securely.
9. I receive adequate training on how to do my job securely.
10. Employees are free to bring up security concerns without worry for their job.
11. I regularly hear about the importance of security from managers.
12. Security is part of my performance appraisal.
13. I know where I can access security policy and procedures.
14. I understand how the security policies and procedures relate to the work I do.
15. I know how to report an incident and who to report an incident to.
24
It’s the Culture
• Culture drives the behavior of the organization and its people.
• Implementing a behavioral security
process without a solid cultural
foundation is the cause of most
incidents.
25
Danger Signs
• Unclear who is responsible for what.
• Belief that everything is ok, “we are in good shape”
• Belief that rule compliance is enough for security (If
we’re in compliance – we’re ok)
• No tolerance for whistle-blowers
– “culture of silence”
• Problems experienced from other locations not
applied as “lessons learned”
• Lessons that are learned are not built into the
system
• Defects / errors become acceptable
• Security is subordinate to production
• Emergency procedures for severe events are lacking
26
Danger Signs
• Policies and Procedures are confusing, complex and “hard
to find”.
• Security resources and techniques are available but not
used.
• Organizational barriers prevent effective communication.
• Responsibility, authority, and accountability for security are undefined.
– Security belonged to “IT”
• The acceptance of defects / errors becomes institutionalized.
– Because nothing has happened (or we are unaware of
what has happened), we’re ok.
• Culture is resilient, hard to change, and will revert to old
habits if not steered by leadership.
27
What is Culture?
• Social Culture - Our beliefs,
philosophies,
attitudes, practices that govern how
we live.
• Organizational Culture -What
employees believe (perceptions),
attitudes, practices, rules,
regulations, philosophies, values, etc.
28
What is Culture?
• It is the atmosphere which shapes
our behavior.
• Invisible force that largely dictates
the behavior of employees &
management.
29
Company Culture
Production Culture
vs.
Security Culture
Due to the high costs of incidents there is no way a pure production culture can be profitable to its fullest potential.
30
What is a Production
Culture?
• Belief that only production matters.
• Whatever it takes to get the job done.
• Security performance is not
measured.
• Security performance is not part of
supervisor’s job.
31
Security Culture
• Security is not a priority - it is a
corporate Value.
• All levels of management
accountable.
• Security performance measured &
tied to compensation.
• Security integrated into all operations.
32
The Purpose Of The Program
• Security is everyone’s responsibility
• Provide all opportunities to determine how in their daily roles:
– Knowledge (what)
– Skill (how)
– Attitude (want)
[Diagram labels: Education, Awareness]
33
Motivation vs. Attitude
• Motivation tends to be dynamic in nature
– Lasts minutes or weeks
– Intrinsic motivation plays a role
• People feel free to make their own choices
• Need to justify actions in terms of internal reasons
• Attitude is a more static, internalized factor
– Lasts months to years
– Staged as readjustment, cooperation, acceptance
and internalization
– User acceptance and internalization must be
considered gradual processes and long-term goals
34
A Collection of Approaches
Practical
Approaches/Principles
Logic
Morals and ethics
Intrinsic Motivation
Pave the way
Attitude
Pave the way
+
+
Rationality
Pave the way
+
Emotions
+
+
Sanctions, pressure
-
+
Feeling of security
+
+
Well-being
+
+
35
Analysis and Problem-solving
What We Looked at
• People
• Business
• Measuring, evaluating
36
Break
37
People
• Identify key relationships.
• Establish rapport with students, faculty and staff.
• Become visible and available.
• Develop security awareness program.
• Be the person who is there to help.
• Emotional/psychological management
38
Business
Understand…
• Business and customer expectations
• Relationships between business and customer
• Key information and other assets, owners and custodians
39
Strategy
[Diagram: Strategy at the centre, surrounded by Metrics/Benchmark, Communication, Culture, Regulatory, Education, Marketing and Strategic Planning.]
40
Design
National Institute for Standards and Technology
41
The Awareness Program
The security process is more than the implementation of technologies:
• Redefinition of the corporate culture
• Communication of management’s message
• Employee understanding of the value of information
• Employee understanding of the importance of their actions to protect information
42
Scope
The scope of any Security Awareness
campaign will reach all network users,
beginning with senior department
executives working towards each and
every member of the community.
Who are the members of your
community?
43
Customizing the Message
Plan to address segmented groups with
messages specifically designed for those
areas.
• Leadership
• Senior Management
• Staff
• Line Supervisors
• Students
• End Users
• Faculty
• Contractor and Temp
44
Best technique, best approach and expected results by group
Senior Managers
– Best technique: Cost justification; Industry comparison; Audit report
– Best approach: Presentation; Video; Violation reports
– Expected results: Funding; Support
Line Supervisors
– Best technique: Risk analysis; Demonstrate job performance benefits; Perform security reviews
– Best approach: Presentation; Circulate news articles; Video
– Expected results: Support; Resource help; Adherence
Users
– Best technique: Sign responsibility statements; Policies and procedures
– Best approach: Presentation; Newsletters; Video
– Expected results: Adherence; Support
45
Needs Assessment
• Senior Management - will be expecting a sound, rational
approach to information security.
• Line supervisors - These individuals are focused on
getting their job done.
• Employees - are going to be skeptical. They have been
through so many company initiatives that they have learned
to wait. If they wait long enough and do nothing new, the
initiative will generally die on its own. It will be necessary to
build employees' awareness of the information security
policies and procedures. Identify what is expected of them
and how it will assist them in gaining access to the
information and systems they need to complete their tasks.
46
The Information Security Message
• The employees need to know that information is an important
enterprise asset and is the property of the organization.
• All employees have a responsibility to ensure that this asset, like all others, is protected and used to support management-approved business activities.
• To assist them in this process, employees must be made aware
of the possible threats and what can be done to combat those
threats.
• Is the program dealing only with computer-held data, or does it reach all information wherever it is resident?
• Make sure the employees know the total scope of the program.
Enlist their support in protecting this asset.
• The mission and business of the enterprise may depend on it.
47
Delivering the Message
[Chart plotting delivery methods by COST against EFFECTIVENESS, each rated Not recommended, Recommended or Highly recommended. Methods plotted: Special events; Security classes; CBT; Security newsletter; Video; Screen saver; Posters; Brochure; Web site; Sign-on banner; Giveaways; Recognition awards; E-mail broadcast.]
48
Formats for Communication
• Individual meetings
• Staff meetings
• Conference calls
• E-mails
• Videoconferences
• Messages
• Faxes
• Graphics and logo
49
U of A Intranet
[Screenshot of the UA Security Awareness Campaign intranet page; text as shown:]
UA Security Awareness Campaign
Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within our computer systems and throughout our organization. Therefore, it would be prudent to support the assets of our institution (information, physical, and personal) by trying to stop that from happening.
Links: 2004 Information Security Awareness Day; Current Security Events; UA Information Security Awareness Day; Computer Security: What you need to know; 2004 Information Security Brown Bag Series (.pdf); Calendar of Campus Security Awareness Events; Presentations; Security Awareness Presentations; Security Plan Information; Security Awareness Campaign Initiatives (.pdf); Security Awareness Campaign Feedback Questionnaire; Evaluation Model (.pdf)
Send comments and suggestions to: Kelley Bogart, bogartk@u.arizona.edu, or call 626-8232
UA Privacy Statement
Please send comments, suggestions or questions to: Business Continuity & Information Security, (520) 626-0100, bcis@u.arizona.edu
Website created and maintained by: CCIT Information Delivery Team
50
Sample Email Message
An attorney's advice and it's FREE!
A corporate attorney sent the following
out to the employees in his company:
• The next time you order checks, omit your first name and have only your initials and last name put on them. If someone takes your check book they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.
• When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line. Instead, just put the last four numbers. The credit card company knows the rest of the number and anyone who might be handling your check as it passes through all the check processing channels won't have access to it.
51
A Picture is Worth
a Thousand Words
Information Protection Centre
Manitoba Information and Communications
Technologies
Cal Poly Pomona University
52
University of Arizona
53
Layered Privacy Notices
54
A Coordinated Approach
[Diagram: Group 1, Group 2 and Group 3 mapped to delivery channels (Presentation, Staff Meeting, Invitation, Videos and Poster, Newspaper article) and to content streams (General Security, Monthly Theme, Current Issues).]
Group 1: Communicates bottom-line cost advantages, business survivability, effects on shareholder value, attacks on confidential data, and offsetting resulting litigation.
Group 2: Technical staff should have a focus on individual verification procedures, and on features and attributes of software programs that can support increased security.
Group 3: Non-technical overview of what security is and why it is important. Include the elements of security, the threats to security, and countermeasures; company policies and procedures should lend insight into and support for the countermeasures.
55
Implementation
Is hard……times 20!
Perfection is boring and gets in the way of
progress.
Is where continuous improvement starts.
56
Communication and Marketing
You can never over-communicate
during times of change.
57
Why Communicate?
• Public support
• Demonstrating success
• Explaining and persuading
• Adequate resources
• Public Interest/ Accountability
58
Key Questions
• Who do we want to talk to?
• What do we want them to understand?
• How do we want to influence them?
• Should we prioritize or group the audiences (market segmentation)?
• Do not forget employees as key stakeholders
59
Stakeholder Analysis
• A technique to assist in making decisions about
who to involve, and how to involve them.
• For any decision or action, a stakeholder is
anyone who is affected by, or can influence, that
decision or action.
• Rate:
– Attitude
– Influence
– Estimate
– Confidence
60
Stakeholder Analysis Template
This template is intended to help you do the stakeholder analysis necessary to any project.
Identify your stakeholder roles, the representative(s) of each role and the type(s) of knowledge that you need from them. Bear in mind that you might choose to add additional roles and classes of knowledge. You might also have several stakeholder names for the same role.
For each stakeholder, identify the relevant classes of knowledge. You might need to add new classes of knowledge for your particular project.
Template columns:
– Stakeholder Role (the job title, department or organization that indicates a stakeholding)
– Stakeholder Name (the name(s) of the responsible stakeholder(s))
– Necessary Involvement (estimate of when and how much time)
– Classes of Knowledge: Goals; Business Constraints; Technical Constraints; Functionality; Look and Feel; Usability; Performance; Safety; Operational Environment; Portability; Security; Cultural Acceptance; Legal; Maintenance; Estimates
Stakeholder roles listed in the template:
– Administration
– Student and Parent
– Faculty and staff
– Researchers
– Health Care Professionals
– Auditors, Campus Police and Attorneys
– IT Staff
– State and Local Government
– Marketing Specialist
– Graphics Specialist
– Safety Specialist
– Security Specialist
– Cultural Specialists
– Legal Specialists
– Environmental Specialists
– Maintenance Specialists
– Training Staff
– Project Management
– Business Analysts
– Standards Specialists
– Public Opinion
– Auditors
– Financial specialists
61
Messages
Passwords
Do not share User names or passwords
Use strong passwords
Do not write passwords down
Viruses
Beware of viruses, particularly in email
attachments
Ensure that antivirus software is installed
and updated
Information handling
Classify information correctly
Pick up print outs and faxes
E-mail and Internet use
Don’t send sensitive info over the Internet
without taking precautions to secure it.
62
Getting There
• Message, audience, means ….. NOT
• Means, audience, message
• What is best for which audience?
• It is not just press, radio and TV
• Spectrum, for example – Personal contact
63
Getting There
• Leaflets and other publications
• Exhibitions
• Paid advertising
• Web and “new” media - narrowcasting
• Build in feedback where you can
64
Timing
• Identify fixed events in the programme
• Be aware of outside fixed events
• Be ready for the unexpected
• Be opportunistic
65
Communication
• Bi-monthly Brown Bag sessions (training/awareness courses)
• Monthly security awareness newsletter
• Posters
• Security awareness messages on the
intranet
• Security awareness days
• Integrate efforts with HR efforts
(orientation)
• Modeling
66
Break
67
Measurement
If we are required to assess change in
behavior by virtue of how long a person sits
in a seat……………
we are focusing on the wrong end of the
person.
68
Measuring, Evaluating
• Security is like the brakes on your car.
– Their function is to slow you down.
– But their purpose is to allow you to go
fast.
69
• What do we want to measure?
• What can be measured?
• How can it be measured?
• How do these relate to initial objectives?
• Continued monitoring?
• Feed into future strategies/ campaigns
70
Strategic Content Sessions
• Measurement of existing security weaknesses can be based on:
– Incident reports
– Tools that measure compliance
– Interviews with supervisors
– Testing
– Employee surveys
71
Security Awareness Culture Survey
Rate each statement on a five-point scale: Never or Rarely / Seldom / Sometimes / Often / Always or Almost always.
1. Insecure conditions are corrected immediately.
2. When I see a vulnerability I correct it immediately and report it to a supervisor.
3. Supervisors actively look for security vulnerabilities.
4. Supervisors face consequences for weak security performance.
5. Management recognizes and rewards good security efforts.
6. My supervisor lets me know if I am working securely.
7. Supervisors regularly observe employees to ensure they are working securely.
8. I receive positive feedback from my supervisor for working securely.
9. I receive adequate training on how to do my job securely.
10. Employees are free to bring up security concerns without worry for their job.
11. I regularly hear about the importance of security from managers.
12. Security is part of my performance appraisal.
13. I know where I can access security policy and procedures.
14. I understand how the security policies and procedures relate to the work I do.
15. I know how to report an incident and who to report an incident to.
72
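The culture survey appears twice in the deck (slides 24 and 72), once as a start-up instrument and once as a measurement tool, but the slides say nothing about how to turn the answers into something a program manager can act on. The script below is an added example, not part of the original slides or the authors' material: it scores the 15 items on the slide's own five-point scale, flags the weakest items, and compares a baseline wave against a follow-up wave. The four respondents in each wave and their answers are constructed; the 3.0 "weak item" threshold is an assumption.

```python
"""Score the 15-item Security Awareness Culture Survey from the deck.

Added example, not part of the original slides. Responses use the slide's
five-point scale; the respondents and their answers below are constructed.
"""

SCALE = {
    1: "Never or Rarely",
    2: "Seldom",
    3: "Sometimes",
    4: "Often",
    5: "Always or Almost always",
}

ITEMS = [
    "Insecure conditions are corrected immediately.",
    "When I see a vulnerability I correct it immediately and report it to a supervisor.",
    "Supervisors actively look for security vulnerabilities.",
    "Supervisors face consequences for weak security performance.",
    "Management recognizes and rewards good security efforts.",
    "My supervisor lets me know if I am working securely.",
    "Supervisors regularly observe employees to ensure they are working securely.",
    "I receive positive feedback from my supervisor for working securely.",
    "I receive adequate training on how to do my job securely.",
    "Employees are free to bring up security concerns without worry for their job.",
    "I regularly hear about the importance of security from managers.",
    "Security is part of my performance appraisal.",
    "I know where I can access security policy and procedures.",
    "I understand how the security policies and procedures relate to the work I do.",
    "I know how to report an incident and who to report an incident to.",
]

# Constructed sample data: one row per respondent, one answer (1..5) per item.
BASELINE = [
    [3, 2, 2, 1, 2, 2, 2, 2, 3, 3, 2, 1, 3, 3, 2],
    [3, 3, 2, 1, 2, 1, 2, 1, 3, 4, 2, 1, 4, 3, 2],
    [2, 2, 3, 2, 3, 2, 3, 2, 2, 3, 3, 1, 3, 2, 1],
    [4, 3, 1, 2, 1, 3, 1, 3, 4, 4, 1, 1, 2, 4, 3],
]
FOLLOWUP = [
    [4, 3, 3, 2, 3, 3, 3, 3, 4, 4, 3, 2, 4, 4, 4],
    [4, 4, 3, 2, 3, 2, 3, 3, 4, 4, 3, 2, 5, 4, 4],
    [3, 3, 4, 3, 4, 3, 4, 3, 3, 4, 4, 2, 4, 3, 3],
    [5, 4, 2, 3, 2, 4, 2, 4, 5, 4, 2, 2, 3, 5, 5],
]


def validate(responses):
    """Reject rows with the wrong item count or values outside the scale."""
    for row in responses:
        if len(row) != len(ITEMS):
            raise ValueError(f"expected {len(ITEMS)} answers, got {len(row)}")
        bad = [v for v in row if v not in SCALE]
        if bad:
            raise ValueError(f"answers outside the 1..5 scale: {bad}")


def item_means(responses):
    """Mean score per item, in item order."""
    validate(responses)
    return [round(sum(col) / len(col), 2) for col in zip(*responses)]


def overall_score(responses):
    """Mean over every answer in the survey wave."""
    validate(responses)
    answers = [v for row in responses for v in row]
    return round(sum(answers) / len(answers), 2)


def weak_items(responses, threshold=3.0):
    """(item number, statement, mean) for items scoring below the threshold."""
    return [
        (i + 1, ITEMS[i], m)
        for i, m in enumerate(item_means(responses))
        if m < threshold
    ]


def lowest_items(responses, n=3):
    """The n lowest-scoring items; ties keep item order."""
    ranked = sorted(
        ((i + 1, ITEMS[i], m) for i, m in enumerate(item_means(responses))),
        key=lambda t: t[2],
    )
    return ranked[:n]


def wave_change(before, after):
    """Per-item change in mean between two survey waves."""
    return [round(a - b, 2) for b, a in zip(item_means(before), item_means(after))]


if __name__ == "__main__":
    print("Baseline overall:", overall_score(BASELINE))
    for num, text, m in lowest_items(BASELINE):
        print(f"  item {num:2d} mean {m:.2f}: {text}")
    print("Follow-up overall:", overall_score(FOLLOWUP))
    for num, delta in enumerate(wave_change(BASELINE, FOLLOWUP), start=1):
        print(f"  item {num:2d} change {delta:+.2f}")
```

The lowest-scoring items are the ones to build the next round of messages around; in the constructed baseline, item 12 (security in the performance appraisal) and item 4 (consequences for weak security performance) sit at the bottom, which points at the production-culture danger signs from slides 26 and 31 rather than at a knowledge gap. Re-running the same instrument after the campaign and diffing per item is what gives the "before and after" evidence that the measurement slides ask for.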
Measurement Tools
1. Distribute a survey or questionnaire seeking input from employees.
If an awareness briefing is conducted during the new-employee orientation, follow up
with the employee (after a specified time period of three to six months) and ask how
the briefing was perceived (i.e., what do they remember, what would they have liked
more information on, etc.).
2. Walk-abouts. While getting a cup of coffee in the morning, ask others in the room
about the awareness campaign. How did they like the new poster? How about the
cake and ice cream during the meeting? Remember that the objective is to heighten
employees' awareness of computer security and of their responsibilities for it. Thus, even if
the response is “that poster is silly,” do not fret; it was noticed and that is what is
important.
3. Track the number and type of security incidents that occur before and after
the awareness campaign. Most likely, it is a positive sign if one has an increase in
the number of reported incidents. This is an indication that users know what to do
and who to contact if they suspect a computer security breach or incident.
73
Measurement Tools
4. Conduct “spot checks” of user behavior. This may include walking
through the office checking if workstations are logged in while
unattended or if sensitive media are not adequately protected.
5. If delivering awareness material via computer-based delivery,
such as loading it on the organization’s intranet, record student
names and completion status. On a periodic basis, check to see
who has reviewed the material. One could also send a targeted
questionnaire to those who have completed the online material.
6. Have the system manager run a password-cracking program
against the employees' passwords. If this is done, consider
running the program on a stand-alone computer and not installing it
on the network. Usually, it is not necessary or desirable to install this
type of software on one’s network server. Beware of some free
password-cracking programs available from the Internet because
they may contain malicious code that will export one’s password list
to a waiting hacker.
74
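Measurement tool 3 on slide 73 says to track the number and type of incidents before and after the campaign, and notes that a rise in reported incidents is usually a good sign because it means users know what to do and whom to contact. The script below is an added example, not part of the original slides or the authors' material, showing one way to keep that tally: it parses a small incident log, splits it at the campaign start date, and reports totals, per-category counts and the share of incidents that employees reported themselves rather than tooling or spot checks surfacing them. The log format (date, category, source), the source labels and the 2004-03-01 campaign start date are all assumptions, and the log lines are constructed.

```python
"""Before/after incident tracking for an awareness campaign (measurement tool 3).

Added example, not from the original slides. The log format (date,category,source)
and the campaign start date are assumptions; the log lines are constructed.
"""
from collections import Counter
from datetime import date

# Assumed: the date the awareness campaign launched.
CAMPAIGN_START = date(2004, 3, 1)

# Constructed sample log. One record per line: ISO date, category, and the
# source that surfaced the incident (user_report, helpdesk, antivirus_alert,
# spot_check). Lines starting with '#' are comments.
INCIDENT_LOG = """\
# date,category,source
2004-01-05,virus,antivirus_alert
2004-01-12,virus,helpdesk
2004-01-20,lost_media,user_report
2004-02-02,virus,antivirus_alert
2004-02-14,unattended_workstation,spot_check
2004-02-25,virus,helpdesk
2004-03-03,phishing_email,user_report
2004-03-09,virus,user_report
2004-03-15,tailgating,user_report
2004-03-22,virus,antivirus_alert
2004-04-01,suspicious_call,user_report
2004-04-08,unattended_workstation,spot_check
2004-04-19,virus,user_report
2004-04-26,lost_media,user_report
"""


def parse_log(text):
    """Parse the log into (date, category, source) tuples; skip blanks and comments."""
    records = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(fields)}")
        day, category, source = fields
        records.append((date.fromisoformat(day), category, source))
    return records


def split_at(records, start):
    """Partition records into those before the campaign start and those on/after it."""
    before = [r for r in records if r[0] < start]
    after = [r for r in records if r[0] >= start]
    return before, after


def counts_by_category(records):
    """Number of incidents per category."""
    return Counter(category for _, category, _ in records)


def user_reported_share(records):
    """Fraction of incidents that employees reported themselves."""
    if not records:
        return 0.0
    reported = sum(1 for _, _, source in records if source == "user_report")
    return round(reported / len(records), 2)


def campaign_report(text=INCIDENT_LOG, start=CAMPAIGN_START):
    """Summarise both periods: totals, per-category counts and user-reported share."""
    before, after = split_at(parse_log(text), start)
    return {
        "before": {
            "total": len(before),
            "by_category": dict(counts_by_category(before)),
            "user_reported_share": user_reported_share(before),
        },
        "after": {
            "total": len(after),
            "by_category": dict(counts_by_category(after)),
            "user_reported_share": user_reported_share(after),
        },
    }


if __name__ == "__main__":
    for period, stats in campaign_report().items():
        print(period, stats)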
Putting metrics in
perspective – A Case Study
• One of our key areas for security
focus was viruses and worms
• Two main goals.
– Reduce the number of lost work hours in the organization due to virus/worm infection and the effort required to prevent virus/worm infections.
– Reduce or eliminate secondary
infections of our business partners.
75
Company Background
– Over 1100 employees
– Business partner
• has access to our networks
• receives hundreds to thousands of emails from us
daily.
– Made some technical changes
• Reduce the problems in the first year or so after
introducing them. After that we reached a plateau.
– Introduced an awareness program.
• Intranet website dedicated to virus problems
• Security bulletins for new virus/worm outbreaks
• Regular, monthly security awareness articles
• Presentations (both scheduled and on request)
76
Results
– Then - 6,000 hours expended annually to control
virus/worm outbreaks in 2000
– Now - Less than 2,000 hours in 2003
– Then - 5 significant virus/worm outbreaks in 2000
– Now - 2 significant virus/worm outbreaks in 2003
– Then - Out of a typical 25 new helpdesk requests
per business day, four of them dealt with
virus/worm problems
– Now - New helpdesk requests per day has
increased to 28 on average, virus/worm requests
have dropped to less than 1 per day
77
Five Levels Of The
Information Security Evaluation
Model
• Level 1 = COMPLACENCY
• Level 2 = ACKNOWLEDGEMENT
• Level 3 = INTEGRATION
• Level 4 = COMMON PRACTICE
• Level 5 = CONTINUOUS IMPROVEMENT
Where is your Organization?
78
Progress to Date
Level 5 – CONTINUOUS IMPROVEMENT
Level 4 – COMMON PRACTICE (Current)
Level 3 – INTEGRATION
Level 2 – ACKNOWLEDGMENT
Level 1 – COMPLACENCY (Start)
79
Highlights of Before and
After Results
 Security Questions and Problems
 AUP
 Security Awareness Training
 Perceived Value of Security
 Stewardship in Projects
 Best Practice
80
Security Awareness Education Plan
[Diagram of plan elements:]
• Learning Management System
• Security Intranet website
• Traditional Classroom Training
• User Agreement
• Videos
• Brochures
• Exercises
• Newsletter
• Measurement and evaluation
• Events
• Best Security Practices
• Screen Savers
• Education
• Posters
• “How To” Guides
81
Security Awareness Content
Personal Security
– Social Engineering
– Identity Theft
– Clean Desk Policy
– Parking Lot Security
– Emergency Alerts
Physical Security
– Building Access
– Rules for ID Badges
– Visitor Control
– PC Security
– Telephone Fraud
– After Hours Access
Information Security
– Password Construction &
Management
– Screensavers
– Internet Security
– Software Piracy
– Data Backups
– E-mail Usage
– Internet Usage
– Viruses
82
Getting Started
Three necessary components to
develop security habits
Knowledge
(What to do)
Skill
(How to do)
Attitude
(Want to do
and Why)
83
Program Elements
Accelerated Learning
• A positive learning environment
• Total learner involvement
• Appeals to all learning styles
• Collaboration among learners
• Learning in context
• Facilitation vs. Training
84
SA Tools
• http://security.arizona.edu/awareness.html
• http://www.iwar.org.uk/comsec/resources/sa-tools/
• http://www.neocomm.com.au/
85
Lessons Learned
86
Lessons Learned: 1
• The security awareness leadership position is not a technical role.
• Rather, it is a program manager role.
• The role must be comfortable as a program manager, and must be able to know when to put on the technical hat.
87
Lessons Learned: 2
• Security awareness is not a natural thought process for everyone.
• Sometimes you don’t know what you don’t know.
• You must plant/grow the seeds of awareness, and illustrate the relevance of security to all roles.
88
Lessons Learned: 3
• A commitment to security implies
investment primarily in a security
leadership position itself.
• The investment needn’t involve
spending money on technology.
• Invest in the human resource first.
89
Lessons Learned: 4
• While security and privacy are important to most people, we tend to be uncomfortable talking about security weaknesses.
• The role must de-mystify security and steward creation of appropriate settings and processes to discuss security issues.
90
Lessons Learned: 5
• Security is on everyone’s mind, but not everyone understands how to apply security in the context of their work.
• This is sometimes perpetuated from areas inside the organization.
• Ability to articulate and quantify risk and cost of consequence is an essential element of gaining a motivated audience.
91
Lessons Learned: 6
• The “starter” key relationships are:
– Legal Counsel
– Human Resources
– External Affairs
– Executive Team
– Risk Management
– Audit
92
Lessons Learned: 7
• Over-prescription creates little gain in security at the expense of willingness and cooperation from customers.
• Security is a “living thing”, not a one-time project.
• Find ways to attract and retain all stakeholders in security discussions and activities.
93
Lessons Learned: 8
• Few security answers are binary.
• The vast majority of answers are analog.
• The ability to discriminate which situations require a binary answer, and which require a more introspective analog answer, is essential.
94
Lessons Learned: 9
• Measurement is essential to illustrate value and costs, and to underwrite future success.
• Keep track of what you do.
• Tabulate.
• Quantify.
• Report.
• Share (with discretion)
95
Security is Like Quality
• "You can't buy security. It's not a product. It's a mindset and a never-ending process. To succeed, security must permeate every aspect of our business. It's not just the responsibility of the executive and management team; every employee must have a tenacious commitment to it.
• "Security is intangible, but it's not ethereal. It's difficult to quantify, but its results are absolutely measurable.
• "How much does security cost? Nothing. It's free when everyone is committed to it."
Andrew Briney
96
Lessons Learned: 10
The beginning is the most important
part of the work.
97
We End Where We Began
• If the result of this workshop gives voice to some of
your own experiences, or provides new ideas that
contribute to your success, then we have succeeded.
• As you take your own journey, we would like to hear
from you and invite you to email us with your
questions and stories of your victories as you chart
your own change path.
98
Conclusion
• Organizations don’t change. People change. And then people change organizations.
• It’s very hard to change people’s minds if it means reducing their job satisfaction.
• Technology comes and goes, but people will always be a challenge!
• If you always do what you’ve always done, you’ll always get what you’ve always got.
99
Thank You
Keep chasing the dog, or
fence it in?
100