Educause Security Discussion mailing list archives

Re: Security Awareness Feedback


From: Melissa Guenther <mguenther () COX NET>
Date: Tue, 27 Apr 2004 13:46:13 -0700

Gary 
This is great information.  I especially liked your anecdote at the end -
made me smile.
As a thank you I am offering an article I wrote on Culture Change and
Security OR a free presentation with permission to use within your
organization -  it is an effective presentation and can be customized for
your use. 
Let me know if you would like me to send it please.

Melissa
 
 
-------Original Message-------
 
From: The EDUCAUSE Security Discussion Group Listserv
Date: 04/27/04 13:33:42
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Awareness Feedback
 
Melissa Guenther wrote:
 
I have been assigned a project to help determine the status of
Security Awareness interventions.  In such, I am polling both
individuals and groups on the question below.  I am asking that you
provide formal and informal information that answers the question.
Ideally, you will scrub all identifying information before sending -
as a precaution, I will recheck to make sure names and other
information is removed.  I will be happy to send anyone interested the
final report.

Question - Why is security awareness typically such a failure?  It is
mentioned in 3 places in the 7799 spec.  It is usually considered only
slightly less important than policy.  Yet, it seems to be uniformly
poorly implemented.

Note - For the purpose of this study:
There is no such thing as "Security Awareness Training." The purpose
of awareness efforts is to focus attention on security and possible
adverse impacts from a security failure. Heightened awareness allows
individuals to recognize security concerns and respond accordingly.

During awareness activities the learner is a passive information
recipient, while the learner in a training environment takes on a more
active role. Awareness aims to reach broad audiences with attractive
packaging techniques. Training is designed to build knowledge and
skills to facilitate job performance.

Learning achieved through awareness is short-term, immediate, and
specific. Training involves higher-level concepts and skills. For
example, if a learning objective is "to increase use of effective
password protection among employees," an awareness activity might
involve using reminder stickers on computer keyboards. A training
activity might involve computer-based instruction in the use of
passwords, especially how to change passwords for organization systems.

 
Hi Melissa,
 
I interpreted "failure" in your question to mean "ineffective".
 
1. Because people get bored with generalities and
    oversimplifications they hear over and over and that they
    think they have covered. Or that don't apply to the task at
    hand. Or they get frustrated with specifics that are so
    numerous and changing that they can't keep up with them.
 
2. Because, in the haste to complete day-to-day activities,
    oft-heard warnings are dropped in priority to complete
    the task at hand. They feel pressure to get something
    done Right Now and take shortcuts. Or make mistakes
    in haste. In some sense, only controls which prohibit the
    undesired activity are effective against this e.g. system
    enforced password complexity rules, network access
    controls, limited privilege user accounts, mail filtering,
    TCPA enforced software restrictions, etc.
 
    When a person is up to their neck in alligators day after
    day, they tend to become inured to them so they
    can get the swamp drained.
 
3. Because while everyone agrees security is important,
    there is a perception that someone else is taking
    care of it. Some folks feel overwhelmed by the
    responsibility. Some folks don't realize how much
    it depends upon them. Some folks don't realize the
    compromises that need to be made to achieve a
    particular level of exposure.
 
4. Because sometimes it's not important to people until something
    bad actually happens to them (individually or collectively).
    Witness last Fall's Blaster effect on the awareness of
    network access filtering best practices and Windows
    Updates. Or the effect of losing one's Internet access
    on getting anti-virus software installed and infections
    cleaned. Or the threat of a lawsuit on copyright violations.
    Who would have put up with today's airline searches
    five years ago?
 
5.  Superficial awareness is inadequate. At least in today's
     environment which is likely to persist for at least a few
     years. It's only the start. A core understanding of underlying
     issues must be imparted in order that the principles can be
     interwoven into daily activity which may change from person
     to person, task to task, threat to threat, or day to day. And
     then it has to be made a priority - by forcing it technologically,
     by making it an organizational priority, and/or requiring
     it for access.
 
    1. A basic knowledge of what a computer is underneath
        all the GUIs and splash screens that have covered up what
        hasn't changed in the past thirty years needs to be acquired.
        What a program is. What it can do. What an icon is. What
        a server and a client are. Basic architecture of email, web, and
        network/Internet. What a user account and password are.
        It doesn't have to be mind-numbingly technical. This has
        benefits beyond the security scope.
 
    2. Focus on some security basics that have been around a lot
        longer than computers:
 
        a. Principle of least access
        b. Principle of defense in depth
        c. Issues of trust and authentication
        d. Complexity vs security
        e. Need for maintenance and monitoring
 
   3. Show the threat environment through real examples.
       Demonstrate a need. Make it personal.
 
   4. Teach how to apply the basic security principles in every
       day activities with an emphasis on a generic understanding
       rather than what icons to click or what products to
       install.
 
Is eight hours of training to protect personal and organizational
information and operation too much? An hour or two is often
spent teaching Word, Excel, or Windows. Why not something
that will last beyond the next release?
 
I'll end this tirade by relating what I hope is an interesting
and amusing experience that is tangentially related. I was
asked to present our awareness talk at an organization that
acquaints seniors with computers. One of the problems related
to me in this endeavor was that the participants were scared
to do anything for fear of breaking something. Unbeknownst
to me, throughout the prior six weeks it was stressed that
the participants should just click something if they didn't know
what it was to learn about it. I spent the first half of the
presentation telling what kinds of things are occurring today.
The second half on protective measures. Imagine the dismay of
the instructors and students when one of my bullet items was
"If you don't know what it is - DON'T CLICK IT".
I haven't been invited back since. :)
 
Gary Flynn
Security Engineer
James Madison University
 
**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
 
