Ted Demopoulos’ securITy

Effective Security Awareness Programs are like Exercise
We do a great job with technology: firewalls, IDS, IPS, anti-virus, etc., but technology can only go so far. We always have the “human element,” and despite great technological controls, if a help desk person readily volunteers passwords or the uniformed pseudo-guard at the front door lets just about everyone in, our technological controls are easily bypassed.

“Security Awareness Training, that’s what we need,” is often the call. We’ll ignore the fact that purists will insist that “awareness” and “training” are different, and focus on why employee awareness training alone is rarely sufficient.

1) Most organizations don’t have enough resources. I spent last week at a large organization that is better funded and has far more resources than most, but they still have less than one hour per year per employee for security awareness training. That’s one “lunch and learn” or maybe a couple of short online computer-based training modules that employees may not pay much attention to anyway.

2) Awareness training is like exercise; the benefits are short-lived. Last summer I went for several 100-mile-plus bike rides and was in great shape, at least for a fat middle-aged dude. A couple of months after the snow started and the bike riding ended, I was back to my normal slothful self and there were few if any residual effects. It’s the same with awareness training! You can have the best awareness training possible, but shortly afterwards people will revert to writing their passwords on stickies stuck to their monitors or perhaps under their keyboards, opening random email attachments, and letting others “tailgate” through the side doors. The effects of security awareness training are short-lived. Security awareness training is good, but not enough.
What’s needed is an awareness program, something that’s ongoing, just like I should have moved my exercise indoors to the gym instead of stopping when the cold weather and snow came. A security awareness program can include security awareness training, but needs more reinforcement than security awareness training alone can provide. Examples of what can be included in an ongoing security awareness program include:
Technology “solutions” are only a part of solid information security. We will always have the human element to contend with as well. In order to minimize vulnerabilities in the ever-present human element, humans need consistent and ongoing reminders. Instructor-led and computer-based security awareness training sessions can be one component of a security awareness program, but other less resource-intensive and disruptive components are needed as well. These will vary depending on the organization, but include a wide variety of possibilities. Remember that, for maximum effect, efforts must be ongoing. Any security awareness activities in the past, regardless of how successful, have limited residual effects. Similarly, it’s great that I went for a 5-mile run last Wednesday, but the 5000-calorie Chinese buffet lunch I had today probably has more effect on my fitness and health.
© Copyright 2002-2010, Demopoulos Associates