Security Awareness Blog

Security Awareness Top Ten Topics - #7 Encryption

This post is the seventh in a series of what I consider the top ten topics for any security awareness program. Selecting the topics with the greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have; instead, these posts are designed to give you recommendations, a place to start. For the seventh topic I like to focus on encryption. Now this may sound a bit odd for an awareness topic since encryption can be technical, but there is method to the madness. We in the security community are always telling people to encrypt their information to protect it. The first problem is that many end users do not understand what encryption is, and as a result they may use it incorrectly. The second problem is that they may not understand encryption's limitations. The classic example is encrypted websites. End users may think that since a webpage has the lock on it, and the connection is encrypted, the website must be secure. As we know, the lock says nothing about whether the website is secure; only the data traveling between those two points is protected. With that said, here are some of the key learning objectives I feel are important.

The first is to simply demonstrate what encryption does, for many it may appear to be black magic. One of my favorite lessons is to simply show a cleartext document, perhaps some text from "Alice In Wonderland" and explain how anyone can access and read that document. Then show that same text but encrypted, or ciphertext. Then explain that no one can read it unless they have the key.
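As an added illustration of that lesson (example code written for this post, not the author's material or any Securing The Human product), the script below turns a short passage of "Alice In Wonderland" into ciphertext, decrypts it back with the right key, and shows what happens with the wrong key or a tampered message. The function names (`encrypt`, `decrypt`, `derive_key`), the passphrase and the sample passage are all assumptions chosen for the demonstration. It uses only the Python standard library so it runs anywhere: the key is derived from a passphrase with PBKDF2, the text is masked with a SHA-256 counter-mode keystream, and an HMAC tag lets the decryptor tell a wrong key from a correct one instead of silently returning garbage.

```python
import hashlib
import hmac
import os

# Constructed sample plaintext for the demonstration (public-domain text).
SAMPLE_TEXT = (
    "Alice was beginning to get very tired of sitting by her sister on the bank, "
    "and of having nothing to do."
)

SALT_LEN = NONCE_LEN = 16   # bytes of random salt and nonce stored with each message
TAG_LEN = 32                # HMAC-SHA256 tag length
KDF_ITERATIONS = 100_000    # PBKDF2 work factor (assumed value for the demo)


def derive_key(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Turn a passphrase ("something you know") into two 32-byte keys:
    one for encryption, one for the integrity tag."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: SHA-256 over key || nonce || counter, block by block."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(passphrase: str, plaintext: str) -> bytes:
    """Return salt || nonce || ciphertext || tag. Only someone holding the
    passphrase can reverse it; everyone else sees random-looking bytes."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_key(passphrase, salt)
    pt = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag


def decrypt(passphrase: str, blob: bytes) -> str:
    """Recover the cleartext, or raise ValueError if the key is wrong or the
    message was altered (the tag check fails in both cases)."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ct, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_key(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered ciphertext")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def opens_with(passphrase: str, blob: bytes) -> bool:
    """True if this passphrase unlocks the message, False otherwise."""
    try:
        decrypt(passphrase, blob)
        return True
    except ValueError:
        return False


def tamper(blob: bytes) -> bytes:
    """Flip one bit in the ciphertext body to show that changes are detected."""
    body_index = SALT_LEN + NONCE_LEN
    return blob[:body_index] + bytes([blob[body_index] ^ 0x01]) + blob[body_index + 1:]


if __name__ == "__main__":
    key = "correct horse battery staple"   # assumed demo passphrase
    sealed = encrypt(key, SAMPLE_TEXT)
    print("Cleartext :", SAMPLE_TEXT)
    print("Ciphertext:", sealed.hex())
    print("Right key :", decrypt(key, sealed))
    print("Wrong key :", "rejected" if not opens_with("guess", sealed) else "accepted")
    print("Tampered  :", "rejected" if not opens_with(key, tamper(sealed)) else "accepted")
```

Run it as-is and the three outcomes line up with the lesson: the cleartext is readable by anyone, the ciphertext hex is meaningless without the key, and a wrong key or an altered message is rejected rather than producing text. For anything beyond a classroom demo, a vetted library (for example the `cryptography` package's Fernet or AES-GCM) should replace the hand-built keystream; the standard-library construction here is chosen only so the script has no dependencies.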

Explain what a key is (something you are, something you know, or something you have).

Provide examples of what can be encrypted, such as your laptop, communications or a USB stick.

Just as important is what you do NOT cover. As we have mentioned repeatedly, you have limited time in your program, so focus on topics with maximum ROI. Something that has little ROI is discussing SSL certificates. What is the value in spending five minutes explaining to end users how SSL certificates work? Very few people fully understand them (I've been at this for fifteen years and still get confused). Also, how often do criminals use fake or compromised SSL certificates? Sure it happens, but the attacks are rare, and we have far more low hanging fruit to deal with. Another topic NOT to cover is the different types of encryption, such as symmetric versus asymmetric. End users couldn't care less, and rightfully so. These are technical issues only security professionals should be worried about, not the end user.

PREVIOUS POSTS IN TOP TEN TOPICS SERIES

#1 - You Are The Target

#2 - Social Engineering

#3 - Email and IM

#4 - Social Networking

#5 - Browsers

#6 - Passwords

7 Comments

Posted December 20, 2010 at 4:27 PM

HJohn

Great comments. I've long thought that teaching too much detail on encryption causes confusion and causes people to tune out the other parts that are of real consequence.

Posted December 20, 2010 at 4:56 PM

lspitzner

I agree, focus on what people really need to know and avoid getting technical. I know it can be hard for us security professionals to remember, but not everyone is passionate about security. They just need to know the basics so they can continue on with their real daily job (and daily life).

Posted December 20, 2010 at 6:01 PM

Geoff Webb

Absolutely. Making encryption seem overly complex will only reinforce the feeling that security is something that belongs to IT, and is not part of everyday activities for end users.

Posted January 19, 2011 at 2:42 PM

lahla

How much technical detail you provide on encryption depends on your audience. If you are training your web application team, talking about how SSL certs work is absolutely relevant. Security awareness training isn't just for novices. The IT staff need to be taught and/or reminded of good security practices too. I agree that you don't want to overload a regular or novice user with the details of encryption, but your technical staff needs to know the technical details of encryption.

Posted January 20, 2011 at 3:04 AM

lspitzner

Absolutely, excellent point! One of the key things every awareness program needs to take into consideration is who is the target of the training. This is actually one of the very first things I blogged about when starting this series [1]. In every awareness program you need to decide WHO, WHAT, HOW and WHEN. WHO should be your first step, determining which group(s) will be your targets for the training. That in turn determines WHAT you will train.
Excellent point!
[1] http://www.securingthehuman.org/blog/2010/03/30/communications-who

Posted September 2, 2013 at 4:43 AM

MKhali

Very helpful articles and topics, thank you very much.
How can I get the full videos of your security awareness??
I am working on an awareness program and your articles and videos were very helpful.
Thank you

Posted September 2, 2013 at 1:43 PM

lspitzner

Absolutely! The easiest way to try out and see all the different Securing The Human videos and solutions is to submit for a free trial at https://www.securingthehuman.org/training/inquiry. Thanks!