Security Awareness Blog

NIST / NICE Security Awareness and Education Strategy

As some of you may already know, NIST (the US National Institute of Standards and Technology) recently published a draft version of its strategy for promoting cyber security awareness and education. This is a draft version and can be a bit hard to read, but it has three core goals. From page 2 of the document, the three stated goals are:

  1. Raise awareness among the American public about the risks of online activities.
  2. Broaden the pool of skilled workers capable of supporting a cyber-secure nation.
  3. Develop and maintain an unrivaled, globally competitive cybersecurity workforce.

I'm excited about a national effort to improve cyber security, especially awareness and the workforce. The entire focus is on the human element, one that has been lacking for far too long. Being the security awareness weenie I am, I'm most interested in goal number one, public awareness. My concern with the strategy is that there are so many players involved that the public will get a convoluted message. There will be multiple sites offering various resources. What I would love to see is a single resource promoting a single message. The most successful awareness campaign in US history has been Smokey the Bear. Started in 1944 as part of a campaign to stop forest fires, it is estimated that 95% of adults and 77% of children instantly recognize the Smokey mascot and his message. One country doing this well is aeCERT in the United Arab Emirates. They are using Salim to communicate their awareness message. Salim is the name of a local boy; you see him everywhere in the UAE. Salim is a common Arabic name which can mean 'safety'. He has been so successful that people in Dubai do not contact their local CERT, they contact Salim. I would love to see NIST come up with a cyber Smokey the Bear or Salim for here in the States. Unfortunately, when it comes to marketing a message, this is where government/security greatly fail. I hope NIST has a budget for some marketing help.

4 Comments

Posted August 19, 2011 at 7:29 PM

HJohn

I think a key to any awareness program, particularly one geared towards the public (who unlike employees we order them to pay attention), is to keep a few facts about the public in mind:
1. The public has a short attention span.
2. The public has busy, fast-paced lives and wouldn't dedicate much time even if they had the attention span.
3. The public prefers sound bites to details.
4. The public is a cheapskate when it comes to security.
5. The public wants what it wants with minimal hassle.
I'm not saying this is good or bad (okay, I would say it is bad), but the situation "just is." It is quite limiting, but if we don't accept the limitations, we'll doom ourselves to failure. Some success is better than no success.
Our best bet is to push awareness in small doses, and take advantage when the public is tuned in to a certain risk (before they tune out). When people are horrified over an abduction is a good time to pitch child internet safety, for example. Not saying wait for it to happen, just saying if something does people are listening.
Just my two cents. I've been a local educator for 6 years, and I cringe when people are on their blackberries during an important announcement.
Best,
HJohn

Posted August 19, 2011 at 8:11 PM

lspitzner

I LOVE your top five points, great stuff! This is common knowledge for anyone taking Marketing 101. My concern with any awareness program is: do they have marketing/communication expertise? Marketing is all about changing behaviors (buy our product, not theirs). That is what I love about Smokey the Bear, great marketing that gets people's attention. It also communicates a message with a single image.

Posted August 19, 2011 at 8:39 PM

HJohn

Thanks. I just realized that my post was probably too long to hold the attention of most. LOL. I should take my own advice.

Posted August 24, 2011 at 3:50 PM

HJohn

You probably are aware of this, but the NSA has developed "Best Practices for Securing Your Home Network." http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf
It's good information, but, unfortunately, I doubt the people most at risk (novice users, those who look it up have done a lot of it already anyway) have the patience or attention span for it, if they ever even hear about it.