Security Awareness Blog

Ten Things to Think About For Your Security Awareness Program (Guest Blog)

Editor's Note: This guest blog post is from Sandra Dunn of HP. Sandra will be leading a mentor-led MGT433 course in Boise, Idaho in October.

There is an interesting debate in the dark corners of Security Awareness nerdom regarding the benefits of Security Awareness Programs. The arguments go back and forth: "You can't trust your users; your only choice is to lock them down!" "Lock down your users? And slow productivity to a crawl?" "You can't lock them down from every possible way they might infect your network!" Finally, at the end of a long email discussion or a long list of comments on an article, someone with a quiet voice of reason steps in and says, "Doesn't it make the most sense to do both?"

As is commonly found, the best answer is to find a balance between the two extremes. Those with quick minds will jump to the next big question: Is it 50% security controls and 50% security awareness? The answer to the ratio question might surprise you: every environment is unique. So now earn that title you so proudly display on your LinkedIn profile, pull out those notes from the MGT 433 class, and flex those keyboard fingers. Here are ten things to think about for your Security Awareness Program.

#1 Security is like quality, it is part of everyone's job

This is the most important behavior change we can help instill in people. We aren't just making noise; we really do need them to contribute. We are counting on them to protect the company. Corporations are realizing that their users are their first line of defense. A continuous Security Awareness program can help make security issues as intuitive as quality issues.

#2 Making a difference doesn't require a huge budget

A weekly email with five security tips can have an impact. The most successful security awareness program I was part of started out as a relatively small effort. I came up with the ideas for topics, but then found security subject matter experts within our own company to come and present.

#3 Find the passion for the people you are helping. They are your greatest asset

We've all seen examples of "security people" having some level of disdain for "non-security" people. Please understand that they are putting as much passion into their role as you're putting into security. In almost all cases they absolutely want to protect the company; it's their livelihood too! They just need to put the majority of their cycles into being a good accountant or salesperson, or into developing the next big thing. Provide security practices that are easy to understand and easy to do, and everyone will appreciate you.

#4 Believe in synergy

Synergy is the interaction of multiple elements in a system to produce an effect different from or greater than the sum of their individual effects. Imparting awareness to general users can pay big dividends in preventing security issues. Those users contribute different perspectives; add their areas of expertise and you have new ways to see issues and solve security problems.

#5 One size does not fit all

Just like the balance between investment in security controls and investment in education, what to emphasize and where to emphasize it differs depending on the unique security risks to your company.

#6 Metrics that really measure

If your management measures success by a high participation level in a program, so they make it mandatory for everyone, but then people go through the program by clicking the 'next' button as fast as they can without reading the content, is there any value in your metric? Use metrics to understand where the greatest risk is, and then put the right resources there. Easy metrics may not be the right metrics.

#7 Fail with Flames

To put together a highly successful program that your management team and the people in your company really like, you will have to be creative, bold and maybe a little crazy. And there is a slight chance that this creative, bold and slightly crazy idea will fail. Don't settle for providing the same mundane, easy-to-discount-and-ignore content we've all had to endure just because you were a little afraid.

#8 Do your best to be consistent and clear with your message

Please, please, please don't warn people about URL shorteners and then put a shortened link to the slides in your webinar. This is a great article on this point: http://h30499.www3.hp.com/t5/Following-the-Wh1t3-Rabbit/The-Tricky-Game-of-Breach-Notification/ba-p/6137089#.UebboI03ttQ

#9 Don't take it personally

Remember, if people didn't like something that you've put your heart and soul into, in almost all cases they still like you. Take their feedback for what it is: feedback. You just aren't going to be able to please everyone (so make sure that the people you need to please are happy).

#10 Keep planning for the next event

Whether it is in the next quarter, the next six months or the next year, grab onto as much momentum as you can and harness the synergy for next year, and the year after that, because one thing you know for sure: there will be a whole new set of topics you need to discuss next year!

Sandra (Sandy) Dunn has over 20 years in the software and hardware industry. Initially starting out in software and hardware sales, she worked with NASA, JPL, the Secret Service, the IRS, and other federal agencies to determine their server, PC, and notebook sales. At HP she has worked as a Digital Sending & Security Analyst for HP MFP printers on the Competitive Intelligence team, an ACT Engineer for the HP Accreditation team that certifies partner solutions (with her focus being security & regulatory), and a Security Engineer on the Inkjet PSO team, and has just joined the HP Cyber Security team as a Cyber Security Engagement Manager. She holds the CISSP, Security+, ISTQB, SANS GSEC, GWAPT and GCPM certifications and is a SANS Mentor. She has two children, a wonderful husband, too many horses, and lives outside of Boise, Idaho. LinkedIn profile: www.linkedin.com/pub/sandra-dunn-cissp/10/974/472/

Twitter: @subzer0girl

3 Comments

Posted August 19, 2013 at 6:24 PM

HJohn

In my master's project in 2001, I did some work on Mayfield's Paradox, which goes basically like this:
"Keeping everyone out of a system is expensive, and getting everyone on a system is expensive. The cost between these extremes is relatively low."
I applied this to electronic commerce. I won't go into all the details, except to say that all the research for the project plus 12 years of experience since reinforces that when it comes to security versus usability, "Balance is Everything."
A chart of Mayfield's Paradox is here:
http://www.isaca.org/Journal/Past-Issues/2001/Volume-2/Pages/Mathematical-Proofs-of-Mayfields-Paradox-A-Fundamental-Principle-of-Information-Security.aspx

Posted August 25, 2013 at 7:28 AM

Reardan

There are quite a few companies running very successful security awareness programs. We can just implement their ideas in our environment and in most cases will have the same level of success.
You have to understand it though, not just copy =)

Posted August 28, 2013 at 2:36 PM

Ashley Schwartau

I think you hit a lot of super important points here. A couple more that I would add:
- Make it personal. People relate better to things and learn faster when they care and when they see how situations/consequences/rules/behavior affect them and their families. One of our tenets in any program we create for clients is always drawing lessons back to the HOME, because if you can get users to make changes at home, then it'll be easier for them to make changes at work. "You know that thing you do on your personal computer? Do it here at work, too!"
- Security Awareness is like advertising. You've got to be repetitive. Any successful awareness campaign takes lots of repeating and different messaging tactics. Supposedly, people must hear an idea or see a product at least 7 times before they think of purchasing it (and hear a word 7 times before it's part of their vocabulary), so you must reiterate a message at least 7 times for it to become habit.
- Make it fun! So many people forget this last step when designing an awareness program. ENGAGE your users. Include games, contests, humor. So many people worry about the "do's" and "don'ts" that they never think about how they are delivering that message. Think back to how you learned in school: did you learn more in the strict teacher's class, who lectured and never made you laugh, or did you learn more in that hands-on bio class taught by the hilarious guy in the funny tie?
Ashley Schwartau
Director, Media Production
http://www.TheSecurityAwarenessCompany.com