I just finished reading through the new draft of the NIST SP800-16 document titled "A Role-Based Model for Federal Information Technology/Cyber Security Training". If you have never heard of NIST, FISMA or the SP800 series of documents, you can probably stop reading now and save yourself some time. However, if you are involved in security … Continue reading Draft NIST SP800-16 (vs. SP800-50)
One of the great things about awareness training is that not only do staff become more aware and prevent incidents, but they also start reporting attacks; they become human sensors. Today I got just such an email from an employee reporting a phishing attack. The email was all about clicking … Continue reading Symantec, How Could You?
When it comes to securing the human, mobile devices are one of the top ten risks I'm seeing organizations most concerned about. It makes sense: mobile devices now have the same computing power (and risks) as your laptop. The only difference is that mobile devices are easier to lose or have stolen. However, risks with … Continue reading When Mobile Devices Control Every Aspect of Your Life
A common misconception of security awareness is that creating content is simple. Just pick some random topics, communicate those random topics, and you are done. To be dead honest, that works for compliance. However, to effectively reduce human risk, you have to first identify the greatest human risks to your organization and focus on just … Continue reading The Challenge of Keeping It Short
Folks, yesterday we did a live webcast for Europe on how to build, maintain and measure a high-impact security awareness program. The webcast was based on the Securing The Human talks I do at SANS events, but with a focus on European challenges (such as privacy issues, translations, etc.). I even attempt to pronounce … Continue reading Webcast on Building Awareness Programs - For Europe