Information security awareness
Ironshield Technologies offers security awareness materials and related services to the West African market.
WhatsYourISQ (Information Security Quotient) is the site for an interesting new online awareness product from First Legion Consulting.
ENISA’s latest report on security awareness documents current practice in Europe and provides guidance on the measurement of awareness programs.
NASCIO also published a report on the status of security awareness in US state governments.
Keep up with security awareness entries on the NoticeBored blog.
Computer Security: 20 Things Every Employee Should Know by Ben Rothke is reviewed here. Fred Cohen produced a similar booklet with generic security advice to employees: Fred’s Information Security Awareness Basics is 24 pages long and costs about a dollar per page.
Managing an Information Security and Privacy Awareness and Training Program wins the prize for the longest book title we’ve seen of late but it’s worth it. This is an excellent textbook for security awareness professionals, packed full of good ideas. Rebecca has an excellent reputation in the field and at last we have the definitive reference text for security awareness. Thoroughly recommended. Read our rave review.
If you are looking for help on policy matters, Information security policies, procedures and standards - guidelines for effective information security management by Tom Peltier is recommended (~$63 from Amazon). Tom’s well-written book contains plenty of helpful practical advice on writing and implementing information security policies.
Check out a one day course giving an overview of security awareness from Simmons Professional Services in the UK.
Social psychology & INFOSEC, Mich Kabay’s seminal 1993 paper on security awareness, made the case for “changing beliefs, attitudes and behaviour, both of individuals and of groups. Social psychology can help us understand how best to work with human predilections and predispositions to achieve our goals of improving security”.
US-CERT Cyber Security Tips provide straightforward information and advice on topical information security issues for a fairly non-technical audience. The well-written tips are based on CERT’s extensive knowledge of real-world information security incidents and risks. An email update service and RSS feed notify people when new tips are released.
NIST Special Publication 800-50 covers “Building an Information Technology Security Awareness and Training Program”. Although written primarily for US Federal agencies, the details are entirely applicable to other large organizations and the underlying principles are of general interest. The authors describe how to go about planning a security awareness and training program for managers and staff, and the sorts of awareness topics to cover (all of which are included in NoticeBored’s coverage). Other Special Publications mention information security awareness, training and education.
Australian Business Training delivers emotional intelligence training strategies to improve the attitude, motivation and results of change management, leadership training, management training, sales training and team building programs. ‘Emotional intelligence’ is a fascinating concept, quite distinct from IQ and cleverness. It’s all about relating to people, empathizing and motivating, in other words core concepts in security awareness ... and social engineering.
BITS, the financial services roundtable, offers a page of advice on security awareness in the form of a selection of critical success factors such as “Consider the corporate culture”, “Engage senior management support” etc. with brief supporting statements. If you need a helicopter view, this may suffice.
“Security isn’t only about protecting your network from external threats; it’s also about protecting against threats from within. The first step to security is awareness; therefore, it’s important that all your employees know not only the potential threats but also how to recognize and prevent such threats. Education and awareness empowers each employee with the knowledge of his role in protecting the organization’s network. This, in turn, will go a long way toward mitigating risk.” So says Doug Schweitzer in an editorial in Processor magazine.
Here’s a curiously amusing tale about a shop using AOL Instant Messenger to send a customer’s credit card details, unencrypted, to another shop where the EFTPOS terminal was. The shop assistant had a slight clue about credit card security: on the hand-written receipt, he used X’s in place of most of the credit card number! We use little scenarios like this (and some not so little) in our case studies and other security awareness materials ...
Information Protection Made Easy: A guide for employees and contractors is a security awareness book by David Lineman (~$10 from Information Shield). In just 96 pages, it covers the basics of information security with an emphasis on its relevance to individual employees. Chapter titles are: Desktop and Personal Data Security • Electronic Records • Secure Web Browsing • Protecting Customer Privacy • Email and Instant Messaging Security • Compliance with Laws and Regulations • Handling Confidential Information • Employee right to privacy • Managing Passwords • Corporate governance.
The Definitive Guide to Security Inside the Perimeter is a ‘free’ 200+ page eBook by Rebecca Herold (free except that you need to provide an email address and other information to the publisher and sponsor). It explains the security risks arising from insiders working within the organization, and outlines a broad range of controls. Security awareness and training are mentioned frequently, as you might expect.
EDUCAUSE is a nonprofit association working “to advance higher education by promoting the intelligent use of information technology.” They have a particular interest in information security awareness and have a number of activities to promote security awareness in education. The results of an EDUCAUSE/Internet2 Computer and Network Security Task Force and the National Cyber Security Alliance contest for computer awareness videos will be used in campus security awareness campaigns and efforts, and are available for noncommercial use from their website.
Persuading users to become more security-conscious may involve scaring them about the consequences of not being secure, according to a piece in ComputerWorld. Fear, anger and distrust are powerful motivators, it claims. [Fair enough, but this is certainly not the only way! It is generally acknowledged that FUD (Fear, Uncertainty and Doubt) has short-term effects but people quickly become resistant and eventually immune to the FUD-mongers. Think back for a moment: who had the greatest long-term impact on you - your schoolteachers who cracked the whip and insisted on parrot-fashion learning by rote, or those who interested, intrigued and motivated you?]
CERT’s Virtual Training Environment provides online access to mini courses on a variety of information security topics. The knowledge library is produced by Carnegie Mellon University’s renowned Software Engineering Institute.
An editorial in Processor Magazine outlines some of the security risks facing SMEs as a result of blogging, along with some tips to address them.
Building a security awareness program - addressing the threats from within is a succinct piece by Gideon Rasmussen with a few tips on getting your program off the ground. Gideon has also written a piece on balancing risk against cost.
Global Security Week is a voluntary effort to coordinate security awareness activities worldwide in the week leading up to September 11th annually. Since 2005, a broad range of public and private sector organizations around the globe have supported the event. If you are a security awareness professional, please take a moment to visit the Global Security Week website and plan your involvement in GSW 2008. Participation is entirely voluntary and free of charge: just start planning security-related activities in the week leading up to September 11th 2008 and tell us about it. We will gladly publicize your event in the Global Security Week calendar. The FAQ on the website has some ideas to help you organize a more effective event and we welcome further input from all awareness event organizers.
If you think you might like to run a security awareness program but are not sure where to start, take a look at our Seven steps to security awareness white paper and others in the freebies section of this website for inspiration.
The UK Home Office sponsored Think U know website advises children on safe surfing. The animated cartoon graphics and games are leagues away from the usual sage-but-rather-stuffy advice aimed at parents but stand a much better chance of engaging with their target audience: pre-teenage children. Security awareness materials for ‘young people’ typically have more text but at least make an effort to include some bright graphics and the odd bit of teenage lingo. Take a look - think - enjoy! Consider the implications in terms of reaching your target audiences with your own security awareness materials. Will an average 8-year-old understand “Respect your friends’ privacy” (#3 on the chat guide at Think U know)? Would the average adult employee, for that matter?
A somewhat tongue-in-cheek diary/blog by a typical if fictional information security manager shows how security awareness is constantly pushed to the bottom of the in-tray.
An obvious place to offer security awareness materials is at the water cooler - maybe a ‘security corner’?
Sound advice on designing an effective corporate security awareness program mentions many of the features of NoticeBored e.g. gain executive buy-in, work with allies, speak to your audience in familiar terms, walk-the-talk, make it fun and so forth.
Measuring security awareness is not the same as measuring security. Being intangible makes it even more difficult to find meaningful metrics and objective indicators. Advice and tips on performance measurement from Stacey Barr may give you some good ideas.
General end-user information security controls are also mentioned in a presentation by Virginia Tech. The university has amassed a growing collection of security awareness materials.
A collection of end-user educational presentations about IT topics includes topics such as “viruses, cookies and spam”.
The US Office of Personnel Management has mandated agencies to ensure employees, contractors and others who access federal systems are adequately trained in IT security.
Security Stats republished a variety of surveys and statistics on information security but unfortunately appears somewhat out-of-date. Shame. This would have been a useful resource to help justify security awareness and other controls.
If you have questions or comments about security awareness in general, check out the security-awareness group on Yahoo. This ‘email reflector’ is partially moderated - spammers are ejected and the signal-to-noise ratio is pretty good.
“Organized crime is turning to the weakest element in the chain, which is the people. It’s the hands on the keyboard on either end of the transaction that is the actual weak point,” said Detective Chief Superintendent Len Hynds, head of the UK National Hi-Tech Crime Unit (NHTCU), as reported by Wired.
“Arguably the biggest source of security breaches has nothing to do with installing and managing technology. The greatest weakness in the corporate security infrastructure is us.” So said a report into network security by AT&T and the Economist Intelligence Unit. “No amount of technology will be successful in protecting an organisation if employees are naive, poorly trained or are not made aware of the impact of security violations,” said Tamar Beck, director of Infosecurity Europe. The survey revealed limited awareness of information security by senior executives.
The very first guideline in the OECD Guidelines for the Security of Information Systems and Networks relates to security awareness.
In a survey of UK managers by Integralis, 80% of respondents rated security awareness in their firms as low to medium. Dreadful! Not only is the lack of awareness a missed opportunity, the respondents clearly recognize it yet have not been able to address and resolve the issue. Why the blind-spot, we wonder?
The Society for the Policing of Cyberspace is a Canadian not-for-profit organization dedicated to raising awareness of information security amongst the general population. They hold meetings and present awards for security awareness posters created as school projects.
A review of Tim Layton’s book Information security awareness - the psychology behind the technology is available elsewhere on this site.
If you are looking for a book on security awareness, specifically, you may be tempted to buy Building an Information Security Awareness Program by Mark B. Desman, published by Auerbach (~$62 from Amazon) but look carefully through the reviews and consider Rebecca Herold’s book on security awareness before you part with your money.

NB: we do not necessarily endorse or agree with the third party websites accessible through the links. Use at your own risk. Please let us know about new or broken links.