Re: Security Awareness specifically for Higher Ed?

["Lazarus, Carolann" <lazarus () BUFFALO EDU>]

Hi Cathy.
For those who don't know me, I've been an IT Auditor at the same public institution for 25 years.  Before that I worked 
at a banking entity.  The main differences I've seen that might impact training are:

*        A sense of urgency.  At the bank you knew you were protecting $ for customers.  In higher Ed (at least my 
institution) it's not as clear what and who you are protecting and what the consequences are.

*        Open - there was an interesting security thread recently on Higher Ed allowing porn sites.  Higher Ed is 
usually much more open.  Both faculty and staff probably have access to lots of iffy and scary sites.  Private 
corporations can lock down a lot more.  So there needs to be more training on the risks of going to those sites.

*        Research dollars - I've run into many researchers that do whatever they want to do.  Some have been very 
concerned with security others not so much.  And of course they want full administrative privileges on their systems.  
Frequently they are able to hire their own IT staff.  Making sure they are well versed in security should be a focus.

*        Compliance - In general a lot of the compliance security issues are solved by having non-specific good 
security, but corporations don't have FERPA and Financial Aide GLBA.

I'm sure there are others I'm either forgetting or have missed.

Carolann Lazarus
716-829-6947
lazarus () buffalo edu<mailto:lazarus () buffalo edu>

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jim A. Bole
Sent: Friday, August 23, 2019 2:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Security Awareness specifically for Higher Ed?

Cathy,

I just became part of higher ed this year when I joined Stevenson.

Before that I spend more than 15 years in private industry doing infosec, including leading a security awareness 
program for an international company with 20K employees.

Now I'm preparing Stevenson's cybersecurity awareness program for October.

I think the messages/content/priorities for higher ed are similar, perhaps nearly identical, to those for other 
orgs/industries. The threats are typically the same.

For me, the key to a successful awareness campaign is creating engaging content that clearly communicates simple 
behaviors we want our users to do.

Posters, videos, branding, social media, events, gamification, etc. are great tools. There might be some small 
differences in content and use of those tools between a university audience than a corporate audience, but nothing 
significant.

At least that's my experience so far.

Happy to discuss further.

Jim Bole
Director of Information Security
Stevenson University
1525 Greenspring Valley Road
Stevenson, MD, 21153-0641
jbole () stevenson edu<mailto:jbole () stevenson edu> | O: 443-334-2696






From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV 
EDUCAUSE EDU>> On Behalf Of Ullman, Catherine
Sent: Thursday, August 22, 2019 11:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Security Awareness specifically for Higher Ed?

Good morning!

I've been in some interesting conversations with some companies that create security awareness online training and 
those conversations ultimately lead to this question:

What would security awareness training specifically designed for higher ed look like?  What would be different about it 
from what is created for corporate environments?

I'd really like to gather a list of thoughts from this community to bring back to these folks at some point.  Feel free 
to reply off-list if you'd prefer.

Thanks,
Cathy


Dr. Catherine J Ullman
Senior Information Security Analyst
Information Security Office
University at Buffalo
cende () buffalo edu<mailto:cende () buffalo edu>



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community