Educause Security Discussion mailing list archives

Security Awareness Feedback

From: Melissa Guenther <mguenther () COX NET>
Date: Tue, 27 Apr 2004 09:50:20 -0700

I have been assigned a project to help determine the status of Security Awareness interventions. In such, I am polling
both individuals and groups on the question below. I am asking that you provide formal and informal information that
answers the question. Ideally, you will scrub all identifying information before sending - as a precaution, I will
recheck to make sure names and other information is removed. I will be happy to send anyone interested the final
report.

Question - Why is security awareness typically such a failure? It is mentioned in 3 places in the 7799 spec. It is
usually considered only slightly less important than policy. Yet, it seems to be uniformly poorly implemented.

Note -For purpose of this study:
There is no such thing as "Security Awareness Training." The purpose of awareness efforts is to focus attention on
security and possible adverse impacts from a security failure. Heightened awareness allows individuals to recognize
security concerns and respond accordingly.
During awareness activities the learner is a passive information recipient, while the learner in a training environment
takes on a more active role. Awareness aims to reach broad audiences with attractive packaging techniques. Training is
designed to build knowledge and skills to facilitate job performance.

Learning achieved through awareness is short-term, immediate, and specific. Training involves higher-level concepts and
skills. For example, if a learning objective is "to increase use of effective password protection among employees," an
awareness activity might involve using reminder stickers on computer keyboards. A training activity might involve
computer-based instruction in the use of passwords, especially how to change passwords for organization system.

Thank you for your consideration.

Melissa Guenther
Increasing Awareness to Improve Security
480-786-6034

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at
http://www.educause.edu/cg/.

Current thread:

Security Awareness Feedback Melissa Guenther (Apr 27)
- <Possible follow-ups>
- Re: Security Awareness Feedback Gary Flynn (Apr 27)
- Re: Security Awareness Feedback Melissa Guenther (Apr 27)