Educause Security Discussion mailing list archives
Re: Security Awareness Feedback
From: Gary Flynn <flynngn () JMU EDU>
Date: Tue, 27 Apr 2004 15:56:40 -0400
Melissa Guenther wrote:
I have been assigned a project to help determine the status of Security Awareness interventions. In such, I am polling both individuals and groups on the question below. I am asking that you provide formal and informal information that answers the question. Ideally, you will scrub all identifying information before sending - as a precaution, I will recheck to make sure names and other information are removed. I will be happy to send anyone interested the final report.

Question - Why is security awareness typically such a failure? It is mentioned in 3 places in the 7799 spec. It is usually considered only slightly less important than policy. Yet, it seems to be uniformly poorly implemented.

Note - For the purpose of this study: There is no such thing as "Security Awareness Training." The purpose of awareness efforts is to focus attention on security and possible adverse impacts from a security failure. Heightened awareness allows individuals to recognize security concerns and respond accordingly. During awareness activities the learner is a passive information recipient, while the learner in a training environment takes on a more active role. Awareness aims to reach broad audiences with attractive packaging techniques. Training is designed to build knowledge and skills to facilitate job performance. Learning achieved through awareness is short-term, immediate, and specific. Training involves higher-level concepts and skills.

For example, if a learning objective is "to increase use of effective password protection among employees," an awareness activity might involve using reminder stickers on computer keyboards. A training activity might involve computer-based instruction in the use of passwords, especially how to change passwords for the organization's system.
Hi Melissa,

I interpreted "failure" in your question to mean "ineffective".

1. Because people get bored with generalities and oversimplifications they hear over and over and that they think they have covered. Or that don't apply to the task at hand. Or they get frustrated with specifics that are so numerous and changing that they can't keep up with them.

2. Because, in the haste to complete day-to-day activities, oft-heard warnings are dropped in priority to complete the task at hand. They feel pressure to get something done Right Now and take shortcuts. Or make mistakes in haste. In some sense, only controls which prohibit the undesired activity are effective against this, e.g. system-enforced password complexity rules, network access controls, limited-privilege user accounts, mail filtering, TCPA-enforced software restrictions, etc. When a person is up to their neck in alligators day after day, they tend to become inured to them so they can get the swamp drained.

3. Because while everyone agrees security is important, there is a perception that someone else is taking care of it. Some folks feel overwhelmed by the responsibility. Some folks don't realize how much it depends upon them. Some folks don't realize the compromises that need to be made to achieve a particular level of exposure.

4. Because sometimes it's not important to people until something bad actually happens to them (individually or collectively). Witness last Fall's Blaster effect on the awareness of network access filtering best practices and Windows Updates. Or the effect of losing one's Internet access on getting anti-virus software installed and infections cleaned. Or the threat of a lawsuit on copyright violations. Who would have put up with today's airline searches five years ago?

5. Superficial awareness is inadequate. At least in today's environment, which is likely to persist for at least a few years. It's only the start.

A core understanding of underlying issues must be imparted in order that the principles can be interwoven into daily activity which may change from person to person, task to task, threat to threat, or day to day. And then it has to be made a priority - by forcing it technologically, by making it an organizational priority, and/or requiring it for access.

1. A basic knowledge of what a computer is underneath all the GUIs and splash screens that have covered up what hasn't changed in the past thirty years needs to be acquired. What a program is. What it can do. What an icon is. What a server and client is. Basic architecture of email, web, and network/Internet. What a user account and password is. It doesn't have to be mind-numbingly technical. This has benefits beyond the security scope.

2. Focus on some security basics that have been around a lot longer than computers:
   a. Principle of least access
   b. Principle of defense in depth
   c. Issues of trust and authentication
   d. Complexity vs. security
   e. Need for maintenance and monitoring

3. Show the threat environment through real examples. Demonstrate a need. Make it personal.

4. Teach how to apply the basic security principles in everyday activities with an emphasis on a generic understanding rather than what icons to click or what products to install.

Is eight hours of training to protect personal and organizational information and operation too much? An hour or two is often spent teaching Word, Excel, or Windows. Why not something that will last beyond the next release?

I'll end this tirade by relating what I hope is an interesting and amusing experience that is tangentially related. I was asked to present our awareness talk at an organization which acquaints seniors with computers. One of the problems related to me in this endeavor was that the participants were scared to do anything for fear of breaking something. Unbeknownst to me, throughout the prior six weeks it was stressed that the participants should just click something if they didn't know what it was to learn about it. I spent the first half of the presentation telling what kinds of things are occurring today. The second half on protective measures. Imagine the dismay of the instructors and students when one of my bullet items was "If you don't know what it is - DON'T CLICK IT". I haven't been invited back since. :)

Gary Flynn
Security Engineer
James Madison University

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Security Awareness Feedback Melissa Guenther (Apr 27)
- <Possible follow-ups>
- Re: Security Awareness Feedback Gary Flynn (Apr 27)
- Re: Security Awareness Feedback Melissa Guenther (Apr 27)