Educause Security Discussion mailing list archives

Re: Mandatory Security Training in Higher Education


From: Gary Flynn <flynngn () JMU EDU>
Date: Thu, 19 Oct 2006 15:04:11 -0400

When any faculty, staff, student, or affiliate activates their
campus account for the first time, they are taken through a
series of web pages and quizzes covering elementary security
awareness material.

When a person subsequently changes their password, which they
must do at least every 90 days, they are taken through a
different set of web pages that are updated as circumstances
and threats warrant. There is no quiz on this material so there
is nothing stopping a person from clicking through it and
responses to an automatically sent follow-up survey indicate this
is not uncommon. Other responses, however, indicate the material
is being taken seriously.

The material consists of static web pages in a session whose
flow is controlled by Mason. The material is not publicly
accessible at this time for a variety of technical reasons
that haven't been a priority to resolve.

We have been writing the content in-house. We've discussed
the pros and cons of getting professional teaching and
presentation help several times but haven't yet taken
that step.

Every time someone goes through the material, they are sent an
e-mail message with links to resources mentioned or displayed
in the content, a link to the content itself, and a link to
a web-based survey. The survey asks about convenience,
relevance, difficulty, and effectiveness and solicits
suggestions. Most of the responses are supportive of the
program with a fair number of complaints and a small number
of colorful responses. Switching the password change policy
from 190 days to 90 days increased the complaints somewhat so
we're making an effort to cut down the amount of material and
refresh it more often.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
