Re: Faculty Acceptance of Security Awareness Education?

["Delaney, Cherry L." <cdelaney () PURDUE EDU>]

Good point. We have a website with helpful tips, send tips to an email that is sent out daily to staff and faculty, 
place posters around campus, run videos on the university tv,  but we don’t know how much they read it, again, they 
don’t tend to read the things sent to them. I am sure they could benefit and maybe even admit it would benefit them as 
an employee, if they would give us the chance to speak to them….

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Raymond, 
Jessica
Sent: Wednesday, November 25, 2009 11:21 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Acceptance of Security Awareness Education?

One thing we have found beneficial at our University is to provide staff with security information they can use 
personally as well as professionally.  The personal aspect drives it home for them while bringing the acceptance piece 
in.  For example, we provide training on identity theft, how to prevent it, and what to do if it happens to you.  When 
they see how the training benefits them as a person, they begin to listen how it benefits them as an employee as well.

[cid:image001.png@01CA6DC1.FFA4DA30]

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Delaney, 
Cherry L.
Sent: Wednesday, November 25, 2009 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Acceptance of Security Awareness Education?

Hugh,

I really credit you with getting a meeting with the Council of Deans in the first place. I applaud that you were able 
to get acceptance of your program but to then get them to attend an hour of content totally blows me away. I meet with 
the Chair of our University Senate (the faculty senate) nearly weekly and he continually reiterates that you can’t tell 
faculty anything or make them do anything. So I haven’t even approached them about Security Awareness “training”, a 
word they despise. They would laugh at receiving a certificate of participation. You have a very different environment 
from us.

Cherry Delaney
Security Training and Outreach Coordinator
Purdue University YONG Hall
155 S Grant Street
West Lafayette, IN  47907-2114
765-496-1288
cdelaney () purdue edu<mailto:cdelaney () purdue edu>

Work hours 8 - 5 Monday through Thursday.
NOTE: Purdue will NEVER send an email message asking users to reply with a password or other confidential personal 
information such as Social Security numbers or bank account numbers. Messages requesting such information are 
fraudulent and should be deleted.
[cid:image002.jpg@01CA6DC1.FFA4DA30]




From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Hugh 
Burley
Sent: Tuesday, November 17, 2009 2:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Acceptance of Security Awareness Education?

We have now begun our Information Security Awareness Campaign for faculty.

After being turned down for funding for an on-line program ($15,000.00 - $30,000.00/year), I began developing my own 
face-2-face program last winter. Initially I had about 200 potential slides and needed to figure out how to present 
core content in one hour.  With the assistance of a small group of ITS staff with training experience I set up an 
Information Security Awareness Training Team and managed to reduce the slide deck to its current length of 46 slides, 
which has become our Information Security Awareness Essentials presentation. This session uses TurningPoint 
Technologies audience response units, light humour, and a goodie basket to encourage interaction. Over time we have 
found that 15-25 people per session works best. Total funding for this program is $750.00. ( I have had to ask external 
departments to help fill the goodie basket.)  Each participant receives a printed Certificate of Participation which 
includes a list of 25 things they can do to improve information security on the back. Faculty are encouraged to include 
this session on their Academic Performance And Review submission.

One of the highest value additions to this campaign was when a faculty member from our Computing Department joined.  
This has enhanced the recognition of the program among faculty and improved the quality of presentations.  Prior to 
launching the campaign we presented to the Council of Deans.  This definitely helped to improve acceptance of the 
program.

I am  right in the thick of it now and am spending a great deal of time and effort encouraging participation.  Our goal 
is to have approximately 1/3 of on campus faculty (~200), participate before January 2010.  This week we are running 
six sessions and in December and we are planning to present another six to eight sessions.

Other awareness building tools this year have included poster campaigns, a Cyber security awareness table in October, 
and maintaining an Information Security website.    All of which have been modestly successful.

Best of luck with your program.

Regards,


Hugh Burley
Thompson Rivers University
ITS - Senior Technology Coordinator
[cid:image003.png@01CA6DC1.FFA4DA30]
Information Security
BCCOL - 222D
250-852-6351

> > > Jon Good <Jon.Good () UCOP EDU> 28/10/2009 4:21 pm >>>
Researching a question posed by our Academic Senate leadership:

   What approaches have worked at other institutions to persuade faculty to get on the security awareness bandwagon 
[take the “training”]?


Jon Good
Director, Information Security
Information Resources & Communications
University of California Office of the President
415 - 20th Street, 3rd Floor
Oakland, CA 94612-2901
(510) 987-0518