Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?

From: Ozzie Paez <ozpaez () SPRYNET COM>
Date: Mon, 30 Nov 2009 09:49:07 -0700

Terri,

You just encapsulated the greatest security challenges in any environment,
people and culture.  Security by its very nature is intrusive in what it
seeks to get people to do and not do.  I have worked in some of the most
restricted, secure environments where the culture was accepting and
supporting of high security measures; and yet security violations, often
serious, did happen and were almost always traceable to one or more people,
groups of people, departments, etc.  I have had conversations with others on
PhishMe and the issue of entrapment always comes into play.  Yet, from a
people-centric security perspective, providing feedback (even somewhat
embarrassing feedback) is critical to keeping security policies and programs
effective.  Here is one thing that may be of help:  Find someone who is
respected/liked within the ranks of professors and administrators and have
them lead the feedback sessions.  Oftentimes, not just in academia but in
private and government environments as well, those in higher positions do
not appreciate feedback from those in perceived lower positions, and that
does include security folks.  So, if you are going to brief professors and
PhDs, from a people perspective, it is better to have someone with a PhD and
professorship lead the feedback session; then have the hands-on technical
types provide more detailed, technically centric information.  Ditto in the
private sector, where oftentimes it is executives who not only violate
security policies, but actually demand that they be allowed to do so.  In
those cases, having a member of the board or very senior executive (CIO,
CFO, etc.) speak to him or her can eliminate issues of 'lower ranks'
lecturing 'higher ranks'.
BTW - One of the weakest components of all security certifications is the
lack of people-centric, culturally sensitive focus.  We can buy all the
gizmos, doodads, firewalls and everything in between, and then have all of it
made irrelevant by what those on the inside, who theoretically should know
better, end up doing.  PhishMe provides feedback on the people-level
effectiveness of parts of your programs BEFORE a crisis or embarrassment
forces change.  If you do not know how effective you are being with the user
community, then all you have, after all the expenditures, is an unproven
hypothesis.  Consider what happened at the White House with the couple that
managed to get in without an invitation last week.  For all the
recrimination and potential charges, were it not for them, those in charge
of security might not have known that they had a major people-centric
security hole until something bad happened.  In the end, regardless of what
they do with the trespassers, the security folks got unquestionable feedback
that they needed to improve their overall security posture, probably through
improved training of the security and White House staffs.  This is the
conundrum of security - you can succeed a thousand times, but it is
primarily failures (hopefully non-catastrophic) that allow professionals, if
they can set their bruised feelings aside, to identify weaknesses and make
significant improvements.

Hope it helps,

Ozzie Paez
SSE/SAIC
303-332-5363

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Terri Jones
Sent: Sunday, November 29, 2009 7:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Acceptance of Security Awareness Education?
Matthew,
I looked into PhishMe, and it's pretty slick. But in discussing it with
other IT managers, we really hesitate to "entrap" users into doing the
things we tell them over and over not to do. What has been your experience
with this aspect, and are there ways of using the service other than
tricking users? I'm not trying to be troublesome, just looking for another
perspective, as this is the impression the service gave to my colleagues.
Thanks,

Terri Jones

************************************************

Terri Jones
Director, IT Information Services
Chief Information Security Officer
Webster University
470 E. Lockwood Avenue,
St. Louis, MO 63119
terrij () webster edu / (314)246-7953

On Nov 17, 2009, at 11:59 AM, Matthew Wollenweber wrote:
I've thought on this problem a lot recently. I haven't yet tried to push the
plan through management, but the most reasonable approach to me seems to be
targeted and automated training. Most malware we see is the result of
trojans, which means user interaction is generally required. When we
remediate the system, it would be easy enough to sign the user up for a
phishing/trojan awareness training through a service like phishme.com. That
way users that have problems get training, training functions as a test of
sorts, and it's automated so the employee isn't defensive about what they
were doing that led to the compromise. Again, this isn't implemented but in
my opinion it feels like an unresolved problem when we remediate a system
for a trojan with little or no training/interaction with the user and this
is the best solution I've had on the subject.
On Wed, Oct 28, 2009 at 6:21 PM, Jon Good <Jon.Good () ucop edu> wrote:

Researching a question posed by our Academic Senate leadership:

What approaches have worked at other institutions to persuade faculty to
get on the security awareness bandwagon [take the "training"]?

Jon Good
Director, Information Security
Information Resources & Communications
University of California Office of the President
415 - 20th Street, 3rd Floor
Oakland, CA 94612-2901
(510) 987-0518
--
Matthew Wollenweber