Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?


From: Matthew Wollenweber <mjw () CYBERWART COM>
Date: Mon, 30 Nov 2009 12:07:58 -0500

Terri,

That's a very reasonable concern and not an issue that I've dealt with from
this side. I'm fairly new to the academic environment and still
contemplating how we can help users with this problem since trojans are a
large concern. But, I used to do phishing before as a consultant. A huge
factor is to refrain from blame or publicly singling people out. If you put
people on the defensive they can cause problems. If you set the tone as
helpful you get much better results. I'm friends with the phishme guys and
the metrics they have are 25% of people fall for unsophisticated attacks and
75% fall for sophisticated attacks. In the sophisticated attack scenarios,
people are basically expected to do something "wrong". But when most people
make the mistake, it's hard to feel stupid - which is really what causes
people to become defensive/angry. They also focus on the awareness education
so it's something they deal with.

If it's something you're interested in I'd propose using small test groups
and gradually decreasing your comfort level. Start with yourselves, then
small groups inside IT, then notified individuals or volunteers. You might
make it part of a whole program where you start with class-based education,
send out notice emails, etc. Thereby everyone should have notice of what's
to come. Most consultancies (including phishme) should listen to your
concerns and plan accordingly. An experienced group has probably run into
all the problems you can conceive and minimized them a long time ago.

Sorry if this reply isn't directly helpful. Your concerns are justified, but
IMO can be mitigated by experience and proper planning.

On Sun, Nov 29, 2009 at 9:48 PM, Terri Jones <terrij () webster edu> wrote:

Matthew,

I looked into PhishMe, and it's pretty slick. But in discussing it with
other IT managers, we really hesitate to "entrap" users into doing the
things we tell them over and over not to do. What has been your experience
with this aspect, and are there ways of using the service other than
tricking users? I'm not trying to be troublesome, just looking for another
perspective, as this is the impression the service gave to my colleagues.

Thanks,
Terri Jones


************************************************
Terri Jones
Director, IT Information Services
Chief Information Security Officer
Webster University
470 E. Lockwood Avenue,
St. Louis, MO 63119
terrij () webster edu / (314)246-7953

On Nov 17, 2009, at 11:59 AM, Matthew Wollenweber wrote:

I've thought on this problem a lot recently. I haven't yet tried to push
the plan through management, but the most reasonable approach to me seems to
be targeted and automated training. Most malware we see is the result of
trojans, which means user interaction is generally required. When we
remediate the system, it would be easy enough to sign the user up for a
phishing/trojan awareness training through a service like phishme.com.
That way users that have problems get training, training functions as a test
of sorts, and it's automated so the employee isn't defensive about what they
were doing that led to the compromise. Again, this isn't implemented but in
my opinion it feels like an unresolved problem when we remediate a system
for a trojan with little or no training/interaction with the user and this
is the best solution I've had on the subject.

On Wed, Oct 28, 2009 at 6:21 PM, Jon Good <Jon.Good () ucop edu> wrote:

Researching a question posed by our Academic Senate leadership:

What approaches have worked at other institutions to persuade faculty
to get on the security awareness bandwagon [take the "training"]?



Jon Good
Director, Information Security
Information Resources & Communications
University of California Office of the President
415 - 20th Street, 3rd Floor
Oakland, CA 94612-2901
(510) 987-0518

--
Matthew Wollenweber

-- 
Matthew Wollenweber
mjw () cyberwart com
240-753-0281