Educause Security Discussion mailing list archives

Re: Faculty Acceptance of Security Awareness Education?


From: "Delaney, Cherry L." <cdelaney () PURDUE EDU>
Date: Mon, 30 Nov 2009 12:19:46 -0500

I really like the informed education process - if only all could enter it with the enthusiasm that Chief Inspector 
Clouseau had with Kato. Maybe setting up a quiz with various attempts and letting the staff see how savvy they are in 
picking out the phishing attempts would be another way to help educate the staff in a friendly way and still be able to 
track how well they are doing at not falling for the sophisticated attacks.

Cherry Delaney
Security Training and Outreach Coordinator
Purdue University YONG Hall
155 S Grant Street
West Lafayette, IN  47907-2114
765-496-1288
cdelaney () purdue edu<mailto:cdelaney () purdue edu>

Work hours 8 - 5 Monday through Thursday.
NOTE: Purdue will NEVER send an email message asking users to reply with a password or other confidential personal 
information such as Social Security numbers or bank account numbers. Messages requesting such information are 
fraudulent and should be deleted.



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Matthew 
Wollenweber
Sent: Monday, November 30, 2009 12:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Faculty Acceptance of Security Awareness Education?

Terri,

That's a very reasonable concern and not an issue that I've dealt with from this side. I'm fairly new to the academic 
environment and still contemplating how we can help users with this problem since trojans are a large concern. But I 
used to do phishing before as a consultant. A huge factor is to refrain from blame or publicly singling people out. If 
you put people on the defensive they can cause problems. If you set the tone as helpful you get much better results. 
I'm friends with the phishme guys and the metrics they have are 25% of people fall for unsophisticated attacks and 75% 
fall for sophisticated attacks. In the sophisticated attack scenarios, people are basically expected to do something 
"wrong". But when most people make the mistake, it's hard to feel stupid - which is really what causes people to become 
defensive/angry. They also focus on the awareness education so it's something they deal with.

If it's something you're interested in I'd propose using small test groups and gradually decreasing your comfort level. 
Start with yourselves, then small groups inside IT, then notified individuals or volunteers. You might make it part of 
a whole program where you start with class-based education, send out notice emails, etc. Thereby everyone should have 
notice of what's to come. Most consultancies (including phishme) should listen to your concerns and plan 
accordingly. An experienced group has probably run into all the problems you can conceive and minimized them a long 
time ago.

Sorry if this reply isn't directly helpful. Your concerns are justified, but IMO can be mitigated by experience and 
proper planning.
On Sun, Nov 29, 2009 at 9:48 PM, Terri Jones <terrij () webster edu<mailto:terrij () webster edu>> wrote:
Matthew,

I looked into PhishMe, and it's pretty slick. But in discussing it with other IT managers, we really hesitate to 
"entrap" users into doing the things we tell them over and over not to do. What has been your experience with this 
aspect, and are there ways of using the service other than tricking users? I'm not trying to be troublesome, just 
looking for another perspective, as this is the impression the service gave to my colleagues.

Thanks,
Terri Jones


************************************************
Terri Jones
Director, IT Information Services
Chief Information Security Officer
Webster University
470 E. Lockwood Avenue,
St. Louis, MO 63119
terrij () webster edu<mailto:terrij () webster edu> / (314)246-7953





On Nov 17, 2009, at 11:59 AM, Matthew Wollenweber wrote:


I've thought on this problem a lot recently. I haven't yet tried to push the plan through management, but the most 
reasonable approach to me seems to be targeted and automated training. Most malware we see is the result of trojans, 
which means user interaction is generally required. When we remediate the system, it would be easy enough to sign the 
user up for a phishing/trojan awareness training through a service like phishme.com<http://phishme.com/>. That way 
users that have problems get training, training functions as a test of sorts, and it's automated so the employee isn't 
defensive about what they were doing that led to the compromise. Again, this isn't implemented but in my opinion it 
feels like an unresolved problem when we remediate a system for a trojan with little or no training/interaction with 
the user and this is the best solution I've had on the subject.



On Wed, Oct 28, 2009 at 6:21 PM, Jon Good <Jon.Good () ucop edu<mailto:Jon.Good () ucop edu>> wrote:
Researching a question posed by our Academic Senate leadership:

   What approaches have worked at other institutions to persuade faculty to get on the security awareness bandwagon 
[take the "training"]?


Jon Good
Director, Information Security
Information Resources & Communications
University of California Office of the President
415 - 20th Street, 3rd Floor
Oakland, CA 94612-2901
(510) 987-0518




--
Matthew Wollenweber




--
Matthew Wollenweber
mjw () cyberwart com<mailto:mjw () cyberwart com>
240-753-0281

