Educause Security Discussion mailing list archives

Re: Mandatory Awareness Training Enforcement


From: Alan Andersen <andersena () HUSSON EDU>
Date: Wed, 6 Jan 2021 14:04:10 -0500

We have found training our faculty and staff very effective in reducing
the number of folks falling for phishing schemes and in making them more
aware before they click. We use a combination of annual training along with
monthly simulated phishing and monthly tips/tricks.

To start, we conducted a simulated phishing campaign to set a benchmark. I
believe it was initially around 18%. Over two years we reduced that number
to just under 5%, which is well below the national average. It doesn't mean
that we will never experience an incident of some type, but I do believe
that our efforts have made us much safer.

As far as compliance with the training goes, we do not hit 100% compliance.
Mid-90s is about as good as we get. As someone else suggested, and because
we IT folks can be black and white sometimes, I'd love to be able to
disable accounts until they complied, but culture-wise, that is unlikely.


*Alan Andersen*
IT Project Manager
*Ph: *207-941-7607 | *C: *207-852-9859
*Husson University*
1 College Circle
Bangor ME 04401






On Wed, Jan 6, 2021 at 9:34 AM Menne, Michael S <michael.menne () mnsu edu>
wrote:

How do you measure the mandated training to a reduction of risk in user
behavior?  Is the training effective at improving user behavior?



Thank you,



*Michael Menne, CISSP*

*Chief Information Security Officer*

*IT Solutions Information Security*

*Minnesota State University, Mankato*

*Phone:  (507) 389-5705*

*Cell: (507) 405-0717*

https://mankato.mnsu.edu/cyberaware






*Confidentiality Notice: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information.  Any unauthorized review, use,
disclosure or distribution is prohibited.  If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all copies
of the original message.*







*From: *The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> on behalf of Curt Kappenman <
ckappenman () ANDERSONUNIVERSITY EDU>
*Reply-To: *The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU>
*Date: *Tuesday, January 5, 2021 at 10:26 AM
*To: *"SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
*Subject: *Re: [SECURITY] Mandatory Awareness Training Enforcement



We disable the user account at the beginning of the next quarter if they
fail to complete the training.  They must contact the security department
to have their account enabled and take the required training.

Curt Kappenman



*From:* The EDUCAUSE Security Community Group Listserv <
SECURITY () LISTSERV EDUCAUSE EDU> *On Behalf Of *Pardonek, Jim
*Sent:* Tuesday, January 5, 2021 11:14 AM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Mandatory Awareness Training Enforcement



Happy New Year everyone!



I know this has been rehashed a few times, but it appears that some of the
archival information that used to be on the EDUCAUSE site is no longer
there.



I’m looking for information from schools that mandate annual information
security awareness training.



My question is what enforcement means are you using to get compliance?



This is much appreciated.



Thanks!



*James Pardonek, MS, CISSP, CEH, GSNA*

*Associate Director*

*Chief Information Security Officer*


* Loyola University Chicago  1032 W. Sheridan Road | Chicago, IL  60660 *
*(773) 508-6086*



*Loyola University Chicago will never ask you for your username or
password.*

*For the latest information security news at Loyola, please follow us
online,*

*Twitter: @LUCUISO*

*Facebook: https://www.facebook.com/lucuiso/*

*Our Blog http://blogs.luc.edu/uiso/*



**********
Replies to EDUCAUSE Community Group emails are sent to the entire
community list. If you want to reply only to the person who sent the
message, copy and paste their email address and forward the email reply.
Additional participation and subscription information can be found at
https://www.educause.edu/community