methods that will most effectively minimize the ability
of intruders to compromise information
security are comprehensive user training and education.
Enacting policies and procedures simply won't suffice.
Even with oversight the policies and procedures
may not be effective: my access to Motorola, Nokia,
ATT, Sun depended upon the willingness of people
to bypass policies and procedures that were in
place for years before I compromised them successfully.'
Coming Third Wave of Internet Attacks: The first
wave of attacks targeted the physical electronics.
The second wave - syntactic attacks - targets the
network's operating logic. The coming third wave
of attacks - semantic attacks - will target data
and its meaning. This includes fake press releases,
false rumors, manipulated databases. The most severe
semantic attacks will be against automatic systems,
such as intelligent agents, remote-control devices,
etc., that rigidly accept input and have limited
ability to evaluate. Semantic attacks are much harder
to defend against because they target meaning rather
than software flaws. They play on security flaws
in people, not in systems. Always remember: amateurs
hack systems, professionals hack people.'
DoD Information Systems Security Awareness CBT, October 2007
‘A Users’ Guide: How to Raise Information Security Awareness’, ENISA - European Network and Information Security Agency, August 2006
ENISA is publishing ‘A Users’ Guide: How to Raise Information Security Awareness’. The Guide features step-by-step practical advice for Member States on how to “kick start” planning, organising and running information security awareness raising campaigns targeted at different audiences (e.g. home users and SMEs), including a series of steps and recommendations.
The Guide emphasises three key recommendations for success:
1. Effective Communication Planning. A communication strategy is at the centre of any awareness programme, based on communication goals and principles and aligned with target group needs;
2. A Change Management Approach (i.e. targeted communications, involvement, training and evaluation). Applying a change management approach is crucial for awareness raising initiatives, as it helps close the gap between a particular issue and human responses to the need to change;
3. Measurement of the value of awareness programmes. Campaign evaluation is essential for understanding effectiveness and making adjustments. Four main categories have been identified against which to measure security awareness:
* Process Improvement
* Attack Resistance
* Efficiency and Effectiveness
* Internal Protections
courtesy of Melissa Guenther,
learning sample for Security Awareness session - A
fun way to let adults learn and become aware using experiential
learning concepts. Adults learn best when you frame what
they do not understand around something they already know.
Security can be fun - and then be more effective!
Change SA Tool - A tool to use when applying a
Strategic Plan Model in your Security Awareness efforts.
It helps you determine the
desired future state, assess the current reality and identify
the gaps between the two.
To Backup Data From Your Workstation: A How To guide on
Options and Methods - One of the most important
data management functions you need to perform regularly is
the backing up of your unique
data. It is imperative that you develop a scheduled method
that works for you and allows you to efficiently back up your
information. This "how to" guide provides various
ways for backing up data. When you think about the time,
creativity and energy that your work took to develop and
the potential for it to be lost or destroyed in seconds as
a probable event, then it is easy to see why this needs to
be a regular maintenance behavior. It is not a matter of "if";
it is only a matter of "when". Your workstation
or its hard drive (or other component) WILL fail or accidental
erasure of your unique data WILL occur.
Asset Classification Matrix – A
sample Classification Matrix
that can be used as a
starting place to design
your own matrix and facilitate
the protection of information
and employee responsibilities
– Various questions and answers for
Physical, Personal and Information security quizzes
that can be used for benchmarking
and assessing results. “What does not get measured,
does not get done,” or at best, ‘does not get
done right.’ Because,
how do you know it got done
do not have
is why effective Security Awareness
programs use measurements
and benchmarking techniques
the quantity and
quality of initiatives, their
impacts, and the
degree to which
they achieved objectives.
the Workforce to Support Security Objectives: A Long-Term
View (Courtesy of Donn B. Parker, CISSP) -
The alternative security objective of due diligence and
has far more positive potential for good motivation. Rewarding
due diligence, not just unpredictable risk awareness, is
the secret kept far too long.
of Effective Security Awareness (SA) Communication -
An SA Communication Plan is based on the following key principles
of effective organizational communication.
Privacy in the New Millennium - A sample presentation
created specifically for the Gramm-Leach-Bliley Act,
although it can be easily modified to support
similar privacy regulatory drivers.
Part 1 Understand:
• the driving forces behind privacy regulation
• key privacy terms and concepts
• obligations under the privacy regulations
• Perform your job functions in a manner consistent with
the privacy requirements
• Properly distribute your institution's privacy and opt
out notices in the course
of customer interaction
• Accurately address customer questions and issues regarding
• Global networks, global privacy
• GLBA Terms and Definitions
Formula for Security Awareness - A three-step process to
help all employees recognize potential security threats
and deal with them effectively before they become an actual
Awareness Benchmarking and Metrics - "What
does not get measured, does not get done," or at best, ‘does
not get done right.’ Because,
how do you know it got done right if
That is why effective Security Awareness
programs use measurements and benchmarking
the quantity and quality of communication,
its impact, and
the degree to which it achieved its
Security Awareness Days – Security
Awareness is every day – individuals and groups have
established specific date(s) to provide opportunities to
focus on security behaviors. The purpose of this document
is to provide information to help differentiate between
the multiple Security Awareness Day(s), their purpose,
and links to more information on each. As stated previously – every
day is security awareness day – it
is not an either/or
Awareness Incident Response Scenarios Experiential
Learning for Meetings or to Supplement Presentations – A
series of scenarios that can be used as Experiential Learning
for meetings or to supplement presentations. They provide
participants an opportunity to try on new behaviors in
a safe setting – the
dialogue that is always
part of these
is even more
Security Awareness Perception Survey and Measurement, Zero Incident Culture: Often, people will act the way they feel and by their perceptions. By measuring key areas critical to cultural climate, interventions can be made in proactive ways to improve your overall security efforts.
Measuring critical components of your security efforts can improve your own programs and processes and develop a strategy for continuous improvement.
A few key dimensions that would be measured include: management support, coaching, supervisory support, training, and tools and equipment. There are 12 dimensions in all.
When you begin to measure these areas, you can start to move ahead with a well thought out plan of action. This form of measurement will help to: 1) Increase management visibility and gain support; 2) reduce costs through more focused efforts; 3) form baselines for ongoing improvements; 4) increase accountability for supervisors and managers; and 5) improve employee relations by allowing workers to be "part of the process."
Measuring your security climate (or Zero Incident Culture) makes good business sense and can help move your efforts in the right direction. By measuring key indicators, "before incidents occur," you can make very good use of a proactive "up-stream" measure that can become integral to your long-term success.
Awareness Program - Whether it's checking e-mail, answering a telephone, or logging off for the day, employees should be encouraged to think security into every action they take and every decision they make. Only when security becomes second nature will it become truly effective. Activities have been developed that meet the purposes of the Security Awareness Program (i.e., heighten your awareness, develop your skills and remind you of Company policies and procedures). Because the awareness program is dynamic and designed to evolve in order to meet the future needs of the Company and employees, and to address the issues due to rapidly advancing information technology, current activities will need to be modified or new activities will be developed to maintain program relevancy. This model builds a feedback mechanism into the program to allow continuous integration and promote ownership.
Employees are more likely to forget or ignore advice that has no relevance to their job, and "one lesson for all" just doesn't work. It is therefore important that employees make the connection between the lessons taught and the task at hand. For example, employees involved in accounting or transaction processing in a business that takes on-line credit card orders are far more likely to remember security lessons on protecting credit card files and personal customer information and on privacy issues.
Awareness Quiz Questions – Similar
Awareness Workshop Trainer Notes Version
1.0 – This is a template that can be
used for Train-the-Trainer (those
that might be doing the security awareness sessions)
Again, it is intended to be a template and used
as a springboard for your own ideas – although
Checklist for Teleworkers - A chain is only as strong
as its weakest link. It's a well-worn cliché, but
it's an important one to bear in mind when you're thinking
about the security of your network. Teleworking can present
a huge security risk in a security fence — teleworkers
frequently represent the weakest link. The good news is that
this need not be the case. It is possible to make teleworking
acceptably secure, so that the risks it presents are balanced
by the advantages. Security Checklist for Teleworkers covers
basic steps that need to be initiated for those that work
outside the workplace.
Education and Awareness Communication [1.6 MB] - this
presentation (actually a work book, as it contains some security
tools) was given by Kelley Bogart and Melissa Guenther at
the 2004 Annual Computer Security Applications Conference
in Tucson, Arizona. The work contained in the presentation
includes some of the collaborative efforts of the presenters
while designing and implementing the University of Arizona
Security Awareness campaign, which has been recognized as
a best practice approach. Some of the features in their complementary
team approach included:
• Off-the-shelf solutions for developing a security awareness
• Step-by-step methodology on how to communicate the message – how
to get buy-in from the entire
• Evaluation tools and suggestions for future improvement -
where and how to make updates.
Template for Proactive Process – A
Awareness Campaign Feedback Questionnaire – Security Awareness works best when
it is integrated with existing programs and processes.
This tool can be used to gather important information
for a decentralized environment, allowing customization
to meet the needs of different areas – while
still aligning to the overall plan.
Sense - A sample handout that can be emailed or handed out
face to face - it covers some simple email security suggestions.
Remember, what is common sense is not always common practice!
Engineering – A sample
presentation of a Comprehensive
material. Objectives of this
• Understand the principles of social engineering
• Define the goals of social engineering
• Recognize the signs of social engineering
• Identify ways to protect yourself from
of Practice - This document describes the steps
in positioning a Security Shift -
• Security simply used to protect information vs. Enabling
business initiatives with security
• Bolt-on/add-on structure to business process vs. Integrating security
and controls into daily business processes
• Security Solutions and Technology used to supplement core infrastructure
vs. Leveraging security technical solutions to enhance core infrastructure
• In addition, it outlines Standards of good practice for security efforts.
Security Awareness Evaluation Form – a
first level measurement tool – modeled
after Kirkpatrick’s Evaluation
Model and used to capture participants’
reactions to any security presentation.
(also called “Smiley reports”) – If
you are interested in obtaining
a report on Effective Benchmarking
or Unusual Event Report - This form
is completed when an employee reports
a suspicious or unusual event related
to your resources. Events may include
(but are not limited to) unauthorized
access of the network (from both internal
and external sources), compromise of
sensitive data, destruction of hardware or
software, and malicious code such as
viruses, worms, Trojan horses, or any
other uninvited software.
DoD Information Systems Security Awareness CBT, October 2007
Security Awareness, Training and Education improves
awareness of the need to protect system resources,
as well as developing skills and knowledge so computer
users can perform their jobs more securely and build
in-depth knowledge and awareness. 2000 - 2003
Assurance Awareness Posters,
Keesler Air Force Base, 2004
Awareness Version 1.0 14 April, 2000 (© Treasury
Board of Canada Secretariat 2000) Prepared by: Bruce Hunter,
BEng, MEng, Government of Canada PKI Secretariat, Chief Information
Officer Branch, Treasury Board of Canada Secretariat
Special Publication 800-50, Building an Information
Technology Security Awareness and Training Program, October,
Testimony of Kevin
Mitnick, Cyber Attack: Is the Government Safe?, Senate
Committee on Governmental Affairs, March 2, 2000
Security Guide - Defense Security Service (DSS), Employees'
Guide to Security Responsibilities,
Implementation Package, Automated Briefing System (ABS),
Health Service (IHS) Computer Security Awareness Training - The Computer Security Act requires that all
U.S. Government personnel who use
computers, as part of their work activities, complete training
on computer security awareness.
SANS InfoSec Reading Room
Security Awareness - Most of the computer
security white papers in the Reading Room have
been written by students
seeking GIAC certification to fulfill part of
their certification requirements and are provided
by SANS as a resource to
benefit the security community at large.
Awareness Group Mailing List -
The security awareness group provides a forum
to discuss awareness methodologies and share
(INFOSEC) tips. The group may also be of
interest to anyone interested in learning
more about INFOSEC.