IWS - The Information Warfare Site

Security Awareness Toolbox

'The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.'

Kevin Mitnick

'The Coming Third Wave of Internet Attacks: The first wave of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and its meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems. Always remember: amateurs hack systems, professionals hack people.'

Bruce Schneier

Latest Addition

DoD Information Systems Security Awareness CBT, October 2007

A Users’ Guide: How to Raise Information Security Awareness, ENISA - European Network and Information Security Agency, August 2006

ENISA has published ‘A Users’ Guide: How to Raise Information Security Awareness’. The Guide features step-by-step practical advice for Member States on how to “kick start” planning, organising and running information security awareness raising campaigns targeted at different audiences (e.g. home users and SMEs), including a series of steps and recommendations.

The Guide emphasises three key recommendations for success:

1. Effective Communication Planning. A communication strategy is at the centre of any awareness programme, based on communication goals and principles, and aligned with target group needs;

2. A Change Management Approach (i.e. targeted communications, involvement, training and evaluation). Applying a change management approach is crucial for awareness raising initiatives as it helps close the gap between a particular issue and human responses to the need to change;

3. Measurement of the value of awareness programmes. Campaign evaluation is essential for understanding effectiveness and making adjustments. Four main categories have been identified against which to measure security awareness:

* Process Improvement

* Attack Resistance

* Efficiency and Effectiveness

* Internal Protections

Main Documents
Documents courtesy of Melissa Guenther.

Accelerated learning sample for Security Awareness session - A fun way to let adults learn and become aware using experiential learning concepts. Adults learn best when you frame what they do not understand around something they already know. Security can be fun - and then be more effective!

Behaviour Change SA Tool - A tool to utilize when using a Strategic Plan Model in your Security Awareness efforts. This tool helps you determine the desired future state, assess the current reality and identify the gaps between the two.

How To Backup Data From Your Workstation: A How To guide on Options and Methods - One of the most important data management functions you need to perform regularly is the backing up of your unique data. It is imperative that you develop a scheduled method that works for you and allows you to efficiently backup your information. This "how to" guide provides various ways for backing up data. When you think about the time, creativity and energy that your work took to develop and the potential for it to be lost or destroyed in seconds as a probable event, then it is easy to see why this needs to be a regular maintenance behavior. It is not a matter of "if"; it is only a matter of "when". Your workstation or its hard drive (or other component) WILL fail or accidental erasure of your unique data WILL occur.

Information Asset Classification Matrix – A sample Classification Matrix that can be used as a starting place to design your own matrix and facilitate the protection of information and employee responsibilities at three levels.

Monthly Quizzes – Various questions and answers for Physical, Personal and Information security quizzes that can be used for benchmarking and assessing results. “What does not get measured, does not get done,” or at best, ‘does not get done right.’ After all, how do you know it got done right if you do not have measurements of anything? That is why effective Security Awareness programs use measurements and benchmarking techniques to track the quantity and quality of initiatives, their impacts, and the degree to which they achieved objectives.

Motivating the Workforce to Support Security Objectives: A Long-Term View (Courtesy of Donn B. Parker, CISSP) - The alternative security objective of due diligence and business enablement has far more positive potential for good motivation. Rewarding due diligence, not just unpredictable risk awareness, is the secret kept far too long.

Principles of Effective Security Awareness (SA) Communication - A SA Communication Plan is based on the following key principles of effective organizational communication.

Protecting Privacy in the New Millennium - A sample presentation created specifically for the Gramm-Leach-Bliley Act, although it can be easily modified to support similar privacy regulatory drivers.

Part 1 – Understand:
• the driving forces behind privacy regulation
• key privacy terms and concepts
• obligations under the privacy regulations
• how to perform your job functions in a manner consistent with the privacy requirements
• how to properly distribute your institution's privacy and opt-out notices in the course of customer interaction
• how to accurately address customer questions and issues regarding privacy

Part 2
• Global networks, global privacy
• GLBA Terms and Definitions

RUA Formula for Security Awareness - A three-step process to help all employees recognize potential security threats and deal with them effectively before they become an actual security breach.

Security Awareness Benchmarking and Metrics - "What does not get measured, does not get done," or at best, ‘does not get done right.’ After all, how do you know it got done right if you do not have measurements of anything? That is why effective Security Awareness programs use measurements and benchmarking techniques to track the quantity and quality of communication, its impact, and the degree to which it achieved its objectives.

Security Awareness Days – Security Awareness is every day, but individuals and groups have established specific date(s) to provide opportunities to focus on security behaviors. The purpose of this document is to provide information to help differentiate between the multiple Security Awareness Day(s), their purpose, and links to more information on each. As stated previously, every day is security awareness day; it is not an either/or situation.

Security Awareness Incident Response Scenarios: Experiential Learning for Meetings or to Supplement Presentations – A series of scenarios that can be used as experiential learning for meetings or to supplement presentations. They provide participants an opportunity to try on new behaviors in a safe setting; the dialogue that is always part of these is even more beneficial.

Security Awareness Perception Survey and Measurement, Zero Incident Culture: Often, people will act the way they feel and by their perceptions. By measuring key areas critical to cultural climate, interventions can be made in proactive ways to improve your overall security efforts.

Measuring critical components of your security efforts can improve your own programs and processes and develop a strategy for continuous improvement.

A few key dimensions that would be measured include: management support, coaching, supervisory support, training, and tools and equipment. There are 12 dimensions in all.

When you begin to measure these areas, you can start to move ahead with a well thought out plan of action. This form of measurement will help to: 1) Increase management visibility and gain support; 2) reduce costs through more focused efforts; 3) form baselines for ongoing improvements; 4) increase accountability for supervisors and managers; and 5) improve employee relations by allowing workers to be "part of the process."

Measuring your security climate (or Zero Incident Culture) makes good business sense and can help move your efforts in the right direction. By measuring key indicators, "before incidents occur," you can make very good use of a proactive "up-stream" measure that can become integral to your long-term success.

Security Awareness Program - Whether it's checking e-mail, answering a telephone, or logging off for the day, employees must be encouraged to think security into every action they take and every decision they make. Only when security becomes second nature will it become truly effective.

Activities have been developed that meet the purposes of the Security Awareness Program (i.e., heighten your awareness, develop your skills and remind you of Company policies and procedures). Because the awareness program is dynamic and designed to evolve in order to meet the future needs of the Company and employees, and to address the issues that arise due to rapidly advancing information technology, current activities will need to be modified or new activities will be developed to maintain program relevancy. This model integrates a feedback mechanism into the program to allow continuous integration and promote ownership.

Employees are more likely to forget or ignore advice that has no relevance to their job, and "one lesson for all" just doesn't work. It's therefore important that employees make the connection between the lessons taught and the task at hand. For example, employees involved in accounting or transaction processing in a business that takes on-line credit card orders are far more likely to remember security lessons focused on protecting credit card files and personal customer information and on privacy issues.

Security Awareness Quiz Questions – Similar to the monthly quizzes above, but formatted to support on-line assessments. As stated before, how will you ever know if you are successful unless you measure your progress?

Security Awareness Workshop Trainer Notes Version 1.0 – This is a template that can be used for Train-the-Trainer sessions (for those who might be delivering the security awareness sessions). Again, it is intended to be a template and used as a springboard for your own ideas, although this session was very successful.

Security Checklist for Teleworkers - A chain is only as strong as its weakest link. It's a well-worn cliché, but it's an important one to bear in mind when you're thinking about the security of your network. Teleworking can open a huge gap in a security fence; teleworkers frequently represent the weakest link. The good news is that this need not be the case. It is possible to make teleworking acceptably secure, so that the risks it presents are balanced by the advantages. Security Checklist for Teleworkers covers basic steps that need to be initiated for those who work outside the workplace.

Security Education and Awareness Communication [1.6 MB] - This presentation (actually a workbook, as it contains some security awareness tools) was given by Kelley Bogart and Melissa Guenther at the 2004 Annual Computer Security Applications Conference in Tucson, Arizona. The work contained in the presentation includes some of the collaborative efforts of the presenters while designing and implementing the University of Arizona Security Awareness campaign, which has been recognized as a best practice approach. Some of the features in their complementary team approach included:

• Off-the-shelf solutions for developing a security awareness program.
• Step-by-step methodology on how to communicate the message – how to get buy-in from the entire
• Evaluation tools and suggestions for future improvement - where and how to make updates.

Security Template for Proactive Process – A process and supporting tool that promotes thinking and planning for security at the onset of a program/process.

Security/Privacy Awareness Campaign Feedback Questionnaire – Security Awareness works best when it is integrated with existing programs and processes. This tool can be used to gather important information for a decentralized environment, allowing customization to meet the needs of different areas – while still aligning to the overall plan.

Security Sense - A sample handout that can be emailed or handed out face to face; it covers some simple email security suggestions. Remember, what is common sense is not always common practice!

Social Engineering – A sample presentation of comprehensive social engineering material. Objectives of this presentation include:

• Understand the principles of social engineering
• Define the goals of social engineering
• Recognize the signs of social engineering
• Identify ways to protect yourself from social engineering

Standard of Practice - This document describes the steps in positioning a Security Shift:

• Security simply used to protect information vs. enabling business initiatives with security
• Bolt-on/add-on structure to business process vs. integrating security and controls into daily business processes
• Security solutions and technology used to supplement core infrastructure vs. leveraging security technical solutions to enhance core infrastructure

In addition, it outlines standards of good practice for security efforts.

Student Security Awareness Evaluation Form – A first-level measurement tool, modeled after Kirkpatrick’s Evaluation Model and used to capture participants' reactions to any security presentation (also called “Smiley reports”). If you are interested in obtaining a report on Effective Benchmarking and Measurement options, please contact me.

Suspicious or Unusual Event Report - This form is completed when an employee reports a suspicious or unusual event related to your resources. Events may include (but are not limited to) unauthorized access of the network (from both internal and external sources), compromise of sensitive data, destruction of hardware or software, and malicious code such as viruses, worms, Trojan horses, or any other uninvited software.

Other Documents

DoD Information Systems Security Awareness CBT, October 2007

FASP Security, Awareness, Training and Education - Improves awareness of the need to protect system resources, and develops the skills and knowledge computer users need to perform their jobs more securely and build in-depth security awareness. 2000 - 2003

Information Assurance Awareness Posters, Keesler Air Force Base, 2004

Information Security Awareness Version 1.0 14 April, 2000 (© Treasury Board of Canada Secretariat 2000) Prepared by: Bruce Hunter, BEng, MEng, Government of Canada PKI Secretariat, Chief Information Officer Branch, Treasury Board of Canada Secretariat

NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, October 2003 (previous drafts)

Testimony of Kevin Mitnick, Cyber Attack: Is the Government Safe?, Senate Committee on Governmental Affairs, March 2, 2000

Useful Links

Customizable Security Guide - Defense Security Service (DSS), Employees' Guide to Security Responsibilities, Implementation Package, Automated Briefing System (ABS), Read What Others Are Saying about this Program

Indian Health Service (IHS) Computer Security Awareness Training - The Computer Security Act requires that all U.S. Government personnel who use computers as part of their work activities complete training on computer security awareness.

SANS InfoSec Reading Room Security Awareness - Most of the computer security white papers in the Reading Room have been written by students seeking GIAC certification to fulfill part of their certification requirements and are provided by SANS as a resource to benefit the security community at large.

Security Awareness Group Mailing List - The security awareness group provides a forum to discuss awareness methodologies and share information security (INFOSEC) tips. The group may also be of interest to anyone interested in learning more about INFOSEC.