User Awareness and Education
User education and awareness is a very generic term that is often used in business today to refer to the process of 'educating' users on the company's internal computer policy. This effort often addresses company policy, best practices, security, etc. What I don't see in most of the programs I have reviewed as part of audits is the 'awareness' portion, most likely because that part takes a bit more effort. Security professionals have known for years that a vulnerability in one of our systems has the potential to become an exposure on a global scale; most users and many system administrators have yet to recognize this new dynamic. The very statement "we are a mid-size company in America, why would anyone in Asia care about our systems, even if they are vulnerable" is itself the concern.
So my question to all IT Managers out there today is "what are we trying to accomplish with this training effort?" In the past my goal was to raise the level of awareness of the users so that they can begin to understand the scale of the threats that exist on the Internet today. One website that has a great basic summary of things a user can do to improve the overall security of their computer or computers is the IS site at MIT. That article takes simple approaches, talking about technical and user practices that will aid tremendously in the overall security effort.
The title of my article today is "User Awareness and Education", as opposed to "User Education and Awareness", because I believe that user awareness is one of the most effective cybersecurity tools in our arsenal. With awareness usually comes the desire for education, to understand the why.
As an old friend used to say "This is where we have to engage the gray matter in our brain".
What say you?
tony d0t carothers --gmail
Comments
Nick
Jul 14th 2012
1 decade ago
Roughly 30% of people don't fully understand whatever training is being offered. Sometimes it just takes a lot of repetition to sink in. Sometimes they just don't care. A 30% failure rate means the bad guys now have to send just three or four emails total in order to be assured that one gets through. Big deal.
Even worse, no one ever gets dinged in a performance review because they clicked on a link or went to a search engine result that took them to a bad site. It's simply not a job requirement that affects their performance rating. Their real work is what matters in performance reviews.
Security awareness training is at best a minor control, if it can even be called a control. Any process that has a 30% or so failure rate is actually out of control.
JJ
Jul 15th 2012
1 decade ago
Last week, I sent out the following email:
"
Hello all,
The purpose of this Email is to continue to raise awareness about computer and information security.
This would be the first Email for a few of you newcomers to Company, and may be the second this year for you old timers.
Making security news today is analysis of a statement released by the European Network and Information Security Agency, about a report [1] released by McAfee and Guardian Analytics about the state of banking web site security.
A prominently meaningful statement in Brian Krebs's analysis [2] is:
"Many simply urge customers to follow security advice that is increasingly quaint and irrelevant: Use firewall and antivirus software; don’t respond to phishing emails; pick complex passwords and change your password often… I'm not saying antivirus software is completely useless, just that users should behave as though it is."
I agree with Krebs, and when dealing with the challenge of data security, it is best to always act exactly this way; to behave as if all the security mechanisms that are in place are useless.
This means that you should consider your hard work an asset worth protecting. Consider where you expose this and other data.
Pragmatically, continue to follow the three magic rules:
• Never click on links you are unfamiliar with.
• Never download files where you are unsure of the contents.
• Never install software that is from an unreliable source.
But also, consider the following:
• Don't send highly sensitive data over Email, IM, or other mechanisms that involve third parties.
• Beware of data transport. If you bring data from the outside into our network, consider that other computers might be compromised.
Feel free to pose questions as to what you can do to solve these security challenges while maintaining a good work flow.
As always, if you have any questions, reach out and grab your closest IT professional."
[1] http://www.mcafee.com/us/resources/reports/rp-operation-high-roller.pdf
[2] http://krebsonsecurity.com/2012/07/eu-to-banks-assume-all-pcs-are-infected/
The hardest thing to do when communicating to raise awareness is to balance being the good Cop, the bad Cop, and being the scary/overly power hungry IT guy that everyone dislikes.
I frequently try to create a separation between people, their work, and their ability to use "network resources, such as the Internet" to improve their work flow. It reminds me of how I felt when I sat down at my University and was exposed to LexisNexis for the first time. It's a resource, a separate system. It's not for Facebook, Gmail, to play flash games, etc.
I also use the phrase "You are the last firewall to protect our network and systems," to put more ownership and responsibility on the user themselves.
mbrownnyc
Jul 16th 2012
1 decade ago
Alex
Jul 16th 2012
1 decade ago
Chris
Jul 17th 2012
1 decade ago
I had an example of this last week, when a user, asked when they last used this item (an old USB drive from about the 2004-6 timeframe), gave a response that made my eyes water. "I couldn't even tell you what that is for or where to put it in." WTF??? RIGHT?
Truth is he knew exactly what it was because, unless I missed a millennia jump somewhere, quantum bit transfer through the air is still Sci-Fi.
My point is that we are seasoned, obviously as we are reading this, and therefore what we consider informed. We are not, however, anything like the masses. Just ask your grandmother to change her password to a 16 character complex one or explain to you her backup strategy and she will as likely punch you in the mouth as be able to give you any answer --- EVER.
I think that we take too much credit at times for being educated and not enough credit for educating, correctly. I like the MIT version of the top ten but remember that MIT is for REALLY smart people and if you tell end-users to go to an MIT site and do anything there, their eyes will haze over faster than an Absinthe induced drunken stupor.
So, what is your point, you are asking??? We as professional IT engineers, admins, guru spectral phenoms are still a rare breed that, more often than not, haven't the ability to talk to users in a language they understand.
We need to come up with language and education practices that meet their level of competency and then dumb it up a little more. Secondly, we need to learn, fluently, that language. We need to remember that docking clerks, administrative assistants, Tier one help desk, janitorial services, volunteers and anyone that has graduated recently from college with a degree in computer sciences that never logged into any *nix flavour or managed anything larger than their own dorm-room NETWORK, are still only 30% of the 99% of corporate Users we will have to run across and assist.
Each day gives us an opportunity to grow as professionals. If we do not enable our User base with the right education, we secure our future as hair on fire, the whole damn network is down, why the hell did this happen to our mid-level America corporation that no one gives a shite about in Brazil (good point to point out for Sony PS users too). Well, Mr. CEO of midlevel America Corporation, sir, you cannot click on the hyperlink in the email telling you your corporate banking card password is bunk and we need you to tell us all about yourself and your network so we can verify you are who you think you are telling us you are, emails. I thought I made that clear last week. Oh, ok so maybe I didn't.
End Rant.................
Stryker
Jul 17th 2012
1 decade ago
Stryker
Jul 17th 2012
1 decade ago
We just received an email from our Director of Software Development. The screenshot is the MS Run Advertised Programs window and his question is "Should I run this? The window just popped up on my desktop."
Well there you go. Highly educated yet still the question remains.
At least he asked. Right???
Remember before giving someone enough rope to hang themselves, be sure they do not have a roll of Duct tape.
Stryker
Jul 17th 2012
1 decade ago
As I mentioned to them, we need to lose the word "training" at the end of "Security awareness" because it is something that you can't train someone on. They need to adopt it as a lifestyle. It's a tough battle we face with the digital immigrants :)
Nick
Jul 17th 2012
1 decade ago
My point is that if a mentality shift, paradigm shift or just a plain "No-Shite" shift in the approach to what the corporate world does to ensure the major portion of their workforce has the knowledge is to ever take place, some sort of pre-employment and then again yearly re-certification (this happens in many of the DoD organizations I work with now) can have major and positive advances into how we as people start looking at what we do and how it impacts the overall organizations. Create a two day seminar, unpaid and mandatory, like background and urine tests, that takes the prospects through the designed daily exercises, pitfalls of lax attention to detail and steps to do in the event of a cock-up.
I created a call-center training program for a company in the cable internet business in 1999-2000. I called it the "Grandma approach" to customer service. I also worked with the network team to create what I still consider the best Tier 1 support package in the industry. Give them ALL of the tools to do their job and empower them to ask, input and then do the job. I also implemented this pre-employment seminar for them. They are still one of my most valued clients and one of the happiest Call Center NOC elements in the world.
My point, and I believe Nick has it as well, is that when you make people engage into their own success, they succeed. When you give them easily understood tools that are not only good for the company but are transparently transferable into their own personal lives, they accept it as a free gift from you. When you let them engage you, at their level, and you interact in return, at their level, they are grateful and feel valuable. We have an opportunity and I think an obligation to make our world a better place. How we approach that is as vital as the end result we are talking about and in the business to do. I want my children, grandchildren and their children and grandchildren to live in a safer and more life giving world. What we see today scares the crap out of them and that makes me more and more focused on doing whatever it takes.
What can one do to make the world a better place? What can one Engineer do to make the workplace a better place? Take one step closer to someone that needs our assistance and see how fast it starts to change.
Stryker
Jul 18th 2012
1 decade ago