Developing a SecurityAwareness Strategy

Gavin van NiekerkPrincipal Consultant

Topics

Awareness as a survival techniqueSuccess factorsApproachPrinciples: the “ABCs”ContentTechniquesToolsMeasurement and evaluationResources

Survival

Being alert to danger signals, and responding quickly, often is the difference between surviving…and not

Your Staff: Cost-Effective!

First to be affected during incidentCompliance with policy can make or break any security programAwareness helps to—

Become your organization’s detection instrumentsMake security reflexivePrevent incidentsMitigate damage if something happens

How to Spend a Dollar?

Policy

Awareness

Risk Assessment

Technology

Process

Success Factors

Success Factors

Information security policySenior-level management support and buy-inProgram’s focus that security, at its core, is a people problemGoals (short-, intermediate-, and long-term)Audience profilesMotivational techniques

Information Security Policy

Clarify and document management’s intentionSet expectations and guide behaviorEffective policies state—

GoalsResponsibilitiesAllowed behaviorProhibited behaviorPenalties

Helps deal with certain personality types…

Awareness Policy

Increases credibility and visibility of entire information security programShould establish—

That participation in awareness program is mandatoryThat everyone will receive enough timeWho is responsible for conducting the program

Senior-Level Sponsorship

A proper budget—Prevents middle management from denying requests to fund securityAllows for the time with no “bottom line” obviousness

Lead by exampleExecutives must themselves be bound by policyExemptions cost money, blow the budget!

Affirm security staffSupport those charged with enforcing policiesEspecially important when security and convenience conflict

It’s a People Problem

Don’t succumb to the urge to change conditions to force the outcome you want

While we can use technology to mitigate some risk, it really depends on the cooperation of all the users

If people don’t understand, or opt not to participate, the whole security program weakens

Be: specific, realistic, measurable

Goals

Practice, reinforce, repeat, automateMake it reflexive to “think security”

Reinforce desired (often already known) behaviorGradually change undesired behavior

Teach what happens in the event of a failure

Audience Profiles

Everyone, from summer intern to CEO, requires the same level of security awareness

Methods, however, should varyNeeds: group by levels of computer experience

Jargon vs. analogiesRoles and interests—

Users: Will it help me work better? Will it affect my performance review?Managers: How much will it cost? What return?Technicals: Is it authoritative and in the right language?

Use surveys to find out what motivates

Art of Mmotivations

Some behaviors simply must changeSharing passwordsExchanging confidential dataBelief that “hacking” is “cool”

Appeal to—The damage a breach often causesOrganizational recognition for protecting informationFact that attacking is a crime (that often hurts people)Desire to belong to group that shuns harmful actionsCourage it takes to resist peer pressure (rules are good!)

Dribble it out…don’t overwhelm

Don’t Rely Only on Fear

More important to emphasize—Thinking about security in a new wayHow to avoid danger

Potential pitfallsLosing the audience’s attentionAlienating the audienceOverdoing it

Approach

Media Campaign

No different than any otherMessage: Why security is importantProduct: The practice of securityMarket: All employees

Research and planning produces strategyDefine program objectivesIdentify audiences (primary, secondary)Define what’s to be communicatedDescribe benefits to audience

Media Research

Observation, surveys, tests, interviewsHelp desk statistics and trends

How many password resets per week/month/…?IT staff knows your systems, ask—

“How would you break into it?”“Are breaches predictable?”

Use focus groups to test your message

“If I had six hours to chop down a tree, I’d spend the first five sharpening the ax.”

—Abraham Lincoln

Sharpening the Ax

Plan is essentialCan be short and succinct—

Status of current effortsGoals and objectivesHow progress will be measuredActions, by whom, when

Good plans—Allow for faster reactionTake advantage of current events in the newsCoordinate around a theme

Awareness Principles

Appeal to target audienceKnow their existing values and motivationsStart where they are, move to where you want them

Attention-gettingIt’s a prerequisite to learningUse clever slogans, eye-catching images

“A”

SamplBasic (simple, memorable)Sets stage for training, shouldn’t be complexTake away fear and ignoranceFoster recognition there’s a problem and that people are the solution

Buy-in is better than coercionContributors to awareness program are more likely to accept and follow controlsGet feedback for every suggestion; lack implies “no management interest”

“B”

ContinuingPersistence and repetition are importantVary methods used

CredibleClear, relevant, appropriateHave 15 passwords? Write them down—and protect the list

CurrentMaterial must always be fresh“Smell like the tide, not like the fish”

“C”

Content

Risks

Teach: “What does a threat look like?”How to detect unauthorized activity

Busy toll-free: popular? full circuits? attacked line?Typical risks

Malware types and how it is damagingShared risk principles (my risk spreads across network)Impact of distributed attacks (DDoS mostly)Privacy and confidentiality issuesScope of embedded hardware/software vulnerabilities

Tailor to audienceRemote access, for instance

Basic Countermeasures

Security procedures and processesPersonal practices

Passwords—length, reuse, expirationE-mail attachmentsFile transfers and downloads

Reporting proceduresPotential or actual security eventsWho to?How to? Telephone, e-mail, even fax

Responsibilities

Emphasize—Security is everyone’s responsibilityManagement has made it a priorityIt applies to everyone equally

Make system or organizational codes of conduct discoverable and readable

Contact InformationWho • Phone numbers, e-mail addresses, web sites

• Security staff, incident handlers, help deskWhat • Affected computers and operating systems

• Symptoms• Date/time/duration of incident• Active connections• Observed damage, actions taken

How • Method of reporting problem• Out-of-band of affected system

When • Report now? Or wait a while?• Potential damage vs. business impact

Techniques

Start with a Bang

Notwithalongdryboringintroduction

Thatenumerateseverylawregulationpolicystandardguidelineorrequirement

Reactions

“I never thought of it that way.”“That surprises me!”“What a great idea!”“I’d almost forgot about that…”“I can use this.”

Logos and Images

Images have more power than wordsLook for colorful designs that catch the eye and burn into the brainEven animation can help

What wouldhappen ifsomeonechanged

your data?

Wyad cinxsafper efstmxunekhopgel

joor deko?

US NuclearRegulatory Agency

“Keep it clean”“Cyber Tyger”

“It’s a bug’s life”“PC Doctor”

Hospital“Prevention is

better than a cure”

Themes

Unite several concepts into a related messageChoose one that’s reflective of your businessIncorporate design elements into posters

Posters

85 3,000,000

Stories and Examples

Real people, real consequencesLong-time employees (“corporate memory”)News eventsInternet message boardsSecurity personnel

Again, tailor to audienceTheft of medical records: healthcare data processingFraud/impersonation: financial and accounting groups

Use Failure

It’s a learning acceleratorOnline awareness training—

Should provide immediate feedbackNo need to record answersGive staff something to think about

The building is on fire. As you exit the buildingin a safe and orderly manner, you are able to take either the data backups or the backup of your custom built application. Which do you take?

A. The dataB. The backup

Example

Either answer is correct; training module should inform users of thisJust like real life—not everything is easy

In the United States, which of the following activities is illegal?

A. Creating an e-mail virus B. Disrupting Internet communications C. Failing to make daily backups

Encourage Audience Involvement

Use questions—“Did you know…?”“What would you do if…”

Counter-intuitive facts work wonders

Be Surprising

Just like a piñata—good material is full of surprises

Role-play is excellentManager who doesn’t want to follow the “no tailgating” policy

Entertain, lead by exampleRetention is long lasting

User Action and Signoff

Each user signs acceptable use policy after reading

Eliminates “I didn’t know…” excusesDon’t forget periodic refreshers, too

“Noisy prosecutions,” even internally, might discourage security breaches

Also allows tracking trendsAssists identification and response

Analogies

Analogies, metaphors, similes help to associate new concepts with prior knowledgeIllustrations help reinforce the message

Sensitive data is likeprescription drugs:• used only by those who

need it• not given or sold to

unauthorized people• can damage those who

don’t need it

Passwords are likewinter underwear:• should be long

and mysterious• protect the owner• used by one person, not

a group• changed periodically

Humor

Gets attention, motivates and relaxes peopleEven influences organizational cultureBe relevant, complement the message

Otherwise your credibility suffersOK to joke about yourself or those in powerBe careful about backfiring, though

Computer virus,Destroyer of files, survivesthrough lack of scanning

Sources

Cartoons—Dilbert is canonicalHumorous definitionsLetterman-style top ten lists (“Top ten excuses for not making a backup”)Security-related poems or lyrics written to the tunes of popular songs (“The Infosec Rap”)

Learning StylesAuditory • Picks up information from hearing it

• Reached by lectures and written materialVisual • Wants to see what’s being taught

• Prefers diagrams, charts, and picturesKinesthetic • Responds well to tactile input

• Wants to walk through steps or learn by physically performing the task

Personalities

Some people ignore procedures if they don’t understand the reasons

Give them the “whys,” it’s OKGive learners the choice after an exercise

Try again?Or just receive the answer?

Some people retain better when they deduce answers themselves; others simply want to see the result and move on

Circumstances

Disaster—like a fireCan be invigorating

Current eventsCan add credibilityCheck security-related Internet news sitesReward first-discoverer “news hawk” who contributes new story to the awareness program

Recent attackAlso effective for obtaining budget

Tools

Considerations

What tools are most appropriate?What methods are most likely to be credible and appropriate for the audience?Which and how many methods are feasible, given budget and time constraints?

Internet/Intranet

Web sites on the Internet or hosted internallyConvenient for distributed organizationsAnnual refresher trainingGood for people with diverse technology experienceOwn pace, immediate feedbackFlexible, customizableReduce costs and training time

E-mail for sending alerts and newsletters

How?Why?

Screen Savers

Enable auto-locking screen saver with group policyDistribute eye-catching design

Hire a professional artistCoordinate with other awareness themes

Consider animations or even interactive triviaUpdate regularly

Sign-on Messages

Short reminder of users’ responsibilitiesChanged regularlyNote: No legal coverage

Posters

VideosGreat for orientation meetings and “brown bag” staff lunchesProvide popcorn—in bags with printed security messagesMany advantages

Consistent message throughout organizationShort and succinct: 20 minutes, no moreSave travel time and costs

But…Expensive to produce, though…US$3000/minBecome out-of-date rather quickly

Maybe produce segmented video?

Trinkets and tchochkiesPencils, pens, highlighters—“Report breaches, it’s the ‘write’ thing to do”Erasers— “Wipe out password sharing”Notepads—“Note who should be in your area and challenge strangers”Frisbees—“Our information security program is taking off”Mouse pads and inserts—with a clear cover over an area holding removable paper inserts, making the cost to change the message far less than the cost of printing new padsKey chains—“You are the key to information security”Flashlights—“Keep the spot light on security”Cups or mugs—“Awareness: the best part of SecuriTEA” (where the campaign has explained that TEA stands for training, education, and awareness)Magnets, buttons, stickers—“Stick with security”First-aid kits—“Be prepared for security”Rulers, calculators—“Security counts”Coasters, toys, hand exercisers, informational cards, and other items including posters, virus scanning software, and screen savers

Publications

Newsletters and magazinesPaper and electronic

Print stressful communications on paper, staple a facial tissue to it

Add inconvenienceIncrease user burden

Targeted brochures, pamphlets, even comic books

Inspections and Audits

Certainly raise awareness, at least during eventTry “security by walking around” (SBWA)

Catch staff doing something rightLeave behind certificates of congratulations, thank-you notes, or trinketsBe random

Try to social engineer your own workplaceReward users who refuse to complyRetest users who get duped

Conferences and Seminars

International Computer Security DayAnnually, every 30 November

“Grill Your Security Officer Cook-Out”Serve food and drink

Encourage staff to bring questions for security officers

Lectures by dynamic speakersSecurity awareness briefings

Senior executivesNew arrivals

Measurement

It’s the Price we Pay

How many received training?Attendance sheetsCourse registrationsOnline completion noticesSigned acceptable-use policies

Use empirical evidence to demonstrate effectiveness; feedback from—

PresentersAudiencesSupervisors

Audience Satisfaction

Evaluations and surveysYeah, it’s mostly a measurement of how well they liked it…but it’s a place to start

Were the materials useful?Were the activities fun and memorable?Was the information relevant?Can you use it on your job?Any suggestions for improvement?

Learning Effectiveness

Pre-tests measure prior knowledgePost-tests measure what the audience rememberedBoth useful for tailoring future programsPre-test important: it’s how you measure improvement after the training!

Skill Transfer

Gather input from outside evaluatorSupervisor, practitioner, incident handler, help desk

Measure improvements with—Follow-up interviewsWalk-through testingHelp desk and incident reporting statisticsAudit findings

Must acquire a pre-training baseline

Pre- and Post-Observations

Passwords—test with cracking programLocked workstations—check during lunchSurvey of attitudes and knowledge

Whom to report incidents to?Take-home policy for old software?

Monitor actual numbers and types of incidentsAn increase is probably a sign that the awareness program is working—not that there are suddenly many more attacks!

A slide outlining the 2009 evaluation process and prizes will be provided closer to the event.

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.