
1 Security Awareness Programs - Can One Size Fit All? Michael G. Carr, JD, CISSP, Information Security Officer, University of Nebraska; Barbara J. Hoskins, Ed.D., Asst. Dean, College of Health, Education & Human Development, Clemson University. 2005 © Univ of Nebraska & Clemson Univ, unless noted. April 3-5, 2005

2 2005 © Univ of Nebraska & Clemson Univ, unless noted Security Awareness Programs - Can One Size Fit All? 2005 © Mike Carr (University of Nebraska) & Dr. Barbara Hoskins (Clemson University). Unless noted, this work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

3 Agenda/Format
- InfoSec Facts
- Awareness Program History
- Food for thought, recommendations
Source: 2004 AOL & NCSA Survey

4 Citibank commercial on Identity Theft (© 2003 Citibank, N.A., used with permission; removed for copyright reasons)

5 We’ve all seen the commercials… We’ve all read the headlines…
- Zombies, Bots and Botnets – Computer Attacks on the Rise
- 1 in 12 messages contains the 'Mydoom' worm

6 We’ve all pointed to hacking incidents (at other institutions). We’ve enlisted experts (and sometimes even consultants!). We’ve even helped others who’ve experienced security failures 1st-hand.

7 So we’ve come up with catchy slogans and funny characters… “Passwords are like underwear…” All designed to make folks more aware of the need for diligence.

8 But despite our efforts… Systems continue to get infected with “mass mailing” viruses, or become victims of “drive-by downloads”.

9 ID Theft is also growing. In 2002:
- $47.5 Billion stolen
- 9.9 million individuals affected
- Upwards of 600 hrs over 4 years spent straightening out
Source: FTC

10 (Chart) Source: FTC, Feb 2005

11 Malware continues to hit PCs
- 2/3 of home users had not updated their virus software within the last week
- 15% reported having no antivirus software
- Nearly 20% were infected with a virus
- 63% had been hit with a virus before
Source: 2004 AOL & NCSA Survey

12 Spyware is on the rise
- 80% of home computers were infected
- 88% did not know it
- Avg infected computer had 93 components
- 95% said they never gave permission for the programs to be installed
Source: 2004 AOL & NCSA Survey

13 And despite…
- 84% had financial & health info on the PC
- 75% used home PC for banking, shopping
- 50% of home broadband users do not have a firewall (67% if dial-up is included)
- 40% of home wireless n/w are wide open!
Source: 2004 AOL & NCSA Survey

14 And then there’s…
- Illegal digital music/movie downloads
- Ownership issues relative to Podcasting
- Intellectual property theft, in general

15 And…
- Increases in password cracking
- Increases in war driving, spam, spyware, etc.
- 1% of US households fell victim to phishing attacks in early 2004
- > $400M in direct monetary losses (Consumers Union)

16 Recent BSA/ISSA InfoSec Survey:
- 65%-72% of senior executives admit being more aware of security issues
- Primarily due to news reports (e.g. ChoicePoint, Bank of America, AOL & CitiBank commercials) and unfunded federal mandates
- But only 19% of I/T staff think that employees are truly aware!
Source: Jan 2005 BSA/ISSA Information Security Survey

17 How well are Privacy Seals Recognized? (Web Shield seal image) Source: Mar 2005/Vol. 48, No. 3, Communications of the ACM

18 Recent UNLV Study: From 2002 to 2003 eCommerce sales increased > 26% ($44.3B → $56B). But consumers are generally unaware of:
- the purpose of privacy seals on websites
- what companies must do to get one
- what a genuine seal looks like!
Source: Mar 2005/Vol. 48, No. 3, Communications of the ACM

19 The need to educate and raise awareness (even more) is Paramount!

20 Our job (if we accept it) is to…
- Determine why our messages have not been getting through
- Work with educators, sales persons & marketers to develop effective campaigns → Define & measure “effectiveness”
© Paramount Pictures

21 > 15 yrs ago, the U.S. federal government recognized the relationship: Security Awareness → Ability to protect the CIA of information. Computer Security Act of 1987: required federal agencies to provide mandatory training in computer security awareness.

22 In 1989, NIST published “Computer Security Training Guidelines”. The US Office of Personnel Mgmt made these guidelines mandatory. 4 years later, US OMB required NIST to update the Guidelines (Special Publication). Originally mainframe-oriented, these were formal recognitions that security awareness training was warranted.

23 The SP only provided a conceptual framework for awareness. It lacked detailed guidance on programs: “trinkets with promotional slogans”, “awareness video tapes”, posters, flyers. “…audiences tend to tune-out and, if presented … repeatedly, the material will be ignored…” GAO even developed recommendations: “attention-getting” and “user-friendly”.

24 NIST SP “Building an Information Technology Security Awareness and Training Program” recommends metrics to measure success:
– # of security incidents or violations [1]
– the % of users exposed to awareness materials [1]
[1] Reporting may increase because of enhanced vigilance

25 NIST SP checklist
- Assess training needs
- Develop awareness & training strategy & plan
- Establish priorities
- Decide on complexity level of the message(s)
- Select awareness topics
- Maximize partnerships in development & roll-out (create ownership)
NIST initiatives & deliverables should be APPLAUDED!

26 Numerous EDUCAUSE Resources
- Security Task Force
- Cybersecurity Awareness Resources CD
- ECAR Research Bulletins
EDUCAUSE & ECAR initiatives & deliverables should be APPLAUDED!

27 However: empirical data is lacking on Security Awareness Program effectiveness.
- No call from federal govt, private industry or higher education to research the issue
- Recent Congressional hearings on cyber terrorism were void of awareness issues
- Generally accepted “codes of practice” and mgmt stds (BS7799, ISO17799) lack concrete advice on measuring awareness program effectiveness

28 “Security Awareness, Training, and Education Programs for the Enterprise” © 2005 Fred Cohen, Burton Group
- $10 to $100 per person per year
- Dedicated FTE
- Measuring effectiveness

29 “Security Awareness, Training, and Education Programs for the Enterprise” © 2005 Fred Cohen, Burton Group

30 We must do something (better). Golden (marketing) Rule: Know thy audience. Challenging, since our target audience spans 4 generations (encompassing employees, students, faculty, staff, executives, and administrators). And unlike “Tide” detergent and “Skippy” peanut butter, we probably can not afford to target niche markets.

31 But developing a single awareness program for 4 distinctive, different generations of users won’t be easy either. The latest demographic group seems to be radically different and immune to current communication methods and messages.

32 So, who are these users?
- Traditionalists
- Baby Boomers
- Generation Xers
- Millennials
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

33 The Traditionalists
- Born
- Grew up in times of war & scarcity
- Value loyalty and structure
- Approx 75 million
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

34 The Baby Boomers
- Born
- TV generation
- Optimistic yet competitive
- Approx 80 million
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

35 The Generation Xers
- Born
- PC generation
- Skeptical: downsizings & divorce
- Approx 46 million
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

36 The Millennials
- Born 1981 or after
- Internet generation
- Thrive on multi-tasking, interactivity & problem solving
- Approx 76 million
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

37 (Chart) % of U.S. Population. Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

38 The Millennials
- in 1982: More $$ spent on video games and computers than music and movies
- in 1983: Time Person of the Year: The PC
- in 1985: the CD-ROM was introduced
Millennials have always had cable TV, answering machines, remote controls, touch-tone phones, etc.
Source: Turkle, 1984, The Second Self: Computers and the Human Spirit

39 The Millennials
- They are 27% of the US population, > 50% online
- Almost 1/3 have college-degreed parents or a parent with some college education
- By age 21, 2X the time on video games as on reading
- Cell, instant & text messaging over landline
- “Digital Natives”
Source: Prensky, 2001, Digital Game-Based Learning; New Strategist Editors, 2001, The Millennials: Americans Under Age 25

40 The Millennials
- Internet: 1st choice to find something, entertainment, shop, communicate
- View traditional teaching methods as boring, slow and anything but engaging (this also includes non-interactive course mgmt systems)
Source: Prensky, 2001, Digital Game-Based Learning

41 The Millennials
- Because of gaming, they enjoy simulations, layers of activity, multi-tasking and teams
- Late 2004 → Halo 2: $125M in 1st day sales! (Spider-Man 2 had $115M its 1st weekend)
Source: Prensky, 2001, Digital Game-Based Learning

42 HALO 2 © Microsoft Corporation. Halo 2 trailer can be downloaded or viewed at halo.bungie.org/misc/halo2trailermirrors.html

43 The Millennials: forcing educators and marketers to change message and medium. US Army Future Combat Systems video. Can be viewed at

44 The Millennials: The need to update advertisements or awareness campaigns is nothing new. So, why such a fuss? (Photo: Joe Nemecheck)

45 To be fair… (Photo: Ricky Rudd)

46 To be fair… (Photo: Casey Atwood)

47 To be fair… (Photo: Ashton Lewis)

48 To be fair… (Photo: Justin Labonte)

49 The Challenge
- Many Millennials lack the desire to learn about computer systems (and security)
- Many believe they know enough already
- They expect educational and training experiences to be dynamic, challenging, flexible, innovative, and interactive (problem solving)
- They expect quick responses to their inquiries
Source: Lancaster & Stillman, 2001, When Generations Collide

50 The Challenge: Purely educational environments may be able to adapt to these demands. Can compliance be realized via games, online contests & animated spokespersons targeted at the Millennials?

51 The Challenge: What can we do to ensure that “cartoonish” or gaming-oriented awareness programs stand out? Can we develop programs that are received, understood and followed when the target medium is a cell phone?

52 The Challenge: And what about the other three generations of computer users? We can’t expect programs designed for Millennials to be effective for others (and vice-versa).

53 The Challenge
- It’s time for collaboration
 – Teachers College + Behavioral Sciences + Business College + CompSci Programs
 – Sales, R&D, Marketing & I/T Depts
- It’s time for research
- It’s time for results!

54 The Challenge: Take the same skills and ingenuity that gave us “new math”, “Can you hear me now?” and “Where’s the Beef?”…

55 The Challenge: …and build comprehensive information security awareness programs that will modify behavior in all computer users, with measurable results!

56 In conclusion…
- It won’t be easy
- It won’t be cheap
- Consequences of not acting are even less attractive
- But it can be done!
© Paramount Pictures

57 Po$$ible Approache$:
External Resources
− NSF, NSF Cyber Trust Grants
− Dept of Homeland Security, MS-ISAC
− President’s I/T Advisory Committee
− EDUCAUSE, ECAR
− National Institute of Standards & Technology (NIST)
Internal Resources
− Interdisciplinary Team & Task Force(s)
− National Cyber Security Alliance (NCSA)
− Class Projects & Graduate Dissertations
− National Centers of Academic Excellence in Information Assurance Education (CAEIAE)

58 Some Good Awareness Programs: [1]
- Univ of Arizona
- Univ of N. Texas
- George Mason Univ
- Oklahoma Univ
- Univ of Georgia
- Univ of Tennessee
- Indiana Univ
- EDUCAUSE
- Univ of Maryland [2]
[1] not an exhaustive list!
[2] out of the College of Education – Technology Outreach
Unfortunately, hard evidence on “effectiveness” is still lacking.

59 Aspects of Good Awareness Programs:
- New employee orientation, and
- Annual reminders of responsible use, etc., and
- All-encompassing InfoSec Policy/Procedure, and
- Posters & “Awareness Days” (April ?, October ?), and
- Vulnerability scans/tests, and
- Training, training, training, and
- Periodic press releases, articles, status reports, and
- Executive support, and
- Regular staff discussions, and on and on and on…

60 So, until empirical data exists:
- Know that something is better than nothing
- Realize that your entire audience may not “get it”
- And consider:
 – Tracking incidents by generation, and
 – Modifying your message & medium accordingly

61 Security Awareness Programs - Can One Size Fit All? Michael G. Carr, JD, CISSP Information Security Officer University of Nebraska Barbara J. Hoskins, Ed.D. Asst. Dean, College of Health, Education & Human Development, Clemson University 2005 © Univ of Nebraska & Clemson Univ, unless noted April 3-5, 2005

