
Security Awareness 101 ……and Beyond




1 Security Awareness 101 ……and Beyond
“Vision without action is only a dream. Action without vision is merely passing the time. Vision with action will change the world.” - Joel Barker
Features: Off-the-shelf solutions for developing a security awareness program. Step-by-step methodology on how to communicate the message – how to get buy-in from the entire organization. Evaluation tools and suggestions for future improvement - where and how to make updates.
20th Annual Computer Security Applications Conference, December 6, 2004, Tucson, Arizona. Kelley Bogart, Melissa Guenther. (C) Copyright Melissa Guenther, LLC. All rights reserved.

2 'The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully.' Kevin Mitnick

3 'Amateurs hack systems, professionals hack people.' Bruce Schneier
'The Coming Third Wave of Internet Attacks: The first wave of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and its meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems. Always remember: Amateurs hack systems, professionals hack people.' Bruce Schneier

4 A complementary team approach
Introductions - a complementary team approach
Ms. Kelley Bogart - works for the University of Arizona's Business Continuity and Information Security Office as the Information Security Coordinator. Initial work was dedicated to policy and best practices related to Business Continuity and Information Security topics. The last two years have been dedicated to developing and implementing a Campus Security Awareness Campaign, which received international recognition. Appointed Co-Chair of the EDUCAUSE Security Awareness Task Force, an international group that focuses on IT issues and solutions specific to academia, and works directly with the National Cyber Security Alliance with regard to Security Awareness. She is currently working on a partnership agreement with Arizona Homeland Security to use UA's Awareness Campaign for a Statewide Awareness Campaign Initiative.
Ms. Melissa Guenther - Advisor to Phoenix InfraGard and Security Awareness Consultant. Assists teams in creating blueprints and designing interventions for change, primarily in the Security Awareness area. Clients include Texaco, U of A, Manitoba Information Protection Centre and Public Service of New Mexico. Over 20 years of culture change management and training experience, providing a strong base for proven results. Requested presenter at various security conferences, such as SANS, CSI, and the Arizona Chapter of High Technology Crime Investigation Association (ACHICIA), both nationally and internationally. Created the plan and blueprint for the University of Arizona's Security Awareness campaign, and assisted in the implementation.

5 Introduction to Our Work
If the result of this workshop gives voice to some of your own experiences, or provides new ideas that contribute to your success, then we have succeeded. At times, you will hear strong recommendations around proprietary products and processes. We make no apologies, for we would do you all a disservice if we failed to disclose with great passion those interventions that can change your company. At the same time, we provide guidelines and suggestions on how to create your own versions of these solutions. As you take your own journey, we would like to hear from you and invite you to e-mail us with your questions and stories of your victories as you chart your own change path.

6 A common thread among those who have had success with security awareness efforts: giving people clear direction and immediately enlisting their energies in creating that future. Involvement in security awareness efforts in academia, Fortune 100 companies and small businesses covers a variety of situations with one constant: people. Regardless of the presenting issues, success ultimately boils down to meeting a challenge, solving a problem, or forging a better future, and it takes people to accomplish these feats. Even if you define change as implementing technical solutions, such as a firewall or automatic update installation, technology doesn’t work unless people decide to make it work. Getting people involved in the process - because people are the ones who make changes work - is key. “Organizations don’t change – people change. And then people change organizations.”

7 Awareness ...to focus attention on security
National Institute of Standards and Technology

8 Framework 1 Identify program scope Goals and objectives
- Identify program scope, goals and objectives
- Identify training staff and identify target audiences
- Motivate management and employees
- Administer the program
- Maintain the program
- Evaluate the program
NIST (1995, 1998)
To increase understanding of problems relating to awareness, two categories can be outlined: framework and content. The framework category is more an area of “engineering disciplines”, containing issues that can be approached in a structural manner and through quantitative research, that may be formalized and are a matter of explicit knowledge.

9 Framework 2 Plan Design Implement Evaluate Continuous Improvement
M. Guenther, LLC.

10 Awareness Program Overview
Aims of the Program
Start Up: Environmental scan; Policies and procedures; Technical review; Culture survey; Stakeholder analysis; Regulatory compliance
Overall Structure: Project phases; Resources and skills; Budget and costs; Project communication; Project documentation; Target audience groups; Management and monitoring; Maintenance and transition
Program Content: Topics; Messages; Sources of material
Program Methods and Tools: Intranet website; Communication methods; “Branding”
Program Management: Governance; Management plan and major activities; Measuring the program
Cost Benefit Analysis: Program costs; Business benefits
Conclusion
References
Appendix A – Target audience segments
Appendix B – Potential information, physical and personal security topics
Appendix C – Outline and timeline of program plan
Appendix D – Communication methods

11 Content Topics of awareness include but are not limited to:
- The responsibility of users to report issues
- The fact that a user's activities can be audited
- The legal requirements for data (citing legislation, as appropriate)
- Privacy expectations of internal and external users
- The ownership of data
- Password requirements
- The acceptable use policy for e-mail and Internet access
- The intellectual property requirements
- The sensitivity of department systems to threats, risks and vulnerabilities
- Physical, personal and information vulnerabilities
The content category, on the other hand, constitutes a more informal, interdisciplinary, non-engineering field; it includes tacit knowledge as well, and should be approached using qualitative methods. How we really motivate others to comply with information security guidelines is a matter that lies within this content category.

12 Objectives and Background
Provide direction and guidance in the areas of program development and changes to culture. Address the following questions:
- What are the premises, nature and point of departure of awareness?
- What is the role of attitude, and particularly motivation: the possibilities and requirements for achieving motivation/user acceptance with respect to information security tasks?
- What approaches can be used as a framework to reach the stage of internalization and end-user commitment?
Commitment to something means that one wants it and will make it happen (Peter Senge, 1990).

13 Culture Washington State anthropologist John Bodley defines culture as "shared, learned values, ideals, and behavior — a way of life."

14 Changing Behaviors The goal of awareness is to change behavior
People only adopt new patterns of behavior when the old ones are no longer effective. People change when the pain of changing is less than the pain of staying the same. Three concepts about human behavior to note:

15 Changing Behaviors
1. People’s behavior is based upon their principles and their values.
2. An effective awareness program helps the workforce adopt the organization’s principles and values.
3. A message is persuasive when the addresser selects information that the addressee perceives as relevant in terms of his or her values.

16 Knowledge does not guarantee a change in behavior.
Changing Behaviors: “We’ll just create some new policies.” What are the fallacies of policy? “We’ll just send everyone to training.” Knowledge does not guarantee a change in behavior.

17 Your ideas for involvement?
To change culture and behaviors we need involvement from those who will be most impacted by the change. WII-FM: What’s In It For Me? People like to be included. Your ideas for involvement?

18 Employees Company Policies Security Awareness Program Purposes
Important note: Don’t wait until P&Ps are done to start awareness!!
[Figure: Model 1 - The Security Awareness Program Flow; labels: Employees, Company Policies, Security Awareness Program Purposes, Define, Integrate, Implement, Elicit, Feedback, Activities]
Whether it's checking e-mail, answering a telephone, or logging off for the day, employees must be encouraged to think security into every action they take and every decision they make. Only when security becomes second nature will it become truly effective. Activities have been developed that meet the purposes of the Security Awareness Program (i.e., heighten your awareness, develop your skills and remind you of Company policies and procedures). Because the awareness program is dynamic and designed to evolve in order to meet the future needs of the Company and employees, and to address the issues that arise due to rapidly advancing information technology, current activities will be modified or new activities will be developed to maintain program relevancy. Employees are more likely to forget or ignore advice that has no relevance to their job, and "one lesson for all" just doesn't work. It's therefore important that employees make the connection between the lessons taught and the task at hand. For example, employees involved in accounting or transaction processing in a business that takes on-line credit card orders are far more likely to remember security lessons focused on protecting credit card files and personal customer information and on privacy issues. That important security information might not seem so important or relevant to a telephonist, receptionist, or delivery driver, who are more likely to meet or speak with an intruder and be much more susceptible to social engineering.

19 Another Step … Security Advisory Group or Council
Group of upper management level people. Represent all areas of the business. Promote security awareness. Promote a consistent approach to security. Drivers of corporate-wide security policy.

20 Involvement Host special events Look for “teachable moments”
Develop security “champions”. Leverage a “negative event”. Use the “grapevine”.

21 PLANNING The beginning is the most important part of the work. Plato

22 Strategic Planning Step 1: Where are we now? (Situation Assessment)
Step 2: Where do we want to be? (Strategic Direction)
Step 3: How do we plan to get there? (Implementation Planning)
Step 4: How will we monitor progress? (Monitoring)
Questions often arise concerning the vision, or its critical success factors, or key strategies, objectives or goals. What is a strategy anyway? How does it differ from a goal or an objective? How is mission different from vision, or are they really the same? Strategic Planning is a method for taking a strategic approach to addressing a business situation, such as security and security awareness. It provides a simple communication tool for helping construct a business strategy. The planning is fully scalable and applies to Fortune 500 companies, non-profit organizations, a (company name), an individual department, a work team, etc. There are four major steps in the process. Some of the benefits of utilizing this planning include: identify and establish key relationships; recommend security goals and architecture; figure out what needs to be done; prioritize; seek low-hanging opportunities; demonstrate value-add.

23 Compelling Issues Vast amounts of information. Open environment.
Decentralized functions. Customer expectations. Institutional responsibility. Financial, operational & reputational risks. Increasing threat profile. This is a list of some of the predominant challenges we faced in implementing a comprehensive awareness campaign.

24 Security Awareness Culture Survey

25 It’s the Culture Culture drives the behavior of the
organization and its people. Implementing a behavioral security process without a solid cultural foundation is the cause of most incidents.

26 Danger Signs Unclear who is responsible for what.
- Belief that everything is ok: “we are in good shape”
- Belief that rule compliance is enough for security (if we’re in compliance, we’re ok)
- No tolerance for whistle-blowers: a “culture of silence”
- Problems experienced at other locations are not applied as “lessons learned”
- Lessons that are learned are not built into the system
- Defects / errors become acceptable
- Security is subordinate to production
- Emergency procedures for severe events are lacking

27 Danger Signs
- Policies and procedures are confusing, complex and “hard to find”.
- Security resources and techniques are available but not used.
- Organizational barriers prevent effective communication.
- Responsibility, authority, and accountability for security are undefined.
- Security belongs to “IT”.
- The acceptance of defects / errors becomes institutionalized.
- Because nothing has happened (or we are unaware of what has happened), we’re ok.
Culture is resilient, hard to change, and will revert to old habits if not steered by leadership.

28 What is Culture? Social Culture - Our beliefs, philosophies,
attitudes, practices that govern how we live. Organizational Culture -What employees believe (perceptions), attitudes, practices, rules, regulations, philosophies, values, etc.

29 What is Culture? It is the atmosphere which shapes our behavior.
Invisible force that largely dictates the behavior of employees & management.

30 Company Culture Production Culture vs. Security Culture
Due to the high costs of incidents there is no way a pure production culture can be profitable to its fullest potential.

31 What is a Production Culture?
Belief that only production matters. Whatever it takes to get the job done. Security performance is not measured. Security performance is not part of supervisor’s job.

32 Security Culture Security is not a priority - it is a corporate Value.
All levels of management accountable. Security performance measured & tied to compensation. Security integrated into all operations.

33 The Purpose Of The Program
Security is everyone’s responsibility. Provide all opportunities to determine how, in their daily roles. Knowledge (what), Skill (how), Attitude (want); Education; Awareness.
Need to explain: what the program will be trying to accomplish, how it will aim to improve the operations of the company, and how vital the protection of Information Assets really is. You will need to explain why "Security is everyone's responsibility", and ensure everybody understands it; explain that even if the company has the latest technological improvements like firewalls, intrusion detection systems, etc., an uneducated staff member could easily endanger sensitive information, and render any technical security measure in place completely and utterly useless. The majority of people tend to think that it is not their responsibility to help improve the security of their company. Generally people are of the (wrong) opinion that only the IT department or Information Security Office (ISO) can and need to take care of issues like these.

34 Motivation vs. Attitude
Motivation tends to be dynamic in nature: lasts minutes or weeks; intrinsic motivation plays a role; people feel free to make their own choices; need to justify actions in terms of internal reasons.
Attitude is a more static, internalized factor: lasts months to years; staged as readjustment, cooperation, acceptance and internalization.
User acceptance and internalization must be considered gradual processes and long-term goals.

35 A Collection of Approaches
[Figure: matrix of practical approaches/principles (Logic, Emotions, Morals and ethics, Well-being, Feeling of security, Rationality) mapped against Intrinsic Motivation and Attitude; “Pave the way” is marked +, “Sanctions, pressure” is marked -]
Logic. All actions should be logical. Do not act inconsistently. If, for example, a superior argues for the relevance of the universality principle and then tries to justify compliance with security guidelines by appealing to this principle, that superior cannot later logically plead for an action that violates this principle (without providing any persuasive reasons why the universality principle is not relevant in this particular situation).
Emotions. Emotions are an integral part of thinking and rational decision making. When people are confronted with a set of choices, emotional learning (past experiences) streamlines their decisions by eliminating some options and highlighting others. Consequently, security measures should aim at provoking emotions and appealing to them in order to affect attitudes and motivation in a positive manner.
Morals and ethics. Morals strongly guide human behavior. It is more intelligible to act for moral reasons than for non-moral ones, although this view has been criticized on the grounds that moral, or justified, reasons do not imply motivation per se (since one may see non-moral reasons as intelligible as well). Moreover, the moral aspect overrides all other concerns. Thus, if killing an innocent person is regarded as immoral, we may not (and should not) kill innocent persons, regardless of the non-moral concerns related to the issue, e.g. financial gain. Security norms, at least those imposed by legislation, are (hopefully) founded on moral and ethical notions (this is not always so in practice, however). They are (hopefully) arrived at by means of ethical analyses (carried out by conceptual analysis) and should correspond to a desirable state of affairs. Electronic break-ins (nowadays often referred to as hacking) are (or should be?) covered by legislation because it seems to be wrong (in a general sense) to gain unauthorized access to computers or information systems. But why does it seem to be morally wrong to do so? Using the principle of universality, or justice as fairness in terms of the “veil of ignorance”, for example, we could ask: “What if everybody were to indulge in hacking?” We would most probably not want anyone to break into our computer systems, or our houses, as we feel that life in such a society would be very uncomfortable (and we postulate that this is one reason why hacking should be regulated as a criminal activity by legislation). Although there may be a moral dimension behind security activities (which does not mean that security activities are right per se), it is commonly agreed by computer ethicists that people often fail to realize it. As a result, they do not apply their moral notions to the area of computing, and an important stimulus (human morality/moral responsibility) is lost from the security point of view. If people were to understand the ethical dimensions of security procedures (such as inadequate maintenance of passwords) and the possible morally negative consequences of such negligence, they would probably be more likely to follow the instructions. Different ethical theories should be used for this purpose.
Well-being. Negligence of security measures and weak security may threaten the well-being of individuals, companies and societies. Therefore, users should be made aware of such a threat to their well-being and how adherence to security guidelines would prevent it from happening. This differs from morals and ethics in the respect that loss of well-being may have non-moral consequences.
Feeling of security. Safety needs (the desire to feel safe and secure, and free from threats to our existence) rank high among our needs, according to Maslow (1954). Even though Maslow's theory has been criticized, mainly due to the lack of proof for its hierarchy of needs, the fact remains that needs are the fundamental reason why people act and thus are essential to a full understanding of motivation. Although violations of information security would not endanger people's lives directly (other than in a hospital environment, for example), it is reasonable to assume that people will still want to achieve and maintain a feeling of security through adherence to security procedures, given that such a need can be pointed out or awakened. Like morals and ethics, computing may be a blind spot for this, where users may not themselves recognize the possible jeopardy, such as the invasion of their informational privacy, or the deletion, modification or unauthorized use of their information.
Rationality. This involves the rational presentation of factual, descriptive reasons for actions. People are rational (at least in some respects), and they therefore demand rational explanations. The following issues, for example, can be addressed thoroughly according to the requirements of rationality: What are the implications of weak security for the company and the employees? Why is it rational to follow security guidelines? Why is it irrational not to follow security guidelines or pay attention to security?

36 Analysis and Problem-solving What We Looked at
People. Business. Measuring, evaluating.

37 Break

38 People Identify key relationships.
Establish rapport with students, faculty and staff. Become visible and available. Develop a security awareness program. Be the person who is there to help. Emotional/psychological management.
How people learn is as important as what they learn. To aid in the most effective memory recall and overall impact, awareness education should be delivered with a combination of several different mediums.
- Visual stimulation: four-color visuals that relate to the topic at hand leave a lasting impression about the information and aid in better recall.
- Audio stimulation: after a while, no matter how important the message, a continuous flat tone loses the audience. Using voice fluctuations where appropriate, and combining a variety of voices where key messages are being conveyed, leads to a more attentive audience.
- Practical application: using hands-on techniques for items such as password changes will assist the end-user with a proactive response to the information being provided.
- Analogies: learning by association offers strong memory recall and gives the audience the ability to relate the information to a real-world situation.

39 Business Understand… Business and customer expectations
Relationships between business and customer. Key information and other assets, owners and custodians. Many shy away from data classification, due to the perception that it requires too many resources (people and time). At a minimum, however, a data classification tool can be used to create awareness.

40 Strategy Metrics/ Benchmark Communication Culture Regulatory Education
We took a combination strategy approach. We integrated elements of Regulatory, Culture, Communication and Marketing, and Education in all our efforts. Strategic Planning is useful in establishing drivers and in providing a framework, especially in the initial stages.

41 National Institute for Standards and Technology
Design - National Institute of Standards and Technology

42 The security process is more than the implementation of technologies
The Awareness Program: the security process is more than the implementation of technologies. Redefinition of the corporate culture. Communication of management's message. Security is not a project, it is a process. Employee understanding of the value of information. Employee understanding of the importance of their actions to protect information.

43 Who are the members of your community?
Scope: The scope of any Security Awareness campaign will reach all network users, beginning with senior department executives and working towards each and every member of the community. Who are the members of your community?

44 Customizing the Message
Plan to address segmented groups with messages specifically designed for those areas: Leadership, Staff, Students, Faculty, Senior Management, Line Supervisors, End Users, Contractors and Temps. The appropriate amount of security awareness can take a different form for the particular audience. Target audiences should be established and the appropriate amount of awareness, combined with the company policies and procedures for that target audience, should be communicated.
Example:
Group - Senior Management. Best technique - cost justification, industry comparison, audit report, risk analysis. Best approach - presentation, video, violation reports. Expected results - funding, support.
Group - Line Supervisors. Best technique - demonstrate job performance benefits, perform security reviews. Best approach - presentation, circulate news articles, video. Expected results - support, resource help, adherence.
Group - Users. Best technique - sign responsibility statements, policies and procedures. Best approach - presentation, newsletters, video. Expected results - adherence, support.

45 Audience groups, techniques, approaches and expected results
Group            | Best technique                                                        | Best approach                                  | Expected results
Senior Managers  | Cost justification; industry comparison; audit report; risk analysis  | Presentation; video; violation reports         | Funding; support
Line Supervisors | Demonstrate job performance benefits; perform security reviews        | Presentation; circulate news articles; video   | Support; resource help; adherence
Users            | Sign responsibility statements; policies and procedures               | Presentation; newsletters; video               | Adherence; support
Senior Management - will be expecting a sound, rational approach to information security. They will be interested in the overall cost of implementing the policies and procedures and how this program stacks up against others in the industry. A key concern will be how the audit staff will view the policies and procedures and that the security program will give them an acceptable level of risk.
Line supervisors - These individuals are focused on getting their job done. They will not be interested in anything that appears to slow down their already tight schedule. To win them over, it will be necessary to demonstrate how the new controls will improve their job performance process. As we have been stressing since the beginning, the goal of security is to assist management in meeting the business objectives or mission. It will be self-defeating to tell supervisors that the new policies are being implemented to allow the company to be in compliance with audit requirements. This is not the reason to do anything, and a supervisor will find this reason to be useless. Stress how the new process will give the employees the tools they need (access to information and systems) in a timely and efficient manner. Show them where the problem resolution process is and who to call if there are any problems with the new process.
Employees - are going to be skeptical. They have been through so many company initiatives that they have learned to wait. If they wait long enough and do nothing new, the initiative will generally die on its own. It will be necessary to build employees' awareness of the information security policies and procedures. Identify what is expected of them and how it will assist them in gaining access to the information and systems they need to complete their tasks. Point out that by protecting access to information, they can have a reasonable level of assurance (remember, never use absolutes) that their information assets will be protected from unauthorized access, modification, disclosure or destruction.

46 Needs Assessment
Senior Management - will be expecting a sound, rational approach to information security.
Line supervisors - These individuals are focused on getting their job done.
Employees - are going to be skeptical. They have been through so many company initiatives that they have learned to wait. If they wait long enough and do nothing new, the initiative will generally die on its own. It will be necessary to build employees' awareness of the information security policies and procedures. Identify what is expected of them and how it will assist them in gaining access to the information and systems they need to complete their tasks.

47 The Information Security Message
The employees need to know that information is an important enterprise asset and is the property of the organization. All employees have a responsibility to ensure that this asset, like all others, is protected and used to support management-approved business activities. To assist them in this process, employees must be made aware of the possible threats and what can be done to combat those threats. Is the program dealing only with computer-held data, or does it reach all information wherever it is resident? Make sure the employees know the total scope of the program. Enlist their support in protecting this asset. The mission and business of the enterprise may depend on it.

48 Delivering the Message
(Chart: delivery media plotted by cost against effectiveness and rated Not recommended, Recommended or Highly recommended: recognition awards, e-mail broadcast, sign-on banner, screen saver, web site, posters, brochure, security newsletter, special events, security classes, video, CBT, giveaways.)
It's important to look at different mediums for delivering the message and determine which are most effective. Keep in mind the culture of your organization, whether it is a centralized or decentralized environment, what worked in previous efforts, etc. The next slide shows one way we considered customizing our messages.

49 Formats for Communication
Individual meetings
Staff meetings
Conference calls
E-mails
Videoconferences
Messages
Faxes
Graphics and logo
When available, videos and interactive CD-ROM-based programs help reinforce your message. However, having a lot of fancy graphics and sound effects does have the potential of diverting attention away from the message you are trying to get across. Simply telling a story that demonstrates the point and is relevant to your audience is far more effective, and case studies provide an effective platform for delivering a key message. In fact, I highly recommend that someone in your department be assigned the task of collecting stories, both industry-wide and company-specific. Asking questions reinforces key points and helps you to interact with your audience to keep things interesting. Repeating key points near the end helps to further reinforce the basic message.

50 UA Security Awareness Campaign 2004 Information Security Awareness Day
U of A Intranet: UA Security Awareness Campaign
Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within our computer systems and throughout our organization. Therefore, it would be prudent to protect the assets of our institution (information, physical, and personal) by trying to stop that from happening.
(Intranet site sections: 2004 Information Security Awareness Day - Current Security Events; UA Information Security Awareness Day; Computer Security: What you need to know; 2004 Information Security Brown Bag Series (.pdf); Calendar of Campus Security Awareness Events. Presentations - Security Awareness Presentations. Security Plan Information - Security Awareness Campaign Initiatives (.pdf); Security Awareness Campaign Feedback Questionnaire; Evaluation Model (.pdf).)

51 Sample Email Message An attorney's advice and it's FREE!
A corporate attorney sent the following out to the employees in his company:
The next time you order checks, omit your first name and have only your initials and last name put on them. If someone takes your check book they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.
When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line. Instead, just put the last four numbers. The credit card company knows the rest of the number, and anyone who might be handling your check as it passes through all the check processing channels won't have access to it.
Put your work phone # on your checks instead of your home phone. If you have a PO Box, use that instead of your home address. Never have your SS# printed on your checks. You can add it if it is necessary. But if you have it printed, anyone can get it.
Place the contents of your wallet on a photocopy machine; do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place. I also carry a photocopy of my passport when I travel either here or abroad.
We've all heard horror stories about fraud that's committed on us in stealing a name, address, Social Security number, credit cards, etc. Unfortunately I, an attorney, have firsthand knowledge because my wallet was stolen last month. Within a week, the thieves ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer, received a PIN number from DMV to change my driving record information online, and more. But here's some critical information to limit the damage in case this happens to you or someone you know:
We have been told we should cancel our credit cards immediately. But the key is having the toll-free numbers and your card numbers handy so you know whom to call. Keep those where you can find them easily.
File a police report immediately in the jurisdiction where it was stolen; this proves to credit providers you were diligent, and is a first step toward an investigation (if there ever is one).
But here's what is perhaps most important (I never even thought to do this): call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. I had never heard of doing that until advised by a bank that called to tell me an application for credit was made over the Internet in my name. The alert means any company that checks your credit knows your information was stolen and they have to contact you by phone to authorize new credit. By the time I was advised to do this, almost two weeks after the theft, all the damage had been done. There are records of all the credit checks initiated by the thieves' purchases, none of which I knew about before placing the alert. Since then, no additional damage has been done, and the thieves threw my wallet away this weekend (someone turned it in). It seems to have stopped them in their tracks.
The numbers are: Equifax: Experian (formerly TRW): Trans Union: Social Security Administration (fraud line):

52 A Picture is Worth a Thousand Words
(Sample awareness posters from: Information Protection Centre Manitoba Information and Communications Technologies; Cal Poly Pomona University; University of Arizona.)

53

54 Layered Privacy Notices

55 A Coordinated Approach
(Matrix: Group 1, Group 2 and Group 3 against delivery methods - presentation, staff meeting invitation, videos and poster, newspaper article - and topics - general security, monthly theme, current issues.)
In addition, social engineering, visitor and vendor procedures, telephone hacking, and clarification of correspondence to various classification levels should be emphasized.
Group 1 - Communicates bottom-line cost advantages, business survivability, effects on shareholder value, attacks on confidential data, and offsetting resulting litigation.
Group 2 - Technical staff should have a focus on individual verification procedures, and on the features and attributes of software programs that can support increased security.
Group 3 - Non-technical overview of what security is and why it is important. Include the elements of security, the threats to security, and countermeasures, with company policies and procedures lending insight and support to the countermeasures.

56 Implementation Is hard……times 20!
Perfection is boring and gets in the way of progress. Is where continuous improvement starts.

57 Communication and Marketing
You can never over-communicate during times of change.
Communication Objective - The main communication objective of our plan was: "To promote IT Security awareness through education and training to all individuals involved in the management, operation, programming, maintenance or use of the (Company Name) technology resources and services. To inform these individuals of their IT Security responsibilities and how this knowledge is expected to be fulfilled."
With specific emphasis on campus members' responsibilities, such as knowledge of and compliance with (company name) of Arizona security policies and the other regulations and laws for protecting institutional data:
FERPA
Copyright (MP3 file downloads)
USA Patriot Act
A.R.S. Section
Privacy Act of 1974
ABOR Policy 6-912 Electronic Privacy Statement
(company name) of Arizona Policy on Release of Student Information
UA Policy Governing Use and Duplication of Computer Software
Grading Policy: Publicly Posting Final Grades

58 Developing a Communications Strategy
Why Communicate?
- Public support
- Demonstrating success
- Explaining and persuading
- Adequate resources
- Public interest / accountability
Developing a Communications Strategy - Agenda:
- Purpose of strategy
- Strategies for the organization and for issues
- Link with organizational objectives and priorities
- Reputation and stakeholders
- The practicalities of developing a strategy
Public Relations - Definition. 1980s: "The planned and sustained effort to establish and maintain goodwill and mutual understanding between an organization and its public." Now: "The management of an organization's reputation."

59 Key Questions
Who do we want to talk to?
What do we want them to understand?
How do we want to influence them?
Should we prioritise or group the audiences (market segmentation)?
Do not forget employees as key stakeholders.
This lists just some of the questions we asked ourselves during the stakeholder analysis.
Stakeholder analysis - A technique to assist in making decisions about who to involve, and how to involve them. For any decision or action, a stakeholder is anyone who is affected by, or can influence, that decision or action.
1. Draw a chart that has 6 columns. The four columns in the middle need only be wide enough to contain a three- or four-letter symbol. You need a little more width in the right-hand column than in the left-hand one. The four columns in the middle are used to measure: Att = attitude, Inf = influence, E = estimate, C = confidence.
2. List stakeholders. Identify and list the stakeholders. These may be individuals, or stakeholder groups, or some combination. If stakeholders can be treated as a group, use groups. The most effective way of doing this is to list as many stakeholders as you can on a working sheet of paper, then transfer them to the left-hand column of the chart. It may help to list them in rough order of importance. (You may change your mind about their importance after this analysis.)
3. Estimate attitude and confidence. For columns 2 to 5, work across the page. Record your estimates of the following in the columns. In order, they are:

60 Stakeholder Analysis A technique to assist in making decisions about who to involve, and how to involve them. For any decision or action, a stakeholder is anyone who is affected by, or can influence, that decision or action. Rate: Attitude Influence Estimate Confidence

61

62 Messages Passwords Viruses Information handling
Passwords: Do not share user names or passwords. Use strong passwords. Do not write passwords down.
Viruses: Beware of viruses, particularly in attachments. Ensure that antivirus software is installed and updated.
Information handling: Classify information correctly. Pick up printouts and faxes.
E-mail and Internet use: Don't send sensitive info over the Internet without taking precautions to secure it.
Messaging - While there are many variations on the content, in practice the most popular topics and their associated awareness messages are listed in Table 2 below.
Table 2: Sampling of just a few of the most common topics for security awareness campaigns
Passwords
- Do not share user IDs or passwords
- Use 'strong' passwords
- Don't write passwords down
Viruses
- Beware of viruses, particularly in attachments
- Ensure that anti-virus software is installed and updated
Physical Security
- Keep premises secure
- Adhere to clear desk and clear screen policies
- Take proper care of laptop computers
E-mail and Internet use
- Don't send sensitive information over the Internet without taking suitable precautions to protect it
- Internet use must comply with corporate policies

63 Getting There Message, audience, means ….. NOT
Means, audience, message. What is best for which audience? It is not just press, radio and TV. Spectrum, for example - personal contact.

64 Getting There Leaflets and other publications Exhibitions
Paid advertising. Web and "new" media - narrowcasting. Build in feedback where you can.

65 Timing Identify fixed events in the programme
Be aware of outside fixed events. Be ready for the unexpected. Be opportunistic. As with many efforts, timing is everything. If something is not as successful as you need, it may be wise to try it again at an opportune time.

66 Communication
Bi-monthly Brown Bag sessions (training/awareness courses)
Monthly security awareness newsletter
Posters
Security awareness messages on the intranet
Security awareness days
Integrate efforts with HR efforts (orientation)
Modeling

67 Break

68 Measurement If we are required to assess change in behavior by virtue of how long a person sits in a seat, we are focusing on the wrong end of the person. How will you ever know if you're successful unless you use some type of measurement? As mentioned before, one foot in ice water and one foot in boiling water does not mean that on average you are at room temperature. Security is not an end state, nor can it be judged by measuring any single variable at any single point in time.

69 Measuring, Evaluating Security is like the brakes on your car.
Their function is to slow you down. But their purpose is to allow you to go fast. One foot in ice water and one foot in boiling water does not mean that on average you are at room temperature. Security is not an end state, nor can it be judged by measuring any single variable at any single point in time. One of the important areas in measuring and evaluating your program is acknowledging both efficiency and effectiveness. Efficiency is doing the right thing - effectiveness is doing the right thing the right way.
(Slide also shows a Computing Policy Digest table with columns Policy, Procedure or Statement; Source; Subject; Main Point, one entry covering your privileges and the rules of responsible behavior governing them, and a note on ROI metrics.)

70 What do we want to measure? What can be measured?
How can it be measured? How do these relate to initial objectives? Continued monitoring? Feed into future strategies and campaigns.
Evaluation of Security Awareness Program - The successful delivery of a security awareness campaign should result in the desired security-positive behaviours being adopted and maintained by the campaign recipients. The success of the campaign must then be checked in order to ensure value for money from the investment in security awareness, and to improve repeats of the campaign and the development of new campaigns in the future. The success of the Security Education & Awareness program will be based on two parameters - qualitative and quantitative feedback.
Distribute a survey or questionnaire seeking input from campus members. If an awareness briefing is conducted during the new-student or employee orientation, follow up with the participants (after a specified time period of three to six months) and ask how the briefing was perceived (i.e., what do they remember, what would they have liked more information on).
Ask others in the room about the awareness campaign. How did they like the new poster? Remember that the objective is to heighten awareness and responsibilities of computer security. Thus, even if the response is "that poster is silly," do not fret; it was noticed and that is what is important.
Track the number and type of security incidents that occur before and after the awareness campaign. Most likely, it is a positive sign if there is an increase in the number of reported incidents. This is an indication that users know what to do and whom to contact if they suspect a computer security breach or incident.

71 Strategic Content Sessions
Measurement of existing security weaknesses can be based on:
Incident reports
Tools that measure compliance
Interviews with supervisors
Testing
Employee surveys
Security/Privacy Awareness Campaign Feedback Questionnaire - for Net Managers. What is a NetManager? The Network Managers (NetMgrs) Group is the organization of people responsible for the management and support of networks, with a focus on the technical aspects of networks, from departments or units affiliated with the (company name) campus. It is a technical working group with concerns and expertise in dealing with operational support and enhancement of data communications on campus. These are the people who, within their areas, are tasked to make data communications happen. The questionnaire can be modified to address your priorities, and sent to any group or individual that can provide valuable feedback. Sample question: What requirements and/or expectations do you have of the Security/Privacy Awareness Campaign?

72 Security Awareness Culture Survey

73 Measurement Tools
1. Distribute a survey or questionnaire seeking input from employees. If an awareness briefing is conducted during the new-employee orientation, follow up with the employee (after a specified time period of three to six months) and ask how the briefing was perceived (i.e., what do they remember, what would they have liked more information on, etc.).
2. Walk-abouts. While getting a cup of coffee in the morning, ask others in the room about the awareness campaign. How did they like the new poster? How about the cake and ice cream during the meeting? Remember that the objective is to heighten the employees' awareness and responsibilities of computer security. Thus, even if the response is "that poster is silly," do not fret; it was noticed and that is what is important.
3. Track the number and type of security incidents that occur before and after the awareness campaign. Most likely, it is a positive sign if one has an increase in the number of reported incidents. This is an indication that users know what to do and whom to contact if they suspect a computer security breach or incident.
Keep in mind that the evaluation process should reflect and answer whether or not the original objectives/goals of the security awareness program have been achieved. Sometimes, evaluations focus on the wrong item. For example, when evaluating an awareness program, it would not be appropriate to ask each employee how many incidents have occurred over the last year. However, it would be appropriate to ask each employee if they know whom to contact if they suspect a security incident.

74 Measurement Tools
4. Conduct "spot checks" of user behavior. This may include walking through the office checking if workstations are logged in while unattended or if sensitive media are not adequately protected.
5. If delivering awareness material via computer-based delivery, such as loading it on the organization's intranet, record student names and completion status. On a periodic basis, check to see who has reviewed the material. One could also send a targeted questionnaire to those who have completed the online material.
6. Have the system manager run a password-cracking program against the employees' passwords. If this is done, consider running the program on a stand-alone computer and not installing it on the network. Usually, it is not necessary or desirable to install this type of software on one's network server. Beware of some free password-cracking programs available from the Internet, because they may contain malicious code that will export one's password list to a waiting hacker.

75 Putting metrics in perspective – A Case Study
One of our key areas for security focus was viruses and worms. Two main goals:
- Reduce the number of lost work hours in the organization due to virus/worm infection and the effort required in trying to prevent virus/worm infections.
- Reduce or eliminate secondary infections of our business partners.

76 Company Background
Over 1100 employees
Business partner has access to our networks and receives hundreds to thousands of e-mails from us daily.
Made some technical changes. These reduced the problems in the first year or so after introducing them. After that we reached a plateau.
Introduced an awareness program:
- Intranet website dedicated to virus problems
- Security bulletins for new virus/worm outbreaks
- Regular, monthly security awareness articles
- Presentations (both scheduled and on request)

77 Results
Then - 6,000 hours expended annually to control virus/worm outbreaks in 2000. Now - less than 2,000 hours in 2003.
Then - 5 significant virus/worm outbreaks in 2000. Now - 2 significant virus/worm outbreaks in 2003.
Then - out of a typical 25 new helpdesk requests per business day, four of them dealt with virus/worm problems. Now - new helpdesk requests per day have increased to 28 on average; virus/worm requests have dropped to less than 1 per day.

78 Five Levels Of The Information Security Evaluation Model
Level 1 = COMPLACENCY
Level 2 = ACKNOWLEDGEMENT
Level 3 = INTEGRATION
Level 4 = COMMON PRACTICE
Level 5 = CONTINUOUS IMPROVEMENT
Where is your organization? The following measurement tool was very beneficial in providing a snapshot view of both the Current Reality and Desired Future states. It is recommended that one of the first steps is to customize the characteristics for each level as they relate to your organization. You might engage your executive team or leadership team in an exercise in defining what Level 5 would look like. I have often found that this tool provides a compelling Case for Action at the onset of your project.

79 CONTINUOUS IMPROVEMENT
(Chart: progress to date, from Level 1 Complacency at the start to Level 3 Integration currently, towards Level 5 Continuous Improvement.)
Level 1 Complacency - Security policies and standards are minimal and may or may not be documented. Security incidents are viewed as someone else's problem. Existing programs and services are perceived as sufficient. Security is viewed as an enforcer.
Level 2 Acknowledgement - Realization that existing information security processes are fragmented. Executive-level support and involvement is visible. Some security awareness interventions are implemented and are ongoing.
Level 3 Integration - General acceptance of campus-wide standards based on the security infrastructure and displayed through noticeable behavior change. Staff, faculty and students actively and visibly participate in the programs and services. Security incidents are reported immediately to the appropriate area.
Level 4 Common Practice - The integration of security programs and services in the campus departments is complete. Security is involved at the onset of projects. U of A is considered a Security Awareness Best Practice campus.
Level 5 Continuous Improvement - Threats are continually reevaluated based on the changing threat population and security incidents. Additional or more cost-effective alternatives are continually identified. The practice of security is considered a component of the campus culture. Security awareness is viewed as a business enabler.

80 Highlights of Before and After Results
Security Questions and Problems AUP Security Awareness Training Perceived Value of Security Stewardship in Projects Best Practice

81 Security Awareness Education Plan
Plan elements: Learning Management System; Security Intranet website; Traditional classroom training; User agreement; Videos; Brochures; Exercises; Newsletter; Measurement and evaluation; Events; Best security practices; Screen savers; Education; Posters; "How To" guides.
Security Awareness Education Plan - Feature and Description:
Learning Management System - Online security awareness and education CBT courses (registration, delivery, tracking, testing and reporting).
Security Intranet website - Design a web site, SSL/PKI protected. Hosts could include: collaborative work areas; chat; instructor-supported web-delivered training and awareness; mail list to alert users of new developments; security-related newsletters; security links; security policies and procedures; anti-virus software (corporate license); Learning Management System (LMS); PowerPoint awareness presentations.

82 Security Awareness Content
Personal Security: Social Engineering; Identity Theft; Clean Desk Policy; Parking Lot Security; Emergency Alerts
Physical Security: Building Access; Rules for ID Badges; Visitor Control; PC Security; Telephone Fraud; After Hours Access
Information Security: Password Construction & Management; Screensavers; Internet Security; Software Piracy; Data Backups; E-mail Usage; Internet Usage; Viruses
The menu of security topics falls into three key categories: personal security, physical security, and information security. A modular design of the core awareness program allows complete flexibility to ensure your program is timely, targeted, and effective.

83 Three necessary components to develop security habits
Getting Started
Knowledge (What to do)
Skill (How to do)
Attitude (Want to do and Why)
What we are striving for are sound security habits. A habit is the combination of knowledge (knowing what to do), skill (knowing how to do it) and attitude (understanding what happens if we don't, why it is necessary and wanting to do it). And, like most newly acquired habits, you'll expend the most energy as you begin to acquire them. Think about a rocket taking off. Most of the energy is needed during lift-off, to break through the pull of gravity and propel the object into action. However, once the rocket is in space, much less energy is needed, especially once there is no pull from gravity. So expect to have some setbacks in the beginning, and know that if repeated relentlessly, the habits will be ingrained at such a subtle level that you do not necessarily think about them. A good analogy is to refer to the time when seat belts were first introduced. Remember how cumbersome they were? How many times did people forget to put them on? And can you remember grimacing when you forgot to take them off? I bet very few even think about putting them on now. It is probably an automatic response when you get into a car. That is where we need to be with sound security practices.

84 Program Elements Accelerated Learning
A positive learning environment
Total learner involvement
Appeals to all learning styles
Collaboration among learners
Learning in context
Facilitation vs. Training
Employees may be attending your present security awareness presentations (hearing, but not listening), nodding (or nodding off) at the appropriate moments, only to return to their day-to-day work with no change in their behavior or attitude towards security. Briefings on security inevitably start with the growing importance of computers and the dangers that await those who are unwary, unwise, or careless; however, this message can become tired and the listeners bored until something catastrophic happens. When someone says, "It won't happen here," it probably already has. That's where Accelerated Learning makes a difference.
What is Accelerated Learning? Why do we utilize its concepts? It's several things. It encompasses:
- A philosophy of learning
- A wide variety of learning techniques
- A system for creating optimal learning environments
Our aim is to make learning fun, fast and effective! For example, although lectures are not necessarily eliminated, they tend to share the stage with activities that involve the learner totally. So, instead of lecturing ad nauseam about how to protect against and react to a social engineer, participants will engage in various incident response role-play situations. They will have an opportunity to watch and listen to others, teach others what they already know, and have discussions to create shared meaning. We all know that teaching is the best way to learn. Accelerated Learning provides that experience to the participants, not just the "trainer".

85 SA Tools http://security.arizona.edu/awareness.html

86 Lessons Learned

87 Lessons Learned: 1 The security awareness leadership position is not a technical role. Rather, it is a program manager role. The role must be comfortable as a program manager, and must be able to know when to put on the technical hat.

88 Lessons Learned: 2 Security awareness is not a natural thought process for everyone. Sometimes you don't know what you don't know. You must plant/grow the seeds of awareness, and illustrate the relevance of security to all roles.

89 Lessons Learned: 3 A commitment to security implies investment primarily in a security leadership position itself. The investment needn't involve spending money on technology. Invest in the human resource first.

90 Lessons Learned: 4 While security and privacy are important to most people, we tend to be uncomfortable talking about security weaknesses. The role must de-mystify security and steward creation of appropriate settings and processes to discuss security issues.

91 Lessons Learned: 5 Security is on everyone's mind, but not everyone understands how to apply security in the context of their work. This is sometimes perpetuated from areas inside the organization. Ability to articulate and quantify risk and cost of consequence is an essential element of gaining a motivated audience.

92 Lessons Learned: 6 The "starter" key relationships are:
Legal Counsel
Human Resources
External Affairs
Executive Team
Risk Management
Audit

93 Lessons Learned: 7 Over-prescription creates little gain in security at the expense of willingness and cooperation from customers. Security is a “living thing”, not a one-time project. Find ways to attract and retain all stakeholders in security discussions and activities.

94 Lessons Learned: 8 Few security answers are binary. The vast majority of answers are analog. The ability to discriminate which situations require a binary answer, and which require a more introspective analog answer, is essential.

95 Lessons Learned: 9 Measurement is essential to illustrate value and costs, and to underwrite future success. Keep track of what you do. Tabulate. Quantify. Report. Share (with discretion).

96 Security is Like Quality
"You can't buy security. It's not a product. It's a mindset and a never-ending process. To succeed, security must permeate every aspect of our business. It's not just the responsibility of the executive and management team; every employee must have a tenacious commitment to it. Security is intangible, but it's not ethereal. It's difficult to quantify, but its results are absolutely measurable. How much does security cost? Nothing. It's free when everyone is committed to it." Andrew Briney

97 Lessons Learned: 10 The beginning is the most important part of the work.

98 We End Where We Began If the result of this workshop gives voice to some of your own experiences, or provides new ideas that contribute to your success, then we have succeeded. As you take your own journey, we would like to hear from you and invite you to us with your questions and stories of your victories as you chart your own change path.

99 Conclusion Organizations don’t change. People change. And then people change organizations. It’s very hard to change people’s minds if it means reducing their job satisfaction. Technology comes and goes, but people will always be a challenge! If you always do what you’ve always done, you’ll always get what you’ve always got.

100 Thank You Keep chasing the dog, or fence it in?
