Security Awareness 101 … and Beyond (presentation transcript)
1 Security Awareness 101 … and Beyond
"Vision without action is only a dream. Action without vision is merely passing the time. Vision with action will change the world." - Joel Barker
Features:
- Off-the-shelf solutions for developing a security awareness program.
- Step-by-step methodology on how to communicate the message and how to get buy-in from the entire organization.
- Evaluation tools and suggestions for future improvement: where and how to make updates.
20th Annual Computer Security Applications Conference, December 6, 2004, Tucson, Arizona
Kelley Bogart, Melissa Guenther
(C) Copyright Melissa Guenther, LLC. All rights reserved.
2 "The methods that will most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won't suffice. Even with oversight the policies and procedures may not be effective: my access to Motorola, Nokia, ATT, Sun depended upon the willingness of people to bypass policies and procedures that were in place for years before I compromised them successfully." - Kevin Mitnick
3 "Amateurs hack systems, professionals hack people." - Bruce Schneier
"The Coming Third Wave of Internet Attacks: The first wave of attacks targeted the physical electronics. The second wave - syntactic attacks - targets the network's operating logic. The coming third wave of attacks - semantic attacks - will target data and its meaning. This includes fake press releases, false rumors, manipulated databases. The most severe semantic attacks will be against automatic systems, such as intelligent agents, remote-control devices, etc., that rigidly accept input and have limited ability to evaluate. Semantic attacks are much harder to defend against because they target meaning rather than software flaws. They play on security flaws in people, not in systems."
Always remember: Amateurs hack systems, professionals hack people. - Bruce Schneier
4 A complementary team approach
Introductions
Ms. Kelley Bogart - University of Arizona, Information Security Coordinator in the University's Business Continuity and Information Security Office.
- Initial work was dedicated to policy and best practices related to Business Continuity and Information Security topics.
- The last two years have been dedicated to developing and implementing a Campus Security Awareness Campaign, which received international recognition.
- Appointed Co-Chair of the EDUCAUSE Security Awareness Task Force, an international group that focuses on IT issues and solutions specific to academia and works directly with the National Cyber Security Alliance with regard to Security Awareness.
- Currently working on a partnership agreement with Arizona Homeland Security to use UA's Awareness Campaign for a Statewide Awareness Campaign Initiative.
Ms. Melissa Guenther - Advisor to Phoenix InfraGard and Security Awareness Consultant
- Assists teams in creating blueprints and designing interventions for change, primarily in the Security Awareness area.
- Clients include Texaco, U of A, Manitoba Information Protection Centre and Public Service of New Mexico.
- Over 20 years of culture change management and training experience, providing a strong base for proven results.
- Requested presenter at various security conferences, such as SANS, CSI, and the Arizona Chapter of the High Technology Crime Investigation Association (ACHICIA), both nationally and internationally.
- Created the plan and blueprint for the University of Arizona's Security Awareness campaign, and assisted in the implementation.
5 Introduction to Our Work
If the result of this workshop gives voice to some of your own experiences, or provides new ideas that contribute to your success, then we have succeeded.
At times, you will hear strong recommendations around proprietary products and processes. We make no apologies, for we would do you all a disservice if we failed to disclose with great passion those interventions that can change your company. At the same time, we provide guidelines and suggestions on how to create your own versions of these solutions.
As you take your own journey, we would like to hear from you and invite you to contact us with your questions and stories of your victories as you chart your own change path.
6 A common thread among those that have had success with security awareness efforts: giving people clear direction and immediately enlisting their energies in creating that future.
Involvement in security awareness efforts in academia, Fortune 100 and small businesses covers a variety of situations with one constant. People.
Regardless of the presenting issues, success ultimately boils down to meeting a challenge, solving a problem, or forging a better future. And it takes people to accomplish these feats. Even if you define change as implementing technical solutions, such as a firewall or automatic update installations, technology doesn't work unless people decide to make it work.
Getting people involved in the process, because people are the ones who make changes work, is key. "Organizations don't change - people change. And then people change organizations."
7 Awareness: "...to focus attention on security" (National Institute of Standards and Technology)
8 Framework 1 (NIST, 1995, 1998)
- Identify program scope, goals and objectives
- Identify training staff and identify target audiences
- Motivate management and employees
- Administer the program
- Maintain the program
- Evaluate the program
To increase understanding of problems relating to awareness, two categories can be outlined: framework and content.
The framework category is closer to the "engineering disciplines": it contains issues that can be approached in a structured manner and through quantitative research, that may be formalized, and that are a matter of explicit knowledge.
9 Framework 2: Plan, Design, Implement, Evaluate, Continuous Improvement (M. Guenther, LLC)
10 Awareness Program Overview
- Aims of the Program
- Start Up: environmental scan, policies and procedures, technical review, culture survey, stakeholder analysis, regulatory compliance
- Overall structure: project phases, resources and skills, budget and costs, project communication, project documentation, target audience groups, management and monitoring, maintenance and transition
- Program Content: topics, messages, sources of material
- Program methods and tools: intranet website, communication methods, "branding"
- Program Management: governance, management, plan and major activities
- Measuring the program
- Cost benefit analysis: program costs, business benefits
- Conclusion
- References
- Appendix A - Target audience segments
- Appendix B - Potential information, physical and personal security topics
- Appendix C - Outline and timeline of program plan
- Appendix D - Communication methods
11 Content
Topics of awareness include but are not limited to:
- The responsibility of users to report issues
- The fact that a user's activities can be audited
- The legal requirements for data (citing legislation, as appropriate)
- Privacy expectations of internal and external users
- The ownership of data
- Password requirements
- The acceptable use policy for e-mail and Internet access
- The intellectual property requirements
- The sensitivity of department systems to threats, risks and vulnerabilities
- Physical, personal and information vulnerabilities
The content category, on the other hand, constitutes a more informal, interdisciplinary, non-engineering field; it includes tacit knowledge as well, and should be approached using qualitative methods. How we really motivate others to comply with information security guidelines is a matter that lies within this content category.
12 Objectives and Background
Provide direction and guidance in the areas of program development and changes to culture.
Address the following questions:
- What are the premises, nature and point of departure of awareness?
- What is the role of attitude, and particularly motivation: the possibilities and requirements for achieving motivation/user acceptance with respect to information security tasks?
- What approaches can be used as a framework to reach the stage of internalization and end-user commitment?
"Commitment to something means that one wants it and will make it happen." (Peter Senge, 1990)
13 Culture
Washington State anthropologist John Bodley defines culture as "shared, learned values, ideals, and behavior — a way of life."
14 Changing Behaviors
The goal of awareness is to change behavior.
People only adopt new patterns of behavior when the old are no longer effective.
People change when the pain of changing is less than the pain of staying the same.
Three concepts about human behavior to note:
15 Changing Behaviors
1. People's behavior is based upon their principles and their values.
2. An effective awareness program helps the workforce adopt the organization's principles and values.
3. A message is persuasive when the addresser selects information that the addressee perceives as relevant in terms of his or her values.
16 Changing Behaviors
"We'll just create some new policies." What are the fallacies of policy?
"We'll just send everyone to training." Knowledge does not guarantee a change in behavior.
17 Involvement
To change culture and behaviors we need involvement from those who will be most impacted by the change.
WII-FM: What's In It For Me? People like to be included.
Your ideas for involvement?
18 Security Awareness Program Purposes
Important note: Don't wait until P&Ps are done to start awareness!
[Diagram, Model 1 - The Security Awareness Program Flow. Labels: Employees, Company Policies, Security Awareness Program Purposes, Define, Integrate, Implement, Elicit, Feedback, Activities.]
Whether it's checking e-mail, answering a telephone, or logging off for the day, employees must be encouraged to think security into every action they take and every decision they make. Only when security becomes second nature will it become truly effective.
Activities have been developed that meet the purposes of the Security Awareness Program (i.e., heighten your awareness, develop your skills and remind you of Company policies and procedures). Because the awareness program is dynamic and designed to evolve in order to meet the future needs of the Company and employees, and to address the issues that arise due to rapidly advancing information technology, current activities will be modified or new activities will be developed to maintain program relevancy.
Employees are more likely to forget or ignore advice that has no relevance to their job, and "one lesson for all" just doesn't work. It's therefore important that employees make the connection between the lessons taught and the task at hand. For example, employees involved in accounting or transaction processing in a business that takes on-line credit card orders are far more likely to remember security lessons focused on protecting credit card files and personal customer information and on privacy issues. That important security information might not seem so important or relevant to a telephonist, receptionist, or delivery driver, who are more likely to meet or speak with an intruder and be much more susceptible to social engineering.
19 Another Step: Security Advisory Group or Council
- Group of upper-management-level people
- Represent all areas of the business
- Promote security awareness
- Promote a consistent approach to security
- Drivers of corporate-wide security policy
20 Involvement
- Host special events
- Look for "teachable moments"
- Develop security "champions"
- Leverage a "negative event"
- Use the "grapevine"
21 PLANNING
"The beginning is the most important part of the work." - Plato
22 Strategic Planning
Step 1: Where are we now? (Situation Assessment)
Step 2: Where do we want to be? (Strategic Direction)
Step 3: How do we plan to get there? (Implementation Planning)
Step 4: How will we monitor progress? (Monitoring)
Questions often arise concerning the vision, or its critical success factors, or key strategies, objectives or goals. What is a strategy anyway? How does it differ from a goal or an objective? How is mission different from vision, or are they really the same? Strategic Planning is a method for taking a strategic approach to addressing a business situation, such as security and security awareness. It provides a simple communication tool for helping construct a business strategy. The planning is fully scalable and applies to Fortune 500 companies, non-profit organizations, a (company name), an individual department, a work team, etc. There are four major steps in the process. Some of the benefits of utilizing this planning include:
- Identify and establish key relationships.
- Recommend security goals and architecture.
- Figure out what needs to be done.
- Prioritize.
- Seek low-hanging opportunities.
- Demonstrate value-add.
23 Compelling Issues
- Vast amounts of information.
- Open environment.
- Decentralized functions.
- Customer expectations.
- Institutional responsibility.
- Financial, operational & reputational risks.
- Increasing threat profile.
This is a list of some of the predominant challenges we faced in implementing a comprehensive awareness campaign.
25 It's the Culture
Culture drives the behavior of the organization and its people.
Implementing a behavioral security process without a solid cultural foundation is the cause of most incidents.
26 Danger Signs
- Unclear who is responsible for what.
- Belief that everything is OK: "we are in good shape".
- Belief that rule compliance is enough for security ("if we're in compliance, we're OK").
- No tolerance for whistle-blowers; a "culture of silence".
- Problems experienced at other locations are not applied as "lessons learned".
- Lessons that are learned are not built into the system.
- Defects and errors have become acceptable.
- Security is subordinate to production.
- Emergency procedures for severe events are lacking.
27 Danger Signs
- Policies and procedures are confusing, complex and "hard to find".
- Security resources and techniques are available but not used.
- Organizational barriers prevent effective communication.
- Responsibility, authority, and accountability for security are undefined.
- Security "belongs to IT".
- The acceptance of defects and errors becomes institutionalized.
- "Because nothing has happened (or we are unaware of what has happened), we're OK."
Culture is resilient, hard to change, and will revert to old habits if not steered by leadership.
28 What is Culture?
Social Culture - Our beliefs, philosophies, attitudes and practices that govern how we live.
Organizational Culture - What employees believe (perceptions), attitudes, practices, rules, regulations, philosophies, values, etc.
29 What is Culture?
It is the atmosphere which shapes our behavior: an invisible force that largely dictates the behavior of employees and management.
30 Company Culture: Production Culture vs. Security Culture
Due to the high costs of incidents, there is no way a pure production culture can be profitable to its fullest potential.
31 What is a Production Culture?
- Belief that only production matters.
- Whatever it takes to get the job done.
- Security performance is not measured.
- Security performance is not part of the supervisor's job.
32 Security Culture
- Security is not a priority - it is a corporate value.
- All levels of management are accountable.
- Security performance is measured and tied to compensation.
- Security is integrated into all operations.
33 The Purpose Of The Program
- Security is everyone's responsibility.
- Provide everyone with opportunities to determine how this applies in their daily roles.
[Diagram labels: Knowledge (what), Skill (how), Attitude (want); Education; Awareness.]
Need to explain:
- what the program will be trying to accomplish,
- how it will aim to improve the operations of the company, and
- how vital the protection of Information Assets really is.
You will need to explain why "Security is everyone's responsibility", and ensure everybody understands it. Explain that even if the company has the latest technological improvements like firewalls, intrusion detection systems, etc., an uneducated staff member could easily endanger sensitive information and render any technical security measure in place completely and utterly useless.
Most people tend to think that it is not their responsibility to help improve the security of their company. Generally people are of the (wrong) opinion that only the IT department or Information Security Office (ISO) can and need to take care of issues like these.
34 Motivation vs. Attitude
Motivation tends to be dynamic in nature:
- Lasts minutes or weeks.
- Intrinsic motivation plays a role: people feel free to make their own choices and need to justify actions in terms of internal reasons.
Attitude is a more static, internalized factor:
- Lasts months to years.
- Staged as readjustment, cooperation, acceptance and internalization.
User acceptance and internalization must be considered gradual processes and long-term goals.
35 A Collection of Approaches
[Diagram: Practical Approaches/Principles that pave the way to Intrinsic Motivation and Attitude. Marked +: Logic, Emotions, Morals and ethics, Well-being, Feeling of security, Rationality. Marked -: Sanctions, pressure.]
Logic. All actions should be logical. Do not act inconsistently. If, for example, a superior argues for the relevance of the universality principle and then tries to justify compliance with security guidelines by appealing to this principle, that superior cannot later logically plead for an action that violates this principle (without providing any persuasive reasons for why the universality principle is not relevant in this particular situation).
Emotions. Emotions are an integral part of thinking and rational decision making. When people are confronted with a set of choices, emotional learning (past experiences) streamlines their decisions by eliminating some options and highlighting others. Consequently, security measures should aim at provoking emotions and appealing to them in order to affect attitudes and motivation in a positive manner.
Morals and ethics. Morals strongly guide human behavior. It is more intelligible to act for moral reasons than for non-moral ones, although this view has been criticized on the grounds that moral, or justified, reasons do not imply motivation per se (since one may see non-moral reasons as intelligible as well). Moreover, the moral aspect overrides all other concerns. Thus, if killing an innocent person is regarded as immoral, we may not (and should not) kill innocent persons, regardless of the non-moral concerns related to the issue, e.g. financial gain. Security norms, at least those imposed by legislation, are (hopefully) founded on moral and ethical notions (this is not always so in practice, however). They are (hopefully) arrived at by means of ethical analyses (carried out by conceptual analysis) and should correspond to a desirable state of affairs. Electronic break-ins (nowadays often referred to as hacking) are (or should be?) covered by legislation because it seems to be wrong (in a general sense) to gain unauthorized access to computers or information systems. But why does it seem to be morally wrong to do so? Using the principle of universality, justice by fairness in terms of the "veil of ignorance", for example, we could ask: "What if everybody were to indulge in hacking?" We would most probably not want anyone to break into our computer systems, or our houses, as we feel that life in such a society would be very uncomfortable (and we postulate that this is one reason why hacking should be regulated as a criminal activity by legislation). Although there may be a moral dimension behind security activities (although this does not mean that security activities are right per se), it is commonly agreed by computer ethicists that people often fail to realize it. As a result, they do not apply their moral notions to the area of computing, and an important stimulus (human morality, moral responsibility) is lost from the security point of view. If people were to understand the ethical dimensions of security procedures (such as inadequate maintenance of passwords) and the possible morally negative consequences of such negligence, they would probably be more likely to follow the instructions. Different ethical theories should be used for this purpose.
Well-being. Negligence of security measures and weak security may threaten the well-being of individuals, companies and societies. Therefore, users should be made aware of such a threat to their well-being and of how adherence to security guidelines would prevent this from happening. This differs from morals and ethics in the respect that loss of well-being may have non-moral consequences.
Feeling of security. Safety needs (the desire to feel safe and secure, and free from threats to our existence) rank high among our needs, according to Maslow (1954). Even though Maslow's theory has been criticized, mainly due to the lack of proof for its hierarchy of needs, the fact remains that needs are the fundamental reason why people act and thus are essential to a full understanding of motivation. Although violations in terms of information security would not endanger people's lives directly (other than in a hospital environment, for example), it is reasonable to assume that people will still want to achieve and maintain a feeling of security through adherence to security procedures, given that such a need can be pointed out or awakened. Like morals and ethics, computing may be a blind spot for this, where users may not themselves recognize the possible jeopardy, such as the invasion of their informational privacy, or the deletion, modification or unauthorized use of their information.
Rationality. This involves the rational presentation of factual, descriptive reasons for actions. People are rational (at least in some respects), and they therefore demand rational explanations. The following issues, for example, can be addressed thoroughly according to the requirements of rationality: What are the implications of weak security for the company and the employees? Why is it rational to follow security guidelines? Why is it irrational not to follow security guidelines or pay attention to security?
36 Analysis and Problem-solving
What we looked at: People; Business; Measuring and evaluating.
38 People
- Identify key relationships.
- Establish rapport with students, faculty and staff.
- Become visible and available.
- Develop the security awareness program.
- Be the person who is there to help.
- Emotional/psychological management.
How People Learn is as Important as What They Learn
To aid in the most effective memory recall and overall impact, awareness education should be delivered with a combination of several different mediums.
- Visual Stimulation: four-color visuals that relate to the topic at hand leave a lasting impression about the information and aid in better recall.
- Audio Stimulation: after a while, no matter how important the message, a continuous flat tone loses the audience. Using voice fluctuations where appropriate, and combining a variety of voices where key messages are being conveyed, leads to a more attentive audience.
- Practical Application: using hands-on techniques for items such as password changes will assist the end-user with a proactive response to the information being provided.
- Analogies: learning by association offers strong memory recall and gives the audience the ability to relate the information to a real-world situation.
39 Business
Understand:
- Business and customer expectations
- Relationships between business and customer
- Key information and other assets, their owners and custodians
Many shy away from data classification, due to the perception that it requires too many resources (people and time). At a minimum, however, a data classification tool can be used to create awareness.
40 Strategy
[Diagram labels: Metrics/Benchmark, Communication, Culture, Regulatory, Education, Marketing, Strategic Planning.]
We took a combination strategy approach. We integrated elements of Regulatory, Culture, Communication and Marketing, and Education in all our efforts. Strategic Planning is useful in establishing drivers and in providing a framework, especially in the initial stages.
41 Design (National Institute of Standards and Technology)
42 The Awareness Program
The security process is more than the implementation of technologies:
- Redefinition of the corporate culture
- Communication of management's message
- Security is not a project, it is a process.
- Employee understanding of the value of information
- Employee understanding of the importance of their actions to protect information
43 Scope
The scope of any Security Awareness campaign will reach all network users, beginning with senior department executives and working towards each and every member of the community.
Who are the members of your community?
44 Customizing the Message
Plan to address segmented groups with messages specifically designed for those areas: Leadership, Staff, Students, Faculty, Senior Management, Line Supervisors, End Users, Contractors and Temps.
The appropriate amount of security awareness can take a different form for the particular audience. Target audiences should be established and the appropriate amount of awareness, combined with the company policies and procedures for that target audience, should be communicated.
Example
Group - Senior Management
Best Technique - Cost justification, Industry comparison, Audit report, Risk analysis
Best Approach - Presentation, Video, Violation reports
Expected results - Funding, Support
vs.
Group - Line Supervisors
Best Technique - Demonstrate job performance benefits, Perform security reviews
Best Approach - Presentation, Circulate news articles, Video
Expected results - Support, Resource help, Adherence
Group - Users
Best Technique - Sign responsibility statements, Policies and procedures
Best Approach - Presentation, Newsletters, Video
Expected results - Adherence, Support
45 Target audiences
Group            | Best Technique                                                       | Best Approach                                 | Expected Results
Senior Managers  | Cost justification, Industry comparison, Audit report, Risk analysis | Presentation, Video, Violation reports        | Funding, Support
Line Supervisors | Demonstrate job performance benefits, Perform security reviews       | Presentation, Circulate news articles, Video  | Support, Resource help, Adherence
Users            | Sign responsibility statements, Policies and procedures              | Presentation, Newsletters, Video              | Adherence, Support
Senior Management will be expecting a sound, rational approach to information security. They will be interested in the overall cost of implementing the policies and procedures and how this program stacks up against others in the industry. A key concern will be how the audit staff will view these policies and procedures and whether the security program will give them an acceptable level of risk.
Line supervisors are focused on getting their job done. They will not be interested in anything that appears to slow down their already tight schedule. To win them over, it will be necessary to demonstrate how the new controls will improve their job performance process. As we have been stressing since the beginning, the goal of security is to assist management in meeting the business objectives or mission. It will be self-defeating to tell supervisors that the new policies are being implemented to allow the company to be in compliance with audit requirements. This is not the reason to do anything, and a supervisor will find this reason to be useless. Stress how the new process will give the employees the tools they need (access to information and systems) in a timely and efficient manner. Show them where the problem resolution process is and who to call if there are any problems with the new process.
Employees are going to be skeptical. They have been through so many company initiatives that they have learned to wait. If they wait long enough and do nothing new, the initiative will generally die on its own. It will be necessary to build employees' awareness of the information security policies and procedures. Identify what is expected of them and how it will assist them in gaining access to the information and systems they need to complete their tasks. Point out that by protecting access to information, they can have a reasonable level of assurance (remember, never use absolutes) that their information assets will be protected from unauthorized access, modification, disclosure or destruction.
46 Needs Assessment
Senior Management will be expecting a sound, rational approach to information security.
Line supervisors are focused on getting their job done.
Employees are going to be skeptical. They have been through so many company initiatives that they have learned to wait. If they wait long enough and do nothing new, the initiative will generally die on its own. It will be necessary to build employees' awareness of the information security policies and procedures. Identify what is expected of them and how it will assist them in gaining access to the information and systems they need to complete their tasks.
47 The Information Security Message
- Employees need to know that information is an important enterprise asset and is the property of the organization.
- All employees have a responsibility to ensure that this asset, like all others, is protected and used to support management-approved business activities.
- To assist them in this process, employees must be made aware of the possible threats and what can be done to combat those threats.
- Is the program dealing only with computer-held data, or does it reach all information wherever it is resident? Make sure the employees know the total scope of the program.
- Enlist their support in protecting this asset. The mission and business of the enterprise may depend on it.
48 Delivering the Message
[Chart: delivery mediums plotted by cost against effectiveness, with a legend of Not recommended, Recommended and Highly recommended. Mediums shown: Recognition awards, Broadcast, Sign-on banner, Screen saver, Web site, Posters, Brochure, Security newsletter, Special events, Security classes, Video, CBT, Giveaways.]
It's important to look at different mediums for delivering the message and determine which are most effective. Keep in mind the culture of your organization, whether it is a centralized or decentralized environment, what worked in previous efforts, etc. The next slide is one way we considered customizing our messages.
49 Formats for Communication
Individual meetings
Staff meetings
Conference calls
Videoconferences
Messages
Faxes
Graphics and logo
When available, videos and interactive CD-ROM-based programs help reinforce your message. However, a lot of fancy graphics and sound effects has the potential to divert attention away from the message you are trying to get across. Simply telling a story that demonstrates the point and is relevant to your audience is far more effective, and case studies provide an effective platform for delivering a key message. In fact, I highly recommend that someone in your department be assigned the task of collecting stories, both industry-wide and company-specific. Asking questions reinforces key points and helps you interact with your audience to keep things interesting. Repeating key points near the end helps to further reinforce the basic message.
50 UA Security Awareness Campaign
[Screenshot of the U of A intranet page "UA Security Awareness Campaign".]
Being Security Aware means you understand that there is the potential for some people to deliberately or accidentally steal, damage, or misuse the data that is stored within our computer systems and throughout our organization. Therefore, it would be prudent to support the assets of our institution (information, physical, and personal) by trying to stop that from happening.
Page contents:
2004 Information Security Awareness Day: Current Security Events; UA Information Security Awareness Day; Computer Security: What you need to know; 2004 Information Security Brown Bag Series (.pdf); Calendar of Campus Security Awareness Events
Presentations: Security Awareness Presentations
Security Plan: Information Security Awareness Campaign Initiatives (.pdf); Security Awareness Campaign Feedback Questionnaire; Evaluation Model (.pdf)
Send comments and suggestions to: Kelley Bogart or call
51 Sample Email Message
An attorney's advice and it's FREE!
A corporate attorney sent the following out to the employees in his company:
The next time you order checks, omit your first name and have only your initials and last name put on them. If someone takes your check book they will not know if you sign your checks with just your initials or your first name, but your bank will know how you sign your checks.
When you are writing checks to pay on your credit card accounts, DO NOT put the complete account number on the "For" line. Instead, just put the last four numbers. The credit card company knows the rest of the number and anyone who might be handling your check as it passes through all the check processing channels won't have access to it.
Put your work phone # on your checks instead of your home phone. If you have a PO Box use that instead of your home address.
Never have your SS# printed on your checks. You can add it if it is necessary. But if you have it printed, anyone can get it.
Place the contents of your wallet on a photocopy machine, do both sides of each license, credit card, etc. You will know what you had in your wallet and all of the account numbers and phone numbers to call and cancel. Keep the photocopy in a safe place. I also carry a photocopy of my passport when I travel either here or abroad.
We've all heard horror stories about fraud that's committed on us in stealing a name, address, Social Security number, credit cards, etc. Unfortunately I, an attorney, have firsthand knowledge because my wallet was stolen last month. Within a week, the thief/thieves ordered an expensive monthly cell phone package, applied for a VISA credit card, had a credit line approved to buy a Gateway computer, received a PIN number from DMV to change my driving record information online, and more. But here's some critical information to limit the damage in case this happens to you or someone you know:
We have been told we should cancel our credit cards immediately. But the key is having the toll free numbers and your card numbers handy so you know whom to call. Keep those where you can find them easily.
File a police report immediately in the jurisdiction where it was stolen; this proves to credit providers you were diligent, and is a first step toward an investigation (if there ever is one).
But here's what is perhaps most important (I never even thought to do this): call the three national credit reporting organizations immediately to place a fraud alert on your name and Social Security number. I had never heard of doing that until advised by a bank that called to tell me an application for credit was made over the Internet in my name. The alert means any company that checks your credit knows your information was stolen and they have to contact you by phone to authorize new credit. By the time I was advised to do this, almost two weeks after the theft, all the damage had been done. There are records of all the credit checks initiated by the thieves' purchases, none of which I knew about before placing the alert. Since then, no additional damage has been done, and the thieves threw my wallet away this weekend (someone turned it in). It seems to have stopped them in their tracks.
The numbers are:
Equifax:
Experian (formerly TRW):
Trans Union:
Social Security Administration (fraud line):
52 A Picture is Worth a Thousand Words
[Sample awareness posters from: Information Protection Centre, Manitoba Information and Communications Technologies; Cal Poly Pomona University; University of Arizona.]
55 A Coordinated Approach
[Table: Groups 1-3 against delivery channels (presentation, staff meeting invitation, videos and poster, newspaper article) and themes (general security, monthly theme, current issues).]
In addition, social engineering, visitor and vendor procedures, telephone hacking, and clarification of correspondence to various classification levels should be emphasized.
Group 1 - Communicates bottom-line cost advantages, business survivability, effects on shareholder value, attacks on confidential data, and offsetting resulting litigation.
Group 2 - Technical staff should have a focus on individual verification procedures, and features and attributes of software programs that can support increased security.
Group 3 - Non-technical overview of what security is and why it is important. Include elements of security, the threats to security, and countermeasures, all tied to company policies and procedures, which should lend insight and support to the countermeasures.
56 Implementation
Is hard... times 20!
Perfection is boring and gets in the way of progress.
Is where continuous improvement starts.
57 Communication and Marketing
You can never over-communicate during times of change.
Communication Objective
The main communication objective of our plan was: "To promote IT Security awareness through education and training to all individuals involved in the management, operation, programming, maintenance or use of the (Company Name) technology resources and services. To inform these individuals of their IT Security responsibilities and how this knowledge is expected to be fulfilled."
With specific emphasis on campus members' responsibilities, such as knowledge of and compliance with (company name) of Arizona Security policies and other regulated laws for protecting institutional data:
FERPA
Copyright
MP3 file downloads
USA Patriot Act
A.R.S. Section
Privacy Act of 1974
ABOR Policy 6-912
Electronic Privacy Statement
(company name) of Arizona Policy on Release of Student Information
UA Policy Governing Use and Duplication of Computer Software
Grading Policy: Publicly Posting Final Grades
58 Developing a Communications Strategy
Why Communicate?
– Public support
– Demonstrating success
– Explaining and persuading
– Adequate resources
– Public Interest / Accountability
Agenda
– Purpose of strategy
– Strategies for organization and for issues
– Link with organizational objectives / priorities
– Reputation and stakeholders
– The practicalities of developing a strategy
– Why communicate? (the points above)
Public Relations - Definition
1980s: "The planned and sustained effort to establish and maintain goodwill and mutual understanding between an organization and its public"
Now: "The management of an organization's reputation"
59 Key Questions
Who do we want to talk to?
What do we want them to understand?
How do we want to influence them?
Should we prioritise or group the audiences (market segmentation)?
Do not forget employees as key stakeholders.
This lists just some of the questions we asked ourselves during the stakeholder analysis.
Stakeholder analysis
A technique to assist in making decisions about who to involve, and how to involve them. For any decision or action, a stakeholder is anyone who is affected by, or can influence, that decision or action.
1. Draw the chart
Draw a chart that has 6 columns. The four columns in the middle need only be wide enough to contain a three- or four-letter symbol. You need a little more width in the right-hand column than in the left-hand one. The four columns in the middle are used to measure: Att = attitude, Inf = influence, E = estimate, C = confidence.
2. List stakeholders
Identify and list the stakeholders. These may be individuals, or stakeholder groups, or some combination. If stakeholders can be treated as a group, use groups. The most effective way of doing this is to list as many stakeholders as you can on a working sheet of paper. Then transfer them to the left-hand column of the chart. It may help to list them in rough order of importance. (You may change your mind about their importance after this analysis.)
3. Estimate attitude and confidence
For columns 2 to 5, work across the page. Record your estimates of the following in the columns. In order, they are:
60 Stakeholder Analysis
A technique to assist in making decisions about who to involve, and how to involve them. For any decision or action, a stakeholder is anyone who is affected by, or can influence, that decision or action.
Rate: Attitude, Influence, Estimate, Confidence
62 Messages
Passwords
Do not share user names or passwords
Use strong passwords
Do not write passwords down
Viruses
Beware of viruses, particularly in attachments
Ensure that antivirus software is installed and updated
Information handling
Classify information correctly
Pick up print outs and faxes
E-mail and Internet use
Don't send sensitive info over the Internet without taking precautions to secure it.
Messaging
While there are many variations on the content, in practice the most popular topics and their associated awareness messages are listed in Table 2 below:
Table 2: Sampling of just a few of the most common topics for security awareness campaigns
Passwords
· Do not share User IDs or passwords
· Use 'strong' passwords
· Don't write passwords down
Viruses
· Beware of viruses, particularly in attachments
· Ensure that anti-virus software is installed and updated
Physical Security
· Keep premises secure
· Adhere to clear desk and clear screen policies
· Take proper care of laptop computers
E-mail and Internet use
· Don't send sensitive information over the Internet without taking suitable precautions to protect it
· Internet use must comply with corporate policies
63 Getting There
Message, audience, means... NOT means, audience, message.
What is best for which audience?
It is not just press, radio and TV.
Spectrum, for example - personal contact.
64 Getting There
Leaflets and other publications
Exhibitions
Paid advertising
Web and "new" media - narrowcasting
Build in feedback where you can.
65 Timing
Identify fixed events in the programme.
Be aware of outside fixed events.
Be ready for the unexpected.
Be opportunistic.
As with many efforts, timing is everything. If something is not as successful as you need, it may be wise to try it again at an opportune time.
66 Communication
Bi-monthly Brown Bag sessions (training/awareness courses)
Monthly security awareness newsletter
Posters
Security awareness messages on the intranet
Security awareness days
Integrate efforts with HR efforts (orientation)
Modeling
68 Measurement
If we are required to assess change in behavior by virtue of how long a person sits in a seat... we are focusing on the wrong end of the person.
How will you ever know if you're successful unless you use some type of measurement? As mentioned before, one foot in ice water and one foot in boiling water does not mean that on average you are at room temperature. Security is not an end state, nor can it be judged by measuring any single variable at any single point in time.
69 Measuring, Evaluating
Security is like the brakes on your car. Their function is to slow you down. But their purpose is to allow you to go fast.
One of the important areas in measuring and evaluating your program is acknowledging both efficiency and effectiveness. Efficiency is doing the right thing - effectiveness is doing the right thing the right way.
[Table: Computing Policy Digest, with columns Policy/Procedure/Statement, Source, Subject, Main Point, ROI metrics; example entry: your privileges and the rules of responsible behavior governing them.]
70 What do we want to measure?
What can be measured?
How can it be measured?
How do these relate to initial objectives?
Continued monitoring?
Feed into future strategies / campaigns.
Evaluation of Security Awareness Program
The successful delivery of a security awareness campaign should result in the desired security-positive behaviours being adopted and maintained by the campaign recipients. The success of the campaign must then be checked in order to ensure value for money from the investment in security awareness, and to improve repeats of the campaign and the development of new campaigns in the future.
The success of the Security Education & Awareness program will be based on two parameters: qualitative and quantitative feedback.
Distribute a survey or questionnaire seeking input from campus members. If an awareness briefing is conducted during the new-student or employee orientation, follow up with the participants (after a specified time period of three to six months) and ask how the briefing was perceived (i.e., what do they remember, what would they have liked more information on).
Ask others in the room about the awareness campaign. How did they like the new poster? Remember that the objective is to heighten awareness and responsibilities of computer security. Thus, even if the response is "that poster is silly," do not fret; it was noticed and that is what is important.
Track the number and type of security incidents that occur before and after the awareness campaign. Most likely, it is a positive sign if there is an increase in the number of reported incidents. This is an indication that users know what to do and whom to contact if they suspect a computer security breach or incident.
71 Strategic Content Sessions
Measurement of existing security weaknesses can be based on:
Incident reports
Tools that measure compliance
Interviews with supervisors
Testing
Employee surveys
Security/Privacy Awareness Campaign Feedback Questionnaire - for Net Managers.
What is a NetManager? The Network Managers (NetMgrs) Group is the organization of people responsible for the management and support of networks, with a focus on the technical aspects of networks, from departments or units affiliated with the (company name) campus. It is a technical working group with concerns and expertise in dealing with operational support and enhancement of data communications on campus. These are the people who, within their areas, are tasked to make data communications happen.
The questionnaire can be modified to address your priorities, and sent to any group or individual that can provide valuable feedback. Sample question: "What requirements and/or expectations do you have of the Security/Privacy Awareness Campaign?"
73 Measurement Tools
1. Distribute a survey or questionnaire seeking input from employees. If an awareness briefing is conducted during the new-employee orientation, follow up with the employee (after a specified time period of three to six months) and ask how the briefing was perceived (i.e., what do they remember, what would they have liked more information on, etc.).
2. Walk-abouts. While getting a cup of coffee in the morning, ask others in the room about the awareness campaign. How did they like the new poster? How about the cake and ice cream during the meeting? Remember that the objective is to heighten the employees' awareness and responsibilities of computer security. Thus, even if the response is "that poster is silly," do not fret; it was noticed and that is what is important.
3. Track the number and type of security incidents that occur before and after the awareness campaign. Most likely, it is a positive sign if one has an increase in the number of reported incidents. This is an indication that users know what to do and whom to contact if they suspect a computer security breach or incident.
Keep in mind that the evaluation process should reflect and answer whether or not the original objectives/goals of the security awareness program have been achieved. Sometimes, evaluations focus on the wrong item. For example, when evaluating an awareness program, it would not be appropriate to ask each employee how many incidents have occurred over the last year. However, it would be appropriate to ask each employee if they know whom to contact if they suspect a security incident.
74 Measurement Tools
4. Conduct "spot checks" of user behavior. This may include walking through the office checking if workstations are logged in while unattended or if sensitive media are not adequately protected.
5. If delivering awareness material via computer-based delivery, such as loading it on the organization's intranet, record student names and completion status. On a periodic basis, check to see who has reviewed the material. One could also send a targeted questionnaire to those who have completed the online material.
6. Have the system manager run a password-cracking program against the employees' passwords. If this is done, consider running the program on a stand-alone computer and not installing it on the network. Usually, it is not necessary or desirable to install this type of software on one's network server. Beware of some free password-cracking programs available from the Internet because they may contain malicious code that will export one's password list to a waiting hacker.
75 Putting Metrics in Perspective - A Case Study
One of our key areas for security focus was viruses and worms.
Two main goals:
1. Reduce the number of lost work hours in the organization due to virus/worm infection, and the effort spent trying to prevent virus/worm infections.
2. Reduce or eliminate secondary infections of our business partners.
76 Company Background
Over 1100 employees.
Business partner has access to our networks and receives hundreds to thousands of e-mails from us daily.
Made some technical changes. These reduced the problems in the first year or so after introducing them. After that we reached a plateau.
Introduced an awareness program:
Intranet website dedicated to virus problems
Security bulletins for new virus/worm outbreaks
Regular, monthly security awareness articles
Presentations (both scheduled and on request)
77 Results
Then - 6,000 hours expended annually to control virus/worm outbreaks in 2000
Now - less than 2,000 hours in 2003
Then - 5 significant virus/worm outbreaks in 2000
Now - 2 significant virus/worm outbreaks in 2003
Then - out of a typical 25 new helpdesk requests per business day, four dealt with virus/worm problems
Now - new helpdesk requests per day have increased to 28 on average; virus/worm requests have dropped to less than 1 per day
78 Five Levels Of The Information Security Evaluation Model
Level 1 = COMPLACENCY
Level 2 = ACKNOWLEDGEMENT
Level 3 = INTEGRATION
Level 4 = COMMON PRACTICE
Level 5 = CONTINUOUS IMPROVEMENT
Where is your organization?
The following measurement tool was very beneficial in providing a snapshot view for both Current Reality and Desired Future states. It is recommended that one of the first steps is to customize the characteristics for each level as they relate to your organization. You might engage your executive team or leadership team in an exercise in defining what Level 5 would look like. I have often found that this tool provides a compelling Case for Action at the onset of your project.
79 Progress to Date
[Diagram: staircase from Level 1 Complacency (start) through Level 2 Acknowledgment, Level 3 Integration (marked as current), Level 4 Common Practice, to Level 5 Continuous Improvement.]
Level 1 Complacency: Security policies & standards are minimal and may or may not be documented. Security incidents are viewed as someone else's problem. Existing programs and services are perceived as sufficient. Security is viewed as an enforcer.
Level 2 Acknowledgement: Realization that existing information security processes are fragmented. Executive-level support and involvement is visible. Some security awareness interventions are implemented and are ongoing.
Level 3 Integration: General acceptance of campus-wide standards based on security infrastructure and displayed through noticeable behavior change. Staff, faculty and students actively and visibly participate in the programs and services. Security incidents are reported immediately to the appropriate area.
Level 4 Common Practice: The integration of security programs and services in the campus departments is complete. Security is involved at the onset of projects. U of A is considered a Security Awareness Best Practice campus.
Level 5 Continuous Improvement: Threats are continually re-evaluated based on the changing threat population and security incidents. Additional or more cost-effective alternatives are continually identified. The practice of security is considered a component of the campus culture. Security awareness is viewed as a business enabler.
80 Highlights of Before and After Results
Security Questions and Problems
AUP
Security Awareness Training
Perceived Value of Security
Stewardship in Projects
Best Practice
81 Security Awareness Education Plan
[Diagram: plan elements - Learning Management System, Security Intranet website, Traditional Classroom Training, User Agreement, Videos, Brochures, Exercises, Newsletter, Measurement and evaluation, Events, Best Security Practices, Screen Savers, Education, Posters, "How To" Guides.]
Feature: Learning Management System
Description: Online security awareness and education CBT courses (registration, delivery, tracking, testing and reporting).
Feature: Security Intranet website
Description: Design a web site, SSL/PKI protected. Hosted content could include:
Collaborative work areas
Chat
Instructor-supported web-delivered training & awareness
Mail list to alert users of new developments
Security-related newsletters
Security links
Security policies and procedures
Anti-virus software (corporate license)
Learning Management System (LMS)
PowerPoint awareness presentations
82 Security Awareness Content
Personal Security: Social Engineering; Identity Theft; Clean Desk Policy; Parking Lot Security; Emergency Alerts
Physical Security: Building Access; Rules for ID Badges; Visitor Control; PC Security; Telephone Fraud; After Hours Access
Information Security: Password Construction & Management; Screensavers; Internet Security; Software Piracy; Data Backups; E-mail Usage; Internet Usage; Viruses
The menu of security topics falls into three key categories: personal security, physical security, and information security.
A modular design of the core awareness program allows complete flexibility to ensure your program is timely, targeted, and effective.
83 Three Necessary Components to Develop Security Habits
Getting Started
Knowledge (what to do)
Skill (how to do it)
Attitude (want to do it, and why)
What we are striving for are sound security habits. A habit is the combination of knowledge (knowing what to do), skill (knowing how to do it) and attitude (understanding what happens if we don't, why it is necessary, and wanting to do it). And, like most newly acquired habits, you'll expend the most energy as you begin to acquire them.
Think about a rocket taking off. Most of the energy is needed during lift-off, to break through the pull of gravity and propel the object into action. However, once the rocket is in space, much less energy is needed, especially once there is no pull from gravity.
So expect to have some setbacks in the beginning, and know that if repeated relentlessly, the habits will be ingrained at such a subtle level that you do not necessarily think about them.
A good analogy is to refer to the time when seat belts were first introduced. Remember how cumbersome they were? How many times did people forget to put them on? And can you remember grimacing when you forgot to take them off? I bet very few even think about putting them on now. It is probably an automatic response when you get into a car. That is where we need to be with sound security practices.
84 Program Elements
Accelerated Learning
A positive learning environment
Total learner involvement
Appeals to all learning styles
Collaboration among learners
Learning in context
Facilitation vs. Training
Employees may be attending your present security awareness presentations (hearing, but not listening), nodding (or nodding off) at the appropriate moments, only to return to their day-to-day work with no change in their behavior or attitude towards security. Briefings on security inevitably start with the growing importance of computers and the dangers that await those who are unwary, unwise, or careless; however, this message can become tired and the listeners bored until something catastrophic happens. When someone says, "It won't happen here," it probably already has. That's where Accelerated Learning makes a difference.
What is Accelerated Learning? Why do we utilize its concepts? It's several things. It encompasses:
A philosophy of learning
A wide variety of learning techniques
A system for creating optimal learning environments
Our aim is to make learning fun, fast and effective! For example, although lectures are not necessarily eliminated, they tend to share the stage with activities that involve the learner totally. So, instead of lecturing ad nauseam about how to protect against and react to a social engineer, participants will engage in various incident response role-play situations. They will have an opportunity to watch and listen to others, teach others what they already know, and have discussions to create shared meaning. We all know that teaching is the best way to learn. Accelerated Learning provides that experience to the participants, not just the "trainer".
85 SA Tools
http://security.arizona.edu/awareness.html
86 Lessons Learned
87 Lessons Learned: 1
The security awareness leadership position is not a technical role. Rather, it is a program manager role.
The role must be comfortable as a program manager, and must be able to know when to put on the technical hat.
88 Lessons Learned: 2
Security awareness is not a natural thought process for everyone. Sometimes you don't know what you don't know.
You must plant/grow the seeds of awareness, and illustrate the relevance of security to all roles.
89 Lessons Learned: 3
A commitment to security implies investment primarily in a security leadership position itself.
The investment needn't involve spending money on technology. Invest in the human resource first.
90 Lessons Learned: 4
While security and privacy are important to most people, we tend to be uncomfortable talking about security weaknesses.
The role must de-mystify security and steward the creation of appropriate settings and processes to discuss security issues.
91 Lessons Learned: 5
Security is on everyone's mind, but not everyone understands how to apply security in the context of their work. This is sometimes perpetuated from areas inside the organization.
The ability to articulate and quantify risk and the cost of consequences is an essential element of gaining a motivated audience.
92 Lessons Learned: 6
The "starter" key relationships are:
Legal Counsel
Human Resources
External Affairs
Executive Team
Risk Management
Audit
93 Lessons Learned: 7
Over-prescription creates little gain in security at the expense of willingness and cooperation from customers.
Security is a "living thing", not a one-time project.
Find ways to attract and retain all stakeholders in security discussions and activities.
94 Lessons Learned: 8
Few security answers are binary. The vast majority of answers are analog.
The ability to discriminate which situations require a binary answer, and which require a more introspective analog answer, is essential.
95 Lessons Learned: 9
Measurement is essential to illustrate value and costs, and to underwrite future success.
Keep track of what you do. Tabulate. Quantify. Report. Share (with discretion).
96 Security is Like Quality
"You can't buy security. It's not a product. It's a mindset and a never-ending process. To succeed, security must permeate every aspect of our business. It's not just the responsibility of the executive and management team; every employee must have a tenacious commitment to it."
"Security is intangible, but it's not ethereal. It's difficult to quantify, but its results are absolutely measurable."
"How much does security cost? Nothing. It's free when everyone is committed to it."
- Andrew Briney
97 Lessons Learned: 10
The beginning is the most important part of the work.
98 We End Where We Began
If the result of this workshop gives voice to some of your own experiences, or provides new ideas that contribute to your success, then we have succeeded.
As you take your own journey, we would like to hear from you and invite you to contact us with your questions and stories of your victories as you chart your own change path.
99 Conclusion
Organizations don't change. People change. And then people change organizations.
It's very hard to change people's minds if it means reducing their job satisfaction.
Technology comes and goes, but people will always be a challenge!
If you always do what you've always done, you'll always get what you've always got.
100 Keep chasing the dog, or fence it in?
Thank You