Slide 1: Best Practices in User Education: A Critical Component in any Information Security Program
April 22, 2003, Security Professionals Workshop
Shirley Payne, Director, Security Coordination & Policy, University of Virginia
Cedric Bennett, Director, Information Security Services, Stanford University
Slide 2: Topics
- Why education?
- Who needs to be educated?
- Communicating
- Effective Practices
- Exercise
- Wrap up
Slide 3: The Need For Education
Statistics show most breaches are caused by insiders:
- Disgruntled employees and contractors
- Inquisitive students
- Unintentional actions or lack of action
Excuses:
- I didn't know
- I thought someone else would take care of that
- I don't know how
- I've got more important things to do
Slide 4: Threats To Computer Systems (source: Dr. Corey D. Schou)
Threats by people:
- Unintentional employee action: 50-60%
- Intentional employee action: 15-20%
- Outside actions: 1-3%
Physical and environmental threats:
- Fire damage: 10-15%
- Water damage: 5-10%
- Electrical fluctuations: 1-5%
- Natural disaster: 1%
- Other: 5-10%
Slide 5: "Automakers have added systems to cars that can pinpoint their location and even call emergency services if a crash is detected. However, have these smart cars made the roadways safer? This is an analogous situation for information security. Overall security will only improve if users are educated about the technology they are using."
Richard Hunter, VP of Gartner's G2
Slide 6: Lack Of Education Causes Major Problems
- We've exposed student, employee, donor and medical data
- Our IT resources have been used for attacks on businesses and the Federal government
- Our research data have been compromised
- Our hardware has been confiscated by FBI investigators
- We're spending significant time in reaction mode
Slide 7: More Bad News: Education Is Hard!
- Few acknowledge personal responsibility for security
- Many consider the issue too technically complex
- Management fails to comprehend the business implications
- Security budgets and staff are stretched to the limit
Slide 8: How Do We Approach This?
Finely sharpen the education program design:
- Define the target audiences well, and what each needs to know
- Determine how best to communicate the message
- Leverage what others are doing
Slide 9: Who Needs To Be Educated?
- Faculty
- Staff
- Students
- Parents
- Researchers
- Healthcare professionals
- Local businesses
- Governmental agencies
- Local citizens
- Institution executives
Slide 10: Communication Is 2-way
- Don't forget to listen
- Check your understanding
- Empathy
- The Platinum Rule: do unto others as they would prefer
Slide 11: Be The Listener
- Use language familiar to the listener
- Avoid jargon
- Only moderate use of FUD
- Reference the concerns of the listener
- Use metaphor to make your points
- Don't assume facts or understanding
- Use humor and informality appropriately
- Repetition is important
Slide 12: Provide What Is Needed
- Get lots of input
- Check with the Help Desk, consultants, system administrators
- Prioritize the messages
- Focus the program to get the "biggest bang"
Slide 13: Effective Practices
- Web sites & email
- Articles in local publications
- Posters and postcards
- Show & Tell presentations and meetings
- Enlist others to help
- Mount a campaign
- Never stop
Slide 14: Effective Practices Exercise
Interactive group session:
- Form groups
- Each group will be assigned a Target Audience
- Choose what the educational focus will be
- Consider the best ways to reach that target
- Work on the problem for 6 minutes
- Make a bulleted list of approaches
- Some groups will report results
- Every group will hand in results
- We will make all results available on the workshop / session web site
Thirteen pages of exercise results follow the wrap-up page.
Slide 15: Selected Examples
- University of Florida's security awareness day: http://www.itsa.ufl.edu
- Texas A&M's security awareness training: http://infosec.tamu.edu/sat/main.html
- Indiana University's "how-to" page: http://www.itso.iu.edu/howto
- James Madison University's R.U.N.S.A.F.E. program: http://www.jmu.edu/computing/runsafe/
- University of Virginia's security toolkit: http://www.itc.virginia.edu/securitytoolkit
- Stanford's secure computing site: http://securecomputing.stanford.edu
Slide 16: Selected References
- Center for Education and Research in Information Assurance and Security: http://www.cerias.purdue.edu
- National Institute of Standards and Technology Computer Security Resource Center: http://csrc.nist.gov/ATE
- SANS Institute: http://www.sans.org
- Virginia Alliance for Secure Computing and Networking: http://vascan.org
Slide 17: Wrap Up
- Other Questions and Answers?
- Check the Security Professionals Workshop site for these slides plus session-developed materials
Slide 18: Effective Practices Exercise
The thirteen pages which follow are the results from the session exercise, by group. In some cases, the same target audiences were considered by different session work groups.
Slide 19 (exercise results page): Ideas for reaching "target" groups – Executives
- Make them think they make decisions
- Low tone "Fox" news – fear – stress the need for information protection
- Cost benefit analysis
- Address their concerns
- Metaphors in terms s/he can understand
- Put a positive spin on it: "Security can protect productivity"
- Educate them about security (problems & resolutions)
- Tailor to their areas of expertise – this is actually a very diverse group
- Brief, pithy
- Identify reputation (and other) risks for the division
Slide 20 (exercise results page): Ideas for reaching "target" groups – Staff (1st Group)
- Target includes "student staff"
- Educate on security policies by incorporating them in orientation
- Identify key staff member(s) to become trainers
- Widely publish security policies and usage
Slide 21 (exercise results page): Ideas for reaching "target" groups – Staff (2nd Group)
- Staff associations / forums
- Email
- Print info on payroll check advice (e.g., an announcement of an event)
- Voice mail
- Make it clear that each staff member has a responsibility to protect the information of which they are a steward
- Use parking permits as a means to contact people (meetings, dates, etc.)
- Simple give-away gifts with messages
- Website, intranet
- Posters
- Log-in banner
- Orientation / training program
- Tents on cafeteria tables
- Interactive contests
- Recognize people for doing something right: a "Good Job" or "Pat on the Back" a week
- Employee newsletters
Slide 22 (exercise results page): Ideas for reaching "target" groups – Staff (3rd Group)
Problem: Not teaching that passwords must be kept secure
Issue: Writing passwords on the desk or posting them on the telephone; weak policies – not ensuring strong passwords
Outreach:
- PowerPoint, email
- Use "live" examples (e.g., $25,0000 debt on telephone calls – lecturers inviting study groups of students also see the password on the telephone)
- Use Crack
- Send notification that passwords have been compromised and need to be changed
Slide 23 (exercise results page): Ideas for reaching "target" groups – Students
What to focus on:
- Not sharing passwords
- Peer to peer
- Sharing software "down-ware"
- Use of email
- Use of virus protection
- Harassment
- No threats in chat rooms
- Student information privacy – protect their own info
How to reach them:
- Freshman orientation
- Newspapers
- Information literacy course (mandatory coursework)
- Public service pop-ups
- Include a required technology class
- Provide reading material with the acceptance package
- Fraternity security parties
- Student orientation pamphlets / posters
Slide 24 (exercise results page): Ideas for reaching "target" groups – Students (2nd Group)
Some techniques:
- Door hangers with security information (e.g., on password changing)
- Posters (residence halls and classrooms)
- Stickers on restroom doors
- Freshman orientation – ½ hour
- Student media (radio, cable TV)
- Contests with prizes
- Free anti-virus CD in every residence hall room, and other enhanced ways to distribute site-licensed free software
- Web info
Focus:
- Campuswide authentication (strong passwords)
- Anti-virus software – using it and updating it
- Copyright
- Ethics
- File-shares (closing open shares)
- WinXP or W2K – problems with no administrative password, etc.
- Personal firewalls
- Proper use of email
- Proper use of instant messaging
Slide 25 (exercise results page): Ideas for reaching "target" groups – Students (3rd Group)
Focus:
- Passwords
- General ethics
- File sharing
- Anti-virus
- Copyright
- WinXP/2K admin passwords
- Personal firewalls
- Netiquette
Approaches:
- Residence hall bulletin boards
- Door hangers
- Campus-wide identifiers
- Posters inside bathroom stalls
- Freshman orientation
- College radio / cable TV
- Contests with prizes
- Free anti-virus and other software CD distribution
Slide 26 (exercise results page): Ideas for reaching "target" groups – System Administrators
To educate on:
- What are their roles and responsibilities
- What authority do they have
- What are the best practices
- Rules for decision making
- Incident handling processes
- What to do if media or police request info
Slide 27 (exercise results page): Ideas for reaching "target" groups – Faculty (1st Group)
- Start at the top: Dean of Faculty or equivalent; get support at that level
- Have the message come from the faculty
- Use Faculty Senate / Department meetings, etc.
- Be proactive – "get in their face"
- Show the value proposition to them (convince them of the value to them), e.g., intellectual property, book in progress, etc.
- Use the Research Office or other offices, e.g., Procurement
- Bribe them with food, door prizes
- "Scare the pants off them" (CNN News idea)
Slide 28 (exercise results page): Ideas for reaching "target" groups – Faculty (2nd Group)
Focus on protecting grades / research
Approaches:
- Be added to faculty meeting / luncheon
- Ask for assistance (e.g., secretary, TA, etc.)
- Hold classes provided by IT staff
Slide 29 (exercise results page): Ideas for reaching "target" groups – Parents & Alumni
What to communicate:
- Policies (AUP, Security, etc.)
- Policy violations have disciplinary consequences that could interrupt their academic experience
Approaches:
- Web page for technical specifications, with a link to policies
- Mailing (U.S. Mail) about policies
- Highlight legal and university judicial penalties
- Provide translations in multiple languages, if appropriate
- Alumni newsletter, parents' magazines
- Use analogies to make the point
Slide 30 (exercise results page): Ideas for reaching "target" groups – Researchers
- Where research brushes against AUPs, contact someone and discuss
- Approach it from their angle: dangers of losing research data (integrity), premature release of results
- Educate research compliance committees (IRBs) about this
- Educate the campus office that takes in grant proposals about the security implications
- Grant-tracking system
Slide 31 (exercise results page): Ideas for reaching "target" groups – Application Systems Staff
- Speaker program
- Web site
- Listserv
- On-site professional training
- Web seminars designed for the need
- Presentations at staff meetings
- Application testing / certification
- Peer-to-peer training