Best Practices in User Education: A Critical Component in any Information Security Program

Shirley Payne, Director, Security Coordination & Policy, University of Virginia
Cedric Bennett, Director, Information Security Services, Stanford University

Security Professionals Workshop, April 22, 2003

Slide 1: Title

Slide 2: Topics
- Why education?
- Who needs to be educated?
- Communicating
- Effective Practices
- Exercise
- Wrap up

Slide 3: The Need For Education
- Statistics show most breaches are caused by insiders:
  - Disgruntled employees and contractors
  - Inquisitive students
  - Unintentional actions or lack of action
- Excuses:
  - “I didn’t know”
  - “I thought someone else would take care of that”
  - “I don’t know how”
  - “I’ve got more important things to do”

Slide 4: Threats To Computer Systems *
- Threats by people
  - Unintentional employee action ........ 50-60%
  - Intentional employee action .......... 15-20%
  - Outside actions ......................  1-3%
- Physical & environmental threats
  - Fire damage .......................... 10-15%
  - Water damage .........................  5-10%
  - Electrical fluctuations ..............  1-5%
  - Natural disaster .....................  1%
  - Other ................................  5-10%

* Source: Dr. Corey D. Schou

Slide 5: Quotation
“Automakers have added systems to cars that can pinpoint their location and even call emergency services if a crash is detected. However, have these smart cars made the roadways safer? This is an analogous situation for information security. Overall security will only improve if users are educated about the technology they are using.”
Richard Hunter, VP of Gartner’s G2

Slide 6: Lack Of Education Causes Major Problems
- We’ve exposed student, employee, donor and medical data
- Our IT resources have been used for attacks on businesses and the Federal government
- Our research data have been compromised
- Our hardware has been confiscated by FBI investigators
- We’re spending significant time in reaction mode

Slide 7: More Bad News: Education Is Hard!
- Few acknowledge personal responsibility for security
- Many consider the issue too technically complex
- Management fails to comprehend business implications
- Security budgets and staff are stretched to the limit

Slide 8: How Do We Approach This?
- Finely sharpen education program design:
  - Clearly define target audiences and what they need to know
  - Determine how best to communicate the message
  - Leverage what others are doing

Slide 9: Who Needs To Be Educated?
- Faculty
- Staff
- Students
- Parents
- Researchers
- Healthcare professionals
- Local businesses
- Governmental agencies
- Local citizens
- Institution executives

Slide 10: Communication Is 2-way
- Don’t forget to listen
- Check your understanding
- Empathy
- The Platinum Rule: do unto others as they would prefer

Slide 11: Be The Listener
- Use language familiar to the listener
- Avoid jargon
- Only moderate use of FUD
- Reference concerns of the listener
- Use metaphor to make your points
- Don’t assume facts or understanding
- Use humor and informality appropriately
- Repetition is important

Slide 12: Provide What Is Needed
- Get lots of input
- Check with Help Desk, consultants, system administrators
- Prioritize the messages
- Focus the program to get the “biggest bang”

Slide 13: Effective Practices
- Web sites & email
- Articles in local publications
- Posters and postcards
- Show & Tell presentations and meetings
- Enlist others to help
- Mount a campaign
- Never stop

Slide 14: Effective Practices Exercise
- Interactive group session
  - Form groups
  - Each group will be assigned a Target Audience
  - Choose what the educational focus will be
  - Consider best ways to reach that target
  - Work on the problem for 6 minutes
  - Make a bulleted list of approaches
- Some groups will report results
- Every group will hand in results
- We will make all results available on the workshop / session web site
- Thirteen pages of exercise results follow the wrap-up page

Slide 15: Selected Examples
- University of Florida’s security awareness day: http://www.itsa.ufl.edu
- Texas A&M’s security awareness training: http://infosec.tamu.edu/sat/main.html
- Indiana University’s “how-to” page: http://www.itso.iu.edu/howto
- James Madison University’s R.U.N.S.A.F.E. program: http://www.jmu.edu/computing/runsafe/
- University of Virginia’s security toolkit: http://www.itc.virginia.edu/securitytoolkit
- Stanford’s secure computing site: http://securecomputing.stanford.edu

Slide 16: Selected References
- Center for Education and Research in Information Assurance and Security: http://www.cerias.purdue.edu
- National Institute of Standards and Technology Computer Security Resource Center: http://csrc.nist.gov/ATE
- SANS Institute: http://www.sans.org
- Virginia Alliance for Secure Computing and Networking: http://vascan.org

Slide 17: Wrap Up
- Other Questions and Answers?
- Check the Security Professionals Workshop site for these slides plus session-developed materials

Slide 18: Effective Practices Exercise
- The thirteen pages which follow are the results from the session exercise, by group
- In some cases, the same target audiences were considered by different session work groups

Slide 19: Ideas for reaching “target” groups – Executives (exercise results page)
- Make them think they make decisions
- Low tone “Fox” news – fear – stress need for information protection
- Cost benefit analysis
- Address their concerns
- Metaphors in terms s/he can understand
- Put a positive spin
  - “Security can protect productivity”
- Educate them about security (problems & resolutions)
- Tailor to their areas of expertise – this is actually a very diverse group
- Brief, pithy
- Identify reputation (and other risks) for division

Slide 20: Ideas for reaching “target” groups – Staff (1st Group)
- Target includes “student staff”
- Educate on security policies by incorporation in orientation
- Identify key staff member(s) to become trainers
- Widely publish security policies and usage

Slide 21: Ideas for reaching “target” groups – Staff (2nd Group)
- Staff associations / forums
- Email
- Print info on payroll check advice
  - E.g., an announcement of an event
- Voice mail
- Importance of making it clear that each staff member has a responsibility to protect information of which they are a steward
- Use parking permits as a means to contact people (meetings, dates, etc.)
- Simple give-away gifts with messages
- Website, intranet
- Posters
- Log-in banner
- Orientation / training program
- Tents on cafeteria tables
- Interactive contests
- Recognize people for doing something right
  - “Good Job” or “Pat on the Back”-a-week
- Employee newsletters

Slide 22: Ideas for reaching “target” groups – Staff (3rd Group)
- Problem:
  - Not teaching passwords as secure
- Issue:
  - Writing passwords on desk or posting them on telephone
  - Weak policies – not ensuring strong passwords
- Outreach:
  - PowerPoint, email
  - Use “live” examples (e.g., $25,0000 debt on telephone calls – lecturers inviting study groups of students also see password on telephone)
  - Use Crack
  - Send notification that passwords have been compromised and need to be changed

Slide 23: Ideas for reaching “target” groups – Students
- What to focus on
  - Not sharing passwords
  - Peer to peer
  - Sharing software
  - “down-ware”
  - Use of email
  - Use of virus protection
  - Harassment
  - No threats in chat rooms
- How to reach them
  - *Student information privacy – protect their own info
  - Freshman orientation
  - Newspapers
  - Information literacy course (mandatory coursework)
  - Public service pop-ups
  - Include a required technology class
  - Provide reading material with acceptance package
  - Fraternity security parties
  - Student orientation pamphlets / posters

Slide 24: Ideas for reaching “target” groups – Students (2nd Group)
- Some techniques
  - Door hangers with security information
    - E.g., on password changing
  - Posters (residence halls and classrooms)
  - Stickers on restroom doors
  - Freshman orientation – ½ hour
  - Student media (radio, cable TV)
  - Contests with prizes
  - Free Anti-virus CD in every residence hall room
    - And other enhanced ways to distribute site-licensed free software
  - Web info
- Focus
  - Campuswide authentication (strong passwords)
  - Anti-virus software – using it and updating it
  - Copyright
  - Ethics
  - File-shares (closing open shares)
  - WinXP or W2K – problems with no administrative password, etc.
  - Personal firewalls
  - Proper use of email
  - Proper use of instant messaging

Slide 25: Ideas for reaching “target” groups – Students (3rd Group)
- Focus
  - Passwords
  - General ethics
  - File sharing
  - Anti-virus
  - Copyright
  - WinXP/2K admin passwords
  - Personal firewalls
  - Net-iquette
- Approaches
  - Residence hall bulletin boards
  - Door hangers
  - Campus-wide Identifiers
  - Posters inside bathroom stalls
  - Freshman orientation
  - College radio / cable TV
  - Contests with prizes
  - Free Anti-virus and other software
  - CD distribution

Slide 26: Ideas for reaching “target” groups – System Administrators
- To educate on:
  - What are their roles and responsibilities
  - What authority do they have
  - What are the best practices
  - Rules for decision making
  - Incident handling processes
  - What to do if media or police request info

Slide 27: Ideas for reaching “target” groups – Faculty (1st Group)
- Start at the top
  - Dean of Faculty or equivalent
  - Get support at that level
- Have the message come from the faculty
  - Use Faculty Senate / Department meetings, etc.
- Be proactive – “get in their face”
- Show the Value Proposition to them (convince of value to them)
  - E.g., intellectual property, book in progress, etc.
- Use Research Office or other offices, e.g., Procurement
- Bribe them with food, door prizes
- “Scare the pants off them”
  - CNN News idea

Slide 28: Ideas for reaching “target” groups – Faculty (2nd Group)
- Focus on protecting grades / research
- Approaches
  - Be added to faculty meeting / luncheon
  - Ask for assistance (e.g., secretary, TA, etc.)
  - Hold classes provided by IT staff

Slide 29: Ideas for reaching “target” groups – Parent & Alumni
- What to communicate
  - Communicate policies (AUP, Security, etc.)
  - Policy violations have disciplinary consequences that could interrupt their academic experience
- Approaches
  - Web page for technical specifications
  - Link to policies
  - Mailing (U.S. Mail) about policies
  - Highlight legal and university judicial penalties
  - Provide translations in multiple languages, if appropriate
  - Alumni newsletter, parents’ magazines
  - Use analogies to make the point

Slide 30: Ideas for reaching “target” groups – Researchers
- Where research brushes against AUPs, contact someone and discuss
- Approach it from their angle
  - Dangers of losing research data – integrity
  - Premature release of results
- Educate research compliance committees (IRBs) about this
- Educate campus office that takes in grant proposals about security implications
  - Grant-tracking system

Slide 31: Ideas for reaching “target” groups – Application Systems Staff
- Speaker program
- Web site
- Listserv
- On-site professional training
- Web seminars designed for need
- Presentations at staff meetings
- Application testing / certification
- Peer-to-peer training