1. Breakout Session 2: Awareness and Training

2. B2: Awareness and Education Identification of constituencies Identification of challenge Inventory of existing programs and products Identification of gaps Identification of gap-fillers Recommendations

3. Methodology Enumerate and discuss constituencies Association, contribution, state of affairs, challenges For each constituency Awareness vs Training Identify needs Problem areas, repeat issues Identify and discuss solutions Existing programs Programs ideas

4. Constituencies Researchers Scientists Research Faculty Research Assistants Graduate students Undergraduates Institutional Review Boards/Human Subjects Committees Visitors / affiliates Faculty Librarians Students (resident versus non-resident) Undergraduate Graduate Teaching Assistants

5. Constituencies (cont) Administrators Senior executives, CIO -- decision makers Policy/compliance officers Staff, employees, email users, basic users Power users (tinkers, meddlers) Data custodians Auditors Archivists Human resources Student affairs Technicians Security Professionals System administrators Database administrators Network administrators Web administrators Helpdesk/support staff Programmers (Coding)

6. Constituencies (cont) Guests/Visitors/Transients Collaborators Onsite Visiting Members of existing community Remote push/pull Local Regional National International Private service partners Contractors Vendors Consultants Law enforcement Internal External University services Outreach Alumni

7. Opportunities for Training EDUCAUSE/Internet2 TF Security Education/Awareness Working Group CIOs / some IT Professionals National CyberSecurity Alliance General Student Body CEIAE (60+) – variety of programs (e.g., NIATEC @ Idaho State) Curriculum development Self-paced training for IT Professionals Self-paced training for Researchers? CISSE Faculty Bootcamp SANS (SANS EDU) Technicians Certifications Usenix Graduate Students Computer Science Faculty

8. Opportunities for Training (cont) IEEE Graduate Students Engineering Faculty ACM / SIGSAC– online digital reference, journal Computer Science Faculty Students Vendor Certifications for IT staff Free training for faculty Open Courseware Initiative (give and take) Source for Curriculum Government online training (NIH, NSF, NOAA, etc.) NSF Annual Security Awareness Training Administrative staff NSTISSC Curriculum Standards Etc (ISACA, ISSA, ACSE, …)

9. Challenges Reaching users, particularly researchers and scientists. Independent, focused on their sciences Increasingly untethered science Fear barriers to goals Conflicting / varying requirements between external funding bodies and local facilities and classified research sponsors Lack of understanding / perception of broad impact of security events / benefits of security On the one hand they are paranoid about integrity of research but on the other they decry the inconvenience of security measures Incorporating security awareness into the culture Limited access to trained IT support

10. Fundamental Recommendations Ensure that applicable aspects of security are considered at the institutional level – IRBs, job descriptions, orientation sessions, compliance training, etc. Find and engage external organizations (higher education Presidential associations, professional organizations, academies, accreditation boards, NSF) that have the respect of and influence over these constituencies. Promote and leverage existing opportunities. Encourage NSF to be more aggressive in providing security awareness assistance (e.g., Guidelines for IT Security of NSF’s Large Facilities). Encourage institutions to include technology support (IT Security) in grant proposals, especially graduate students (future researchers).