Developing a Security Awareness Strategy
Gavin van Niekerk
Principal Consultant
Topics
• Awareness as a survival technique
• Success factors
• Approach
• Principles: the “ABCs”
• Content
• Techniques
• Tools
• Measurement and evaluation
• Resources
Survival
Being alert to danger signals, and responding quickly, often is the difference between surviving…and not
Your Staff: Cost-Effective!
• First to be affected during incident
• Compliance with policy can make or break any security program
• Awareness helps to—
  • Become your organization’s detection instruments
  • Make security reflexive
  • Prevent incidents
  • Mitigate damage if something happens
How to Spend a Dollar?
Policy
Awareness
Risk Assessment
Technology
Process
Success Factors
Success Factors
• Information security policy
• Senior-level management support and buy-in
• Program’s focus that security, at its core, is a people problem
• Goals (short-, intermediate-, and long-term)
• Audience profiles
• Motivational techniques
Information Security Policy
• Clarify and document management’s intention
• Set expectations and guide behavior
• Effective policies state—
  • Goals
  • Responsibilities
  • Allowed behavior
  • Prohibited behavior
  • Penalties
• Helps deal with certain personality types…
Awareness Policy
• Increases credibility and visibility of entire information security program
• Should establish—
  • That participation in awareness program is mandatory
  • That everyone will receive enough time
  • Who is responsible for conducting the program
Senior-Level Sponsorship
• A proper budget—
  • Prevents middle management from denying requests to fund security
  • Allows for the time with no “bottom line” obviousness
• Lead by example
  • Executives must themselves be bound by policy
  • Exemptions cost money, blow the budget!
• Affirm security staff
  • Support those charged with enforcing policies
  • Especially important when security and convenience conflict
It’s a People Problem
Don’t succumb to the urge to change conditions to force the outcome you want
While we can use technology to mitigate some risk, it really depends on the cooperation of all the users
If people don’t understand, or opt not to participate, the whole security program weakens
Goals
Be: specific, realistic, measurable
• Practice, reinforce, repeat, automate
• Make it reflexive to “think security”
• Reinforce desired (often already known) behavior
• Gradually change undesired behavior
• Teach what happens in the event of a failure
Audience Profiles
• Everyone, from summer intern to CEO, requires the same level of security awareness
• Methods, however, should vary
  • Needs: group by levels of computer experience
    • Jargon vs. analogies
  • Roles and interests—
    • Users: Will it help me work better? Will it affect my performance review?
    • Managers: How much will it cost? What return?
    • Technicals: Is it authoritative and in the right language?
• Use surveys to find out what motivates
Art of Motivations
• Some behaviors simply must change
  • Sharing passwords
  • Exchanging confidential data
  • Belief that “hacking” is “cool”
• Appeal to—
  • The damage a breach often causes
  • Organizational recognition for protecting information
  • Fact that attacking is a crime (that often hurts people)
  • Desire to belong to group that shuns harmful actions
  • Courage it takes to resist peer pressure (rules are good!)
Don’t Rely Only on Fear
Dribble it out…don’t overwhelm
• More important to emphasize—
  • Thinking about security in a new way
  • How to avoid danger
• Potential pitfalls
  • Losing the audience’s attention
  • Alienating the audience
  • Overdoing it
Approach
Media Campaign
• No different than any other
  • Message: Why security is important
  • Product: The practice of security
  • Market: All employees
• Research and planning produces strategy
  • Define program objectives
  • Identify audiences (primary, secondary)
  • Define what’s to be communicated
  • Describe benefits to audience
Media Research
• Observation, surveys, tests, interviews
• Help desk statistics and trends
  • How many password resets per week/month/…?
• IT staff knows your systems, ask—
  • “How would you break into it?”
  • “Are breaches predictable?”
• Use focus groups to test your message
“If I had six hours to chop down a tree, I’d spend the first five sharpening the ax.”
—Abraham Lincoln
Sharpening the Ax
• Plan is essential
• Can be short and succinct—
  • Status of current efforts
  • Goals and objectives
  • How progress will be measured
  • Actions, by whom, when
• Good plans—
  • Allow for faster reaction
  • Take advantage of current events in the news
  • Coordinate around a theme
Awareness Principles
“A”
• Appeal to target audience
  • Know their existing values and motivations
  • Start where they are, move to where you want them
• Attention-getting
  • It’s a prerequisite to learning
  • Use clever slogans, eye-catching images
“B”
• Basic (simple, memorable)
  • Sets stage for training, shouldn’t be complex
  • Take away fear and ignorance
  • Foster recognition there’s a problem and that people are the solution
• Buy-in is better than coercion
  • Contributors to awareness program are more likely to accept and follow controls
  • Get feedback for every suggestion; lack implies “no management interest”
“C”
• Continuing
  • Persistence and repetition are important
  • Vary methods used
• Credible
  • Clear, relevant, appropriate
  • Have 15 passwords? Write them down—and protect the list
• Current
  • Material must always be fresh
  • “Smell like the tide, not like the fish”
Content
Risks
• Teach: “What does a threat look like?”
• How to detect unauthorized activity
  • Busy toll-free: popular? full circuits? attacked line?
• Typical risks
  • Malware types and how it is damaging
  • Shared risk principles (my risk spreads across network)
  • Impact of distributed attacks (DDoS mostly)
  • Privacy and confidentiality issues
  • Scope of embedded hardware/software vulnerabilities
• Tailor to audience
  • Remote access, for instance
Basic Countermeasures
• Security procedures and processes
• Personal practices
  • Passwords—length, reuse, expiration
  • E-mail attachments
  • File transfers and downloads
• Reporting procedures
  • Potential or actual security events
  • Who to?
  • How to? Telephone, e-mail, even fax
Responsibilities
• Emphasize—
  • Security is everyone’s responsibility
  • Management has made it a priority
  • It applies to everyone equally
• Make system or organizational codes of conduct discoverable and readable
Contact Information
Who
• Phone numbers, e-mail addresses, web sites
• Security staff, incident handlers, help desk
What
• Affected computers and operating systems
• Symptoms
• Date/time/duration of incident
• Active connections
• Observed damage, actions taken
How
• Method of reporting problem
• Out-of-band of affected system
When
• Report now? Or wait a while?
• Potential damage vs. business impact
Techniques
Start with a Bang
Not with a long, dry, boring introduction
That enumerates every law, regulation, policy, standard, guideline, or requirement
Reactions
• “I never thought of it that way.”
• “That surprises me!”
• “What a great idea!”
• “I’d almost forgot about that…”
• “I can use this.”
Logos and Images
• Images have more power than words
• Look for colorful designs that catch the eye and burn into the brain
• Even animation can help
What would happen if someone changed your data?
Wyad cinxsafper efstmxunekhopgel joor deko?
Themes
• Unite several concepts into a related message
• Choose one that’s reflective of your business
• Incorporate design elements into posters
US Nuclear Regulatory Agency
“Keep it clean”
“Cyber Tyger”
“It’s a bug’s life”
“PC Doctor”
Hospital
“Prevention is better than a cure”
Posters
85 3,000,000
Stories and Examples
• Real people, real consequences
  • Long-time employees (“corporate memory”)
  • News events
  • Internet message boards
  • Security personnel
• Again, tailor to audience
  • Theft of medical records: healthcare data processing
  • Fraud/impersonation: financial and accounting groups
Use Failure
• It’s a learning accelerator
• Online awareness training—
  • Should provide immediate feedback
  • No need to record answers
  • Give staff something to think about
Example
The building is on fire. As you exit the building in a safe and orderly manner, you are able to take either the data backups or the backup of your custom-built application. Which do you take?
A. The data
B. The backup
• Either answer is correct; training module should inform users of this
• Just like real life—not everything is easy
Encourage Audience Involvement
In the United States, which of the following activities is illegal?
A. Creating an e-mail virus
B. Disrupting Internet communications
C. Failing to make daily backups
• Use questions—
  • “Did you know…?”
  • “What would you do if…”
• Counter-intuitive facts work wonders
Be Surprising
• Just like a piñata—good material is full of surprises
• Role-play is excellent
  • Manager who doesn’t want to follow the “no tailgating” policy
• Entertain, lead by example
• Retention is long lasting
User Action and Signoff
• Each user signs acceptable use policy after reading
  • Eliminates “I didn’t know…” excuses
  • Don’t forget periodic refreshers, too
• “Noisy prosecutions,” even internally, might discourage security breaches
  • Also allows tracking trends
  • Assists identification and response
Analogies
• Analogies, metaphors, similes help to associate new concepts with prior knowledge
• Illustrations help reinforce the message
Sensitive data is like prescription drugs:
• used only by those who need it
• not given or sold to unauthorized people
• can damage those who don’t need it

Passwords are like winter underwear:
• should be long and mysterious
• protect the owner
• used by one person, not a group
• changed periodically
Humor
• Gets attention, motivates and relaxes people
• Even influences organizational culture
• Be relevant, complement the message
• Otherwise your credibility suffers
• OK to joke about yourself or those in power
• Be careful about backfiring, though
Sources
Computer virus,
Destroyer of files, survives
through lack of scanning
• Cartoons—Dilbert is canonical
• Humorous definitions
• Letterman-style top ten lists (“Top ten excuses for not making a backup”)
• Security-related poems or lyrics written to the tunes of popular songs (“The Infosec Rap”)
Learning Styles
Auditory
• Picks up information from hearing it
• Reached by lectures and written material
Visual
• Wants to see what’s being taught
• Prefers diagrams, charts, and pictures
Kinesthetic
• Responds well to tactile input
• Wants to walk through steps or learn by physically performing the task
Personalities
• Some people ignore procedures if they don’t understand the reasons
  • Give them the “whys,” it’s OK
• Give learners the choice after an exercise
  • Try again?
  • Or just receive the answer?
• Some people retain better when they deduce answers themselves; others simply want to see the result and move on
Circumstances
• Disaster—like a fire
  • Can be invigorating
• Current events
  • Can add credibility
  • Check security-related Internet news sites
  • Reward first-discoverer “news hawk” who contributes new story to the awareness program
• Recent attack
  • Also effective for obtaining budget
Tools
Considerations
• What tools are most appropriate?
• What methods are most likely to be credible and appropriate for the audience?
• Which and how many methods are feasible, given budget and time constraints?
Internet/Intranet
• Web sites on the Internet or hosted internally
• Convenient for distributed organizations
• Annual refresher training
• Good for people with diverse technology experience
• Own pace, immediate feedback
• Flexible, customizable
• Reduce costs and training time
• E-mail for sending alerts and newsletters
How?
Why?
Screen Savers
• Enable auto-locking screen saver with group policy
• Distribute eye-catching design
  • Hire a professional artist
  • Coordinate with other awareness themes
• Consider animations or even interactive trivia
• Update regularly
Sign-on Messages
• Short reminder of users’ responsibilities
• Changed regularly
• Note: No legal coverage
Posters
Videos
• Great for orientation meetings and “brown bag” staff lunches
• Provide popcorn—in bags with printed security messages
• Many advantages
  • Consistent message throughout organization
  • Short and succinct: 20 minutes, no more
  • Save travel time and costs
• But…
  • Expensive to produce, though…US$3000/min
  • Become out-of-date rather quickly
• Maybe produce segmented video?
Trinkets and tchotchkes
• Pencils, pens, highlighters—“Report breaches, it’s the ‘write’ thing to do”
• Erasers—“Wipe out password sharing”
• Notepads—“Note who should be in your area and challenge strangers”
• Frisbees—“Our information security program is taking off”
• Mouse pads and inserts—with a clear cover over an area holding removable paper inserts, making the cost to change the message far less than the cost of printing new pads
• Key chains—“You are the key to information security”
• Flashlights—“Keep the spot light on security”
• Cups or mugs—“Awareness: the best part of SecuriTEA” (where the campaign has explained that TEA stands for training, education, and awareness)
• Magnets, buttons, stickers—“Stick with security”
• First-aid kits—“Be prepared for security”
• Rulers, calculators—“Security counts”
• Coasters, toys, hand exercisers, informational cards, and other items including posters, virus scanning software, and screen savers
Publications
• Newsletters and magazines
• Paper and electronic
• Print stressful communications on paper, staple a facial tissue to it
• Add inconvenience
• Increase user burden
• Targeted brochures, pamphlets, even comic books
Inspections and Audits
• Certainly raise awareness, at least during event
• Try “security by walking around” (SBWA)
  • Catch staff doing something right
  • Leave behind certificates of congratulations, thank-you notes, or trinkets
  • Be random
• Try to social engineer your own workplace
  • Reward users who refuse to comply
  • Retest users who get duped
Conferences and Seminars
• International Computer Security Day
  • Annually, every 30 November
• “Grill Your Security Officer Cook-Out”
  • Serve food and drink
  • Encourage staff to bring questions for security officers
• Lectures by dynamic speakers
• Security awareness briefings
  • Senior executives
  • New arrivals
Measurement
It’s the Price we Pay
• How many received training?
  • Attendance sheets
  • Course registrations
  • Online completion notices
  • Signed acceptable-use policies
• Use empirical evidence to demonstrate effectiveness; feedback from—
  • Presenters
  • Audiences
  • Supervisors
Audience Satisfaction
• Evaluations and surveys
  • Yeah, it’s mostly a measurement of how well they liked it…but it’s a place to start
  • Were the materials useful?
  • Were the activities fun and memorable?
  • Was the information relevant?
  • Can you use it on your job?
  • Any suggestions for improvement?
Learning Effectiveness
• Pre-tests measure prior knowledge
• Post-tests measure what the audience remembered
• Both useful for tailoring future programs
• Pre-test important: it’s how you measure improvement after the training!
Skill Transfer
• Gather input from outside evaluator
  • Supervisor, practitioner, incident handler, help desk
• Measure improvements with—
  • Follow-up interviews
  • Walk-through testing
  • Help desk and incident reporting statistics
  • Audit findings
• Must acquire a pre-training baseline
Pre- and Post-Observations
• Passwords—test with cracking program
• Locked workstations—check during lunch
• Survey of attitudes and knowledge
  • Whom to report incidents to?
  • Take-home policy for old software?
• Monitor actual numbers and types of incidents
  • An increase is probably a sign that the awareness program is working—not that there are suddenly many more attacks!
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.