Information Security Awareness: How to Get Users Asking for More

Transcription

1 Information Security Awareness: How to Get Users Asking for More Kelley J. Bogart, CISSP Senior Information Security Analyst, University of Arizona Synopsis Any effective information security program has several components working together to create a strong security posture: risk management, policy compliance and education. The education component of the program should ensure risk mitigation by making users aware of their individual roles and responsibilities in security within their organization. These responsibilities include security as it relates to the organizational mission. However, more importantly, users who understand how the risks and potential impact of poor security practices can affect them personally, as well as professionally, are shown to move from a reactive to a proactive approach when it comes to information security. These good security practices then carry forward to the institution, and create a more mature security posture within the organization.

2 The Challanges to Information Security in Higher Education Developing and delivering relevant education to all users of the university network, computer systems and data can be challenging given the uniqueness of the environment: a heavily decentralized, diverse, open network with a substantial amount of networked devices accessible from on and off campus where IT security roles and responsibilities vary depending on the campus department or college. Add to that the amount of valuable information available (i.e., personal, medical, and financial), and The University becomes a huge target. Additionally, over the last several years, there has been a dramatic increase in the level of activity focused on end users to steal identities, compromise machines and propagate viruses. Phishing, Spyware, and brute force password attacks are now commonplace. The ever-changing landscape and growing number of threats to systems and data require more diligence. Ensuring that all employees understand what the risks are and how to keep computing and information resources they use, develop, support or maintain protected from the multitude of threats is essential. Behavioral and cultural changes are the ultimate goals of a security education program. A mature program shifts the organization from a reactive to a proactive stance in dealing with security threats. Good practices in information security can be as second nature as fastening your seatbelt when you get in your car. A true shift in user behavior and culture with regard to information security means you have systemic protection of data and computing resources, buy in, support and accountability by individual users, units and the institution at large. Core Elements and Keys to Success for Security Awareness The foundation for an effective education program starts with awareness of the problem; for the University of Arizona, that is mandatory all-staff awareness. It cannot be overemphasized how critical it is that your initial awareness program is clear, engaging, and relevant to individual users. Geek speak has no place in end user awareness. Remember, this is the first impression you leave on end users. If they like what they learned in the awareness session they attend, they are more inclined to attend or listen the next time you hold an event, publish a newsletter or monthly security tip, offer additional training, send an , etc. First and foremost, it s important for users to understand the overarching objectives of information security; is about the confidentiality, integrity and availability of information and vital services and computing systems. This starts the process for users understanding how their interaction with computer systems, data and how the related security applies to them.

3 The 90/10 Rule: Information Security is 90% People & Process, and 10% Technology When asked about information security, people who have not participated in any awareness training, or have attended an ineffective awareness session, will say that information security is primarily a technology issue. This is what my IT guy does for me. This couldn t be further from the truth. To put this in perspective for end users, we use the 90/10 rule, to help users understand why technology is only a part of information security. Information security is comprised of technical, physical and administrative security controls. Technology, tools and resources, are just that: tools and resources. These tools are an important aspect, but in order to be effective, they require qualified personnel to acquire, configure, manage and monitor them for vulnerabilities, effectiveness and intrusions. They also require that users be aware of their purpose so that they do not circumvent and can report as necessary if they are not functioning appropriately. On a daily basis, users tasks can be performed securely or insecurely. Here are just a few examples of how users might unknowingly compromise security in the course of their day: A user shares the strong password with a coworker who does not have the same privileges in an application containing sensitive data. An employee leaves the office door open with a laptop on the desk and returns five minutes later to find it gone. On top of this, the computer contains sensitive data and has not been backed up recently. An employee replies to a phishing and includes his or her username and password. While some of these items seem small and the impact may only be to the user or to a limited amount of data. However, depending on the access a user has to sensitive data and systems, that damage can be much more far-reaching to the institution at large, both in terms of financial and reputational consequences.

4 Hackers understand that users are their easiest targets for successfully stealing data and compromising systems. Successful awareness programs will ruin the day of any hacker. It s our job as educators to help end users understand the elements of information security that no one can do for them but them. Bottom line: everyone is responsible for security; don t let users off the hook by allowing them to think it s all about technology. The Power of Why: Make it Personal and Relevant! For many information security programs, the why part of their awareness training is all about stating the policy or regulation requiring security, and they immediately move on to the what and how. While understanding regulatory requirements is an essential portion of security awareness, it is not the key to motivating individual users to action with regard to securing essential resources. On the other hand, the University of Arizona Information Security Office has found that taking time to help people really understand why information security is important to them personally is a more effective way of educating users. This is known as WIIFM (what s in it for me). By making information security relevant to the average user as something that is part of everyday life, we find that the user is engaged, and finds merit to the content. The user is then receptive to the knowledge shared on what needs to be done and the details of how to accomplish the task. How Do We Do That? We do this by making sure users understand that security compromises can happen to them. Many users have a belief that they and their computers (personal or work) are not a target. As stated previously, the exact opposite is true. End users are a prime target of hackers. In our training, users come to understand that when they connect to the Internet, they become a potential target along with two-billion other Internet users worldwide. Users are more inclined to change their habits if they understand the impact on their personal information as well as the data they protect at work. Additionally, we encourage users to develop good security practices at home as well as at work, because we understand that personal security habits will be used in the work environment. Thus, it is a winwin situation when good security practices are understood and developed, both in the personal and professional realm. Once You Motivate Them, You ve Got Them! Now they want to acquire knowledge (what) and skill (how). In awareness training, you are motivating users to want to know more. And once they do, you need to provide them with information and skills in order to move forward with their new security mindset. In our awareness program, we provide users with a list of what we call our Top Ten Keys to Security. These keys are presented from a user perspective. Each

5 key provides the average person with information on what can be done to protect data and computers, and how to do it. Protect! Detect! React! Even though you may have all the protective the layers in place, things can and do happen. You must be able to recognize when something might be wrong, and know how to react to the problem. Security education must address how to recognize possible signs of a compromise, and how to react to such a compromise. At the University of Arizona, we call this protect, detect, react. The impact of any security incident can be drastically reduced if it is identified quickly and contained. By training users in detection and reaction, this can be accomplished. Summary Information security is a process, not a project. The threats are ever-evolving, and the program must adapt with it. The most successful programs are those were users understand the important role they play in the program, and have a stake in participating in the program. By making information security relevant, the user understands the benefit of security both professionally and personally, and becomes an advocate for security. Having this in place goes a long way to the maturity of the campus security posture. REFERENCES Banks, T., Bogart, K., Brickner, M., and Choice, T. (2011). Presentation: Meeting Information Security Awareness Needs and the Campus Likes It EDUCAUSE Security Professionals Conference. Bogart, K., Salazar, G. (2006). Presentation: Building and Sustaining a Successful Security Awareness Program: What You Need to Know EDUCAUSE Western Regional Conference. Banks, T., and Bogart, K. (2010). University of Arizona - Information Security Essentials, Mandatory Security Awareness for All Staff. National Institute of Standards and Technology, Technology Administration U.S. Department of Commerce, Building an Information Technology Security Awareness and Training Program University of Arizona Information Security Top Ten Keys to Security,

6 About the Author: Kelley J. Bogart, CISSP is a Senior Information Security Analyst at the University of Arizona, Tucson, AZ. She has worked for the University for 19 years primarily as an analyst, and in Information Security since Her primary focus has been on the people and administrative aspects of security. Kelley has been responsible for developing the UA s Security Awareness and Training Program, which was initiated in 2003 and has received international recognition. Kelley earned her CISSP (Certified Information Security System Professional) in August 2007, which is the globally recognized industry standard for achievement and excellence in Information Security. Contact Kelley at bogartk@ .arizona.edu About the MIS Department: Since pioneering one of the nation s first (MIS) curriculums in 1974, the MIS Department at, has become a leader in IT education and research. U.S. News & World Report has ranked us a top-ten program for over 23 consecutive years since the inception of the rankings in making us one of only three programs nationwide to maintain this status. With over $80 million in research grants, state and industry support, our program has initiated and participated in cutting edge research in information security and assurance, group systems, artificial intelligence, and data management projects while educating over 3500 undergraduate, 1200 graduate and 150 doctoral students. We are a National Center of Academic Excellence in Information Assurance Education (CAE-IAE) as designated by the National Information Assurance Education and Training Program (NIETP) office under the authority of the U.S. National Security Agency (NSA.) Visit us online at