Information Security Awareness: How to Get Users Asking for More

Kelley J. Bogart, CISSP
Senior Information Security Analyst, University of Arizona

Synopsis

Any effective information security program has several components working together to create a strong security posture: risk management, policy compliance and education. The education component of the program should ensure risk mitigation by making users aware of their individual roles and responsibilities in security within their organization. These responsibilities include security as it relates to the organizational mission. More importantly, however, users who understand how the risks and potential impact of poor security practices can affect them personally, as well as professionally, have been shown to move from a reactive to a proactive approach to information security. These good security practices then carry forward to the institution and create a more mature security posture within the organization.
The Challenges to Information Security in Higher Education

Developing and delivering relevant education to all users of the university network, computer systems and data can be challenging given the uniqueness of the environment: a heavily decentralized, diverse, open network with a substantial number of networked devices accessible from on and off campus, where IT security roles and responsibilities vary depending on the campus department or college. Add to that the amount of valuable information available (i.e., personal, medical and financial data), and the University becomes a huge target. Additionally, over the last several years there has been a dramatic increase in the level of activity focused on end users to steal identities, compromise machines and propagate viruses. Phishing, spyware and brute-force password attacks are now commonplace. The ever-changing landscape and growing number of threats to systems and data require more diligence. Ensuring that all employees understand what the risks are, and how to keep the computing and information resources they use, develop, support or maintain protected from the multitude of threats, is essential.

Behavioral and cultural change is the ultimate goal of a security education program. A mature program shifts the organization from a reactive to a proactive stance in dealing with security threats. Good practices in information security can become as second nature as fastening your seatbelt when you get in your car. A true shift in user behavior and culture with regard to information security means you have systemic protection of data and computing resources, along with buy-in, support and accountability from individual users, units and the institution at large.

Core Elements and Keys to Success for Security Awareness

The foundation for an effective education program starts with awareness of the problem; for the University of Arizona, that is mandatory all-staff awareness.
It cannot be overemphasized how critical it is that your initial awareness program is clear, engaging and relevant to individual users. Geek speak has no place in end-user awareness. Remember, this is the first impression you leave on end users. If they like what they learned in the awareness session they attend, they are more inclined to attend or listen the next time you hold an event, publish a newsletter or monthly security tip, offer additional training, send an email, etc. First and foremost, it's important for users to understand the overarching objectives of information security: it is about the confidentiality, integrity and availability of information, vital services and computing systems. This starts users on the path to understanding how their interaction with computer systems and data, and the security surrounding them, applies to them personally.
The 90/10 Rule: Information Security is 90% People & Process, and 10% Technology

When asked about information security, people who have not participated in any awareness training, or who have attended an ineffective awareness session, will say that information security is primarily a technology issue: "This is what my IT guy does for me." This couldn't be further from the truth. To put this in perspective for end users, we use the 90/10 rule to help users understand why technology is only a part of information security. Information security is comprised of technical, physical and administrative security controls. Technology, tools and resources are just that: tools and resources. These tools are an important aspect, but in order to be effective they require qualified personnel to acquire, configure, manage and monitor them for vulnerabilities, effectiveness and intrusions. They also require that users be aware of their purpose, so that users do not circumvent them and can report when they are not functioning appropriately.

On a daily basis, users' tasks can be performed securely or insecurely. Here are just a few examples of how users might unknowingly compromise security in the course of their day:

- A user shares a strong password with a coworker who does not have the same privileges in an application containing sensitive data.
- An employee leaves the office door open with a laptop on the desk and returns five minutes later to find it gone. On top of this, the computer contains sensitive data and has not been backed up recently.
- An employee replies to a phishing email and includes his or her username and password.

Some of these items seem small, and the impact may be limited to the user or to a small amount of data. However, depending on the access a user has to sensitive data and systems, the damage can be far more wide-reaching for the institution at large, both in terms of financial and reputational consequences.
Hackers understand that users are their easiest targets for successfully stealing data and compromising systems. Successful awareness programs will ruin the day of any hacker. It's our job as educators to help end users understand the elements of information security that no one can do for them but them. Bottom line: everyone is responsible for security; don't let users off the hook by allowing them to think it's all about technology.

The Power of Why: Make it Personal and Relevant!

For many information security programs, the "why" part of their awareness training is all about stating the policy or regulation requiring security, and they immediately move on to the "what" and "how." While understanding regulatory requirements is an essential portion of security awareness, it is not the key to motivating individual users to action with regard to securing essential resources. The University of Arizona Information Security Office has found that taking time to help people really understand why information security is important to them personally is a more effective way of educating users. This is known as WIIFM (what's in it for me). By making information security relevant to the average user as something that is part of everyday life, we find that the user is engaged and finds merit in the content. The user is then receptive to the knowledge shared on what needs to be done and the details of how to accomplish the task.

How Do We Do That?

We do this by making sure users understand that security compromises can happen to them. Many users believe that they and their computers (personal or work) are not a target. As stated previously, the exact opposite is true: end users are a prime target of hackers. In our training, users come to understand that when they connect to the Internet, they become a potential target along with two billion other Internet users worldwide.
Users are more inclined to change their habits if they understand the impact on their personal information as well as on the data they protect at work. Additionally, we encourage users to develop good security practices at home as well as at work, because we understand that personal security habits carry over into the work environment. Thus, it is a win-win situation when good security practices are understood and developed in both the personal and professional realm.

Once You Motivate Them, You've Got Them!

Now they want to acquire knowledge (what) and skill (how). In awareness training, you are motivating users to want to know more. And once they do, you need to provide them with information and skills in order to move forward with their new security mindset. In our awareness program, we provide users with a list of what we call our Top Ten Keys to Security. These keys are presented from a user perspective. Each key provides the average person with information on what can be done to protect data and computers, and how to do it.

Protect! Detect! React!

Even though you may have all the protective layers in place, things can and do happen. You must be able to recognize when something might be wrong, and know how to react to the problem. Security education must address how to recognize possible signs of a compromise, and how to react to such a compromise. At the University of Arizona, we call this "protect, detect, react." The impact of any security incident can be drastically reduced if it is identified quickly and contained, and training users in detection and reaction is how this is accomplished.

Summary

Information security is a process, not a project. The threats are ever-evolving, and the program must adapt with them. The most successful programs are those where users understand the important role they play in the program and have a stake in participating in it. By making information security relevant, the user understands the benefit of security both professionally and personally, and becomes an advocate for security. Having this in place goes a long way toward the maturity of the campus security posture.

REFERENCES

Banks, T., Bogart, K., Brickner, M., and Choice, T. (2011). Presentation: Meeting Information Security Awareness Needs and the Campus Likes It. 2011 EDUCAUSE Security Professionals Conference. http://www.educause.edu/sec11/program/sess06 ; http://security.arizona.edu/educause2011#secawareness

Bogart, K., and Salazar, G. (2006). Presentation: Building and Sustaining a Successful Security Awareness Program: What You Need to Know. 2006 EDUCAUSE Western Regional Conference. http://net.educause.edu/node/8811?product_code=wrc06%2fsess28

Banks, T., and Bogart, K. (2010). University of Arizona - Information Security Essentials, Mandatory Security Awareness for All Staff. http://security.arizona.edu/infosecessentials

National Institute of Standards and Technology, Technology Administration, U.S. Department of Commerce. Building an Information Technology Security Awareness and Training Program (NIST SP 800-50). http://csrc.nist.gov/publications/nistpubs/800-50/nist-sp800-50.pdf

University of Arizona Information Security. Top Ten Keys to Security. http://security.arizona.edu/topten
About the Author:

Kelley J. Bogart, CISSP is a Senior Information Security Analyst at the University of Arizona, Tucson, AZ. She has worked for the University for 19 years, primarily as an analyst, and in Information Security since 2000. Her primary focus has been on the people and administrative aspects of security. Kelley has been responsible for developing the UA's Security Awareness and Training Program, which was initiated in 2003 and has received international recognition. Kelley earned her CISSP (Certified Information Systems Security Professional) in August 2007; the CISSP is a globally recognized industry standard for achievement and excellence in Information Security. Contact Kelley at bogartk@email.arizona.edu

About the MIS Department:

Since pioneering one of the nation's first Management Information Systems (MIS) curricula in 1974, the MIS Department at the University of Arizona has become a leader in IT education and research. U.S. News & World Report has ranked us a top-ten program for over 23 consecutive years since the inception of the rankings in 1989, making us one of only three programs nationwide to maintain this status. With over $80 million in research grants and state and industry support, our program has initiated and participated in cutting-edge research in information security and assurance, group systems, artificial intelligence and data management projects, while educating over 3500 undergraduate, 1200 graduate and 150 doctoral students. We are a National Center of Academic Excellence in Information Assurance Education (CAE-IAE), as designated by the National Information Assurance Education and Training Program (NIETP) office under the authority of the U.S. National Security Agency (NSA). Visit us online at www.mis.eller.arizona.edu