Endpoint
10/30/2009
01:23 PM
50%
50%

Tech Insight: Developing Security Awareness Among Your Users

Skip the 'Wall of Shame' and instead try promotional events, penetration testing your users

There's a general misconception about user awareness that the IT industry has fostered for years: the belief that end users are dumb, and awareness is a waste of time. This mind set seems to affect the information security field more than any other area of IT. We even have t-shirts that say things like, "Social Engineering Specialist: Because There Are No Patches For Human Stupidity."

There's obviously no "IT smarts patch" or 12-step program to help users better recognize phishing scams or make them think twice before clicking on a link from Facebook. It's the job of IT and the company to develop an information security awareness program that's interesting, innovative, and won't bore users to tears. And that's where the breakdown occurs -- a breakdown that feeds the negative attitude about user awareness.

So what is user security awareness? The National Institute of Standards and Technology (NIST) in March released a draft of NIST Special Publication 800-16, "Information Security Training Requirements: A Role- and Performance-Based Model." In Section 2.2.1, NIST states:

"Awareness is not training. Security awareness is a blended solution of activities that promote security, establish accountability, and inform the workforce of security news. Awareness seeks to focus an individual's attention on an issue or a set of issues. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize information security concerns and respond accordingly."

In other words, a security awareness program needs to inform users of security issues, the policies surrounding them, and why they are important. Trouble is, the "why" is left out, so users consider security policies a boring nuisance they have to listen to once or twice a year, but take no ownership in. And even though PCI DSS Requirement 12.6 is yet another reason to have an awareness program, compliance with PCI doesn't mean anything to users if they don't understand the consequences of noncompliance.

Getting users to take ownership in security is critical to the success of any awareness program. For users to truly believe they are the first line of defense, they need to take ownership of the problems caused by their lack of understanding of security issues and the consequences of their actions. Are they aware of data breach disclosure laws in your state? Do they know what attackers are after these days? Have they seen real-world examples of attacks against other users?

Penetration testing is one method being used more often to help companies realize the deficiencies in their security awareness programs. Enterprises that have previously left users out of the scope of pen tests are now contracting for full-scope pen testing that includes social engineering, simulated phishing e-mail messages, and attacks against client-side applications. The lessons learned from a pen test can be leveraged to show your users how important their role is in protecting sensitive corporate data.

But avoid negative practices, such as a "wall of shame." Calling out users publicly for their security gaffes can be a very effective tool at curbing risky behavior (i.e., surfing porn and social networking sites) in the short term, but employees often end up embarrassed and resentful of information security, which can backfire, leading to carelessness and apathy toward their responsibilities to help protect company data.

Plenty of resources are available to help you develop effective security awareness programs. NIST SP 800-16 and related NIST SSP 800-50 (PDF) are excellent guidelines. Microsoft also has developed a guidance document and sample materials, which are available here.

In addition, here are some activities and materials suggested by NIST in SP 800-16:

  • host an information security day;
  • conduct briefings on current issues, like the dangers of social networking;
  • distribute promotional items with motivational slogans (think coffee mugs, mouse pads);
  • provide login banners serving as security reminders;
  • show awareness videos (Computer Security Awareness Poster & Video Contest 2009); and
  • distribute posters and flyers.

Information security awareness programs can work, but only if you implement them with the right motivations -- and not just to meet compliance requirements. Numerous resources are available to help companies create effective programs to promote secure computing practices resulting in a safer environment for both users and the company's sensitive data.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.