Endpoint
10/30/2009
01:23 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Developing Security Awareness Among Your Users

Skip the 'Wall of Shame' and instead try promotional events, penetration testing your users

There's a general misconception about user awareness that the IT industry has fostered for years: the belief that end users are dumb, and awareness is a waste of time. This mind set seems to affect the information security field more than any other area of IT. We even have t-shirts that say things like, "Social Engineering Specialist: Because There Are No Patches For Human Stupidity."

There's obviously no "IT smarts patch" or 12-step program to help users better recognize phishing scams or make them think twice before clicking on a link from Facebook. It's the job of IT and the company to develop an information security awareness program that's interesting, innovative, and won't bore users to tears. And that's where the breakdown occurs -- a breakdown that feeds the negative attitude about user awareness.

So what is user security awareness? The National Institute of Standards and Technology (NIST) in March released a draft of NIST Special Publication 800-16, "Information Security Training Requirements: A Role- and Performance-Based Model." In Section 2.2.1, NIST states:

"Awareness is not training. Security awareness is a blended solution of activities that promote security, establish accountability, and inform the workforce of security news. Awareness seeks to focus an individual's attention on an issue or a set of issues. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize information security concerns and respond accordingly."

In other words, a security awareness program needs to inform users of security issues, the policies surrounding them, and why they are important. Trouble is, the "why" is left out, so users consider security policies a boring nuisance they have to listen to once or twice a year, but take no ownership in. And even though PCI DSS Requirement 12.6 is yet another reason to have an awareness program, compliance with PCI doesn't mean anything to users if they don't understand the consequences of noncompliance.

Getting users to take ownership in security is critical to the success of any awareness program. For users to truly believe they are the first line of defense, they need to take ownership of the problems caused by their lack of understanding of security issues and the consequences of their actions. Are they aware of data breach disclosure laws in your state? Do they know what attackers are after these days? Have they seen real-world examples of attacks against other users?

Penetration testing is one method being used more often to help companies realize the deficiencies in their security awareness programs. Enterprises that have previously left users out of the scope of pen tests are now contracting for full-scope pen testing that includes social engineering, simulated phishing e-mail messages, and attacks against client-side applications. The lessons learned from a pen test can be leveraged to show your users how important their role is in protecting sensitive corporate data.

But avoid negative practices, such as a "wall of shame." Calling out users publicly for their security gaffes can be a very effective tool at curbing risky behavior (i.e., surfing porn and social networking sites) in the short term, but employees often end up embarrassed and resentful of information security, which can backfire, leading to carelessness and apathy toward their responsibilities to help protect company data.

Plenty of resources are available to help you develop effective security awareness programs. NIST SP 800-16 and related NIST SSP 800-50 (PDF) are excellent guidelines. Microsoft also has developed a guidance document and sample materials, which are available here.

In addition, here are some activities and materials suggested by NIST in SP 800-16:

  • host an information security day;
  • conduct briefings on current issues, like the dangers of social networking;
  • distribute promotional items with motivational slogans (think coffee mugs, mouse pads);
  • provide login banners serving as security reminders;
  • show awareness videos (Computer Security Awareness Poster & Video Contest 2009); and
  • distribute posters and flyers.

Information security awareness programs can work, but only if you implement them with the right motivations -- and not just to meet compliance requirements. Numerous resources are available to help companies create effective programs to promote secure computing practices resulting in a safer environment for both users and the company's sensitive data.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.