Endpoint
10/30/2009
01:23 PM
Connect Directly
RSS
E-Mail
50%
50%

Tech Insight: Developing Security Awareness Among Your Users

Skip the 'Wall of Shame' and instead try promotional events, penetration testing your users

There's a general misconception about user awareness that the IT industry has fostered for years: the belief that end users are dumb, and awareness is a waste of time. This mind set seems to affect the information security field more than any other area of IT. We even have t-shirts that say things like, "Social Engineering Specialist: Because There Are No Patches For Human Stupidity."

There's obviously no "IT smarts patch" or 12-step program to help users better recognize phishing scams or make them think twice before clicking on a link from Facebook. It's the job of IT and the company to develop an information security awareness program that's interesting, innovative, and won't bore users to tears. And that's where the breakdown occurs -- a breakdown that feeds the negative attitude about user awareness.

So what is user security awareness? The National Institute of Standards and Technology (NIST) in March released a draft of NIST Special Publication 800-16, "Information Security Training Requirements: A Role- and Performance-Based Model." In Section 2.2.1, NIST states:

"Awareness is not training. Security awareness is a blended solution of activities that promote security, establish accountability, and inform the workforce of security news. Awareness seeks to focus an individual's attention on an issue or a set of issues. The purpose of awareness presentations is simply to focus attention on security. Awareness presentations are intended to allow individuals to recognize information security concerns and respond accordingly."

In other words, a security awareness program needs to inform users of security issues, the policies surrounding them, and why they are important. Trouble is, the "why" is left out, so users consider security policies a boring nuisance they have to listen to once or twice a year, but take no ownership in. And even though PCI DSS Requirement 12.6 is yet another reason to have an awareness program, compliance with PCI doesn't mean anything to users if they don't understand the consequences of noncompliance.

Getting users to take ownership in security is critical to the success of any awareness program. For users to truly believe they are the first line of defense, they need to take ownership of the problems caused by their lack of understanding of security issues and the consequences of their actions. Are they aware of data breach disclosure laws in your state? Do they know what attackers are after these days? Have they seen real-world examples of attacks against other users?

Penetration testing is one method being used more often to help companies realize the deficiencies in their security awareness programs. Enterprises that have previously left users out of the scope of pen tests are now contracting for full-scope pen testing that includes social engineering, simulated phishing e-mail messages, and attacks against client-side applications. The lessons learned from a pen test can be leveraged to show your users how important their role is in protecting sensitive corporate data.

But avoid negative practices, such as a "wall of shame." Calling out users publicly for their security gaffes can be a very effective tool at curbing risky behavior (i.e., surfing porn and social networking sites) in the short term, but employees often end up embarrassed and resentful of information security, which can backfire, leading to carelessness and apathy toward their responsibilities to help protect company data.

Plenty of resources are available to help you develop effective security awareness programs. NIST SP 800-16 and related NIST SSP 800-50 (PDF) are excellent guidelines. Microsoft also has developed a guidance document and sample materials, which are available here.

In addition, here are some activities and materials suggested by NIST in SP 800-16:

  • host an information security day;
  • conduct briefings on current issues, like the dangers of social networking;
  • distribute promotional items with motivational slogans (think coffee mugs, mouse pads);
  • provide login banners serving as security reminders;
  • show awareness videos (Computer Security Awareness Poster & Video Contest 2009); and
  • distribute posters and flyers.

Information security awareness programs can work, but only if you implement them with the right motivations -- and not just to meet compliance requirements. Numerous resources are available to help companies create effective programs to promote secure computing practices resulting in a safer environment for both users and the company's sensitive data.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4734
Published: 2014-07-21
Cross-site scripting (XSS) vulnerability in e107_admin/db.php in e107 2.0 alpha2 and earlier allows remote attackers to inject arbitrary web script or HTML via the type parameter.

CVE-2014-4960
Published: 2014-07-21
Multiple SQL injection vulnerabilities in models\gallery.php in Youtube Gallery (com_youtubegallery) component 4.x through 4.1.7, and possibly 3.x, for Joomla! allow remote attackers to execute arbitrary SQL commands via the (1) listid or (2) themeid parameter to index.php.

CVE-2014-5016
Published: 2014-07-21
Multiple cross-site scripting (XSS) vulnerabilities in LimeSurvey 2.05+ Build 140618 allow remote attackers to inject arbitrary web script or HTML via (1) the pid attribute to the getAttribute_json function to application/controllers/admin/participantsaction.php in CPDB, (2) the sa parameter to appl...

CVE-2014-5017
Published: 2014-07-21
SQL injection vulnerability in CPDB in application/controllers/admin/participantsaction.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to execute arbitrary SQL commands via the sidx parameter in a JSON request to admin/participants/sa/getParticipants_json, related to a search parameter...

CVE-2014-5018
Published: 2014-07-21
Incomplete blacklist vulnerability in the autoEscape function in common_helper.php in LimeSurvey 2.05+ Build 140618 allows remote attackers to conduct cross-site scripting (XSS) attacks via the GBK charset in the loadname parameter to index.php, related to the survey resume.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Where do information security startups come from? More important, how can I tell a good one from a flash in the pan? Learn how to separate ITSec wheat from chaff in this episode.