Best Practices in User Education: A Critical Component in any Information Security Program

Security Professionals Workshop, April 22, 2003

Shirley Payne, Director, Security Coordination & Policy, University of Virginia
Cedric Bennett, Director, Information Security Services, Stanford University



Page 2: Topics

• Why education?
• Who needs to be educated?
• Communicating
• Effective Practices
• Exercise
• Wrap up

Page 3: The Need For Education

Statistics show most breaches are caused by insiders:
• Disgruntled employees and contractors
• Inquisitive students
• Unintentional actions or lack of action

Excuses:
• I didn’t know
• I thought someone else would take care of that
• I don’t know how
• I’ve got more important things to do

Page 4: Threats To Computer Systems*

Threats By People
• Unintentional Employee Action: 50-60%
• Intentional Employee Action: 15-20%
• Outside Actions: 1-3%

Physical & Environmental Threats
• Fire Damage: 10-15%
• Water Damage: 5-10%
• Electrical Fluctuations: 1-5%
• Natural Disaster: 1%

Other: 5-10%

* Dr. Corey D. Schou

Page 5:

“Automakers have added systems to cars that can pinpoint their location and even call emergency services if a crash is detected. However, have these smart cars made the roadways safer? This is an analogous situation for information security. Overall security will only improve if users are educated about the technology they are using.”

Richard Hunter, VP of Gartner’s G2

Page 6: Lack Of Education Causes Major Problems

• We’ve exposed student, employee, donor and medical data
• Our IT resources have been used for attacks on businesses and the Federal government
• Our research data have been compromised
• Our hardware has been confiscated by FBI investigators
• We’re spending significant time in reaction mode

Page 7: More Bad News: Education Is Hard!

• Few acknowledge personal responsibility for security
• Many consider the issue too technically complex
• Management fails to comprehend business implications
• Security budgets and staff stretched to limit

Page 8: How Do We Approach This?

• Finely sharpen education program design:
  • Well define target audiences and what they need to know
  • Determine how best to communicate the message
• Leverage what others are doing

Page 9: Who Needs To Be Educated?

• Faculty
• Staff
• Students
• Parents
• Researchers
• Healthcare professionals
• Local businesses
• Governmental agencies
• Local citizens
• Institution executives

Page 10: Communication Is 2-way

• Don’t forget to listen
• Check your understanding
• Empathy

The Platinum Rule
• Do unto others as they would prefer

Page 11: Be The Listener

• Use language familiar to the listener
  • Avoid jargon
  • Only moderate use of FUD
• Reference concerns of the listener
• Use metaphor to make your points
• Don’t assume facts or understanding
• Use humor and informality appropriately
• Repetition is important

Page 12: Provide What Is Needed

• Get lots of input
  • Check with Help Desk, consultants, system administrators
• Prioritize the messages
  • Focus the program to get the “biggest bang”

Page 13: Effective Practices

• Web sites & email
• Articles in local publications
• Posters and postcards
• Show & Tell presentations and meetings
• Enlist others to help
• Mount a campaign
• Never stop

Page 14: Effective Practices Exercise

• Interactive group session
• Form groups
• Each group will be assigned a Target Audience
  • Choose what the educational focus will be
  • Consider best ways to reach that target
• Work on problem for 6 minutes
• Make bulleted list of approaches
• Some groups will report results
• Every group will hand in results
• We will make all results available on workshop / session web site
• Thirteen pages of exercise results follow the wrap-up page

Page 15: Selected Examples

• University of Florida’s security awareness day: http://www.itsa.ufl.edu
• Texas A&M’s security awareness training: http://infosec.tamu.edu/sat/main.html
• Indiana University’s “how-to” page: http://www.itso.iu.edu/howto
• James Madison University’s R.U.N.S.A.F.E. program: http://www.jmu.edu/computing/runsafe/
• University of Virginia’s security toolkit: http://www.itc.virginia.edu/securitytoolkit
• Stanford’s secure computing site: http://securecomputing.stanford.edu

Page 16: Selected References

• Center for Education and Research in Information Assurance and Security: http://www.cerias.purdue.edu
• National Institute of Standards and Technology Computer Security Resource Center: http://csrc.nist.gov/ATE
• SANS Institute: http://www.sans.org
• Virginia Alliance for Secure Computing and Networking: http://vascan.org

Page 17: Wrap Up

• Other Questions and Answers?
• Check the Security Professionals Workshop site for these slides plus session developed materials

Page 18: Effective Practices Exercise

• The thirteen pages which follow are the results from the session exercise, by group
  • In some cases, the same target audiences were considered by different session work groups

Page 19: Ideas for reaching “target” groups – Executives

• Make them think they make decisions
• Low tone “Fox” news – fear – stress need for information protection
• Cost benefit analysis
• Address their concerns
• Metaphors in terms s/he can understand
• Put a positive spin
  • “Security can protect productivity”
• Educate them about security [problem & resolutions]
• Tailor to their areas of expertise – this is actually a very diverse group
• Brief, pithy
• Identify reputation (and other risks) for division

Exercise results page

Page 20: Ideas for reaching “target” groups – Staff (1st Group)

• Target includes “student staff”
• Educate on security policies by incorporation in orientation
• Identify key staff member(s) to become trainers
• Widely publish security policies and usage

Exercise results page

Page 21: Ideas for reaching “target” groups – Staff (2nd Group)

• Staff associations / forums
• Email
• Print info on payroll check advice
  • E.g., an announcement of an event
• Voice mail
• Importance of making it clear that each staff member has a responsibility to protect information of which they are a steward
• Use parking permits as a means to contact people (meetings, dates, etc.)
• Simple give-away gifts with messages
• Website, intranet
• Posters
• Log-in banner
• Orientation / training program
• Tents on cafeteria tables
• Interactive contests
• Recognize people for doing something right
  • “Good Job” or “Pat on the Back”-a-week
• Employee newsletters

Exercise results page

Page 22: Ideas for reaching “target” groups – Staff (3rd Group)

Problem:
• Not teaching passwords as secure

Issue:
• Writing passwords on desk or posting them on telephone.
• Weak policies – not ensuring strong passwords

Outreach:
• PowerPoint, email
• Use “live” examples (e.g., $25,0000 debt on telephone calls – lecturers inviting study groups of students also see password on telephone)
• Use Crack
• Send notification that passwords have been compromised and need to be changed

Exercise results page

Page 23: Ideas for reaching “target” groups – Students

What to focus on
• Not sharing passwords
• Peer to peer
  • Sharing software
  • “down-ware”
• Use of email
• Use of virus protection
• Harassment
• No threats in chat rooms

How to reach them
• *Student information privacy – protect their own info
• Freshman orientation
• Newspapers
• Information literacy course (mandatory coursework)
• Public service pop-ups
• Include a required technology class
• Provide reading material with acceptance package
• Fraternity security parties
• Student orientation pamphlets / posters

Exercise results page

Page 24: Ideas for reaching “target” groups – Students (2nd Group)

Some techniques
• Door hangers with security information
  • E.g., on password changing
• Posters (residence halls and classrooms)
• Stickers on restroom doors
• Freshman orientation – ½ hour
• Student media (radio, cable TV)
• Contests with prizes
• Free Anti-virus CD in every residence hall room
  • And other enhanced ways to distribute site-licensed free software
• Web info

Focus
• Campuswide authentication (strong passwords)
• Anti-virus software – using it and updating it
• Copyright
• Ethics
• File-shares (closing open shares)
• WinXP or W2K – problems with no administrative password, etc.
• Personal firewalls
• Proper use of email
• Proper use of instant messaging

Exercise results page

Page 25: Ideas for reaching “target” groups – Students (3rd Group)

Focus
• Passwords
• General ethics
• File sharing
• Anti-virus
• Copyright
• WinXP/2K admin passwords
• Personal firewalls
• Net-iquette

Approaches
• Residence hall bulletin boards
• Door hangers
  • Campus-wide Identifiers
• Posters inside bathroom stalls
• Freshman orientation
• College radio / cable TV
• Contests with prizes
• Free Anti-virus and other software
• CD distribution

Exercise results page

Page 26: Ideas for reaching “target” groups – System Administrators

To educate on:
• What are their roles and responsibilities
• What authority do they have
• What are the best practices
• Rules for decision making
• Incident handling processes
• What to do if media or police request info

Exercise results page

Page 27: Ideas for reaching “target” groups – Faculty (1st Group)

• Start at the top
  • Dean of Faculty or equivalent
  • Get support at that level
• Have the message come from the faculty
• Use Faculty Senate / Department meetings, etc.
• Be proactive – “get in their face”
• Show the Value Proposition to them (convince of value to them)
  • E.g., intellectual property, book in progress, etc.
• Use Research Office or other offices, e.g., Procurement
• Bribe them with food, door prizes
• “Scare the pants off them”
  • CNN News idea

Exercise results page

Page 28: Ideas for reaching “target” groups – Faculty (2nd Group)

• Focus on protecting grades / research
• Approaches
  • Be added to faculty meeting / luncheon
  • Ask for assistance (e.g., secretary, TA, etc.)
  • Hold classes provided by IT staff

Exercise results page

Page 29: Ideas for reaching “target” groups – Parent & Alumni

What to communicate
• Communicate policies (AUP, Security, etc.)
• Policy violations have disciplinary consequences that could interrupt their academic experience

Approaches
• Web page for technical specifications
  • Link to policies
• Mailing (U.S. Mail) about policies
• Highlight legal and university judicial penalties
• Provide translations in multiple languages, if appropriate
• Alumni newsletter, parent’s magazines
• Use analogies to make the point

Exercise results page

Page 30: Ideas for reaching “target” groups – Researchers

• Where research brushes against AUPs, contact someone and discuss
• Approach it from their angle
  • Dangers of losing research data – integrity
  • Premature release of results
• Educate research compliance committees (IRBs) about this
• Educate campus office that takes in grant proposals about security implications
  • Grant-tracking system

Exercise results page

Page 31: Ideas for reaching “target” groups – Application Systems Staff

• Speaker program
• Web site
• List serve
• On-site professional training
• Web seminars designed for need
• Presentations at staff meetings
• Application testing / certification
• Peer-to-peer training

Exercise results page