CHAPTER 49
IMPLEMENTING A SECURITY-AWARENESS PROGRAM
K. Rudolph

49.1 INTRODUCTION 49·2
49.2 KEY CONCEPTS 49·3
  49.2.1 Learning Continuum 49·3
  49.2.2 Awareness: Common Sense or Common Knowledge? 49·5
  49.2.3 Focus on Behavior 49·6
49.3 CRITICAL SUCCESS FACTORS 49·8
  49.3.1 Information Security Policy 49·9
  49.3.2 Senior Level Management Commitment 49·10
  49.3.3 Resources with Security, Communications, and Training Expertise 49·11
  49.3.4 Visibility, Audience Appeal, and Participation 49·12
  49.3.5 Destination and Road Maps 49·13
  49.3.6 Common Challenges and Mistakes 49·15
49.4 TOPICS 49·17
49.5 TECHNIQUES FOR GETTING AND HOLDING ATTENTION 49·18
  49.5.1 Images 49·19
  49.5.2 Video 49·19
  49.5.3 Surprise, Novelty, and Expectation Failure 49·21
  49.5.4 Conversational Style 49·22
  49.5.5 Analogies and Examples 49·22
  49.5.6 Stories and Empathy 49·23
  49.5.7 Currency 49·23
  49.5.8 Credibility 49·24
  49.5.9 Social Proof 49·25
  49.5.10 Accessibility, Diversity, and Culture 49·26
  49.5.11 Spaced Repetition 49·27
  49.5.12 Pretest and Refine Messages and Methods Before Distributing Them 49·27
49.6 TOOLS 49·29
  49.6.1 Intranet Website 49·29
  49.6.2 Social Media and Crowd Sourcing 49·30
  49.6.3 Videos and Podcasts 49·30
  49.6.4 Compliance Statements 49·30
  49.6.5 Sign-on Messages, Networked Screen Savers 49·31
  49.6.6 Publications 49·31
  49.6.7 Posters and Digital Signage 49·31
  49.6.8 eLearning Courses 49·31
  49.6.9 Classroom Training and Clickers 49·32
  49.6.10 People Penetration Tests and Spear Phishing Exercises 49·33
  49.6.11 Contests and Incentive Prizes 49·34
  49.6.12 Awards and Recognition 49·36
  49.6.13 Human Libraries 49·37
  49.6.14 Volunteer Activities 49·38
  49.6.15 Inspections and Audits 49·38
49.7 EVALUATION AND METRICS 49·38
  49.7.1 Baseline 49·39
  49.7.2 Metrics 49·39
49.8 CONCLUDING REMARKS 49·41
49.9 GLOSSARY 49·42
49.10 NOTES 49·43

Computer Security Handbook, Set, edited by Seymour Bosworth, et al., John Wiley & Sons, Incorporated, 2014. ProQuest Ebook Central,
http://ebookcentral.proquest.com/lib/ivytech/detail.action?docID=1652940.
Created from ivytech on 2023-05-10 02:43:59.
Copyright © 2014. John Wiley & Sons, Incorporated. All rights reserved.
49.1 INTRODUCTION. An active security-awareness program is not a luxury: It is a business necessity. Losses from security failures are growing at an increasing rate. Some examples of such failures include:
• A 2012 New Year’s Eve California office building burglary led to the March collapse and bankruptcy of a national medical records firm because it allowed medical records and social security numbers of 14,000 people to be exposed1;
• As of March 2012, BlueCross BlueShield had spent $18.5 million resolving a 2009 hard drive heist, not including the value of the data itself2; and
• An attack on Sony’s PlayStation Network exposed personal details of 90,000 customers, which analysts say will cost as much as $2 billion to fix.3
According to the Government Accountability Office, the number of reported security breaches increased from 5,503 in 2006 to 41,776 in 2010, an increase of 650 percent.4 The number of compromised records reported in 2011 was 174 million in Verizon’s 2012 data-breach report.5
Information security is the translation of the instinctive ability to recognize and react to physical threats into an ability to recognize and respond to threats to information assets (e.g., hardware, software, data, and information).
The purpose of an information-security awareness program is to prevent loss and to ensure compliance with laws and regulations. Security awareness helps to instantiate security policies—to convert theoretical advice and instructions on protecting information assets into observable, positive behavior.
Information-security awareness leads people to:
• Pay attention to what is happening around them;
• Recognize suspicious circumstances that may be security violations;
• Know the initial actions to take in response to their suspicions; and
• Take the appropriate actions in response (people often know what they should do, but are reluctant to get involved).
Security awareness is the result of activities, tools, and techniques that help a target audience focus on identifying what in their environment has value that must be protected (physical assets such as a laptop or mobile phone and intangibles such as data/information) and what they can do to provide that protection. For a business, the target audience must include owners, employees, contractors, suppliers, partners,
customers, and any other individuals who have or require access to the organization’s information or information systems. A well-trained workforce is inarguably the most cost-effective security control.
The most important security-awareness messages are:
• What must be protected and why should I care?
• Why am I important to security?
• What do security incidents look like?
• What do I do about security?
Effective awareness programs motivate people, provide measurable benefits, and measure those benefits. Awareness materials must compete to gain people’s attention. They must also be tailored to an audience, their work environment, and the technologies they use to achieve maximum impact. This chapter outlines a practical approach for implementing an effective security-awareness program.
49.2 KEY CONCEPTS. Key concepts for this chapter are that security awareness is part of a learning continuum, awareness relates more to common knowledge than common sense, and effective security awareness focuses on behavior modification.
49.2.1 Learning Continuum. “Information Security Training Requirements: A Role- and Performance-Based Model (Draft),” National Institute of Standards and Technology (NIST) Special Publication (SP) 800-16 Revision 1, addresses security awareness and role-based training. This document defines an information-security learning continuum:
• Awareness,
• Awareness training,
• Role-based training, and
• Education and professional development.6
Awareness applies to all employees whether or not they have access to information systems (e.g., a groundskeeper who notices someone carrying boxes out of the office after hours needs to recognize that he or she may be witnessing a security incident and must know how to report the potential incident). Awareness training addresses security basics and literacy, and serves as a transition from awareness to role-based training. SP 800-16 REV1 states:

Awareness training strives to build in an organization’s information system user population a foundation of information-security terms and concepts upon which later role-based training, if required, can be based. Awareness training informs users of the threats and vulnerabilities that impact their organization and personal work environments by explaining the “what” but not the “how” of security, and communicating what is and what is not allowed. Awareness training not only communicates information-security policies and procedures that need to be followed, but also provides the foundation for any sanctions and disciplinary actions imposed for noncompliance. Awareness training is used to explain the rules of behavior for using a department’s or agency’s information systems and information and establishes a level of expectation on the acceptable use of the information and information systems.7

Awareness programs, as used in this chapter, include the first two levels of the continuum: awareness and basics and literacy. Awareness intends to focus attention on security. Awareness sets the stage for additional learning by changing individual perceptions and organizational culture so that security is recognized as critical and necessary. Security failures can keep individuals from successfully completing their work and can threaten organizational survival. Security-awareness activities have the following characteristics:
• Learning tends to be short term, immediate, and specific.
• Learners are information recipients.
• Learning can occur at the same time everywhere throughout an organization, and it can be continuous.
• Awareness activities are directed at broad audiences with attractive, attention-getting techniques, similar to those used in advertising and cause-marketing.
Basics and literacy applies to workers who use an organization’s computers or access nonpublic information. Basics and literacy should direct the workforce regarding compliance with security controls and appropriate responses to attacks in process. Characteristics of basics and literacy are:
• Basics and literacy activities are more formal than awareness activities. The purpose of basics and literacy is to build knowledge and to change attitudes. Specifically, these activities “promote personal responsibility and positive behavioral change throughout an organization’s information and information system user population, beyond what is disseminated in the organization’s basic awareness efforts.”8
• Basics and literacy activities use a variety of techniques to address different learning personalities and styles.
• Basics and literacy activities often include a course or presentation and a statement of acceptance of responsibilities.
• Basics and literacy activities typically start with an employee orientation, usually completed before the employee is placed in a work environment.
• Basics and literacy activities include periodic refresher activities on at least an annual schedule.
Awareness materials are generally broad in coverage, but limited in depth (that is, awareness covers a lot of ground, but does not dig very deep holes). Role-based training and education and professional development apply to staff with significant security-related roles or functions, including:
• Executives, such as the chief information officer (CIO) and the chief information security officer (CISO)
• Information system security officers (ISSOs) and staff
• Program and functional managers (e.g., system owners, information owners, network administrators, system administrators, security administrators)
• Application designers and developers
Role-based training takes longer than awareness, and involves establishing and enhancing skills and competency for those involved in functional specialties (e.g., management, systems design, and acquisition). Training is provided selectively based on an individual’s job functions (roles) and is most effective when tailored to the business environment. Education and professional development are appropriate for those pursuing a security career, and include college-level courses and professional certifications, such as the Certified Information Systems Security Professional (CISSP) and the Certified Data Protection (CDP) specialist. Role-based training and education and professional development are beyond the scope of this chapter.
49.2.2 Awareness: Common Sense or Common Knowledge? Ira Winkler, president of the Internet Security Advisors Group, writes, “The fundamental issue is that of common sense vs. common knowledge. You cannot expect people to behave with common sense if they do not have a common knowledge.”9 Consider the following security-awareness messages. Are the messages below common sense?
• Do not share your password
• Do not discuss sensitive or protected information in public
• Create long, strong passwords
• Report actual or suspected incidents
• Delete email chain messages
Some would say that these messages are nothing but common sense. If these security messages are common sense, then why do we need to publish tips telling people not to share their passwords, not to let others tailgate into secure work areas, and not to talk about sensitive information in public? Perhaps these messages are “common sense waiting to happen.” Or, possibly, these are common-sense items only within a particular environment or background, such as individuals who are computer literate.
In 2007, IRS workers familiar with the policy of not sharing passwords disclosed their passwords because they did not understand that changing their password to one provided by a caller was the same as disclosing it.10 An IRS audit group, posing as computer help desk staff, called 102 IRS employees asking each to help them “correct a computer problem” by providing their user name and temporarily changing their password to one the caller suggested.
• Sixty-one of the 102 employees did as requested.
• Managers were more lax than nonmanagers.
• A follow-up survey asking why the employees gave up their passwords so easily found that about one-third believed what they had been told by the unknown caller.
• Ten percent believed that changing their password was not the same as disclosing it, which they knew was against the rules.11
The 10 percent of respondents who did not recognize their actions as disclosure demonstrate a need for improved security-awareness activities. While most (but unfortunately not all) security professionals know to never change their password to one that someone else knows, this principle is not common knowledge among all computer
users. “When there are widespread problems, there is clearly a failure in how the security community is delivering the message.”12 An awareness program should instill common knowledge, and by using material that grabs attention and maintains interest, transform that common knowledge into common sense.
49.2.3 Focus on Behavior. An organization’s workforce is generally among the first to be affected by a security incident. Their compliance with security policy can make or break a security program. A staff that is security-aware can detect and prevent many incidents and mitigate damage when incidents do occur. Thus the need for awareness programs that focus on behaviors.
The need to focus on behaviors is critical, especially with younger workers. “Seven out of ten young employees who are aware of their companies’ IT policies acknowledge breaking those rules with varying regularity, according to a Cisco survey of more than 2,800 college students and young professionals in 14 countries.”13
The most common reasons for this are:
• The employees’ belief that they aren’t doing anything wrong (33 percent)
• The need to access unauthorized applications for their jobs (22 percent)
• Lack of enforcement (19 percent)
• Lack of time to think about policies (18 percent)
• Inconvenience of adhering to policies (16 percent)
• Forgetting to follow policies (15 percent)
Nearly two-thirds (61 percent) said that the responsibility for protecting information and devices is on IT or service providers and not on individual employees. As this example illustrates, security is too important to sacrifice to the status quo.
Security-related behaviors can be classed as good, bad, or ugly14: Good behavior complies with the letter of the law or, better, the spirit of the law; bad behavior includes naïve mistakes or dangerous tinkering, for example, sharing a password, writing a packet-spoofing application to test one’s programming ability, or scanning the organization network to see how it works; and ugly behavior consists of intentional misuse or destruction, for example, building a script that disables other users’ terminal sessions, forging email header information, using a file decryption program to access trade secrets without authorization, or introducing a Trojan horse program into the network.
Within an organization, good security behaviors include compliance with security policy, such as:
• Releasing nonpublic information only with appropriate authorization
• Promptly reporting a potential security vulnerability such as a lost mobile device
• Politely terminating and then reporting a suspected social engineering attempt
• Creating and using strong, unique passwords for critical systems
Bad security behaviors typically experienced include:
• Sharing passwords
• Deploying a wireless network gateway that allows noncompany personnel to use the company’s network
• Setting up a packet-spoofing application to test the user’s programming ability
• Setting up a network monitoring scanner on the user’s PC
Ugly security behaviors include intentional misuse such as:
• Building a script to disable other users’ terminal sessions
• Forging email header information
• Intentionally introducing malicious code into the organization computing infrastructure
• Using someone else’s email to send messages
Behaviors directly affect the ability of the organization to meet its business objectives. Good behaviors promote business objectives and allow resources to be focused on achieving organizational goals (e.g., improved profitability and reduced costs). Bad and ugly behaviors result in wasted resources and loss of workforce focus on business objectives (that is, increased costs and reduced performance). Bad and ugly behaviors, carried to their extreme, can result in organizational failure (e.g., intentionally compromising customer financial records could result in a financial liability so large that the company goes bankrupt). Exhibits 49.1 and 49.2 illustrate a table showing measurable end user security behaviors, whether the behaviors are good, bad, or ugly, and how they could be measured.
Effective security-awareness programs encourage people to treat mistakes as “portals of discovery” where they can learn how to avoid similar mistakes. Employees should recognize that it is in everyone’s best interest to limit damage from a mistake and, more importantly, to learn from it, and report it quickly rather than fixing it quietly. Mistakes often have side effects, and pretending that a mistake didn’t happen is dangerous. In a Harvard Business Review interview, former Toyota chairman Katsuaki Watanabe said, “Hidden problems are the ones that become serious threats eventually. If problems are revealed for everyone to see, I will feel reassured. Because once problems have been visualized, even if our people didn’t notice them earlier, they will rack their brains to find solutions to them.”15 Sharing what you learned can prevent loss. In her research on learning in hospitals, Amy Edmondson of Harvard University discovered that the highest-performing nursing units had reported the largest number of mistakes. Not because they made more mistakes, but because they felt safe to report and share the ones they did make.16 Learning the cause and how to avoid mistakes is vital to security.
Technologists typically try to control workforce behaviors by adding layers of technical controls. As demonstrated by the increasing number of reported information compromises, technological approaches alone cannot solve a people problem. The workforce needs access to data and computing functions to do their job. Technology cannot effectively distinguish between the instances when an individual employs a capability they are authorized to use to accommodate a good behavior versus a bad behavior. Technology cannot adequately address the human factor of intent.
The rise of mobile computing in the work environment has brought increased importance to the human factor. The network perimeter now extends from a defined physical area to wherever data might be at any given time (e.g., an employee’s home, a laptop at an offsite meeting). Building good computing habits at home is as important, if not more important, than building those behaviors at work. Secure computing habits will
transfer across environments, as individuals recognize good behaviors are beneficial to them regardless of whether they are at home or at work.

Security Awareness Program Metrics: Internal User Behaviors (examples, to be tailored; metrics should be based on goals and then questions). Measurement methods: Survey, Observation, Helpdesk Incident Reports, Manual Tests or Audits, Software (Automated).

| G·B·U* | Behavior |
|---|---|
| G | % of users recognizing a security event scenario |
| B | % of users susceptible to social engineering (compare mid-week at mid-day to Friday afternoon) |
| B | % of users revealing their password when tested |
| B | % of users activating a “test virus” |
| BU | % of security incidents having human behavior as a major factor/involving behaviors covered in awareness materials |
| B | Storage of unauthorized file content on desktop or network resources, such as audio, video, or other multimedia files |
| B | Number of attempts to access inappropriate/blocked Websites |
| B | Nonpublic information found in dumpsters outside of facilities |
| BU | % of systems having unapproved software installed |
| B | % of systems having unapproved hardware installed |
| B | % of emails (random sample) with inappropriate content |
| B | % of passwords visible or in common locations (e.g., under lamp) |
| B | % of PCs logged on and unattended |
| B | % of laptops, portable devices/media, sensitive data unsecured |
| B | % of laptops, portable devices/media, stolen (office/travel) |
| B | Number of attempts to use unauthorized resources, e.g., VPN |
| B | % of emails sent via Internet containing nonpublic/sensitive data that are not encrypted |
| G | % of users wearing badges with picture facing out |
| B | % of monitors positioned to be easily seen from hallways, doors, or windows (especially on the ground floor) |

EXHIBIT 49.1 Awareness Metrics, continued as Exhibit 49.2

| G·B·U* | Behavior |
|---|---|
| G | % of users who challenge unknown visitor with no access badge |
| B | % of users who open a test email with a questionable subject |
| B | % of users activating a “test virus” |
| B | % of users who click a link in a test email (instead of typing the URL into their browsers) |
| B | % of users responding to a test email via an “unsubscribe” link |
| B | % of crackable user passwords |
| B | % of user systems having spyware or malware installed |
| U | Number of incidents of unauthorized use of administrator privileges |
| B | % of users sending Internet email to multiple recipients who do not use the BCC field |
| G | % who have actively acknowledged policies/security responsibilities |
| B | Number of major findings from internal and external security audits |
| G | % viewing optional security materials in online courses |
| G | % participating in contests, suggestion programs, bonus questions |

*G·B·U = Good, Bad, or Ugly
G: Good behavior complies with the ‘letter of the law’ or, better, the ‘spirit of the law,’ e.g., not releasing nonpublic information inappropriately, discovering and reporting a security vulnerability.
B: Bad behavior includes naïve mistakes or dangerous tinkering — e.g., sharing a password, deploying a wireless network gateway that allows noncompany personnel to use the company’s network, setting up a packet spoofing application to test one’s programming ability, or setting up a network monitoring scanner on one’s PC.
U: Ugly behavior consists of detrimental misuse or intentional destruction — e.g., someone builds a special script that disables other users’ terminal sessions, forges email header information to make it look like someone else sent a message, uses a file decryption program to discover the contents of a file containing trade secrets, or intentionally introduces a Trojan horse program into the network.
(Behavior categories inspired by “Analysis of End User Security Behaviors” – by Jeffrey M. Stanton, Kathryn R. Stam, Paul Mastrangelo, and Jeffrey Jolton, July 12, 2004.)

EXHIBIT 49.2 Awareness Metrics, continued from Exhibit 49.1

49.3 CRITICAL SUCCESS FACTORS. Critical success factors for implementing a security-awareness program include:
• An information security policy
• Senior-level management commitment and buy-in, to demonstrate the importance of security
• Resources with subject matter, communications, and training expertise
• Visibility, audience appeal, and participation to address all subgroups within the workforce
• Destinations and road maps to guide and monitor program activities
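As an added illustration (not part of the handbook text or any vendor tool), the following Python script computes several of the Exhibit 49.1 and 49.2 behavior metrics from a constructed phishing-exercise event log, splitting the results by the send window the exhibit suggests comparing (mid-week at mid-day versus Friday afternoon). The log format, event names, user names and every value in the sample log are assumptions constructed for this example.

```python
"""Compute Exhibit 49.1/49.2 user-behavior metrics from a test-email event log.

Illustrative code written for this chapter; the log format and event names are
assumptions, not those of any real phishing-simulation product.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): "timestamp|user|event", one event per line.
# Events: sent (test email delivered), opened, clicked (followed the link),
# unsubscribed (responded via the "unsubscribe" link), submitted (typed a password
# into the test page), reported (forwarded the message to the security team).
SAMPLE_LOG = """\
2013-04-10T12:02:00|alice|sent
2013-04-10T12:02:00|bob|sent
2013-04-10T12:02:00|carol|sent
2013-04-10T12:02:00|dave|sent
2013-04-10T12:10:00|alice|opened
2013-04-10T12:11:00|alice|reported
2013-04-10T12:30:00|bob|opened
2013-04-10T12:31:00|bob|clicked
2013-04-10T13:05:00|carol|opened
2013-04-10T13:06:00|carol|unsubscribed
2013-04-12T15:30:00|alice|sent
2013-04-12T15:30:00|bob|sent
2013-04-12T15:30:00|carol|sent
2013-04-12T15:30:00|dave|sent
2013-04-12T15:40:00|bob|opened
2013-04-12T15:41:00|bob|clicked
2013-04-12T15:42:00|bob|submitted
2013-04-12T15:50:00|dave|opened
2013-04-12T15:51:00|dave|clicked
2013-04-12T16:00:00|carol|opened
2013-04-12T16:02:00|carol|reported
"""

# Exhibit rows this script measures, with the Good/Bad class the exhibit assigns.
METRICS = {
    "opened":       ("B", "% of users who open a test email with a questionable subject"),
    "clicked":      ("B", "% of users who click a link in a test email"),
    "unsubscribed": ("B", "% of users responding to a test email via an 'unsubscribe' link"),
    "submitted":    ("B", "% of users revealing their password when tested"),
    "reported":     ("G", "% of users recognizing a security event scenario"),
}


def send_window(ts):
    """Bucket a send time as Exhibit 49.1 suggests: mid-week mid-day vs Friday afternoon."""
    d = datetime.fromisoformat(ts)
    if d.weekday() == 4 and d.hour >= 13:          # Friday, 13:00 or later
        return "friday_afternoon"
    if d.weekday() in (1, 2, 3) and 11 <= d.hour < 14:  # Tue-Thu, 11:00-13:59
        return "midweek_midday"
    return "other"


def parse_log(text):
    """Parse "timestamp|user|event" lines into (timestamp, user, event) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event = line.split("|")
        events.append((ts, user, event))
    return events


def behavior_metrics(events):
    """Return {window: {event: (class, percent)}}, counting each user once per metric.

    A 'sent' event starts a test for that user; later events from the same user
    are attributed to the most recent test email that user received.
    """
    current = {}                                  # user -> window of their current test
    tested = defaultdict(set)                     # window -> users who received a test
    did = defaultdict(lambda: defaultdict(set))   # window -> event -> users who did it
    for ts, user, event in sorted(events):        # ISO timestamps sort lexically
        if event == "sent":
            current[user] = send_window(ts)
            tested[current[user]].add(user)
        elif event in METRICS:
            if user not in current:
                raise ValueError(f"{event} from {user} with no prior test email")
            did[current[user]][event].add(user)
    result = {}
    for window, users in tested.items():
        result[window] = {}
        for event, (klass, _) in METRICS.items():
            pct = 100.0 * len(did[window][event]) / len(users)
            result[window][event] = (klass, round(pct, 1))
    return result


if __name__ == "__main__":
    for window, metrics in behavior_metrics(parse_log(SAMPLE_LOG)).items():
        print(window)
        for event, (klass, pct) in metrics.items():
            print(f"  {klass}  {pct:5.1f}%  {METRICS[event][1]}")
```

With the constructed log, click-through doubles from 25% mid-week to 50% on Friday afternoon while the reporting rate stays at 25%, the kind of contrast the exhibit's comparison row is meant to surface.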
49.3.1 Information Security Policy. Effective information security policies are in place, credible, comprehensive, and current. Security objectives must be embodied in policies that clarify and document management’s intentions and concerns. Policies are an organization’s laws. They set expectations for employee performance and guide behaviors. Information security policies include statements of goals and responsibilities, and delineate what activities are allowed, what activities are not allowed, and what penalties may be imposed for failure to comply.
Effective information security policies show that management expects a focus on security. Well-defined security policies show what is expected of the workforce and make
it easier to take disciplinary action against those who ignore policy and compromise security.
A cohesive security-awareness policy provides credibility and visibility to the information-security program. It shows that management recognizes that security is important and that individuals should and will be held accountable for their actions. As Daryl White, chief information officer for the U.S. Department of the Interior, said, “You can’t hold firewalls and intrusion detection systems accountable; you can only hold people accountable.”17 Credibility also requires that management back employees who do the right thing.
An awareness policy should address three basic concepts:
1. Participation in the awareness program is required for everyone, including senior management, part-time and full-time staff, new hires, contractors, and other outsiders who have access to the organization’s information systems. New hires might be required to receive a security-awareness orientation briefing within a specific time (e.g., 30 days after hire) or before being allowed system access. Existing employees might be required to attend an awareness activity or take a course within one month of program initiation, and periodically thereafter (e.g., semiannually or annually).
2. Everyone will be given sufficient time to participate in awareness activities. In many organizations, security policy also requires that employees sign a statement indicating that they understand the material presented and will comply with security policies.
3. Responsibility for conducting awareness program activities is assigned. The program might be created and implemented by one or a combination of: the training department, the security staff, or an outside organization, consultant, or security-awareness specialist.
49.3.2 Senior Level Management Commitment. Senior management must be committed to information security and visibly demonstrate that commitment by example (e.g., signing the awareness program or activity launch announcement, participating in awareness activities), providing an adequate budget, and supporting the security staff. Saying security is important but failing to follow organizational policies will have negative consequences.
Executives set the standard for organizational behavior. For example, in Colombia, when there was a water shortage, the mayor of Bogotá, Antanas Mockus, appeared on television programs taking a shower and turning off the water as he soaped, asking his fellow citizens to do the same. In just two months people were using 14 percent less water, a savings that increased when people realized how much money they were also saving because of economic incentives approved by Mockus. Water use is now 40 percent less than before the shortage.18
Organizational leaders must understand and support the program as well as provide oversight. Program responsibility has shifted in recent years from a collateral duty of a compliance or information-security officer to the highest levels of the organization.
Poor security measures can be costly in damage to the organization’s brand or reputation, in impact on operations, and in actual and potential lawsuits. The media will not hesitate to report a security threat or breach. Such stories are a wake-up call and highlight the need for senior executive commitment to the security function.
Wise senior managers know that security is not just about reducing risk, it’s also
a tool to protect the organization’s reputation. It also builds customer confdence and
market valuations, and delivers a competitive edge. In today’s e-commerce environment, effective information security can increase business and profts. Top management
should understand that security is not solely a risk avoidance measure and should see
the security-awareness program as a business enabler.19
Senior-management compliance provides credibility. If security policy prohibits
installation of personal software on organization infrastructure, even senior executives
must comply. Doing otherwise undermines the policy and creates a perception of
inconsistency, unfairness, or unimportance. Senior managers must stand behind the
organization’s policies and the security staff charged with enforcing those policies.
Consistent enforcement is especially important in areas where security and convenience
conflict, such as changing passwords frequently or enforcing denial of system access
for users who have not completed a required awareness refresher activity. In addition,
human beings tend to imitate those with higher social status, so executives who see
their superiors refusing to wear name badges will soon be doing the same—and the
breach of security policy will propagate downward through the entire organization.20
Implementing an awareness program is always a management challenge. Senior
managers generally appear to recognize the benefits of an awareness program, but are
often still reluctant to allocate the financial and staff resources necessary to make it
effective. Awareness programs must compete against other organizational needs. It is
relatively easy to identify the cost of an awareness program, but it is difficult to quantify
its benefits. Thus, awareness programs often lose when competing against programs
where benefits are more tangible (e.g., programs that return a profit). The difficulty in
quantifying benefits is a primary reason why the U.S. Government made maintenance
of a computer security-awareness program mandatory for federal organizations21 and
why security awareness is required by laws and regulation in specific industries such
as finance and healthcare.
Management resistance is often tied to viewing security awareness as “nice to have”
but not as important as other needs vying for limited funds. Although the time and
effort to build a strong security program is not trivial, it is far less than the time
and effort required to deal with just one serious incident. Some security professionals
recommend equating awareness with insurance policies. Insurance policies require
continuous funding but are not often used (and the hope is not to use them); however,
few organizations choose to forego those costs.
When common sense and fiduciary responsibilities are not enough, legal requirements provide another incentive for awareness programs. The Federal Information
Security Management Act and the Computer Security Act require such programs for
federal organizations. State and federal laws (e.g., the Sarbanes-Oxley Act and the
Gramm-Leach-Bliley Act for financial information, and the Health Insurance Portability and Accountability Act for healthcare information) require security-awareness
components in information-security programs for state agencies and public companies.
Requirements to maintain effective security programs are also included in state and
federal contracts that impact critical infrastructures (e.g., healthcare, public safety) and
contracts that require retention of sensitive customer information.22
49.3.3 Resources with Security, Communications, and Training Expertise. Ideally, responsibility for an awareness program should be assigned to one
individual who has a defined budget and has security subject matter expertise, communications skills (such as marketing), and knowledge of training principles. This
individual should be a member of senior management and performance of the awareness program should be a factor in his or her performance evaluation. Program activities
and materials may be created and deployed by one or more individuals drawn from
internal or external resources.
The mix of skills needed to successfully maintain a security-awareness program
include:
1. Subject matter expertise—Individuals attempting to infuse security awareness
into the business processes should be knowledgeable of those business processes.
This ensures that awareness messages support the business and are delivered using
terminology and content that are accurate and aligned with other organizational
initiatives and activities (e.g., a professional security certification is valuable
when working with a technical audience to establish credibility).
2. Communications expertise—Awareness activities often require translation of
technical, security-oriented information into tips, discussions, presentations,
posters, job aids, and other tools that average computer users can understand
and apply in their daily work. Communications skills facilitate development of
these awareness materials.
3. Training expertise—Training is its own discipline. People learn in different
ways. Knowledge of training techniques, how people learn, and how to match
training techniques to learning styles will improve the potential success of an
awareness program.
The awareness team also needs to include an individual with deep information security experience. This individual serves to validate material for the general workforce
and to help avoid the curse of knowledge. Once we know something—say, the melody
of a song—we find it hard to imagine not knowing it. Our knowledge has metaphorically cursed us. We have difficulty sharing our own knowledge because we cannot
readily relate to our audience’s state of mind.23
The curse of knowledge was identifed in a 1990 study by Elizabeth Newton, a
graduate student at Stanford University. Study participants were divided into two
groups: tappers and listeners. The experimenters chose 120 well-known songs such as
“Happy Birthday” and the tappers tapped out the rhythm on a table while the listeners
tried to guess the song. Before they started, the tappers were asked to predict listener
success. Most predicted about 50 percent. The actual success ratio was 2.5 percent.
The tappers conveyed the message successfully one time in 40, but thought that they
would get the message across one time in two. This discrepancy resulted from the fact
that the tappers hear the tune internally while they tap, but the listeners only hear what
sounds like random taps.24
49.3.4 Visibility, Audience Appeal, and Participation. An effective
awareness program cultivates a professional, positive, and visible image. A visible
program demonstrates the value of the awareness activities, raises employee morale,
and encourages the support of the general workforce. The more methods used to spread
the message, the more visible the program. An awareness program that uses computer-based courses, videos, posters, acknowledgment statements, newsletters, contests,
events, daily tips, and checklists will reach more people and have a greater impact
than a program that consists of posting security policies to the organization’s intranet
and sending a memo advising staff to read the policies.
Everyone should receive sufficient time to participate in awareness activities; this
includes those who are responsible for planning and developing awareness activities.
These activities should occur on compensated time. Organizations that require employees to only obtain or develop security awareness and training on their own time
effectively state that security is not important.
Security-awareness programs that show the organization’s concern for employees’
IT security well-being at home (for telecommuters and others who use computers at
home) and while traveling are better received than programs that ignore such issues.
Practical topics that cross between home and offce might include “what to do if your
Twitter account is hacked,” “how to use Apple iOS5 securely,” or “how to protect
your personal email account.” Whether the target audience is all end users or senior
management, showing them how they will personally benefit from improved security
awareness contributes to program success. Viewing security as a service, with the
entire organization as a customer, highlights the importance of marketing security to
management and staff.
Computer behaviors and habits from home transfer to work. Security professional
Donna Mattick put it this way,
Just knowing that my elderly relatives are using the Internet causes me to stay up at night
worrying, but it also drives me to find ways to protect them automatically. On the other end of
the scale, I have a teenage daughter who has an iPad, cell phone, and exposure to computers
at school. She can find a way around every protection measure I put in place. So I have to stay
current to keep up with her. … Children, parents, and elders all need to be cyberaware and we
security professionals need to step up and help. For every person we educate how to stay safe
we chip away at the criminals’ ability to take advantage of us.25
49.3.5 Destination and Road Maps. When a psychologist was invited to
give a talk at the Pentagon on managing time and resources, he decided to warm up
the group of generals with a short exercise. He asked them all to write a summary
of their strategic approach in no more than 25 words. The exercise stumped most of
them. The only general who managed a response was one who had worked her way
through the ranks and been wounded in combat in Iraq. Her approach was as follows:
“First I make a list of priorities: one, two, three, and so on. Then I cross out everything
from three down.”26
Create a security-awareness program plan that contains these elements:
A description of the organization and its IT culture (culture is the instinctive
behavior of individuals within an organization), including assigned roles and
responsibilities
Program goals and the status of the organization’s current efforts with a security
baseline
A determination of awareness needs by audience
A description of methods and materials to be acquired, created, and/or modifed
A schedule showing actions to be completed and who is responsible for ensuring
their completion (including program evaluation and updates)
49.3.5.1 Goals. A security-awareness program should have goals and a plan
for achieving the goals that includes measurable criteria. The goals and objectives should be related to improvements in workforce performance and security
risk. For example, the following might be appropriate goals for a security-awareness
program:
Improve employees’ ability to recognize potential threats and vulnerabilities
Improve the level of compliance with company physical and computer security
controls
Reduce the occurrence of security failures resulting from employee action or
inaction
Reduce the severity of the security incidents that do occur
Specific, realistic, and measurable goals are best. If possible, establish a baseline
prior to implementing your awareness program or launching a new campaign. A baseline defines where the organization stands with regard to its security-awareness efforts
and program. It may be that the baseline is zero and a program has not been implemented. In that case, the organization may take a survey to find out how people in the
organization view security and how familiar they are with security policies. The results
of the survey would become the baseline. Where a program has been implemented, the
organization may choose to document the level of awareness so that over time, other
measurements can be taken to show changes.
Victor Basili of the University of Maryland developed an approach for metrics where
the metric is created as the final step of a process called Goal-Question-Metric.27 He
recommends defning a goal, for example: “Goal—decrease inappropriate Website
visits.” Next, create a question that will indicate whether the goal is being met or
not: “Are staff continuing to visit Websites that they should not?” Then, and only
then, create a metric that will support the goal. The metric would be the number of
attempts to access inappropriate Websites, such as illegal or pornographic material.
This information can be extracted from Web filtering products. This approach offers
several benefts:
It leads to an automated metric
The information for the metric is easy to collect
The metric will give a constantly updated idea of what the organization’s users
are doing
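The following Python script is an added worked example, not code from the chapter, that carries Basili's Goal-Question-Metric through on a constructed Web-filter export. The five-field line format, the category names, the user names, and the `INAPPROPRIATE` category set are all assumptions; a real filtering product exports its own schema, and `parse_log` is the one function you would adapt to it. The metric is computed per ISO week so that the same script run weekly gives the constantly updated view described above, and it handles two details a practitioner would want: attempts the filter let through are counted as well as blocked ones (a filter gap is a control failure, not an awareness failure, and counting only blocks hides it), and a zero baseline yields no percentage rather than a division error.

```python
"""Goal-Question-Metric worked example over constructed web-filter logs.

Goal:     decrease inappropriate website visits.
Question: are staff still visiting sites they should not?
Metric:   attempts per week to reach inappropriate categories, from filter logs.
"""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Assumed export format (one event per line, space separated):
#   <ISO-8601 timestamp> <user> <ALLOWED|BLOCKED> <category> <url>
# Constructed sample data; the final line is deliberately malformed.
SAMPLE_LOG = """\
2013-03-04T09:12:01 alice ALLOWED business https://intranet.example.com/
2013-03-04T09:15:43 bob BLOCKED adult http://example-adult.test/
2013-03-05T13:02:10 bob BLOCKED gambling http://bet.test/
2013-03-06T08:45:00 carol ALLOWED news https://news.example.net/
2013-03-06T19:05:00 erin BLOCKED gambling http://bet.test/
2013-03-07T08:00:00 frank ALLOWED gambling http://bet-mirror.test/
2013-03-07T17:30:22 dave BLOCKED adult http://example-adult.test/
2013-03-11T10:01:05 bob BLOCKED adult http://other-adult.test/
2013-03-12T11:11:11 alice BLOCKED malware http://evil.test/payload
2013-03-13T12:00:00 carol BLOCKED gambling http://bet.test/
2013-03-14T09:00:00 bob ALLOWED business https://intranet.example.com/
this is not a log line
"""

# Assumed policy: these filter categories count as "inappropriate".
# "malware" is deliberately absent; that is a different metric.
INAPPROPRIATE = {"adult", "gambling", "illegal"}

LINE_RE = re.compile(r"^(\S+) (\S+) (ALLOWED|BLOCKED) (\S+) (\S+)$")


@dataclass(frozen=True)
class Event:
    when: datetime
    user: str
    action: str
    category: str
    url: str


def parse_log(text):
    """Parse the export; malformed lines are skipped rather than guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, action, category, url = m.groups()
            events.append(Event(datetime.fromisoformat(ts), user, action, category, url))
    return events


def inappropriate_attempts(events):
    """The metric's population: every attempt, blocked or not.

    Counting only BLOCKED events would hide misses in the filter policy."""
    return [e for e in events if e.category in INAPPROPRIATE]


def attempts_per_week(events):
    """ISO week -> attempt count, the series the GQM question tracks."""
    weekly = Counter()
    for e in inappropriate_attempts(events):
        year, week, _ = e.when.isocalendar()
        weekly[f"{year}-W{week:02d}"] += 1
    return dict(sorted(weekly.items()))


def percent_change(before, after):
    """Relative change; None when there is no baseline to compare against."""
    if before == 0:
        return None
    return round((after - before) / before * 100, 1)


def week_over_week(events):
    """[(week, count, % change from previous week)]; first week has no change."""
    report, previous = [], None
    for week, count in attempts_per_week(events).items():
        change = None if previous is None else percent_change(previous, count)
        report.append((week, count, change))
        previous = count
    return report


def attempts_per_user(events):
    """Per-user counts; feeds targeted follow-up rather than blanket messaging."""
    return dict(Counter(e.user for e in inappropriate_attempts(events)))


def repeat_offenders(events, threshold):
    """Users at or above the threshold, sorted, for a one-on-one conversation."""
    return sorted(u for u, n in attempts_per_user(events).items() if n >= threshold)


def filter_gaps(events):
    """Inappropriate requests the filter let through: a control problem, not an
    awareness problem, and the reason the metric must not count BLOCKED alone."""
    return [e for e in inappropriate_attempts(events) if e.action == "ALLOWED"]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for week, count, change in week_over_week(events):
        print(week, count, "baseline" if change is None else f"{change:+.1f}%")
    print("repeat offenders:", repeat_offenders(events, 2))
    print("filter gaps:", [(e.user, e.url) for e in filter_gaps(events)])
```

Run as a script it prints the weekly trend, the repeat offenders, and the filter gaps; the first week's count is the baseline, and the script is re-run after each campaign to show the change. Per-user counts tell you who needs a conversation rather than another poster, but check your HR and works-council rules before naming individuals in a report.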
49.3.5.2 Audiences and Messages. Awareness programs need to be
planned to ensure they address the intended target audience in the appropriate manner.
If you are directing your message to your total workforce, then you should consider
consultants, contractors, subcontractors, vendors, suppliers, and other third parties.
When your audience is employees, don’t forget temporary hires and interns. If you
divide your audience by technical skill, you can provide detailed information to your
technical staff and less detail to your clerical staff.
Once you decide on your audience and how to segment that audience, you can
develop messages and delivery methods specifc to each segment. The following are
audience breakdowns for a typical business:
Executives—are generally interested in return on investment and risk reduction,
have a moderate level of technical literacy, and are key targets for spear phishing
and social engineering.
Information technology staff—should be interested in building security into
applications, networks, and systems, should have specifc security responsibilities,
and are expected to have moderate to high computer literacy.
Business users—primarily focus on getting the business process completed regardless of the security impact. They can be easily frustrated when security
controls are time consuming or inhibit “real work,” but they can be motivated
when they can see the benefts to themselves and their families, and will respond
positively once they understand the value of security controls, especially if they
handle sensitive or protected customer data.
New hires—for those for whom this is their first “real” job, awareness will need
to focus on the fundamentals (what needs protection, from whom or what, why
they should care, and what is their role in the organization). For new hires who
have been in the job market, awareness messages generally need to focus on how
security is addressed in this organization.
Mobile device and smart phone users—often associate risk with the smallness
and low cost of the device instead of the adverse impact their compromise or loss
could have on themselves as well as on the company.
People who travel—whether they travel locally or abroad, travelers have removed
themselves and their computer devices from the friendly surroundings of the office
and home. An unattended device, in a hotel room, in the trunk of a car, or even at
airport screening, is an invitation for theft and data compromise.
These messages should be delivered using a mix of tools (e.g., posters, screen savers,
presentations, events, computer-based courseware, classroom training, and one-on-one
training). The more times the same message is delivered using different approaches,
the greater the likelihood the information will be retained.
49.3.5.3 Methods and Frequency. Some companies use a perpetual calendar for their security program. The calendar is used to create a communications plan
that covers the type and frequency of message by audience. A calendar-oriented plan
shows what security-awareness materials and activities are produced monthly, quarterly, or annually. Calendars need to be periodically updated to add special events, such
as security-awareness days or weeks.
A security-awareness program should be an ongoing effort. Some organizations
offer a security-awareness orientation to new employees and regular reinforcement for
all employees at various times throughout the year. Doing so provides spaced repetition
of the material, and reinforces learning. Some organizations address security awareness on a monthly basis with newsletters, posters, screen savers, contests, surveys, and
online modules. Other organizations offer awareness courses that are updated annually
and provide reinforcement at various times, such as on November 30, International
Computer Security Awareness Day. NIST SP 800-50, “Building an Information Technology Security Awareness and Training Program”28 presents a detailed approach for
establishing and maintaining a security-awareness program, including an appendix
with a sample awareness program plan template.
49.3.6 Common Challenges and Mistakes. Awareness program planning
should consider common obstacles and constraints such as keeping management informed, changing material language to relevant business terminology, gaining union
support, and overcoming audience resistance. The program should also be structured
to address significant, but less recognized challenges of diffusion of responsibility
(where a person is less likely to act when others are present because they assume that
others will take action or have already done so); and attenuation (when a message
loses its strength and the learners tune out, usually because the message has been
reused, overused, or doesn’t capture the student’s interest). Wildlife managers describe
attenuation as “getting used to something we shouldn’t.” They say: “A fed bear is a
dead bear.”29 When bears in parks get used to campers and carelessly stored food, they
adapt, resulting in dangerous encounters or maulings and the destruction of the bear.
Bad things can happen when your awareness messages lose their signal strength.
A common mistake is not fitting the program to the environment. Build an awareness
program around your business environment. If you take materials from other organizations, be sure to tailor the content to your environment and target audience. Free
training materials can have significant costs in terms of wasted audience time and can
increase security risks by providing a false sense of security if the training doesn’t meet
your program objectives.
Security program planners often overlook the learners. This typically occurs because
those charged with planning and building the program were selected for their technical
competence, but have limited experience in selecting learning methods and techniques.
Programs that don’t consider the learner often fail. Learners should be able to relate to
the awareness materials and apply the materials to their jobs.30
Joseph A. Grau, former chief of the Information Security Division at the Department of Defense Security Institute, believed in the importance of marketing security
and often stated that customers actually pay for security services. For example, managers pay for enforcing the requirement to lock a classified document in a safe rather
than leaving it on a desk, with labor hours. Other methods of payment are in the
form of energy, attention, and concern for security matters, such as taking time to
identify and report a potential security incident. Even egos are part of the payment
for security. There is an “ego cost” when “scientists, researchers, technical specialists,
engineers, and management personnel must refrain from communicating their successes to friends, family, and peers to protect sensitive, company private or classified
information.”31
Be sure that your awareness program plan clearly defines your objective (how to
know when you are successful) and how you can monitor your progress toward your
stated objective. Successful performance is always easier to achieve when you have a
road map or plan that tells you where you are, where you are going, and how to tell that
you have reached your destination. Abraham Lincoln related planning to sharpening
an ax. If he was asked to cut down a tree in eight hours, he would spend the first six
sharpening his ax. It takes great effort to chop down a tree with a dull ax, but cutting
a tree down with a sharp ax goes much more quickly. Similarly it is much harder to
create, manage, and measure the effect of an unplanned awareness program than a
planned program with defined objectives, assigned responsibilities, and management
direction.
Careful planning promotes awareness activities that elicit specific, positive responses. Flexible plans allow timely changes to address changes in the organizational
structure, objectives, new technologies, and applicable threats and vulnerabilities. Flexibility also allows incorporation of relevant current events, events that use external
sources to emphasize your security message. Microsoft’s policy of issuing awards for
help in capturing virus writers is evidence that security issues are now getting high-level
attention.
49.4 TOPICS. In planning an awareness program, you should have an understanding of the topics that you want to address. NIST SP 800-16, “Information Security
Training Requirements: A Role- and Performance-Based Model (Draft),” identifies the
following security-awareness topics:
Roles and responsibilities in information security
Ways to protect shared data (e.g., encryption, backups)
Examples of internal and external threats (e.g., social engineering, hackers)
Malicious code (e.g., viruses, worms)
Security controls
Ways to recognize an information-security incident
Principles of information security
Passwords
Social engineering
Data backup and storage
Computer viruses and worms
Incident response
Personal use and gain
Privacy
Personally identifiable information (PII)
Identity theft
Internet surfng
Inventory control
Physical security
Spyware
Phishing
Scams and spam
Mobile devices (e.g., laptops, smartphones, tablet computers)
Portable storage devices (e.g., CDs, USB drives)
Remote access
Copyright infringement and software piracy
Use and abuse of email
Email do’s and don’ts
Peer-to-peer file sharing threats
National security information systems, where applicable32
Although these topics may not be directly relevant to a specifc organization, they do
provide a catalog to which you can add or subtract based on your industry, technology,
and assets that need protection. For example, healthcare providers should address
personal health information (PHI), both paper and electronic (ePHI); organizations
that accept credit cards should include topics linked to the Payment Card Industry Data
Security Standards (PCI DSS); and organizations that deal extensively with intellectual
property (IP) should consider adding topics that include advanced persistent threats
(APT) and related social engineering techniques.
Exploiting technology weaknesses to gain financial reward is a significant threat, but
less obvious data thefts can cause substantial harm to your organization’s reputation
and require significant clean-up costs. Identity theft can affect organizations as well as
individuals, and stealing the ideas for a new marketing program or product can damage
a firm’s ability to effectively compete for new business.
Including the impact of data theft is a key topic in your awareness list. The impact
of data theft was often not well understood, even though it could result in a firm’s
bankruptcy. It wasn’t too long ago that a court held that a data theft could not be
prosecuted because nothing was actually taken. Today’s judges are more knowledgeable
and recognize that the knowledge the data conveys (e.g., a person’s identity) can be
more damaging than stealing a person’s money. Linking your awareness messages to
impact on the organization is an effective approach to explaining impact and increasing
acceptance of your security message.
Another way to identify appropriate topics is to ask managers, helpdesk, and incident
response personnel to identify recurring problems or review the problem reports to
identify recurring issues. Awareness topics can then be structured to help resolve these
problems by surfacing their cause and how to avoid them. Also, topics that are of
personal relevance are good for gaining attention. Data mining, mobile device location
awareness, cyberbullying, identity theft, travel precautions, and the latest frauds, scams,
and malware are of interest to most computer users.
49.5 TECHNIQUES FOR GETTING AND HOLDING ATTENTION.
If you want to build a ship, don’t drum up the men to gather wood, divide the work, and give
orders. Instead, teach them to yearn for the vast and endless sea.33
—Antoine de Saint-Exupéry
If you want to secure information and computer systems, don’t dictate orders or
make commandments for employees to follow. Teach them why they are crucial to the
security process. Learning methods that are interactive, demonstrative, and rewarding
get the most attention. Work with the brain to capture and maintain attention. Before
you can teach your audience anything, you must have their attention. The strongest
messages have a visual and visceral impact and use images, surprise, novelty, emotional
involvement, and empathy.
Most of the events that predict whether something learned will also be remembered occur in
the first few seconds of learning. The more elaborately we encode a memory during its initial
moments, the stronger it will be.34
Emotional context plays a large role in memory retention. Emotional arousal helps
the brain learn. People remember things that they feel, such as empathy when they learn
about a person who accidentally reformatted a hard drive and did not have a backup.
(Are my files backed up? Could I accidentally reformat my disk?) Other feelings that
awareness program materials and events can convey include surprise, curiosity, and
satisfaction (e.g., correctly answering a difficult quiz question or solving a security
puzzle). Scenarios are a good way to create empathy because they allow choice of
action to be directly associated with consequences.
Anything that increases brain activity causes deeper learning. The more different
types of brain activity involved, the better the results of the awareness program. In
short, design and implement awareness activities and messages that use as much of the
brain (especially both sides) as possible.
49.5.1 Images. “We do not see with our eyes. We see with our brains.”35 Half the
brain is set up for visual processing. The more visual the input, the more likely it is to be
remembered and recalled. This phenomenon is called the Pictorial Superiority Effect
(PSE). The potency of the PSE was described definitively in 1976 by neuroscientist
Douglas Nelson. “He and others have shown that our brains are essentially hard-wired
for visuals—the very architecture of our visual cortex allows graphics a unique mainline
into our consciousness.”36 People pay attention to color, size, and orientation. People
pay special attention to objects that are moving. This is why animations (e.g., our
computer game-oriented culture) are so effective.
Imagery stimulates both verbal and visual representations. Language is primarily
processed through only the verbal channel. Experiments have shown that imagery
activates multiple, powerful neural pathways of memory recall. While our access to
raw information has grown, our time to process this information has declined (we
are reduced to communicating in sound bites and 140 character Tweets). This places
a premium on meaning-making. Given our brain’s preference for the visual and the
current complexity of our world, “we’ve learned that the very best shortcuts usually
come in graphical form … consequently, today’s visual storytellers have considerable
power.”37
Graphics that incorporate the message in the image (e.g., speech boxes) are more
effective than graphics that described the message or image in an accompanying narrative or that have the message as a caption or title below the image. Exhibit 49.3 shows
two images of a vulnerability caused by a modem. Learners were observed to glance at
the frst one for a short period of time and many “tuned it out.” When the speech boxes
were added, learners looked at the image longer and expressed excitement, saying,
“Oh, I get it. The modem goes around the firewall and circumvents the control.”
49.5.2 Video. While some educational professionals say the future of online
learning is gamification38 (learning through games), video is arguably the future
of online security awareness. YouTube is the second most popular search engine
online—today. Humanity watches more than 80 million hours of YouTube every day,
according to Chris Anderson, TED39 founder. Our brains are wired for video more than
print. Video offers a greater density of information. Anderson points out that print and
reading are relatively new compared to face to face communication. Print was scalable,
which was an advantage that has been overtaken by video. Anderson’s TED talk addressed crowd-accelerated innovation and learning where cycles of improvement are
driven by people watching Web video. He uses the examples of street dancers and
TED talks. As a result of being able to see what others in their fields are doing, people
are stepping up their game. Anderson identifed three concepts that fuel accelerated
learning and performance:
1. A crowd, such as a global Internet community—the bigger the crowd, the more
potential innovators there are, as well as commenters, trendspotters, cheerleaders,
skeptics, mavericks, and super-spreaders. These people are creating the ecosystem
through which innovation emerges.
EXHIBIT 49.3
2. Light, clear, open visibility of what the best are doing—this empowers others to
participate. A light shines on the innovators, either directly through comments,
ratings, email, Facebook, and Twitter, or indirectly through numbers of views
and links (that point Google there).
3. Desire for social status—where the best walks tall and is recognized—“You might
just be a kid with a Webcam, but if you can do something that goes viral, you can
be seen by the equivalent of sports stadiums crammed with people.” This global
recognition drives huge amounts of effort. The light and desire are self-fueling
and attract new people to the crowd.40
Here’s an example of how well video can work for security awareness described by
Chip and Dan Heath. Russ Berland was tasked with redesigning BearingPoint’s ethics
and compliance training program. He inherited a code of conduct which might have
been repurposed from a law firm. A principal challenge was the need to influence the
behavior of employees across the country, operating in different organizational cultures.
Berland interviewed associates about real-world “gray areas” and uncovered dramatic
stories of strained relationships and ethical quandaries. This inspired his team to create
a humorous fictional series based on The Office featuring a fictional company designed
to be the “evil doppelganger” of BearingPoint. The fictional company, Aggrieva, used
the motto: “Aggrieva says yes when everyone else says no.” Berland hired a film maker
and shot 10 short episodes over a weekend. The films included topics such as bosses
“hitting on” subordinates, teams misrepresenting their expertise, and managers trying
to pass along inappropriate expenses to the client.
The episodes created a sensation and employees said that this was the best training they had ever had. The characters and situations became part of the company’s
vocabulary. “New episodes debuted each Monday, but employees were so ravenous
for the next episode that they started tracking them down on the company’s staging
server, where the videos were posted on the preceding Friday. Thousands of employees
watched the videos before they were released.”41
The videos started conversations about ethics and compliance, and after the videos
aired more people called the hotline to discuss difficult topics and situations. The videos
were so well-received that people chose to watch them. Awareness programs should
aim to create or locate materials so engaging that people are eager to watch.
49.5.3 Surprise, Novelty, and Expectation Failure. Vital information
about potential threats and resources is likelier to be identified from things that are
new or unfamiliar. Nature ensures that all living creatures react to novelty and change
because novelty and change often result in danger. A swerving car on the highway,
a jump in your bad cholesterol, or a drop in a stock’s value rivets your attention and
jangles your nerves, events which prime you to protect yourself from harm. Basically,
our brains are surprise detectors.42
Use surprise and expectation failure to deepen security-awareness experiences. Evolution has made humans crave novelty as a survival trait, so they respond to the unique
and unusual. Anything that is counter-expectational will tweak the arousal–adaptation
cycle.
Ask questions such as, “Did You Know?” Ask learners with mobile phones how
long their data (multimedia pieces of communication like photos, videos, and texts) is
stored by their cell phone network provider and if their data can be sold to third parties.
Not many people know that nearly four years’ worth of their digital identity is stored
by AT&T, which holds the data for 84 months. Verizon holds this data for 12 months,
Sprint for 24 months, and T-Mobile for 60 months. “28,000 MMS messages are sent
into the world every second, and cell phone companies record much of the metadata
that travels with them, like location, receiver identity, amount of data transferred, and
the cost of the transmission. The average user has 736 pieces of this personal data
collected every day.”43
Another innovative idea, from Antanas Mockus, the mayor of Bogotá, was to use
mimes to improve both traffic and citizens’ behavior. Initially, 20 professional mimes
shadowed pedestrians who didn’t follow crossing rules: A pedestrian running across the
road would be tracked by a mime who mocked his every move. Mimes also poked fun
at reckless drivers. The program was so popular that another 400 people were trained
as mimes.44 What would happen if mimes followed people in your organization around
their offices for a day and mocked people who talked about sensitive information in
public areas or left their computers logged on while they were away from their desks?
Social psychologist Robert Cialdini states, “Mysteries are powerful because they
create a need for closure.”45 Mysteries exist wherever there are questions without
obvious answers. “Why do criminals attack personal home computers?” “How was the
source of the cyberattacks on Estonia discovered?” “What does the encrypted message
in this week’s security awareness contest say?”
Another way to maintain interest is to pose a question or puzzle that confronts people
with a gap in their knowledge. As part of a security-awareness program, newsletters,
an intranet site, posters, and online courses can ask challenging quiz questions. This
creates two knowledge gaps: “What’s the correct answer?” and “Was I right?” Providing
hints and clues for more difficult security-awareness questions or contests also helps to
maintain interest. Remember, the objective is to make people think about the problem,
not to guess a single right answer.
Note: Don’t expect people to remember much about security from an initiation day
presentation when all stimuli are new.
49.5.4 Conversational Style. Use a conversational and personal style. A conversational style is useful because “people tend to pay more attention when they perceive that they’re in conversation, since they’re expected to follow along and hold up
their end.” The brain does this even when the learner is reading (e.g., the conversation
is between the learner and a book, magazine, Website, or an eLearning module).46
First- and second-person constructions (involving “I,” “we,” and “you”) create a
feeling of conversation between the content and the reader. In five out of five studies
performed in 2000, students who received material with personalized, conversational
text performed better on subsequent transfer tests than those who learned with formal
text.47 Studies found that “students performed up to forty percent better on post-learning
tests if the content spoke directly to the reader using a first person, conversational style
rather than taking a formal tone.”48
In addition, Dr. Roger Schank, author and expert in workplace learning, states that
conversation is a form of learning by doing.49
49.5.5 Analogies and Examples. To better engage people with a new topic,
start by highlighting things that the audience already knows. As an example, your target
audience may know that the Storm worm was widely spread malicious code, but they
may not know that the controlling computer changes the malicious code it sends every
30 minutes, or that the Storm worm contained new defensive techniques that shut down
the efforts of researchers who were attempting to learn more about it. Use analogies
and examples to tie ideas your audience knows to what you want them to learn:
Backups are like flossing—everyone knows it’s important, but few devote enough
thought or energy to it.
A dynamic IP address is like moving your house several times a day so that
burglars can’t find it.
Sensitive information is like prescription medicine: it should be used only by
those who need it and are authorized to have it; it should not be transferred, sold,
or given to people who are not authorized to have it (this is illegal and penalties
apply); it can cause damage if given to people who are not authorized to have it.50
Passwords are like bubble gum: strongest when fresh; should be used by an
individual and not a group; and if left lying around, will create a sticky mess.51
49.5.6 Stories and Empathy. The number-one story commandment, according to Pixar is: “Make me care.”52 Include stories in awareness materials to increase
people’s attention and retention. Stories energize powers of recall and communicate
priorities effectively. Stories are powerful because they provide the content missing
from abstract prose. Stories captivate people. They survive the test of time, and they
become part of the popular culture. Audiences are typically more receptive to someone
who tells stories than to someone who lectures.
Relating a story is different from making a reasoned argument because the way
the message is delivered determines how the audience will react. When the audience
hears an argument, they evaluate it and usually argue back, even if only in their minds.
Stories engage the audience and involve people with the idea. When an audience hears
a story, they are likely to think of similar situations that they have experienced. Stories
can suggest a course of action to someone who is at a decision-making point.
Stories should be about situations that are realistic and related to the lives of the
learners; otherwise, stories may backfire and cause a loss of credibility. The stories
should relate to situations and decisions the audience may face. Stories about hackers
accessing medical records would be useful to organizations that process medical data,
whereas stories about fraud or identity theft would be of interest to personnel involved
in the financial industry or the accounting function of an organization.
Effective security-awareness stories are short (a few paragraphs), have two or three
characters at the most, and have a singular message. Stories that show more than one
point of view increase retention because the brain is tuned to learn more deeply when
it is forced to make evaluations and judgments. Stories should contain a surprising
element and they must be true. Lack of credibility in a story is a single point of failure.
Stories about real people and real consequences (people being praised, disciplined,
or fired) are useful in presentations and courses. Sources of stories include individuals
who have been with the organization for a long time and have a “corporate memory,”
news events, Internet special interest bulletin boards, and security personnel who attend
special interest group meetings and conferences.
Organizations should collect stories about security incidents, security heroes, mistakes made, and lessons learned. Having a story collection prepared allows for quick
response to trigger events, such as when an incident similar to ones from the story
collection occurs at the organization. “The secret is to gather, gather, gather—and do
it in advance of any pressing need. … Gather things that get a response in you.…
Anything that displays or evokes energy. Storage is cheap.”53
49.5.7 Currency. Awareness material must be fresh and current. Chef Oscar
Gizelt of Delmonico’s Restaurant in New York said, “Fish should smell like the tide.
Once they smell like fish, it’s too late.” If awareness material is not changed frequently,
it too begins to smell old and becomes boring.
Take advantage of circumstances. Prepare material to be ready to launch a campaign
alerting people to respond quickly after a disaster or major news event. For example,
after a disaster such as the tsunami in Japan there are always scams and malware that
use sensational news headlines to entice potential victims to click on links to sites that
contain drive-by malware.
Another idea is to prepare messages in advance for specific times of the year. November 30 is International Computer Security Day. In October, educate about scareware.
During the holiday season in November and December, laptop and mobile-device theft
peaks, so offer tips on securing mobile devices. For tax time, offer tips about keeping
track of your credit and information regarding fraud resolution specialists to contact
for victims of fraud (e.g., remind staff that if the IRS wants more information from
them, they will receive a letter, not an email. When an email claims to be from the IRS,
it’s best not to click on any links—and to report it to [email protected]).
Current events can be an excellent source of material and can add credibility to
an awareness program. Review current news reports for events that can be used to
emphasize security messages. For example, newscasters who make statements when
they do not know that their microphones are live or a show on the impact of ID theft
can provide good examples for use in an awareness program. Also, several Internet
security and technology sites offer subscriptions to electronic security alerts and
news clippings. One of the more useful newsletters reporting on information-security
breaches is from INFOWAR.54 Some organizations have established a news-hawk
program, in which rewards are given to the first employee to bring in a new relevant
story that can be used as part of the awareness program. This is also a good technique
to gain buy-in from the end user community.
One of the best times to raise awareness is right after a breach at the organization or at
a similar organization (one in the same industry, in the same location, or using the same
technology). The news is full of stories about information security and data breaches.
49.5.8 Credibility. Credibility is crucial for an awareness program. The message
must be clear, relevant, and appropriate to the real world. If the audience is required
to use 15 different passwords as a part of day-to-day functions, prohibiting them from
writing their passwords may not be as realistic as providing strategies for protecting
the written list.
Show consequences. Some organizations send memos to all staff that describe
specifc examples of personnel who have violated policy. The memos cover a set time
period (e.g., the previous quarter) and include the number of individuals, the nature
of the violations, and the penalties, such as loss of Internet privileges or leave without
pay, displayed in dollars, and based on the average salary.
While all messages should have a call to action, credible messages avoid fear,
uncertainty, and doubt (FUD). FUD isn’t the best choice for communication, and it
will backfire if the material creates a scare and then doesn’t offer a practical solution.
Comedian Chris Bliss explains why FUD doesn’t work:
A great piece of comedy is a verbal magic trick… there’s this mental delight that’s followed
by the physical response of laughter, which, not coincidentally, releases endorphins in the
brain. And just like that, you’ve been seduced into a different way of looking at something
because the endorphins have brought down your defenses. This is the exact opposite of the
way that anger and fear and panic, all of the flight-or-fight responses, operate. Flight-or-fight
releases adrenalin, which throws our walls up sky-high. And the comedy comes along, dealing
with a lot of the same areas where our defenses are the strongest—race, religion, politics,
sexuality—only by approaching them through humor instead of adrenalin, we get endorphins
and the alchemy of laughter turns our walls into windows, revealing a fresh and unexpected
point of view.55
The use of appropriate humor such as the advertising technique of exaggerated
consequences works because humor is a door into the serious. To spoof the popular
advertisements that show a chain reaction of consequences, you could do a similar ad
that says:
1. If you don’t teach your employees about security awareness, they will post their
vacation plans on social media sites.
2. If your employees post their vacation plans on social media sites, the bad guys
will know when your employees aren’t home.
3. If the bad guys know when your employees aren’t home, the bad guys will clean
them out.
4. If your employees’ homes are cleaned out, they will come to work naked.
5. Don’t let your employees come to work naked.
Another point that Chris Bliss makes is that comedy is a powerful way to communicate because it’s inherently viral; people can’t wait to pass along a great new joke.
He adds, “But it’s when you put all of these elements together—when you get the
viral appeal of a great joke with a powerful punch line that’s crafted from honesty and
integrity, it can have a real world impact at changing a conversation.”56
49.5.9 Social Proof. Robert B. Cialdini is considered an expert on influence.
He studies and writes about the science of persuasion. He describes a common mistake
that causes messages to self-destruct. It’s the story of a former graduate student who
had visited the Petrified Forest National Park in Arizona with his fiancée. At the park’s
entrance a sign stated, “Your heritage is being vandalized every day by theft losses
of petrified wood of 14 tons a year, mostly a small piece at a time.” The student
was shocked when after reading the sign, his normally ultra-honest fiancée whispered,
“We’d better get ours now.”57
This incident inspired Cialdini and his colleagues to design an experiment where
they posted two different signs. One used the concept of “negative social proof.” It
read, “Many past visitors have removed the petrified wood from the park, changing
the natural state of the Petrified Forest.” That sign also showed a picture of several
visitors taking pieces of wood. The experimenters placed a second sign to simply convey
that stealing wood was not appropriate. The second sign said, “Please don’t remove
the petrified wood from the park, in order to preserve the natural state of the Petrified
Forest.” The accompanying image showed a lone visitor stealing a piece of wood,
covered by the universal “No” symbol of a red circle with a slash through it.
The experimenters placed marked pieces of wood along various pathways and
observed how the signs affected the rate of theft. They switched the signs at the
entrance to the pathways, and they also used pathways with no signs posted as a
control condition. The results:
Where there was no sign, 3 percent of the wood pieces were stolen. Where the
social proof sign (stating that many visitors had removed wood) was posted,
the theft rate increased to 8 percent. Where the sign asked people not to steal the
wood and depicted a single thief, the theft rate decreased to 1.7 percent.
Put simply, social proof refers to our tendency to go along with the crowd and
follow the most popular course of action. We do things that we see other people
like us doing.
Using negative social proof, for example, communicating the popularity of an
undesirable behavior, focuses the audience on the prevalence, rather than the
undesirability, of the behavior.
The authors recommended that the park management reframe the statistics to focus
attention on the number of people who respect the park’s rules, which turned out
to be more than 97 percent.58
Here’s an example of how to apply this to security awareness. Todd Snapp, President
of RocketReady, speaks to audiences about the human side of security. He often asks
the audience to guess the most common passwords that his team of penetration testers
finds in organizations where the password requirements include using characters from
at least three sets (e.g., uppercase, lowercase, and numbers) and the passwords have to
be changed every 90 days.
Audience members usually call out with guesses, but they rarely guess the answer.
When Todd tells them, there is usually a collective groan and head slap as audience
wonders why such a simple and retrospectively obvious answer didn’t occur to them.
The answer? The season and the year: Fall2011, Winter2011, or Spring2012.
One way to present this information would be to start with “Did You Know? The
most common passwords we find are…” This approach would catch attention, but it
would also convey the wrong message. Despite the implied disapproval of choosing
passwords that are easy to guess, the message is that such behavior is common. Putting
the information out in a neutral way would act as strong social proof that many people
just like the audience choose these easily guessed passwords.
A better way to present the information would be to advise people not to choose the
season and year for passwords and to focus their attention on a positive behavior (e.g.,
use an image showing people who had chosen strong passwords speaking disapprovingly of a person in the organization who used the season and year). This makes it clear
that people who use weak passwords are in the minority and have the disapproval of
their co-workers. The take-away is that it’s more effective to emphasize the deviance,
not the popularity, of insecure behavior.59
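The Season+Year pattern described above is also something an organization can check for on its own side, so that a password such as Fall2011 is refused at the point of creation rather than reported afterwards. The following Python example is added here; it is not code from the chapter or from RocketReady. It assumes the three-character-set rule the text describes and, going beyond the text, also catches common substitutions such as F@ll2011 and trailing punctuation such as Summer2012!. The sample password list is constructed for illustration.

```python
import re

# Season words that, with a year appended, form the passwords the text describes.
SEASONS = {"spring", "summer", "fall", "autumn", "winter"}

# Character substitutions people commonly use to keep a memorable word while
# satisfying a complexity rule. Catching these goes beyond the text's plain
# Season+Year pattern and is an assumption of this example.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

# A stem, then a two- or four-digit year, then optional trailing punctuation
# (e.g. "Fall2011", "Autumn12", "Summer2012!").
_SEASON_YEAR = re.compile(
    r"^(?P<stem>.+?)(?P<year>\d{4}|\d{2})(?P<suffix>[^A-Za-z0-9]*)$")


def char_classes(password):
    """Number of character sets present: uppercase, lowercase, digits, other."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def meets_naive_complexity(password, min_length=8, min_classes=3):
    """The rule from the text: characters from at least three sets."""
    return len(password) >= min_length and char_classes(password) >= min_classes


def is_season_year(password):
    """True when the password is a season name followed by a year."""
    m = _SEASON_YEAR.match(password)
    if not m:
        return False
    # Undo leet substitutions in the word part only; the year is left alone.
    stem = m.group("stem").translate(LEET).lower().strip(" ._-")
    return stem in SEASONS


def evaluate(password):
    """Policy decision: complexity alone is not enough; predictable patterns are rejected."""
    complexity_ok = meets_naive_complexity(password)
    predictable = is_season_year(password)
    return {"complexity_ok": complexity_ok, "season_year": predictable,
            "accepted": complexity_ok and not predictable}


def count_predictable(passwords):
    """How many entries pass the naive rule yet follow the Season+Year pattern."""
    return sum(1 for p in passwords
               if meets_naive_complexity(p) and is_season_year(p))


# Constructed sample for illustration, not real credentials.
SAMPLE_PASSWORDS = ["Fall2011", "Winter2011", "Spring2012", "Summer2012!",
                    "F@ll2011", "Autumn12", "Tr0ub4dor&3", "P@ssw0rd",
                    "correct-horse-battery-staple"]

if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print(p, evaluate(p))
    print("predictable but policy-compliant:", count_predictable(SAMPLE_PASSWORDS))
```

Run against the constructed sample, six of the nine entries satisfy the three-set rule and are still a season plus a year, which is the point of the anecdote: a complexity rule measures character variety, not predictability. In practice a check like this is one entry in a broader list of banned patterns (organization name, months, keyboard walks) applied at password creation, and the awareness message that accompanies it should, as the text advises, stress that colleagues who choose such passwords are the exception rather than the norm.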
49.5.10 Accessibility, Diversity, and Culture. Effective awareness materials are accessible, diverse, and culture specific. Guidelines for creating Web pages that
are accessible to people with vision or hearing impairments are published by the World
Wide Web Consortium (W3C). To be accessible, the Web pages should not rely on
vision or sound alone to impart meaning; for example, all graphics should be labeled
with text that explains the graphic, and the contrast between the text and the background
should be maximized.60 An alternative is to create and maintain two versions of an
online course.
Accessible content is easy to understand. Check written program materials for ease
of reading and understanding with Flesch–Kincaid readability levels or the Gunning
Fog Index. Some word processors have the ability to perform two Flesch–Kincaid
readability tests to indicate how difficult a passage is to read. The Flesch Reading
Ease and the Flesch–Kincaid Grade Level use the same core measures (word length
and sentence length), but different weighting factors. A text with a comparatively high
score on the Reading Ease test should have a lower score on the Grade Level test.61
The Gunning Fog Index measures the readability of English writing. The index
estimates the years of formal education needed to understand the text on a first reading.
A Fog Index of 12 requires the reading level of a U.S. high school senior (around 18
years old). The Fog Index is commonly used to confirm that text can be read easily by
the intended audience. Texts for a wide audience generally need a Fog Index less than
12. Awareness material requiring near-universal understanding should have an Index
less than 8.62
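The three readability measures named above can be computed directly on draft awareness text, so that a newsletter item or poster caption can be checked against the Fog Index thresholds of 12 and 8 before it goes out. The following Python example is added here and is not from the chapter. It implements the standard Gunning Fog, Flesch Reading Ease, and Flesch–Kincaid Grade Level formulas with a simple vowel-group syllable heuristic; the two sample texts are constructed for illustration, and because syllable counting is approximate the scores are a guide rather than an exact measurement.

```python
import re

# Formulas (standard coefficients):
#   Gunning Fog          = 0.4 * (words/sentences + 100 * complex_words/words)
#   Flesch Reading Ease  = 206.835 - 1.015 * (words/sentences) - 84.6 * (syllables/words)
#   Flesch-Kincaid Grade = 0.39 * (words/sentences) + 11.8 * (syllables/words) - 15.59
# A "complex" word for the Fog Index has three or more syllables.


def count_syllables(word):
    """Approximate syllables by counting vowel groups and dropping a trailing
    silent 'e' (but keeping '-le' as in 'table'). This is a heuristic; it
    overcounts words such as 'unauthorized' and undercounts some others."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    n = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and n > 1:
        n -= 1
    return max(n, 1)


def analyze(text):
    """Return word/sentence/syllable counts and the three readability scores."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z][A-Za-z'-]*", text)
    if not sentences or not words:
        raise ValueError("text must contain at least one sentence with words")
    syllables = [count_syllables(w) for w in words]
    complex_words = sum(1 for s in syllables if s >= 3)
    wps = len(words) / len(sentences)      # words per sentence
    spw = sum(syllables) / len(words)      # syllables per word
    return {
        "words": len(words),
        "sentences": len(sentences),
        "syllables": sum(syllables),
        "complex_words": complex_words,
        "fog": 0.4 * (wps + 100.0 * complex_words / len(words)),
        "flesch_reading_ease": 206.835 - 1.015 * wps - 84.6 * spw,
        "fk_grade": 0.39 * wps + 11.8 * spw - 15.59,
    }


def meets_fog_target(text, max_fog):
    """True when the text's Fog Index is below the target the text gives
    (12 for a wide audience, 8 for near-universal understanding)."""
    return analyze(text)["fog"] < max_fog


# Constructed samples: a plain tip and a dense policy-style sentence.
SIMPLE_TEXT = ("Lock your screen when you leave your desk. "
               "Report strange emails to the help desk.")
DENSE_TEXT = ("Organizational personnel must immediately communicate suspected "
              "unauthorized disclosures to the information security representative.")

if __name__ == "__main__":
    for label, sample in (("simple", SIMPLE_TEXT), ("dense", DENSE_TEXT)):
        r = analyze(sample)
        print(f"{label}: fog={r['fog']:.1f} grade={r['fk_grade']:.1f} "
              f"ease={r['flesch_reading_ease']:.1f} (near-universal: {r['fog'] < 8})")
```

The plain tip scores a Fog Index of 3.0 (15 words over two sentences, no word of three or more syllables), well under the near-universal target of 8; the policy-style sentence, with ten long words in one thirteen-word sentence, scores far above 12 on both Fog and grade level. Single sentences produce exaggerated scores, so run the check over whole items rather than fragments, and treat the heuristic as a screen that flags material for a human rewrite rather than as a pass/fail gate on its own.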
Diversity is important to address cultural and other differences among staff. Awareness materials should suit the culture of the organization. Images of people in awareness
materials should show different genders and races, with the subjects dressed similarly
to the way that people within the organization dress. People relate to pictures of other
people who are similar to themselves. In a global awareness program, language and
cultural differences should be addressed. Materials should avoid the use of local idioms
such as (in the United States), “In a nutshell.”
Awareness materials designed for use in an Islamic country might address differences
in techniques used by social engineers. For example, high-pressure techniques (as are
often used in America) would likely be counterproductive in an Islamic culture. Instead,
social engineers are likely to concentrate on the techniques that emphasize trust and
relationship building. Also, since many social engineers are most active when they
expect the target company to have fewer resources, instead of noting that an attack
is most likely on a Friday afternoon (as in the United States), the materials should
note that attacks are most likely on Thursday afternoons and that organizations might
receive a higher volume of social engineering calls during Ramadan or around the Eids
when the organization may have fewer staff available.
Awareness materials designed for Japan might address threats that target the
Japanese culture, where privacy, reputation, family, and a desire to stay out of
trouble are strongly valued. Examples are the “It’s me, It’s me” fraud, where a young-sounding person calls a
senior and claims to be in trouble and to need money to avoid a scandal, and the “One
click contract” fraud, where a visitor to a dating or pornography Website receives
the message that by clicking on the previous page they have entered a contract and
must now deposit money into a specified account to avoid fines or scandal. By keeping
the amount affordable (e.g., the equivalent of about $100 U.S.), many Japanese
people simply make the deposit to avoid the potential trouble.63
When designing material for a company in Qatar, which has a rich history and
industry of pearl diving, a memorable approach is to use a pearl to illustrate the value
of data. Exhibit 49.4 shows a poster image of an oyster with a data disc in place of the
pearl with the caption, “How Valuable Is Your Data?”
49.5.11 Spaced Repetition. The technique of spaced repetition was identified
by Hermann Ebbinghaus about a hundred years ago. He observed that learning and
memory are the strongest if you spread the repetition of information over a long
period of time—for example, days, weeks, and months. He also proposed a “forgetting
curve,” which behaves like a radioactive half-life: each review of the information to be
learned increases memory strength by about 50 percent, but an immediate review does
not increase memory very much because the memory hasn’t decayed much.64
A meta-analysis in 1999 suggested that those who learn information by spaced
repetition will outperform 67 percent of those who learn by mass presentation given
the same number of practice episodes. This varies according to the “nature of the task
being practiced, the inter-trial time interval, and the interaction between these two
variables.”65
For awareness, this means that exposure to awareness material once a year is likely not enough
to effect behavior changes. A best practice is to follow John Medina’s
Brain Rules: “Repeat to remember” and “Remember to repeat.”
49.5.12 Pretest and Refine Messages and Methods Before Distributing Them. Pretest and refine materials before distributing them. Pretesting provides
evidence that materials are reaching your target audience with the intended message.
It can also avoid embarrassing situations, such as occur after distributing a poster on
which punctuation or the lack of punctuation changes the message (e.g., “Slow Work
Zone” instead of “Slow, Work Zone”).
EXHIBIT 49.4 “How Valuable Is Your Data?”
Pretesting may be accomplished using focus groups, providing materials to a single
unit within the organization, or through group or individual interviews. All evaluations
should include a set of multiple-choice or ranking questions with one or two open-ended questions. This analysis approach facilitates data comparison and aggregation.
The question set should be structured to determine the message received and the
level of experience (novice, beginner, user, power user) required to understand the
material. The questions should also be structured to avoid leading the respondent. A
useful approach for coordinating input from larger focus groups is Computer-Aided
Consensus™, which uses a shared spreadsheet to identify hidden assumptions and
divergent values among the respondents.66
49.6 TOOLS. When choosing tools to convey an awareness message, address
these questions:
1. What tools are most appropriate for the message?
2. What methods are most likely to be credible to and accessible by the target
audience?
3. Which methods (and how many methods) are feasible, considering the available
budget and the time frame?
4. How often should each method and message be delivered?
Use as many methods and tools as possible, with a consistent message, to reinforce
the material and increase the likelihood that the audience will be exposed to it often
enough and long enough to absorb it. Some methods are suited to daily updates, such
as tips or questions of the day. Some material, such as simplified policies, frequently
asked questions (FAQs), and incident reporting information will be received best if
it’s available on demand and just in time when needed. Newsletters are best received
monthly or quarterly. Online courses can be provided monthly (short content pieces
or modules), quarterly, biannually, or annually. Regular updates to content on an
intranet Website, including contests, will drive repeat visits and increase awareness;
stale information will lose viewers.
49.6.1 Intranet Website. An intranet Website focused on security can contain
checklists (e.g., what to post on social media, how to protect mobile devices, how
to manage privacy on Facebook), one-line policies (the most important concept of
each policy distilled to a single line) linked to full policies, identify–react charts, and
interactive technologies such as password strength meters and password visualizers that
illustrate the relationships among your passwords. Such tools should run entirely in the
browser, so that a real password is never sent to, or logged by, the server.
Security-awareness activities that use the Internet or an intranet offer the advantages
of ease of use, scalability (can be used for various audience sizes and in distributed
locations), accountability (can capture use statistics, quiz or test scoring, and other
metrics), accommodation of individual learning rates, and even interaction among
members of a community or among students and instructors.
Websites (public or private) can be used in these ways:
As a research tool for gathering information
To present policies and other documents
To post alerts
To collect data for security-awareness surveys or incident reporting
For self-assessments to identify at-risk security practices
For anonymous reporting of security concerns
For Webcasts of security conferences or presentations
49.6.2 Social Media and Crowd Sourcing. Use social marketing techniques such as Twitter and social networking, email, daily tips, questions, contests,
surveys, and suggestion programs that help achieve buy-in. Your social media strategy
can be used to push and pull. Use social media as a channel for delivering messages
to an audience as a push. Use social media as a way to listen and learn and to create
relationships as a pull. Test and learn. Focus on understanding, run experiments (for
new benefits and services), and analyze the results (for audience engagement). Where
traditional marketing pushes out messages and products, the most engaging organizations
pull their audience in. Instead of treating customers as passive targets, they treat them as
active participants. Like the sun in a solar system, they create a gravitational field that
pulls customers into their orbit. They go beyond customer loyalty to building customer
gravity.67
If your organization is a nonprofit, you can use virtual volunteers to help with your
awareness program. One example is Sparked.com, a micro-volunteering network, in
which nonprofits post challenges to the network and volunteers respond with ideas.
Challenges range from requesting user input on a logo to creating promotional materials.
This brings together the talents and ideas of many to find a single solution, and gives
nonprofits a way to get valuable work for free. Volunteers might design newsletters,
illustrate online courses, or create Website pages. Volunteers search for opportunities
by skill, interest area, development topic, or geographic region.
49.6.3 Videos and Podcasts. Videos can be delivered on DVDs, VHS tapes,
CD-ROMs, or over the Web in various formats including podcasts (videos formatted
to play on iPods or other portable media players). Most security-awareness videos
are less than 20 minutes long. They can be used at orientation briefings and brown-bag
lunches for staff, where popcorn can be provided in bags preprinted with security
messages. Videos are useful starting points for discussions and for briefings. They
provide a consistent message throughout the organization and can be shown to staff
at distributed locations, saving instructor travel time and costs. They can also be used
to demonstrate cost-effectively the impact of security failures, such as a fire at a data
center or how sensitive data were found in the trash. Security-awareness videos are
available commercially for various fees and from the U.S. Government often at no
charge or for a nominal fee.
Produce awareness videos in digital format in segments that allow for updates as
the environment or organizational needs change.
49.6.4 Compliance Statements. Compliance statements and policy reading
sign-offs are among the most effective security-awareness offerings. After computer-based instruction, according to the Security-Awareness Index report, the most effective
methods were:
Tracking whether workers read policies or not
Requiring a compliance statement
Requiring full-time employees (FTEs) to read policies
Making policies available in electronic format
Requiring workers to read policies annually
Requiring a compliance statement prior to issuing a user ID68
49.6.5 Sign-on Messages, Networked Screen Savers. With some systems, it is possible to add a text message to the log-on or sign-on screen. These messages
should be short, to the point, and changed frequently. Where the sign-on screen also carries the organization’s legal use-notification banner, keep the awareness message separate from that notice and do not let it crowd the notice out.
Screen savers are a graphic form of communication and should be eye-catching
for maximum impact. Involving a professional artist will improve message delivery.
Screen savers should contain contact information for the organization’s security and
incident-handling functions. Animations or trivia questions and answers may make the
screen saver more interesting. Screen savers should be updated periodically to keep
the message fresh. Commercially produced security screen savers are available, as are
screen savers that can be easily tailored to deliver a security message.
Software programs such as BroadcastIT offer a centrally managed screen saver that
can show images and videos. This software updates in the background and doesn’t
require much space.
49.6.6 Publications. Publications, such as newsletters, brochures, pamphlets,
comic books, tip sheets, identify and react sheets (documents that list signs of an
incident and steps for the end user to take), whitepapers, and checklists of behaviors
organized by topic, can be targeted to specific audiences. They may be security focused
or may be generalized publications that contain articles on security-related events
or items of interest. Newsletters should be short, one to two pages, tailored to the
organization’s industry or business. Newsletters should use attention-getting graphics,
headlines, and white space to appeal to readers. Audience interaction can be generated
by encouraging questions, answered in future newsletters, or by including contests,
inviting readers to submit news items, tips, trivia, or reviews of security books or
products.
49.6.7 Posters and Digital Signage. A poster series with themes or related
designs can be used to highlight specific security issues. A poster should be colorful,
present a single message or idea, and include a “call to action.” Using a professional
artist to design the posters will increase their impact. Posters should be larger than
standard letter size to stand out and gain attention. They should be changed or rotated
regularly and placed at eye level in multiple locations. Posters can be printed on both
sides of the paper, saving paper and shipping costs for organizations with multiple
locations. Signs can make a difference in behavior. In Kenya, inexpensive messages
urging minibus passengers to heckle and criticize their drivers for being reckless caused
a 50–60 percent reduction in insurance claims involving injury or death. The stickers
had messages such as “Don’t just sit there as he drives dangerously! Stand up. Speak
up. Now!” and were illustrated with severed feet and legs. Drivers were given incentives
to leave the stickers in place. The messages encouraging passengers to speak up were
placed in a random sample of over 1,000 long-distance Kenyan minibuses. In those
buses, insurance claims fell by a half to two-thirds, from 10 to less than 5 percent
annually. “Results of a driver survey eight months into the intervention indicated that
passenger heckling contributed to the safety”69 improvement.
49.6.8 eLearning Courses. Web-based awareness courses are useful for geographically dispersed staff members and staff who need to take training at a time that
is convenient for them (e.g., after normal work hours). Web-based courses are especially well suited for use by individuals who have diverse backgrounds and different
technology experience levels. Online courses offer the following advantages over traditional place-based, classroom training:
Feedback—Feedback is essential to motivation and performance. Feedback is
immediate, so learners do not build on early misunderstandings. Well-designed
Web-based training takes cultural and personality differences into account and
reassures timid trainees while allowing more confident ones to progress at a faster
pace. “Why,” “How,” “Show me an example,” and “Give me an alternative” buttons
or links can be used to let learners with different needs and personalities use the
course to learn in ways that are comfortable for them.
User convenience—Web-based awareness courses are convenient for the learners
because they can be taken at any time. Those with variable or hectic schedules can
arrange to take the course after hours or whenever they have a convenient time in
their schedule.
Nonthreatening—Web-based courses allow users to make mistakes and learn from
them in a safe, nonthreatening environment.
Flexibility—Web-based courses are flexible and can be customized to accommodate learners with different levels of experience and different interests. By placing
detailed information in subordinate, linked pages, users are able to choose between
the “need-to-know” main pages and the “nice-to-know” hyperlinked pages.
Web-based courses can reduce costs and training time. Placing updates to courses
on the Web eliminates the work involved with distributing the current version and
materials to multiple locations. This can be more efficient and consistent because
the content has been reviewed, edited, and tested to make it clear and concise.
Courseware can also be directly linked to specific organizational policies and
procedures.
Web-based courses are self-paced, so that more experienced users can race through
without getting bored while novice users can ponder and explore.
A potential problem to watch for in Web-based courses is the tendency to get lost
in the technology. Just because an awareness course could have three dozen animated,
singing computers decorating the pages does not mean that it should. The technology
must be used appropriately; bigger buildings do not make better scholars, and more
impressive technology does not necessarily result in a better learning experience. A
Web-based course that is overloaded with animations and graphics that do not relate to
course content or that has a poorly designed user interface will lose user acceptance.
49.6.9 Classroom Training and Clickers. A study by the European Network and Information Security Agency (ENISA) found that:
The most effective technique has been face-to-face time with staff through workshops and
training sessions. Being able to put a face to a name or function is more personable and
people are more receptive to messages being face-to-face. The training is mandatory. Senior
management actively supports the awareness schemes, making sure that training events are
at convenient times for the business and promoting them to staff. There is good attendance
at sessions since missing the events results in escalation to the employee’s manager. This
senior management support across the business has proved to be critical to the success of the
awareness program.70
A downside to in-person, instructor-led training is cost. Instructor-led training must
have an audience that is collocated. Instructor-led training is not cost effective for organizations with a large, distributed workforce—unless they have an in-place audio/visual
conference capability.
Use audience response systems (e.g., clickers) to enhance feedback and audience
interaction. Audience response systems can be used to take attendance, instant polls,
and multiple-choice tests. You can also use the devices to survey audience awareness
of security topics and instantly show the correct answers and a response breakdown.
Clickers allow online crowdsourcing for offline crowds. These devices have a fun
factor and have been described as “efficient, eco-friendly and techno-tickling.” Clickers
allow audiences to participate in the same way as TV game-show contestants and
help shy people “speak up.” Professor James Katz, Director of the Center for Mobile
Communication Studies at Rutgers said: “If people feel their opinions really count,
they’ll be happy and likely to give more opinions.”71 With the prevalence of cell
phones, text messages can now be used for in-class responses.
49.6.10 People Penetration Tests and Spear Phishing Exercises.
Demonstrations of penetration tests and spear phishing exercises are a good way
to generate interest in security among the technical staff and power users. You can
also incorporate vendors and other business partners into internal tests to evaluate and
strengthen your organization’s ability to respond to a cyberattack. Consulting firms
may offer social engineering and penetration testing that includes email phishing tests and
phone calls from social engineers. The goals are to test employees’ awareness of fraudulent email messages and incident response effectiveness. It must be made clear that
penetration tests are intended as training exercises, not as employee evaluations.
You can also test awareness by checking the strength of passwords or simulating
social engineering attacks to gauge responses. You can develop penetration exercises
internally or acquire external support. Products such as Metasploit, Core Impact, and
Canvas can be used to simulate a wide range of vulnerability tests, including email and
Web phishing exercises. Before conducting any phishing or other vulnerability exercise,
obtain permission in writing, with the scope and limits of the test spelled out in a
rules-of-engagement document. Without that authorization, such activities may be treated
as hacking (unauthorized access), even when performed by security personnel as part of
an awareness exercise.
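A worked example of the password-strength check mentioned above, added here and not taken from the book or from any of the products it names. It assumes an authorized extract of account hashes; the accounts and hashes below are constructed, and they use unsalted SHA-256 only so that the script runs stand-alone (a real audit works on the system’s own hash format with a tool such as John the Ripper or hashcat). What it adds is the report shape: which password habits made accounts guessable, with no account names in the summary, because the result feeds the next awareness session rather than anyone’s appraisal.

```python
"""Offline password-strength audit in support of an awareness program.

Added example. The account table below is constructed, and the hashes are
unsalted SHA-256 only so that the script runs stand-alone; a real audit works
on the system's own hash format (NTLM, bcrypt, ...) with a tool such as John
the Ripper or hashcat, and only under written authorization."""
import hashlib
from collections import Counter

# A tiny wordlist and rule set stand in for a real dictionary and rule file.
# Each rule is (name, function) so that the report can say WHICH habit made a
# password guessable: that, not a list of weak accounts, is awareness material.
WORDLIST = ["password", "welcome", "summer", "company", "letmein", "dragon"]


def _leet(word):
    """The a/e/i/o -> 4/3/1/0 substitution most people mean by 'leetspeak'."""
    return word.translate(str.maketrans("aeio", "4310"))


RULES = [
    ("plain word", lambda w: [w]),
    ("capitalised", lambda w: [w.capitalize()]),
    ("word + digits", lambda w: [w + d for d in ("1", "123", "2023", "2024")]),
    ("word + symbol", lambda w: [w + s for s in "!@#"]),
    ("leetspeak", lambda w: [_leet(w), _leet(w.capitalize())]),
    ("capitalised + digits + symbol",
     lambda w: [w.capitalize() + d + s for d in ("1", "123") for s in "!@"]),
]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def candidates():
    """Yield (rule_name, candidate_password) for every word and rule."""
    for word in WORDLIST:
        for name, rule in RULES:
            for cand in rule(word):
                yield name, cand


def audit(hashes, hash_fn=sha256_hex):
    """hashes: dict account -> hash. Returns dict account -> rule that guessed it.

    The candidate table is built once (hash -> first rule that produced it) and
    every account hash is looked up in it, so the cost is O(candidates + accounts)
    rather than their product."""
    table = {}
    for name, cand in candidates():
        table.setdefault(hash_fn(cand), name)
    return {acct: table[h] for acct, h in hashes.items() if h in table}


def summarize(hashes, cracked):
    """Aggregate report for the awareness team: share of accounts guessed and
    which habits were responsible. Account names are deliberately left out."""
    total = len(hashes)
    return {
        "accounts": total,
        "cracked": len(cracked),
        "cracked_pct": round(100.0 * len(cracked) / total, 1) if total else 0.0,
        "by_rule": dict(Counter(cracked.values()).most_common()),
    }


# Constructed sample (not real accounts); in practice this is the authorized
# extract of the directory or password database.
SAMPLE_HASHES = {
    "acct-01": sha256_hex("Welcome123!"),
    "acct-02": sha256_hex("dragon2024"),
    "acct-03": sha256_hex("P4ssw0rd"),
    "acct-04": sha256_hex("correct horse battery staple"),
    "acct-05": sha256_hex("summer"),
}


def run_sample():
    cracked = audit(SAMPLE_HASHES)
    return cracked, summarize(SAMPLE_HASHES, cracked)


if __name__ == "__main__":
    cracked, report = run_sample()
    print(report)
```

On the sample, four of the five constructed accounts fall to the rule set; the summary names the habits (a dictionary word with a year appended, leetspeak, capital letter plus digits plus symbol) and that is what the next awareness session should address.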
All testing works best when in support of defned policies and procedures. The
same is true of penetration exercises. A well-designed test will include techniques for
recognizing an attack as well as remedial actions that “victims” of an attack should
take (e.g., reporting spear phishing attacks to organization security).
Testing can provide an estimate of the likelihood that a member of your workforce
will:
Click on an embedded hyperlink in a suspect email message,
Enter Social Security numbers,
Open an attachment without checking to see if it might include malware,
Respond to a request to “verify” their network account,
Register at an unknown site to download a whitepaper and receive a free product,
or
Download a suspicious fle.
After the exercise, collect follow-up information by sending a message to recipients
for feedback asking, “Why did you click or not click” or other questions to assess their
thought processes.
Metrics to evaluate testing might include:
Emails that were deleted and not read,
Email forwarded to security personnel,
Reports as spam,
Emails that were read,
Replies to email,
Forwards to colleagues,
“Victims” who clicked on the link, and
“Victims” who provided personal information.
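Here is how those metrics can be computed from the exercise’s event log, as an added example that is not part of the original chapter. The log format, recipient tokens, and timestamps are constructed for the example; “reported” covers both forwarding the mail to security and using a report button. Two points it adds beyond the list above: outcomes are classified so that each recipient counts exactly once (worst action wins), and reporting is scored separately, since someone who clicks and then reports has still done the most useful thing the exercise can teach.

```python
"""Scoring a spear-phishing exercise from its event log.

Added example; the log below is constructed (made-up recipient tokens and
timestamps), not data from a real campaign. Recipients are opaque tokens
because the report is meant to be aggregate: the exercise is training, not
an employee evaluation."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# One event per line: recipient, event, ISO timestamp.
#   sent       message delivered
#   opened     tracking image loaded (undercounts: many clients block images)
#   clicked    landing-page link followed
#   submitted  data entered on the landing page
#   replied / forwarded   recipient answered or passed the mail to a colleague
#   reported   mail forwarded to security or flagged with the report button
EVENTS = """\
r01 sent 2024-03-04T09:00:00
r01 opened 2024-03-04T09:05:10
r01 reported 2024-03-04T09:06:02
r02 sent 2024-03-04T09:00:00
r02 opened 2024-03-04T09:12:40
r02 clicked 2024-03-04T09:13:05
r02 submitted 2024-03-04T09:13:50
r03 sent 2024-03-04T09:00:00
r04 sent 2024-03-04T09:00:00
r04 opened 2024-03-04T10:30:00
r04 clicked 2024-03-04T10:31:00
r04 reported 2024-03-04T10:40:00
r05 sent 2024-03-04T09:00:00
r05 opened 2024-03-04T11:00:00
r05 replied 2024-03-04T11:02:00
r06 sent 2024-03-04T09:00:00
r06 opened 2024-03-04T11:20:00
r06 forwarded 2024-03-04T11:21:00
r07 sent 2024-03-04T09:00:00
r07 opened 2024-03-04T13:00:00
r07 reported 2024-03-04T13:30:00
r08 sent 2024-03-04T09:00:00
r08 opened 2024-03-04T14:00:00
"""

# Worst action wins, so every recipient lands in exactly one class and the
# funnel adds up to the number sent.
SEVERITY = ["submitted", "clicked", "replied", "forwarded", "opened"]


def parse_events(text):
    """Return dict recipient -> {event: first timestamp}.
    Only the first occurrence of each event counts; a second open is not new behaviour."""
    per_recipient = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        rid, event, ts = line.split()
        per_recipient[rid].setdefault(event, datetime.fromisoformat(ts))
    return dict(per_recipient)


def score(per_recipient):
    """Compute the exercise metrics. Reporting is scored separately from the
    outcome classes: a recipient who clicks and then reports still gave
    security the alert it needs, and that behaviour is counted, not hidden."""
    sent = [r for r, ev in per_recipient.items() if "sent" in ev]
    n = len(sent)
    outcome = Counter()
    for r in sent:
        cls = next((e for e in SEVERITY if e in per_recipient[r]), "unopened")
        outcome["engaged" if cls in ("replied", "forwarded") else cls] += 1
    reporters = [r for r in sent if "reported" in per_recipient[r]]
    delays_min = [
        (per_recipient[r]["reported"] - per_recipient[r]["sent"]).total_seconds() / 60
        for r in reporters
    ]
    raw = {e: sum(1 for r in sent if e in per_recipient[r])
           for e in ("opened", "clicked", "submitted", "replied", "forwarded", "reported")}
    return {
        "sent": n,
        "outcome": dict(outcome),          # mutually exclusive classes, sums to n
        "raw_counts": raw,                 # the per-event counts listed in the text
        "click_rate_pct": round(100.0 * raw["clicked"] / n, 1),
        "report_rate_pct": round(100.0 * raw["reported"] / n, 1),
        "reported_without_clicking": sum(
            1 for r in reporters
            if not any(e in per_recipient[r] for e in ("clicked", "submitted"))),
        "first_report_minutes": min(delays_min) if delays_min else None,
        "median_report_minutes": median(delays_min) if delays_min else None,
    }


def run_sample():
    return score(parse_events(EVENTS))


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Time to first report is the figure the incident-response side cares about most: it is how long the organization would have had an unreported phish in circulation. The open count is shown but should be read with caution, since image-blocking clients never register an open.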
Real-world simulation exercises add to but do not replace traditional awareness
techniques. Classroom instruction can explain and describe attack approaches, but
exercises provide students with a “touch, feel, and experience” that expands their
understanding of security attack approaches and aids in content retention. The goal
of a security-awareness exercise is to make security a natural concern within the
organization, campus, or university. Periodic security-awareness exercises will help
minimize network downtime and maximize network performance as students become
more judicious about handling emails.72
49.6.11 Contests and Incentive Prizes. Contests, incentive prizes, rewards,
and giveaways help achieve buy-in. People like to win and most love a good contest.
A contest can be a simple prize draw or a competition with rules for entry and criteria
for winning.
Contests can be used to ask questions, collect data, conduct research, inspire ideas,
or drive traffc to your security Website. The 3 Ps of contests are:
Planning. Decide on the goal of your contest, then create a theme. Establish clear
rules, including entry procedures and criteria for judging competition entries.
You may need to consider your country- or state-specific regulations (e.g., some
contests and competitions may require a permit if they are open to the public and
winners are chosen by random draw).
Prizes. Prizes can be anything from bragging rights to security-themed DVDs
(such as Catch Me If You Can or Swordfish) or books (such as The Cuckoo’s Egg
by Clifford Stoll, Kingpin by Kevin Poulsen, or The Lure by Steve Schroeder) to
cash awards, lunch with a senior executive, or time off. At presentations, speakers
can tape prizes or awards under seats in the front row to encourage people to come
early and sit up front.
Prizes don’t have to be expensive to be valuable to your audience. Time off,
lunch with the boss, gift certificates, shredders, security-themed T-shirts, mugs,
certificates, and trophies all work. Shiny prizes, such as the latest technology (e.g.,
an iPad) or money, have mass appeal. You may want to poll your audience to find
out what would be valuable to them. The prize might be intangible (e.g., an honor,
such as announcing the winner in the organization newsletter).
Promotion. Announce your contest with email, posts on the security intranet site,
and posters. Also, if it’s a public contest, consider tweeting it, enlisting coworkers
to help spread the word, putting links to the contest on the organization’s Facebook
Page, and writing press releases.
If you run the contest on social media, such as Facebook, Twitter, or Google+, use
applications (many are available) to help administer the contest. To win, people may
simply have to follow, retweet, or answer trivia questions. This type of campaign is
often successful because of the ease of entry. Your security “brand” will benefit from
the increased engagement.
Here are some contest ideas:
What’s That Number? Post a number that relates to security and have people
guess how the number relates to security. The number might be the number of
password reset requests the helpdesk receives in a week, the number of malware-infested sites blocked by the corporate firewall, or the number of records exposed or dollars lost as a result of a breach experienced by a company in your
industry.
Catch the Red Team. A red team is a group of individuals assigned to test the
security of an organization. Staff are told that a red team will be testing security
(e.g., making social engineering calls). Staff members who catch the red team and
report the potential security violations win a prize. Often, these contests result in
identifying security vulnerabilities and sometimes in catching intrusion attempts
by cybercriminals and not just the attempts of the red team.
Nooo Face! A security-awareness video or photo contest, such as the Annual
Security Video Contest held by Educause or Trend Micro’s “Nooo! Face” Contest,
gives awards for photos that capture the feeling one gets on realizing one is a
cyber victim: precious data has vanished, been destroyed, or been taken by an
attack.
Awareness Materials Contests. Award prizes and recognition for awareness materials, such as the annual contests held by the Federal Information Systems Security Educators’ Association (FISSEA) and the International Information Systems
Security Certification Consortium, Inc., ((ISC)²)’s CyberExchange. FISSEA’s
contest has categories: Awareness Posters, Motivational Items (trinkets—pens,
stress relief items, T-shirts, etc.), Awareness Websites, Awareness Newsletters,
and Role-Based Training & Education. The CyberExchange accepts posters, presentations, best practices, flyers, white papers, and more.
Security Song, Jingle, and Verse Contests. Contests could be for the best security
haiku or six-word security stories. The six-word stories are based on the challenge
issued to Ernest Hemingway to write an entire story in six words. His story: “For
sale: baby shoes, never worn.” A security-related six-word story might be “I never
checked my offsite backup…”
Top Ten Lists. Award a prize for the best (funniest) Security Top Ten list. Examples are the “Top Ten Places Not to Hide Your Password” (such as written with
a permanent marker on a light bulb in the office lamp, on a white board, as a
tattoo) and “Top Ten Security Headlines We’ll Never See” such as, “White House
Painted Purple to Confuse Terrorists” or “Courts Close Due to Lack of Lawsuits
over Security Breaches.”
Security Stories. Invite people to share their security stories—for example, how
a person was affected by identity theft, or how someone refused to share personal
data when it wasn’t necessary to do so, such as when a healthcare provider’s form
asks for a Social Security number. The emotional content makes stories prime
material for sharing.
Security Trivia. Ask security-related questions, such as:
“What color is Whitfield Diffie’s hair?” (or, “Who is Whitfield Diffie and why
is he important to security?”)
“What is the name of the 1983 movie in which Matthew Broderick played a young
hacker who gained access to a government nuclear war simulator?” (WarGames)
Or, for more technically advanced audiences,
“What type of attack against database-driven applications involves the intruder
manipulating a site’s Web-based interfaces to make the database execute
attacker-supplied commands?” (SQL injection)
“What hardware feature caused the vulnerability where a FireWire device,
when plugged in, can read or overwrite anywhere in memory?” (DMA, or Direct Memory Access)
Security Fact or Fiction Contests. Contestants must decide if statements are true
or not. For example: “In fiscal year 2011, the Electronic Crimes Special Agent
program processed 1,066 terabytes of data on 8,525 units” (fact).73
Contests can boost morale, motivate people, and contribute to team spirit. Vince
Lombardi, former head coach of the Green Bay Packers, understood this. He once said,
“Winning isn’t everything. It’s the only thing.” After criticizing him for this statement,
some of his critics put together a new kind of baseball league for children in a Texas
community: “It was like the Little League—the same ball, same bat, same number
of innings, same playing field—everything was the same except that they didn’t keep
score. The idea was that there wouldn’t be any losers because nobody would know
who won.” The game lasted one and a half innings. After that “the kids went across the
street to play sand-lot ball where they could keep score.”74
49.6.12 Awards and Recognition. Rewarding good security behaviors contributes to good security. Security is part of everyone’s job and often management
believes no special recognition or incentives should be provided. This approach does
not work well because in a poorly managed organization, security tends to be outside
the normal business process (i.e., security measures are often viewed as an impediment
to getting a job done).
Security is a special concern that must be emphasized if assets are to be adequately
protected. Security should be integrated with performance appraisals. “Personnel become motivated to actively support information security and privacy initiatives when
they know that their job advancement, compensation, and benefits will be impacted. If
this does not exist, then an organization is destined to depend only upon technology
for information security assurance.”75
Awards can be given for extraordinary security behaviors, participation in security events, achieving a security certifcation, or providing a security service such as
speaking to local groups about cybersecurity. Awards work best if they are publicized,
support desired behaviors, and are immediate (close to the act for which the award is
being given).
49.6.13 Human Libraries. A Human Library is a technique to promote dialogue, information interchange, reduce prejudices, and encourage understanding. A
Human Library consists of a group of individuals (“books”) who have agreed to share
their knowledge (i.e., the information that’s in their head) with others. Living Books are
people you have recruited because they have experiences of interest to the audience. A
Human Library can be established as a single event with defined start and end times or
an ongoing activity (long-term resource), where the Living Books come and go much
as books are checked in and out from a conventional library; it may be established
in a single physical location where the “books” are available for a fixed time frame,
or it may be a virtual library where the books may be checked out by accessing a
database.76 For security awareness, a Human Library can serve as a resource where
members of the workforce can learn about security from people who understand their
work environment and their specific policies and procedures.
Living Books should be volunteers who are recruited with care to ensure that they
are committed and willing to talk with strangers about important and sometimes very
personal issues. Interview book candidates to ensure the quality of books. Ask the book
about its title (subject area) and motivation to be a book. This is to ensure that books
are focused on supporting awareness. A reader can safely ask any question without
fear of ridicule. A Human Library provides an opportunity to ask the information
security questions you always wanted to ask, but were afraid that asking would make
you appear naïve.
The best sellers are defined as the books that have the most requests for loans.
For metrics, ask books, readers, and librarians for their comments on their Human
Library experience. Ask the books if they would be a book again. Ask if people felt
that they benefited from the library. Ask the books if they learned anything from the
readers.
The experiences that might increase security awareness in living books include:
Victim of identity theft
Computer gaming addict
Computer Incident Response Team member
Penetration tester
Social engineer
Digital forensics expert
Hacker
Ethical hacker
Helpdesk staff member
Biometric expert
Reformed cyberbully
Someone who lost their job as a result of something posted on the Internet
Information system security officer
Senior executive responsible for security policy
Privacy expert
Electronic Frontier Foundation member
Information-security blogger
HIPAA expert
Malware researcher
Computer programmer
49.6.14 Volunteer Activities. Strengthen your security-minded workforce
through volunteer programs. Volunteerism increases engagement. Data from the Center for Talent Innovation (CTI) shows that the vast majority of college graduates want
to amplify their commitment to good causes through their employer.77 According to
the Deloitte Volunteer Impact Survey,78 Generation Ys who frequently participate in
their company’s volunteer activities are more likely to be very proud to work for their
company, feel very loyal, and be very satisfed with the progression of their careers.
These sentiments hold true across generational cohorts—91 percent of Gen X women
and 76 percent of Gen X men, and 90 percent of female and 79 percent of male Baby
Boomers, feel it is important to contribute to their community or the wider world
through work.79
There are many programs that allow individuals with security interests to give back
to the community:
Attending the FBI Citizens Academy, which shows how dedicated our FBI is to
protecting our freedom. Most individuals not exposed to computer crime get a rude
awakening of just how bad cybercrime is, especially when they see in real-time
the innocent images of victims of pedophile activity in their own neighborhood.
Individuals with CISSP certification can join the (ISC)² Safe and Secure Online
Program to teach children how to be cyberaware.
Volunteering to be a living book at a Human Library event.
Participating in National Teach-In day to promote cyberawareness for elementary
students.
Cyberawareness training for seniors can be arranged through libraries, religious
organizations, and other groups.
49.6.15 Inspections and Audits. Inspections and audits raise awareness
among the staff being reviewed, at least for the duration of the inspection. Audits
and inspections are typically viewed as negative events. However, there are approaches
that can turn an audit/inspection from a negative to a positive experience. Using a technique called “security by wandering around” (SBWA), a security staff member tours the
work area, identifies staff members doing something correctly, and leaves certificates
of congratulations, thank-you notes, or trinkets on their desks. Another audit technique
is to treat each encounter with a staff member as a training opportunity: explain why
a policy is important instead of just rating compliance as pass or fail. Security personnel
might periodically demonstrate social engineering by attempting to smooth-talk users
into providing their passwords. As with the phishing exercises in Section 49.6.10, such
tests need written authorization and should be reported in aggregate: the number of people
who fall for the scheme might be used as an example for the next awareness session,
but not their names.
49.7 EVALUATION AND METRICS. Security consultant Gary Hinson compared security to the brakes on a car. The brakes slow you down, but they also make it
possible for you to go a lot faster. A good metrics program takes time to set up, but once
you have it set up and working well, it can save you time in the long run by making
your program more effective. Metrics aid in decision making. Without a solid metrics
program, it is hard to know whether the program is effective, or if the organization
should spend more money on doing the same thing, or if the resources would be better
used elsewhere.
49.7.1 Baseline. As with any tool, it is important to know how to use metrics.
Metrics are best used when they compare measurements over time to a baseline.
Defining appropriate metrics and immediately gathering data on the current state of
those metrics is an essential first phase for all future evaluation of security-awareness
programs.
49.7.2 Metrics. Security metrics are evolving, and different organizations have
put forth different tools, different guidance, and different frameworks for evaluating IT
security. For example, organizations may use metrics based on such standards as:
COBIT80
FISMA81
FITSAF82
GLBA83
HIPAA84
ISO 27002:200585
NIST SP 800-5586
PCI DSS87
SANS88
SOX89
or combinations of such guidance.
Few organizations currently use security metrics or even a common vocabulary.
Also, many of the tools and guides for measuring IT security metrics only consider
security awareness as a small portion of overall security program metrics. Metrics
regarding security-awareness programs are high level and not specific. It is easy to
collect quantitative measures of data, such as the number of virus infections, server
patches performed, or program costs. It is difficult to measure behavioral change.
A commonly used metric is the number of people who participated in awareness
orientations and refreshers. This figure can be determined through attendance sheets,
course registrations, or completion notifications for online courses, and signed user
“acceptance of responsibilities” statements. Another common metric is seat time—how
long this person spent in front of a computer, clicking through the screens, soaking up
the knowledge that was there. Attendance and seat time may indicate that a program
is not effective, but they are not the best measures of awareness program effectiveness.
Better measurements focus on the end users and measure behaviors that are a part
of normal business operations, including user perceptions, activities, and response to
anomalous occurrences.
An effective, measured awareness program can ensure that the workforce serves
as a staff firewall, protecting the organization’s information assets, and ensuring that
there exists a gold-standard or best-in-class security environment. It also provides
decision makers who are allocating resources with assurances that the security-awareness programs are cost-effective control measures. Also, using objectives such
as “ensuring that 100 percent of employees take the awareness course” is a statement
regarding the program process, not impact, and should be avoided. When it comes to
making a decision between a business case supported by hard numbers and one based
on subjective feelings and unsupported statements such as “workforce training is the
most cost-effective security control,” the hard numbers will win.
Once the performance measures are adopted, the next step in building the business
case solution is to establish at least one metric for each of the supporting goals and
objectives. These metrics may be hard numbers (e.g., number of security incidents),
estimates (e.g., the average cost per security incident), or the results of testing (e.g.,
annual testing of a sample of the workforce). Examples of metrics that might be used
for the four awareness goals presented above include:
Goal: The awareness program will improve employees’ ability to recognize and
report potential threats and vulnerabilities.
Metric: The number of security events as measured by the number of incident
reports.
What to expect: When an awareness program is first introduced, the expectation
is that the number of reported incidents will increase as employees become
more aware of potential threats, vulnerabilities, and the need to report. Over
time, the number of reported events should stabilize and decline as the security
environment is strengthened.
Goal: The awareness program will improve the level of compliance with company
physical and computer security controls.
Metric: The number of sanctions of individuals for failure to comply with
security policy.
Metric: The number of incidents resulting from employee action or inaction as
determined through incident analysis.
What to expect: The number of employees sanctioned for compliance failures
should decrease as the awareness program reaches more individuals. Similarly,
the awareness program should make individuals more diligent in performing
security-related responsibilities, thus resulting in a reduced number of incidents.
Goal: The awareness program will reduce the occurrence of security failures
resulting from employee action or inaction.
Metric: The number of incidents resulting from employee action or inaction as
determined through incident analysis.
Metric: The number of security incidents resulting from employee actions or
inactions declines over time as individuals recognize the importance of fulfilling
their security responsibilities.
Goal: The awareness program will reduce the severity of the security incidents
that do occur.
Metric: The cost per incident as determined through incident analysis.
What to expect: The cost per incident decreases as individuals react more
quickly to identify a potential security incident and take action to mitigate its
impact.
Two other issues should be addressed relative to an awareness program’s goals
and metrics. First, an awareness program seeks to make a behavioral change in the
workforce. Behavioral change takes time, so the metrics should have an established
time frame where management should expect to see performance improvement. The
time frame should be realistic (e.g., quarterly, semi-annual, annual), avoid immediate
impacts (e.g., “After a course on viruses, the number of virus incidents should decrease
within a week”) and avoid time frames that are too long (e.g., “The number of virus
incidents should decrease over the next five years”).
Second, solicit and use employee feedback. Employee feedback should be analyzed
because it provides indicators of the level of security awareness and the importance
employees ascribe to information security. Analysis of employee feedback could be
used to generate other performance metrics for an awareness program.
Automated metrics are useful to help measure changes in behavior.
Filtering software that monitors content (e.g., 9- or 16-digit strings of numbers
for Social Security numbers and credit card account numbers) or specifc words
can indicate how often people try to email this information;
Web statistics and firewall monitoring software can indicate how often people
visit or attempt to visit specific Websites, such as the security intranet page;
Helpdesk call log summaries can identify problems related to security issues; and
Performance appraisals, participation in contests, and results of quizzes are indicators of interest in security-related behaviors.
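The content-filtering metric listed above, read against a baseline as Section 49.7.1 recommends, as an added Python example (not code from the handbook): it scans constructed outbound-mail log lines for 9-digit and 16-digit number strings, uses a Luhn check and the SSA's unissued ranges to discard ticket and invoice numbers that merely look sensitive, counts flagged messages per quarter, and reports each quarter's change from the first (baseline) quarter. All addresses, dates and numbers in the log are constructed; the card-like values are public Visa test numbers or deliberately broken copies of them.

```python
"""Automated awareness metric from an outbound-mail content filter
(added example, not from the handbook): flag messages carrying a 9-digit
or 16-digit number string, tally them per quarter, compare with baseline."""
import re

# Constructed outbound-mail log: "<ISO date> <sender> <text excerpt>".
# Addresses and numbers are made up; the card-like numbers are public
# Visa test numbers or deliberately broken copies of them.
SAMPLE_LOG = """\
2013-01-14 alice@example.test please process SSN 123-45-6789 for onboarding
2013-02-03 bob@example.test card on file 4111 1111 1111 1111 exp 06/15
2013-02-20 carol@example.test ticket 0123456789 is still open
2013-03-11 dave@example.test customer SSN: 234567890
2013-04-02 alice@example.test order 4111111111111112 was charged twice
2013-05-19 erin@example.test SSN 321-54-9876 attached per request
2013-07-08 bob@example.test invoice 1234567890123456 attached
2013-08-23 carol@example.test sending 4012888888881881 to the vendor portal
2013-11-30 dave@example.test see the policy page on the security intranet
"""

# 9-digit strings, with or without the usual SSN hyphenation.
SSN_RE = re.compile(r"\b(\d{3})-?(\d{2})-?(\d{4})\b")
# 16 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects ticket and invoice numbers that merely
    happen to be 16 digits long."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ssn_plausible(area: str, group: str, serial: str) -> bool:
    """Rejects ranges the SSA never issues (area 000, 666 or 900-999,
    group 00, serial 0000) to cut obvious false positives."""
    a = int(area)
    return a not in (0, 666) and a < 900 and group != "00" and serial != "0000"


def scan_message(text: str) -> list[str]:
    """Kinds of sensitive number found in one message body."""
    hits = []
    for m in SSN_RE.finditer(text):
        if ssn_plausible(*m.groups()):
            hits.append("ssn")
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group(0))):
            hits.append("card")
    return hits


def quarter_of(iso_date: str) -> str:
    month = int(iso_date[5:7])
    return f"{iso_date[:4]}Q{(month - 1) // 3 + 1}"


def flagged_per_quarter(log: str) -> dict[str, int]:
    """Messages per quarter in which at least one sensitive number was
    found. A quarter with scanned mail but no hits is reported as 0."""
    counts: dict[str, int] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        date, _sender, body = line.split(" ", 2)
        quarter = quarter_of(date)
        counts.setdefault(quarter, 0)
        if scan_message(body):
            counts[quarter] += 1
    return counts


def trend_vs_baseline(counts: dict[str, int]) -> list[tuple[str, int, float]]:
    """Each quarter's count and its percentage change from the first
    (baseline) quarter, which is how the handbook says metrics are read."""
    baseline = next(iter(counts.values()))
    rows = []
    for quarter, n in counts.items():
        change = (n - baseline) / baseline * 100 if baseline else float("nan")
        rows.append((quarter, n, change))
    return rows


if __name__ == "__main__":
    for quarter, n, change in trend_vs_baseline(flagged_per_quarter(SAMPLE_LOG)):
        print(f"{quarter}: {n} flagged message(s), {change:+.0f}% vs. baseline")
```

The quarterly counts are the raw material for the time frames discussed below; a single quarter's drop proves little, which is why the trend is reported relative to the baseline rather than as an absolute.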
49.8 CONCLUDING REMARKS. Awareness among an organization’s staff is
vital to maintaining the integrity of data and systems. Although organizations often
view computer security as a technological problem and use sophisticated hardware
and software solutions to control access, detect potential security incidents, and prevent fraud, the reality is that computer security is as much a people problem as a
technological problem. End users are closer to potential problems; therefore, they
need to be aware of potential risks, threats, vulnerabilities, and their own security
responsibilities.
People are major contributors to the IT security problem, and they are also crucial to
its solution. People are perceptive and adaptive, and if trained and motivated to be aware,
they can be the strongest and most effective security countermeasure. Individuals often
are the first to detect security incidents. The actions they take or fail to take determine
the level of damage. An aware workforce often can compensate for deficiencies in
technical controls. The intent of the awareness program is to make recognition of and
reaction to security threats a reflexive behavior.
Awareness takes time. It also requires the organization to have an in-place information security policy, the support of the senior-level managers, and clear goals and plans
for achieving awareness. The importance of establishing measurable goals cannot be
overestimated and is critical to obtaining support and funding.
The goal of an awareness program is often to change attitudes and behaviors that
may be embedded in long-term procedures or habits. To effect awareness, the program
must appeal to the audience and be tailored to the workforce and to the technology
of the organization. The primary message of a security-awareness program should be
that security is everyone’s responsibility. Actions taken by end users make a significant
difference; thus, a well-trained and motivated workforce is a critical and necessary
security control.
49.9 GLOSSARY
Awareness—being conscious of what is going on around one; security awareness
specifically focuses attention on security. Security awareness is the individual’s
understanding that security is important and that everyone has a role in ensuring
the security of information and information technology.
Awareness campaign—the activities associated with conveying a specific awareness message (e.g., telling people “log off when away from your computer”).
Awareness program—the planned implementation and control of a mix of awareness activities over a period of time, with measurable goals and multiple topics.
An awareness program may encompass several campaigns.
Basics and literacy—a transitional stage between awareness and role-based training.
Education—the process of integrating all security skills and competencies into a
common body of knowledge, adding a multidisciplinary study of concepts,
issues, and principles.
End user (also computer user or user)—any person who uses an information
system.
Focus group—a small group of end users (or of individuals from the target audience) who review and discuss awareness activities, courses, products, and the
like, often under the guidance of an awareness material developer or training
specialist.
FUD factor—the effects of fear, uncertainty, and doubt (FUD).
Gamification—the concept of applying game-design thinking to nongame applications to make them more fun and engaging.
Malicious code (also malware)—hardware, software, or firmware that is intentionally included in a system for an unauthorized purpose (e.g., a Trojan horse).
Orientation briefing—a presentation that provides new employees, contractors, and
the like with basic security information and information on the organization’s
security policies and programs. Usually these presentations are conducted on
arrival or shortly thereafter.
Refresher—an awareness activity, such as a briefing, intended to reinforce and
update awareness of security controls and policies and to remind individuals
of their security responsibilities.
Role-based training—the process of producing relevant and needed security skills
and competency. Security awareness is the “what.” Role-based training is the
“how.”
Safe failure—the opportunity to learn from mistakes privately, such as with a
computer simulation or course.
Social engineering—social methods (e.g., threats, misrepresentations) that deceive
a victim so that the victim does what the attacker wants him or her to do. Often
the goal is to get the victim to provide private or sensitive information, such
as account numbers or passwords. An example of a social engineering attack
is the use of “phishing” emails.
Social marketing—an approach to security awareness using attraction and persuasion techniques designed to encourage a group of people to alter old ideas,
understand and accept new ideas, and value their new awareness enough to
change attitudes and take positive actions to improve IT security.
Target audience—a specified audience or demographic group for which a security-awareness message is designed.
Threat—anything that can potentially harm a system or its associated assets (hardware, software, data, operations). Threats may be man-made or natural occurrences. Awareness programs do little to address threats; instead, they seek to
reduce vulnerabilities.
Vulnerability—a weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, which could
be exploited by a threat to gain unauthorized access to information or disrupt critical processing. A goal of security-awareness programs is to reduce
behavior-related vulnerabilities.
49.10 NOTES
1. Katy Stech, “Burglary Triggers Medical Records Firm’s Collapse,” The Wall Street Journal, March 12, 2012, http://blogs.wsj.com/bankruptcy/2012/03/12/burglary-triggers-medical-records-firm%E2%80%99s-collapse
2. Ellis Smith, “BlueCross Burglary Could be Chattanooga’s Costliest Caper,” Times Free Press, March 13, 2012, http://timesfreepress.com/news/2012/mar/13/bluecross-burglary-could-be-citys-costliest
3. Alex Pham, “Sony Expects Much Wider Annual Loss,” Los Angeles Times, February 3, 2012, http://articles.latimes.com/2012/feb/03/business/la-fi-ct-sony-earns-20120203
4. Tony Busseri, “It’s Time to Take Cybersecurity Seriously,” Wired, March 12, 2012, www.wired.com/threatlevel/2012/03/opinion-busseri-cybersecurity
5. “Verizon 2012 Data Breach Investigations Report,” p. 2, www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf (url inactive).
6. Mark Wilson, Kevin Stine, and Pauline Bowen, “Information Security Training Requirements: A Role- and Performance-Based Model (Draft),” NIST Special Publication 800-16 Rev. 1 (Draft), March 2009, http://csrc.nist.gov/publications/drafts/800-16-rev1/Draft-SP800-16-Rev1.pdf
7. Wilson et al., “Information Security Training Requirements,” NIST Special Publication 800-16 Rev. 1 (Draft).
8. Wilson et al., “Information Security Training Requirements,” NIST Special Publication 800-16 Rev. 1 (Draft).
9. Ira Winkler, Zen and the Art of Information Security (Rockland: Syngress, 2007).
10. Mary Kirwan, “Education May Not Be Enough to Ensure Compliance,” The Globe and Mail, March 31, 2012, http://v1.theglobeandmail.com/servlet/story/RTGAM.20070911.WBsecurityblog20070911120000/WBStory/WBsecurityblog
11. WebCPA staff, “IRS Security Still Lax,” Accounting Today, Washington, D.C., August 6, 2007, www.accountingtoday.com/news/25009-1.html
12. Winkler, Zen and the Art of Information Security.
13. “Many Young Workers Are IT Rule-Breakers,” Harvard Business Review | The Daily Stat, January 10, 2012, http://web.hbr.org/email/archive/dailystat.php?date=011012
14. Jeffrey M. Stanton, Kathryn R. Stam, Paul Mastrangelo, and Jeffrey Jolton, “Analysis of End User Security Behaviors,” Computers & Security 24, no. 2 (March 2005): 124–133, www.sciencedirect.com/science/article/pii/S0167404804001841
15. Thomas Steward and Anand Raman, “Lessons from Toyota’s Long Drive, An Interview with Katsuaki Watanabe,” Harvard Business Review, July 2007, http://hbr.org/2007/07/lessons-from-toyotas-long-drive/ar/1
16. John Caddell, “How to Bounce Back from a Big Mistake,” 99U, approximately November 2011, http://99u.com/articles/7089/how-to-bounce-back-from-a-big-mistake
17. D. Verton, “Federal Agency Faces Judicial Ultimatum,” Computerworld, 2002, www.computerworld.com/securitytopics/security/story/0,10801,69937,00.html
18. María Cristina Caballero, “Academic Turns City into a Social Experiment: Mayor Mockus of Bogotá and His Spectacularly Applied Theory,” Harvard University Gazette, March 11, 2004, www.news.harvard.edu/gazette/2004/03.11/01-mockus.html
19. M. E. Kabay, “The Net Present Value of Information Security: A Paradigm Shift for INFOSEC and E-commerce,” 2006, www.mekabay.com/infosecmgmt/npvsec.pdf
20. Additional note: See also Chapter 50, “Using Social Psychology to Implement Security Policies.”
21. The Federal Information Security Management Act of 2002, Section 3544, “Federal Agency Responsibilities,” http://csrc.nist.gov/drivers/documents/FISMA-final.pdf
22. See Chapter 64, “U.S. Legal and Regulatory Security Issues.”
23. Dan Heath and Chip Heath, Made to Stick (New York: Random House, 2007).
24. C. Heath and D. Heath, “The Curse of Knowledge,” Harvard Business Review, December 2006, http://hbr.org/2006/12/the-curse-of-knowledge/ar/1
25. Donna Mattick, personal correspondence, March 2012.
26. John Tierney and Roy Baumeister, Willpower: Rediscovering the Greatest Human Strength (The Penguin Press HC, 2011).
27. V. Basili, G. Caldiera, and H. D. Rombach, “The Goal Question Metric Approach,” Encyclopedia of Software Engineering (New York: John Wiley & Sons, 1994), 528–532, www.cs.umd.edu/~basili/publications/technical/T87.pdf (url inactive).
28. Mark Wilson and Joan Hash, “Building an Information Technology Security Awareness and Training Program,” NIST SP 800-50, October 2003, http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
29. K. Sanders, “Bears in Your Backyard? Guidelines for Bear-Proofing Your Property, and Living with Bears,” 2000, www.yellowstone-bearman.com/B_housesafe.html
30. Rebecca Herold, Managing an Information Security and Privacy Awareness and Training Program, 2nd ed. (CRC Press, 2011).
31. K. Hall and the SE SIG Steering Committee, “A System for Gaining Management Support for Your Safeguards and Security Awareness Program,” 2002, www.orau.gov/se/Products/SE%20SIG%20Gaining%20Mgmt%20Support.doc
32. Wilson et al., “Information Security Training Requirements,” NIST Special Publication 800-16 Rev. 1 (Draft).
33. Antoine de Saint-Exupéry, The Wisdom of the Sands (Amereon Ltd., October 2003).
34. John Medina, Brain Rules (Pear Press, 2008).
35. Medina, Brain Rules.
36. Reif Larson, “This Chart Is a Lonely Hunter: The Narrative Eros of the Infographic,” The Millions, February 7, 2012, www.themillions.com/2012/02/this-chart-is-a-lonely-hunter-the-narrative-eros-of-the-infographic.html
37. Larson, “This Chart Is a Lonely Hunter.”
38. Brenda Oldfield, “Game-Changing Technologies for Cybersecurity Awareness and Training” (presentation, FISSEA Conference, Gaithersburg, MD, March 29, 2012).
39. Chris Anderson, “How Web Video Powers Global Innovation,” Technology, Entertainment, Design (TED) Talks, TEDGlobal 2010, filmed July 2010, posted September 2010, www.ted.com/talks/chris_anderson_how_web_video_powers_global_innovation.html
40. Anderson, “How Web Video Powers Global Innovation.”
41. Chip Heath and Dan Heath, The Myth of the Garage (Crown Business, 2011).
42. Winifred Gallagher, New: Understanding Our Need for Novelty and Change (Penguin Press HC, 2011).
43. Maria Popova, “Network: The Secret Life of Your Personal Data,” January 10, 2012, www.brainpickings.org/index.php/2012/01/10/network-michael-rigley/ (contains the embedded video “Network,” by Michael Rigley).
44. Caballero, “Academic Turns City into a Social Experiment.”
45. Heath and Heath, Made to Stick.
46. Elisabeth Freeman and Eric Freeman, Head First HTML with CSS & XHTML (O’Reilly Media, 2005).
47. Ruth Colvin Clark and Richard E. Mayer, eLearning and the Science of Instruction (San Francisco: Pfeiffer, 2003).
48. Freeman and Freeman, Head First HTML.
49. Roger C. Schank, Lessons in Learning, e-Learning, and Training: Perspectives and Guidance for the Enlightened Trainer (Pfeiffer, 2005).
50. Native Intelligence, Poster 153A, www.nativeintelligence.com/ni-posters/posters.asp
51. Native Intelligence, Poster 115, www.nativeintelligence.com/ni-posters/posters.asp
52. Andrew Stanton, “The Clues to a Great Story,” Technology, Entertainment, Design (TED) Talks, TED2012, filmed February 2012, posted March 2012, www.ted.com/talks/andrew_stanton_the_clues_to_a_great_story.html
53. Gerald Weinberg, Weinberg on Writing: The Fieldstone Method (Dorset House, 2005).
54. INFOWAR: The Nexus of Technology and Security in Cyberspace, www.infowar.com
55. Chris Bliss, “Comedy Is Translation,” Technology, Entertainment, Design (TED) Talks, TEDx Talk, www.ted.com/talks/chris_bliss_comedy_is_translation.html
56. Bliss, “Comedy Is Translation.”
57. Robert B. Cialdini, Noah J. Goldstein, and Steve Martin, Yes!: 50 Scientifically Proven Ways to Be Persuasive (Free Press, 2009).
58. R. B. Cialdini, Influence: The Psychology of Persuasion (HarperBusiness, 2006).
59. M. E. Kabay, “Applying the Science of Persuasion to Security Awareness,” Network World Security Strategies Newsletters, 2009, www.mekabay.com/nwss/725_applying_the_science_of_persuasion_to_security_awareness.pdf
60. W3C, “Accessibility,” 2012, www.w3.org/standards/webdesign/accessibility
61. Rudolph Flesch, The Art of Readable Writing (Wiley, 1994).
62. Robert Gunning, The Technique of Clear Writing (McGraw-Hill, 1952).
63. Carnegie Mellon University Information Networking Institute (INI), “Confronting One-Click Fraud in Japan,” www.ini.cmu.edu/news/features/one-click.html
64. Gwern.net, “Spaced Repetition,” March 12, 2012, www.gwern.net/Spaced%20repetition
65. J. J. Donovan and D. J. Radosevich, “A Meta-analytic Review of the Distribution of Practice Effect: Now You See It, Now You Don’t,” Journal of Applied Psychology 84, no. 5 (1999): 795–805.
66. M. E. Kabay, “CAC: Computer-Aided Consensus™,” 2009, www.mekabay.com/methodology/cac_ppt.zip
67. Mark Bonchek, “How Top Brands Pull Customers into Orbit,” Harvard Business Review | Blogs, March 5, 2012, http://blogs.hbr.org/cs/2012/03/how_top_brands_pull_customers.html
68. PentaSafe, “Security Awareness Index Report: Worldwide State of Security Awareness,” 2002.
69. James Habyarimana and William Jack, “Heckle and Chide: Results of a Randomized Road Safety Intervention in Kenya,” Center for Global Development, Working Paper No. 169, April 2009, http://www.cgdev.org/files/1421541_file_Habyarimana_Jack_Heckle_FINAL.pdf
70. The European Network and Information Security Agency (ENISA), “Information Security Awareness Initiatives: Current Practice and the Measurement of Success,” www.enisa.europa.eu/doc/pdf/deliverables/enisa_measuring_awareness.pdf
71. Jan Hoffman, “Speak Up? Raise Your Hand? That May No Longer Be Necessary,” The New York Times, March 30, 2012, www.nytimes.com/2012/03/31/us/clickers-offer-instant-interactions-in-more-venues.html
72. Aaron Ferguson, “Fostering E-Mail Security Awareness: The West Point Carronade,” EDUCAUSE, 2004, www.educause.edu/ir/library/pdf/EQM0517.pdf
73. United States Secret Service, “Fiscal Year 2011 Annual Report,” 2011, p. 40, www.secretservice.gov/USSS_FY2011AR.pdf
74. C. Coonradt, The Game of Work (Park City, 1997).
75. Herold, Managing an Information Security and Privacy Awareness and Training Program.
76. Human Library Website, 2012, http://humanlibrary.org
77. Sylvia Ann Hewlett, “Strengthen Your Workforce Through Volunteer Programs,” Harvard Business Review | Blogs, March 5, 2012, http://blogs.hbr.org/hbr/hewlett/2012/03/strengthen_your_workforce_thro.html
78. Deloitte Website, “2011 Deloitte Volunteer Impact Survey,” 2011, www.deloitte.com/view/en_US/us/About/Community-Involvement/volunteerism/impactday/f98eec97e6650310VgnVCM2000001b56f00aRCRD.htm
79. Sylvia Ann Hewlett, “Strengthen Your Workforce Through Volunteer Programs,” 2012, http://blogs.hbr.org/hbr/hewlett/2012/03/strengthen_your_workforce_thro.html
80. Information Systems Audit and Control Association (ISACA), “COBIT 5: A Business Framework for the Governance and Management of Enterprise IT,” ISACA Website, 2012, www.isaca.org/COBIT/Pages/default.aspx
81. National Institute of Standards and Technology (NIST), “FISMA FAQs,” NIST Website, 2012, http://csrc.nist.gov/groups/SMA/fisma/faqs.html
82. National Institute of Standards and Technology (NIST), “The Federal Information Technology Security Assessment Framework,” 2000, http://csrc.nist.gov/drivers/documents/Federal-IT-Security-Assessment-Framework.pdf
83. Bureau of Consumer Protection, “Gramm-Leach-Bliley Act,” 2012, http://business.ftc.gov/privacy-and-security/gramm-leach-bliley-act
84. U.S. Department of Health & Human Services, “Health Information Privacy,” 2012, www.hhs.gov/ocr/privacy
85. ISO/IEC 27002:2005, “Information Technology—Security Techniques—Code of Practice for Information Security Management,” 2005, www.iso.org/iso/home/store/catalogue_ics/catalogue_detail_ics.htm?csnumber=50297
86. E. Chew, M. Swanson, K. Stine, N. Bartol, A. Brown, and W. Robinson, “Performance Measurement Guide for Information Security,” NIST SP 800-55, rev. 1, 2008, http://csrc.nist.gov/publications/nistpubs/800-55-Rev1/SP800-55-rev1.pdf
87. VISA Data Security Bulletin, “Visa PCI DSS Compliance Validation Framework,” 2008, http://usa.visa.com/download/merchants/cisp-bulletin-visa-pci-dss-framework-111808.pdf
88. SANS, “Standards,” SANS | Reading Room, 2012, www.sans.org/reading_room/whitepapers/standards
89. U.S. Securities and Exchange Commission, “The Laws That Govern the Securities Industry,” U.S. SEC Website, 2012, www.sec.gov/about/laws.shtml