I need help identifying the ingredients of a successful National Cyber Security Awareness Program. What would you include?
Answers (12)
John N.
Owner, SiteTruth
Amit Yoran at Homeland Security had it right. Look him up.
Symantec offers a super Security Awareness training program for the basic end-user training required for PCI, SOX or other compliance. A great best practice in general for any organization. The link below gives some details. They offer it either online or you can get the software and host it in-house. List price is $49/license (user), but if you have a good reseller they can usually score it for you at around $18/seat if you have a couple hundred users or more in your organization.
http://www.symantec.com/business/training/theme.jsp?themeid=ssap
Education and Awareness would be two ingredients that should be right at the top of that list. End users should be taught issues like what happens if a laptop or backup tape goes missing, and what steps they can take to prevent that from happening, with a daily or weekly reminder. Bean counters should be brought into the process on why security is a long-term value for the organization, not an expense. Given the recent spate (or the last 10 years) of news articles, it just boggles the mind why more companies don't encrypt information on computers or backups.
One issue that has always puzzled me is why National Computer Security Day is celebrated only once a year? As corny as it sounds, every day should be National Computer Security Day!
Educate on all the entities and objects that make up a "cyber" network: the people on the inside, the applications used on the inside and served to the outside, the devices and data on the outside and inside. I think you can put many of these items in a security awareness program, but if you don't educate the users as to the risks and consequences (per management) of what the users' responsibilities are, then your program is null. Just my two cents.
Manjunath M.
Experienced in mentoring, policy making, protocol review, and information security research
Since the question is about "Awareness", i.e. the state of being conscious about "Cyber Security", ideally the approach should be to reach as many people as possible (to the largest possible extent). The message should be informative and attractive so that people take the time to read why it is important.
More emphasis on personal/individual use than on organizational policies would mean more to a larger audience. The message for policy makers should be made bold and clear.
Use the best means to spread the message. If you wanted me to go in technical details, please ask.
Thank you.
Clarification added July 22, 2008:
A National Cyber Security policy should have safety measures and resources for all internet users, discussing common traps and myths relating to internet usage.
So as not to confuse an average user with lots of terminology, the awareness program should discuss how users might get exploited.
Clarification added July 22, 2008:
Furthermore, it should utilize the best practices for securing one's information, for example the nine commandments as described by Carnegie Mellon.
1. Install and use antivirus programs
2. Keep your system patched
3. Use care when reading email with attachments
4. Install and use a software firewall program
5. Install and use a hardware firewall
6. Make backups for important files and folders
7. Use strong passwords
8. Use care when downloading and installing programs
9. Install and use a file encryption program and access control
This is an end-user, citizen awareness program, correct?
I'd start with a thin layer of awareness meant to educate users on how they can better protect themselves and the infrastructure, and teach them where to go to follow-up with more detailed information.
For my money, of all the trainings I've seen done with end users in mind, I've never seen one that teaches them how to create a decent password: teaching them to use passphrases and mnemonics to create longer, more complex passwords rather than the standard 'password123'.
A simple session that explains how trivial passwords can wreck their identity, combined with some overview of how poorly patched OSs and applications or improperly deployed wireless routers contribute to not only their own insecurity but to that of the Internet as a whole would be a great start.
Describing the problem, illustrating the need for diligence, and then directing the users towards resources that can help them after the training would be a great start IMO.
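As an added illustration of the password point in the answer above (this code is not part of the original thread), the following Python estimates how much guessing work a password or passphrase represents and rejects values found in a constructed sample of breached passwords. The 64-word list, the common-password set and the 60-bit threshold are assumptions for demonstration only; a real session would load a full Diceware-style list (for example the 7776-word EFF list) and a breached-password corpus.

```python
"""Password and passphrase strength estimates for an awareness session.

Added example, not code from the original thread.  The word list, the
common-password set and the 60-bit threshold are constructed assumptions.
"""
import math
import secrets

# Constructed 64-word list.  Each word from a list of N entries contributes
# log2(N) bits, so a list this small exists only to make that point visible.
WORDLIST = """
acid alpha amber anchor apple arrow atlas badge baker basil beach bell
bison blade blaze bloom board bolt brick brook cabin cable camel candle
canyon cargo cedar chalk chess cider cliff clock cloud cobra comet coral
crane crest delta diner dune eagle ember fable falcon fern flint forge
frost gavel ghost glade globe grove harbor hazel heron ivory jade kayak
kiln lemon lotus maple
""".split()

# Constructed stand-in for a breached-password corpus.
COMMON_PASSWORDS = {
    "password", "password123", "123456", "12345678", "qwerty", "letmein",
    "welcome1", "admin", "iloveyou", "monkey",
}

SYMBOLS = 33  # printable ASCII characters that are not letters or digits


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover for a character-level search."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size


def brute_force_entropy_bits(pw: str) -> float:
    """Naive estimate: length * log2(alphabet).  It overstates the strength of
    anything an attacker can reach from a dictionary or a breached list."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def passphrase_entropy_bits(n_words: int, wordlist_len: int) -> float:
    """Honest bound for a passphrase when the attacker knows the word list."""
    return n_words * math.log2(wordlist_len)


def generate_passphrase(n_words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    # secrets, never random: the generator itself must be unpredictable.
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def assess(pw: str, wordlist=WORDLIST, sep: str = "-", minimum_bits: float = 60.0) -> dict:
    """Reject breached values (with or without a trailing digit/'!' suffix),
    then report the smaller of the character-level and word-level estimates."""
    low = pw.lower()
    if low in COMMON_PASSWORDS or low.rstrip("0123456789!") in COMMON_PASSWORDS:
        return {"common": True, "bits": 0.0, "verdict": "reject: in breached-password list"}
    bits = brute_force_entropy_bits(pw)
    words = low.split(sep)
    if len(words) > 1 and all(w in set(wordlist) for w in words):
        bits = min(bits, passphrase_entropy_bits(len(words), len(wordlist)))
    return {"common": False, "bits": round(bits, 1),
            "verdict": "ok" if bits >= minimum_bits else "weak"}


if __name__ == "__main__":
    for candidate in ("password123", "Password2024", generate_passphrase(6)):
        print(candidate, assess(candidate))
    print("6 words from a 7776-word list:",
          round(passphrase_entropy_bits(6, 7776), 1), "bits")
```

The point for a training session: 'password123' scores about 57 bits by the naive character-level formula yet is rejected outright because it is in the breached list, while a six-word phrase drawn from the tiny 64-word list above gets only 36 bits (the attacker knows the list), and the same six words from a 7776-word list give about 77.5 bits. Entropy comes from the number and size of the random choices, not from how complicated the result looks; the naive estimator also cannot see substitution patterns such as l33t spellings, which is why the breached-list check comes first.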
Felix P. N.
Certified Security Consultant
JC,
I will take a shot at responding to most of your questions since you think I can add value. But the real guru in the field, who is my business associate on the topic, is Robert J. Bagnall, CEO & Pres of Maverick Security (202-302-1900). He is my go-to guy on the topic and the best presenter going on the subject matter. Maverick would be a great presentation to have (www.maverick-security.com).
Bob's 7 Habits of Highly Effective Businesses is an entire stand-alone presentation.
I would recommend the following topics in no particular order:
1. Cyber - Threat Risks
2. The Worldwide Digital Threat
3. Technology and the criminal threat
4. Cyber Security and the Corporate Security Role
5. Outsourcing and Global Risks
As for last year's conference, I thought the presenters provided an overview but not enough to cause the attendees to go home with an action plan. They were all good in their fields and did a good job presenting.
All in all, I think we should consider allowing the keynote presenter 60-75 minutes and all others up to 45 minutes. We should strive to reduce the number of presenters so as to allow for quality presentations.
I think each presenter might want to consider using speaking objectives for the attendees to use as a presentation point.
Take a look at www.cybersecurity.my; they have some good incentives, for example Emergency Response, Digital Forensics, Security Assurance, Security Management and Best Practices, Strategic Policy Research, and Training and Outreach. Let me know if you need an intro to their CEO.
Joe,
This would be a great group to start with http://www.csialliance.org/.
Regards,
Bob
Dave C.
CISO & Assistant Commissioner / Network Technology Services at New York City Department of Health and Mental Hygiene
Hi Joe,
I've read the recommendations from others. There are good suggestions, but I am not sure they addressed your question. Your question asks for the ingredients of a successful security awareness program, not which security topics you should cover within the program or who is offering a security awareness program. Therefore, let me try to address your question.
One of my responsibilities is to provide a security awareness program for a company with over 22K employees. I have found that you cannot have a one-size-fits-all program. The first thing you need to do is identify your target audience. You can break this into the following groups:
• Professional / Technical Users
• IT Managers
• Corporate Executives
• Senior Executives and Board of Directors
• General Users
Next, you have to determine the method to reach the audience you have targeted. The following are a few options available to you:
• Email / Newsletter
• Presentations (In person / Webcast)
• Interactive (Games or CBT)
• Compliance (Testing, Survey, or Self Assessment)
The key in any program is to remember that your audience will be spending time participating in your program. They are not there for you; you are providing a service to your audience. Therefore, you must answer their question of "What is in it for me?" Is it to:
• Learn about Information Security
• Protect their own or company assets
• Network with peers
• Validate what they already know
In addition, an awareness program cannot be a one-shot deal. It must be conducted like a marketing or advertising campaign, where you have an extravagant kickoff meeting followed by constant reminders or calls to action.
I hope this addresses your question. You know how to reach me offline. Please contact me if you would like to discuss this topic further.
Dave Chen, CISSP
Ken R.
Senior Systems Manager at AT&T - Midrange Operational Security and Compliance Team.
The problem with most awareness programs is that security is seen as something that "blocks" what you want to do. Anything that would be successful must address "What is in it for me?" for every participant.
Cyber and IT security is not at the core of most of what happens in IT. Many security products (including those from almost all "trusted" security vendors) actually create additional security risk because application security is not built into the application.
So, if you can't instill appropriate awareness into the developers of security tools, how can you expect a national program to be effective?
Also, even among cyber security professionals, there are issues with how to implement security and what is acceptable.