Security Consciousness Raising

Saturday, February 06, 2010

Bill Wildprett, CISSP, CISA



I’ve been thinking about Security Awareness and different ways of teaching it as a mindset.  We infosec folks think about it all the time, cultivating it as part of our general focus on situational awareness; the general public, corporate and government leaders, SMBs – not as much, perhaps.

It’s only when some epic breach like TJX, Heartland, or the recent Google hacks happens that most people go ‘Huh?’  Security people channel their inner Homer Simpson and go ‘D’Oh!’

I’m sure other security professionals have thought about how security in general was approached and taught so effectively during World War II; citizens were reminded in public places that ‘Loose Lips Sink Ships’ and that ‘Careless Talk’ cost lives.

So, if we were going to use this approach today, what would we say?  What would resonate and be graphically memorable?

  • Lost Laptop – Work Stop
  • Data Breach – Painful Teach
  • DLP Works for Me!
  • Stolen Data in Motion, Crosses the Ocean

What would you suggest, dear reader, to teach staff to lock desktops when they’re away from their office?  Or to not store unencrypted corporate data on USB drives, laptops, netbooks, PDAs, etc.?

The posters above are courtesy of the New Hampshire State Library and Eyewitness to History.  The latter site has an excellent list on how to safeguard information from the enemy, the Ten Prohibited Subjects and more.

Are pithy slogans and eye-catching graphics enough?  Do we need Quentin Tarantino to make a movie?  I’m re-reading NIST SP 800-50 and thinking about this more.  There are all sorts of posters out there too:

In fact, it’s a niche industry!  But how effective are posters at increasing lasting security awareness with true stickability?  Some very interesting insights and research were assembled by Ross Anderson and mentioned on the ISC2.org blog on 11/15/09, in a post titled ‘Psych and sec’.  These papers and articles on psychology, behavioral economics, social attitudes towards risk, security usability, and more remind us of the academic contributions other disciplines bring to security awareness.

What do you think?  Do security posters work in your organization?  Is there enough user-centered design in security mechanisms, or not enough?

I read a great post by Will Irace on the Cassandra Security site, and I agree with him: it’s all about trusting people and educating/training them to do the ‘right thing’, and explaining why.

Later friends…

Bill Wildprett

Copyright 2010; Suspicious Minds blog: http://suspiciousminds.wordpress.com/

Comment from Anthony M. Freed:

There must be education, awareness and monitoring for successful DLP.

Education must be comprehensive, and awareness efforts could definitely employ posters - why not?

But ultimately it comes down to monitoring of network systems for unapproved software, vulnerabilities, and poor DLP practices.

The breach of Marine One avionics - which turned up on an Iranian website - was due to an employee using a P2P file sharing program to rip some tunes.

One bonehead lapse in judgment undid probably millions of dollars in security - and that download could have been blocked before it ever hit their servers.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
