I am responsible for deploying information security across our IT
infrastructure. How do I explain the importance of security, especially in terms of social
engineering, to users of the systems that aren't technical at all? I also need to launch an
awareness campaign, and it would be great if you could help me with some ideas! Thank you.
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
The importance of the security function should be mandated from top down (from Executive
Management on down) through everyday practice with security policies, procedures and technical
controls. You already know from being in the field, security is a hard sell. Users see our role as
adversarial; management sees our role as a non-revenue generator. Truth is, the function is
neither. Our mission within an organization is simply to protect the assets of the organization in
the most appropriate method available. Regarding your question on launching a security
awareness campaign: One of the biggest challenges you face is that you will be attempting to
modify adult behavior, which elicits resistance. This, coupled with the subject matter, will
present new and interesting challenges for you. Overall, the principles of developing a security
awareness campaign are relatively simple:
[1] Base your program on your security policies, procedures and technical controls.
[2] Make the user awareness program personal, and develop it toward the user's ability level. I would recommend using a two-level approach: First, focus on acquainting the user community with the security function ("brand identification"). Even if the individuals do not have day-to-day contact with computing systems, they can be sensitized to the security function. Incorporate the program into the individual's daily routines by providing non-participatory, non-structured and non-threatening reminders. Try give-aways (pencils, pens, sticky notes, etc.), videos, newsletters, posters, security fairs. Employee security briefings also work well here. You will first need to develop a security user and security manager manual designed for your organization. The second phase should bring an understanding of security principles through active and structured participation in computer-based and instructor-led security training. Your objectives in this phase will be to promote an understanding of security principles and terminology, personal responsibility in security, positive behavioral change and consistency and accountability in security. If appropriate, you might want to enhance the program to include a phase for data owners and data guardians, to ensure they know and understand what they are responsible for and a phase for decentralized security personnel if they are used at your site. If you require ready-made posters, news bulletins, computer-based training programs, etc., there is an abundance of companies that specialize in security awareness programs.
[1] Base your program on your security policies, procedures and technical controls.
[2] Make the user awareness program personal, and develop it toward the user's ability level. I would recommend using a two-level approach: First, focus on acquainting the user community with the security function ("brand identification"). Even if the individuals do not have day-to-day contact with computing systems, they can be sensitized to the security function. Incorporate the program into the individual's daily routines by providing non-participatory, non-structured and non-threatening reminders. Try give-aways (pencils, pens, sticky notes, etc.), videos, newsletters, posters, security fairs. Employee security briefings also work well here. You will first need to develop a security user and security manager manual designed for your organization. The second phase should bring an understanding of security principles through active and structured participation in computer-based and instructor-led security training. Your objectives in this phase will be to promote an understanding of security principles and terminology, personal responsibility in security, positive behavioral change and consistency and accountability in security. If appropriate, you might want to enhance the program to include a phase for data owners and data guardians, to ensure they know and understand what they are responsible for and a phase for decentralized security personnel if they are used at your site. If you require ready-made posters, news bulletins, computer-based training programs, etc., there is an abundance of companies that specialize in security awareness programs.
This was first published in April 2001