ENISA’s report on security awareness documents current practice in Europe and provides guidance on the measurement of awareness programs.
Australian Business Training delivers emotional intelligence training strategies to improve the attitude, motivation and results of change management, leadership training, management training, sales training and team building programs. ‘Emotional intelligence’ is a fascinating concept, quite distinct from IQ and cleverness. It’s all about relating to people, empathizing and motivating, in other words core concepts in security awareness ... and social engineering.

WhatsYourISQ (Information Security Quotient) is the site for an interesting new online awareness product from First Legion Consulting.

“Security isn’t only about protecting your network from external threats; it’s also about protecting against threats from within. The first step to security is awareness; therefore, it’s important that all your employees know not only the potential threats but also how to recognize and prevent such threats. Education and awareness empowers each employee with the knowledge of his role in protecting the organization’s network. This, in turn, will go a long way toward mitigating risk.” So says Doug Schweitzer in an editorial in Processor magazine.

Information Protection Made Easy: A guide for employees and contractors is a security awareness book by David Lineman (~$10 from Information Shield). In just 96 pages, it covers the basics of information security with an emphasis on its relevance to individual employees. Chapter titles are: Desktop and Personal Data Security • Electronic Records • Secure Web Browsing • Protecting Customer Privacy • Email and Instant Messaging Security • Compliance with Laws and Regulations • Handling Confidential Information • Employee right to privacy • Managing Passwords • Corporate governance.

The Definitive Guide to Security Inside the Perimeter is a ‘free’ 200+ page eBook by Rebecca Herold (free except that you need to provide an email address and other information to the publisher and sponsor). It explains the security risks arising from insiders working within the organization, and outlines a broad range of controls. Security awareness and training are mentioned frequently, as you might expect.

EDUCAUSE is a nonprofit association working “to advance higher education by promoting the intelligent use of information technology.” They have a particular interest in information security awareness and have a number of activities to promote security awareness in education. The results of an EDUCAUSE/Internet2 Computer and Network Security Task Force and National Cyber Security Alliance contest for computer awareness videos will be used in campus security awareness campaigns and efforts, and are available for noncommercial use from their website.

Persuading users to become more security-conscious may involve scaring them about the consequences of not being secure, according to a piece in ComputerWorld. Fear, anger and distrust are powerful motivators, it claims. [Fair enough, but this is certainly not the only way! It is generally acknowledged that FUD (Fear, Uncertainty and Doubt) has short-term effects but people quickly become resistant and eventually immune to the FUD-mongers. Think back for a moment: who had the greatest long-term impact on you - your schoolteachers who cracked the whip and insisted on parrot-fashion learning by rote, or those who interested, intrigued and motivated you?]

CERT’s Virtual Training Environment provides online access to mini courses on a variety of information security topics. The knowledge library is produced by Carnegie Mellon University’s renowned Software Engineering Institute.

An editorial in Processor Magazine outlines some of the security risks facing SMEs as a result of blogging, along with some tips to address them.

Building a security awareness program - addressing the threats from within is a succinct piece by Gideon Rasmussen with a few tips on getting your program off the ground. Gideon has also written a piece on balancing risk against cost.

If you think you might like to run a security awareness program but are not sure where to start, take a look at our Seven steps to security awareness white paper and others in the freebies section of this website for inspiration.

The UK Home Office sponsored Think U know website advises children on safe surfing. The animated cartoon graphics and games are leagues away from the usual sage-but-rather-stuffy advice aimed at parents but stand a much better chance of engaging with their target audience: pre-teenage children. Security awareness materials for ‘young people’ typically have more text but at least make an effort to include some bright graphics and the odd bit of teenage lingo. Take a look - think - enjoy! Consider the implications in terms of reaching your target audiences with your own security awareness materials. Will an average 8-year-old understand “Respect your friends’ privacy” (#3 on the chat guide at Think U know)? Would the average adult employee, for that matter?

A somewhat tongue-in-cheek diary/blog by a typical if fictional information security manager shows how security awareness is constantly pushed to the bottom of the in-tray.

An obvious place to offer security awareness materials is at the water cooler - maybe a ‘security corner’?

Sound advice on designing an effective corporate security awareness program mentions many of the features of NoticeBored, e.g. gain executive buy-in, work with allies, speak to your audience in familiar terms, walk-the-talk, make it fun and so forth.

Measuring security awareness is not the same as measuring security. Being intangible makes it even more difficult to find meaningful metrics and objective indicators. Advice and tips on performance measurement from Stacey Barr may give you some good ideas.

General end-user information security controls are also mentioned in a presentation by Virginia Tech. The university has amassed a growing collection of security awareness materials.

A collection of end-user educational presentations about IT topics includes topics such as “viruses, cookies and spam”.

Security Stats republished a variety of surveys and statistics on information security but unfortunately appears somewhat out-of-date. Shame. This would have been a useful resource to help justify security awareness and other controls.

If you have questions or comments about security awareness in general, check out the security-awareness group on Yahoo. This email forum is partially moderated - spammers are ejected and the signal-to-noise ratio is pretty good.

“Organized crime is turning to the weakest element in the chain, which is the people. It’s the hands on the keyboard on either end of the transaction that is the actual weak point,” said Detective Chief Superintendent Len Hynds, head of the UK National Hi-Tech Crime Unit (NHTCU), as reported by Wired.

“Arguably the biggest source of security breaches has nothing to do with installing and managing technology. The greatest weakness in the corporate security infrastructure is us.” So said a report into network security by AT&T and the Economist Intelligence Unit.

“No amount of technology will be successful in protecting an organisation if employees are naive, poorly trained or are not made aware of the impact of security violations,” said Tamar Beck, director of Infosecurity Europe. The survey revealed limited awareness of information security by senior executives.

The very first guideline in the OECD Guidelines for the Security of Information Systems and Networks relates to security awareness.

In a survey of UK managers by Integralis, 80% of respondents rated security awareness in their firms as low to medium. Dreadful! Not only is the lack of awareness a missed opportunity, the respondents clearly recognize it yet have not been able to address and resolve the issue. Why the blind-spot, we wonder?

The Society for the Policing of Cyberspace is a Canadian not-for-profit organization dedicated to raising awareness of information security amongst the general population. They hold meetings and present awards for security awareness posters created as school projects.

A review of Tim Layton’s book Information security awareness - the psychology behind the technology is available elsewhere on this site. If you are looking for a book on security awareness, specifically, you may be tempted to buy Building an Information Security Awareness Program by Mark B. Desman, published by Auerbach (~$62 from Amazon), but look carefully through the reviews and consider Rebecca Herold’s book on security awareness before you part with your money.

Social networking & social media

Social networks have their uses for security purposes. Is it feasible to ban social networking in the workplace?

A Facebook compromise that led to someone’s friend being duped out of a thousand Australian dollars might be used to generate yet another awareness case study on this topic - we’re spoilt for choice this month!

As well as the personal privacy issues for individuals, Facebook, Twitter and the like are a useful source of information for corporate hackers and social engineers.

Obama warns teens against disclosing personal information online that they may later regret.

A new site providing privacy and other security advice to the users of social media has grand plans: let’s hope it delivers on the promise.

A general article on various social networking security issues, for instance the possibility of malware infection through add-on applications for social networking sites, or even infected applications that claim to remove other viruses.

There are real dangers associated with cloud computing.

One blogger’s advice to women on using social media actually applies equally to men.

An ENISA report on security aspects of social media.

A whizzy promotional video expounds on the explosive growth of social media.

Guidelines for the use of social networking media and systems.

Notes on social networking, albeit with little analysis.

Here’s a guide to Facebook privacy settings, mostly little known and barely used. Another here. Check out also the official Facebook privacy principles and help that contributed to Facebook being rated by Americans as one of the most trusted companies.

Hollywood is using social networking.

Using Twitter even has physical security implications. Find out why Twitter is not the Information Security Management Handbook. Are you giving away information on Twitter without even thinking about it?

A short video on social networking risks.

After Ontario's information and privacy commissioner spoke out, Facebook responded.

Twubble with Twitters: SuperNews! is a cartoon video depicting the incessant fascination with microblogging that afflicts some

A video on Flickr led to the prosecution of a self-confessed off-season duck shooter. Doh!

This blogging manifesto is, in effect, a succinct security policy with guidance on blogging in a corporate environment. There is more explicit advice on writing such policies here.

An interesting self-referential example of someone using social media to promote a book ... on social media.

Social networking is social, and that means public.

Facebook accounts have been hacked using login credentials stolen from another social networking website, a dating site, demonstrating yet again that it’s not A Good Idea to use the same credentials on multiple sites. Let me repeat that: don't use the same password on all your online accounts.

Social networks have been used for a new “friend” version of the old Spanish Prisoner/419 scam.
Copyright © 2012 IsecT Ltd.