Page 1:

April 3-5, 2005

Security Awareness Programs - Can One Size Fit All?

Michael G. Carr, JD, CISSP
Information Security Officer, University of Nebraska
mcarr@nebraska.edu

Barbara J. Hoskins, Ed.D.
Asst. Dean, College of Health, Education & Human Development, Clemson University
[email protected]

2005 © Univ of Nebraska & Clemson Univ, unless noted

Page 2:

2005 © Mike Carr (University of Nebraska) & Dr. Barbara Hoskins (Clemson University).

Unless noted, this work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Page 3:

Agenda/Format
• InfoSec Facts
• Awareness Program History
• Food for thought, recommendations

Source: 2004 AOL & NCSA Survey

Page 4:

Citibank commercial on Identity Theft (removed for copyright reasons)

© 2003 Citibank, N.A. Used with permission

Page 5:

We’ve all seen the commercials…

We’ve all read the headlines…

“Zombies, Bots and Botnets – Computer Attacks on the Rise”

“1 in 12 e-mail messages contains 'Mydoom' worm”

Page 6:

We’ve all pointed to hacking incidents (at other institutions)

We’ve enlisted experts (and sometimes even consultants!)

We’ve even helped others who’ve experienced security failures 1st-hand

Page 7:

So we’ve come up with catchy slogans and funny characters…

“Passwords are like underwear…”

All designed to make folks more aware of the need for diligence

Page 8:

But despite our efforts…
• Systems continue to get infected with “mass mailing” viruses, or
• Become victims of “drive-by downloads”

Page 9:

• ID Theft is also growing. In 2002:
  • $47.5 Billion stolen
  • 9.9 million individuals affected
  • Upwards of 600 hrs over 4 years spent straightening out

Source: FTC

Page 10:

ID Theft Complaints by Victim Age, January 1 - December 31, 2004
• Under 18: 4%
• 18-29: 29%
• 30-39: 25%
• 40-49: 20%
• 50-59: 12%
• 60 and over: 9%

Source: FTC, Feb 2005

Page 11:

• Malware continues to hit PCs
  • 2/3 of home users had not updated their virus software within the last week
  • 15% reported having no antivirus software
  • Nearly 20% were infected with a virus
  • 63% had been hit with a virus before

Source: 2004 AOL & NCSA Survey

Page 12:

• Spyware is on the rise
  • 80% of home computers were infected
  • 88% did not know it
  • Avg infected computer had 93 components
  • 95% said they never gave permission for the programs to be installed

Source: 2004 AOL & NCSA Survey

Page 13:

And despite…
• 84% had financial & health info on the PC
• 75% used home PC for banking, shopping
• 50% of home broadband users do not have a firewall (67% if dial-up is included)
• 40% home wireless n/w are wide open!

Source: 2004 AOL & NCSA Survey

Page 14:

And then there’s…
• Illegal digital music/movie downloads
• Ownership issues relative to Podcasting
• Intellectual property theft, in general

Page 15:

And…
• Increases in password cracking
• Increases in war driving, spam, spyware, etc.
• 1% of US households fell victim to phishing attacks in early 2004
• > $400M in direct monetary losses (Consumers Union)

Page 16:

Recent BSA/ISSA InfoSec Survey:
• 65%-72% of senior executives admit being more aware of security issues
• Primarily due to news reports (e.g. ChoicePoint, Bank of America, AOL & CitiBank commercials) and unfunded federal mandates

But only 19% of I/T staff think that employees are truly aware!

Source: Jan 2005 BSA/ISSA Information Security Survey

Page 17:

How well are Privacy Seals Recognized?

[Figure: four privacy seal images, numbered 1-4, one labelled "Web Shield"; images not reproduced]

Source: Mar 2005/Vol. 48, No. 3 Communications of the ACM

Page 18:

Recent UNLV Study:
• From 2002 to 2003, eCommerce sales increased > 26% ($44.3B → $56B)
• But consumers are generally unaware of:
  • Purpose of privacy seals on websites
  • What companies must do to get one
  • What a genuine seal looks like!

Source: Mar 2005/Vol. 48, No. 3 Communications of the ACM

Page 19:

The need to educate and raise awareness (even more) is Paramount!

Page 20:

Our job (if we accept it) is to…
• Determine why our messages have not been getting through
• Work with educators, sales persons & marketers to develop effective campaigns
  • Define & measure “effectiveness”

© Paramount Pictures

Page 21:

• > 15 yrs ago, U.S. federal government recognized the relationship:
  Security Awareness → Ability to protect the CIA of information
• Computer Security Act of 1987: Required federal agencies to provide mandatory training in computer security awareness

Page 22:

• In 1989, NIST published “Computer Security Training Guidelines”
• US Office of Personnel Mgmt made these guidelines mandatory
• 4 years later, US OMB required NIST to update the Guidelines
• Special Publication 800-16

Originally mainframe-oriented, these were formal recognitions that security awareness training was warranted

Page 23:

• SP 800-16 only provided a conceptual framework for awareness
• It lacked detailed guidance on programs

GAO even developed recommendations: “attention-getting” and “user-friendly”
• “trinkets with promotional slogans”, “awareness video tapes”, posters, flyers
• “…audiences tend to tune-out and, if presented … repeatedly, the material will be ignored…”

Page 24:

• NIST SP 800-50 - “Building an Information Technology Security Awareness and Training Program”
• Recommends metrics to measure success
  – # of security incidents or violations [1]
  – the % of users exposed to awareness materials

[1] Reporting may increase because of enhanced vigilance

Page 25:

• NIST SP 800-50 checklist
  • Assess training needs
  • Develop awareness & training strategy & plan
  • Establish priorities
  • Decide on complexity level of the message(s)
  • Select awareness topics
  • Maximize partnerships in development & roll-out (create ownership)

NIST initiatives & deliverables should be APPLAUDED!

Page 26:

• Numerous EDUCAUSE Resources
  • Security Task Force: www.educause.edu/security
  • Cybersecurity Awareness Resources CD
  • ECAR Research Bulletins

EDUCAUSE & ECAR initiatives & deliverables should be APPLAUDED!

Page 27:

• However: empirical data is lacking on Security Awareness Program effectiveness
• No call from federal govt, private industry or higher education to research the issue
• Recent Congressional hearings on cyber terrorism were void of awareness issues

Generally accepted “codes of practice” and mgmt stds (BS7799, ISO17799) lack concrete advice on measuring awareness program effectiveness

Page 28:

• “Security Awareness, Training, and Education Programs for the Enterprise” (© 2005 Fred Cohen, Burton Group)
• Recommends:
  • @ $10 to $100 per person per year
  • Dedicated FTE
  • Measuring effectiveness

Page 29:

“Security Awareness, Training, and Education Programs for the Enterprise” © 2005 Fred Cohen, Burton Group

Page 30:

• We must do something (better)
• Golden (marketing) Rule: Know thy audience
• Challenging since our target audience spans 4 generations (encompasses employees, students, faculty, staff, executives, and administrators)

And unlike “Tide” detergent and “Skippy” peanut butter, we probably can not afford to target niche markets

Page 31:

• But developing a single awareness program for 4 distinctive, different generations of users won’t be easy either
• This latest demographic group seems to be:
  • radically different and
  • immune to current communication methods and messages

Page 32:

So, who are these users?
• Traditionalists
• Baby Boomers
• Generation Xers
• Millennials

Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

Page 33:

The Traditionalists
• Born 1900-1945
• Grew up in times of war & scarcity
• Value loyalty and structure
• Approx 75 million

Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

Page 34:

The Baby Boomers
• Born 1946-1964
• TV generation
• Optimistic yet competitive
• Approx 80 million

Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

Page 35:

The Generation Xers
• Born 1965-1980
• PC generation
• Skeptical—downsizings & divorce
• Approx 46 million

Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

Page 36:

The Millennials
• Born 1981 or after
• Internet generation
• Thrive on multi-tasking, interactivity & problem solving
• Approx 76 million

Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

Page 37:

% of U.S. Population
• Traditionalists: 27%
• Baby Boomers: 29%
• Gen Xers: 17%
• Millennials: 27%

Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation

Page 38:

The Millennials
• in 1982: More $$ spent on video games and computers than music and movies
• in 1983: Time Person of the Year: The PC
• in 1985: the CD/ROM was introduced
• Millennials have always had cable TV, answering machines, remote controls, touch-tone phones, etc.

Source: Turkle, 1984, The Second Self: Computers and the Human Spirit

Page 39:

The Millennials
• They are 27% of US population, >50% online
• Almost 1/3 have college-degreed parents or parent with some college education
• By age 21, 2X time: video games as reading
• Cell, instant & text messaging over landline
• Digital Natives

Source: Prensky, 2001, Digital Game-Based Learning; New Strategist Editors, 2001, The Millennials: Americans Under Age 25

Page 40:

The Millennials
• Internet: 1st choice to find something, entertainment, shop, communicate
• View traditional teaching methods as boring, slow and anything but engaging (this also includes non-interactive course mgmt systems)

Source: Prensky, 2001, Digital Game-Based Learning

Page 41:

The Millennials
• Because of gaming, they enjoy simulations, layers of activity, multi-tasking and teams
• Late 2004 Halo 2: $125M in 1st Day Sales! (Spider-Man 2 had $115M its 1st weekend)

Source: Prensky, 2001, Digital Game-Based Learning

Page 42:

HALO 2 (© Microsoft Corporation)

Halo 2 trailer can be downloaded or viewed at halo.bungie.org/misc/halo2trailermirrors.html

Page 43:

The Millennials
• Forcing educators and marketers to change message and medium

US Army Future Combat Systems video can be viewed at www.army.mil/fcs/

Page 44:

The Millennials
• The need to update advertisements or awareness campaigns is nothing new
• So, why such a fuss?

Joe Nemecheck

Page 45:

To be fair…

Ricky Rudd

Page 46:

To be fair…

Casey Atwood

Page 47:

To be fair…

Ashton Lewis

Page 48:

To be fair…

Justin Labonte

Page 49:

The Challenge
• Many Millennials lack the desire to learn about computer systems (and security)
• Many believe they know enough already
• They expect educational and training experiences to be dynamic, challenging, flexible, innovative, and interactive (problem solving)
• They expect quick responses to their inquiries

Source: Lancaster & Stillman, 2001, When Generations Collide

Page 50:

The Challenge
• Purely educational environments may be able to adapt to these demands
• Can compliance be realized via games, online contests & animated spokespersons targeted at the Millennials?

Page 51:

The Challenge
• What can we do to ensure that “cartoonish” or gaming-oriented awareness programs stand out?
• Can we develop programs that are received, understood and followed when the target medium is a cell phone?

Page 52:

The Challenge
• And what about the other three generations of computer users?
• We can’t expect programs designed for Millennials to be effective for others (and vice-versa)

Page 53:

The Challenge
• It’s time for collaboration
  – Teachers College + Behavioral Sciences + Business College + CompSci Programs
  – Sales, R&D, Marketing & I/T Depts
• It’s time for research
• It’s time for results!

Page 54:

The Challenge
• Take the same skills and ingenuity that gave us “new math”, “Can you hear me now?” and “Where’s the Beef?”

Page 55:

The Challenge
• Comprehensive information security awareness programs that will modify behavior in all computer users
• with Measurable results!

Page 56:

In conclusion…
• It won’t be easy
• It won’t be cheap
• Consequences of not acting are even less attractive
• But it can be done!

© Paramount Pictures

Page 57:

Po$$ible Approache$:
• External Resources
  − NSF, NSF Cyber Trust Grants
  − Dept of Homeland Security, MS-ISAC
  − President’s I/T Advisory Committee
  − EDUCAUSE, ECAR
  − National Institute of Standards & Technology (NIST)
  − National Cyber Security Alliance (NCSA)
  − National Centers of Academic Excellence in Information Assurance Education (CAEIAE)
• Internal Resources
  − Interdisciplinary Team & Task Force(s)
  − Class Projects & Graduate Dissertations

Page 58:

Some Good Awareness Programs: [1]
• Univ of Arizona
• George Mason Univ
• Univ of Georgia
• Indiana Univ
• Univ of Maryland
• Univ of N.Texas
• Oklahoma Univ
• Univ of Tennessee
• EDUCAUSE

[2]

[1] not an exhaustive list!
[2] out of College of Education – Technology Outreach!!!

Unfortunately, hard evidence on “effectiveness” is still lacking

Page 59:

Aspects of Good Awareness Programs:
• New employee orientation, and
• Annual reminders of responsible use, etc., and
• All-encompassing InfoSec Policy/Procedure, and
• Posters & “Awareness Days” (April ?, October ?), and
• Vulnerability scans/tests, and
• Training, training, training, and
• Periodic press releases, articles, status reports, and
• Executive support, and
• Regular staff discussions, and
• on and on and on…

Page 60:

So, until empirical data exists:
• Know that something is better than nothing
• Realize that your entire audience may not “get it”
• And consider:
  • Tracking incidents by generation, and
  • Modifying your message & medium accordingly
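The two SP 800-50 metrics listed on Page 24 (number of incidents, and percentage of users exposed to awareness material) and the suggestion above to track incidents by generation can both be computed from ordinary help-desk and training records. The following Python is an added example written for this page, not code from the talk or from NIST: it buckets users by birth year using the cohort boundaries the slides give (Traditionalists 1900-1945, Baby Boomers 1946-1964, Generation Xers 1965-1980, Millennials 1981 or after) and reports, per generation, the percentage exposed and incidents per 100 users. It keeps user-reported incidents separate from tool-detected ones because of the caveat on Page 24 that reporting may rise simply from greater vigilance. The user and incident records are constructed sample data, and the record fields (`saw_awareness_material`, `kind`, `source`) are assumptions about what a campus would log.

```python
from collections import Counter
from dataclasses import dataclass

# Cohort boundaries as given on the slides (Howe & Strauss, 2000).
GENERATIONS = (
    ("Traditionalists", 1900, 1945),
    ("Baby Boomers", 1946, 1964),
    ("Generation Xers", 1965, 1980),
    ("Millennials", 1981, 9999),   # "born 1981 or after"
)


def generation_of(birth_year: int) -> str:
    """Map a birth year onto one of the four cohorts used in the talk."""
    for name, first, last in GENERATIONS:
        if first <= birth_year <= last:
            return name
    raise ValueError(f"birth year {birth_year} is outside the cohort table")


@dataclass(frozen=True)
class User:
    uid: str
    birth_year: int
    saw_awareness_material: bool   # assumed field: completed orientation / annual reminder


@dataclass(frozen=True)
class Incident:
    uid: str
    kind: str      # assumed field: e.g. "phishing", "malware"
    source: str    # assumed field: "user_report" or "detected" (found by tooling)


def awareness_metrics(users, incidents):
    """Per-generation metrics in the spirit of NIST SP 800-50: population,
    % of users exposed to awareness material, and incidents per 100 users.
    Incidents are split by source so that a rise in user reports (the
    'enhanced vigilance' effect noted on the slide) can be read separately
    from what tooling detected."""
    by_uid = {u.uid: u for u in users}
    population = Counter(generation_of(u.birth_year) for u in users)
    exposed = Counter(generation_of(u.birth_year) for u in users if u.saw_awareness_material)
    reported, detected = Counter(), Counter()
    for inc in incidents:
        gen = generation_of(by_uid[inc.uid].birth_year)
        if inc.source == "user_report":
            reported[gen] += 1
        else:
            detected[gen] += 1
    metrics = {}
    for name, _, _ in GENERATIONS:
        n = population[name]
        if n == 0:
            continue   # no users in this cohort; skip rather than divide by zero
        metrics[name] = {
            "users": n,
            "pct_exposed": round(100.0 * exposed[name] / n, 1),
            "reported_per_100": round(100.0 * reported[name] / n, 1),
            "detected_per_100": round(100.0 * detected[name] / n, 1),
        }
    return metrics


# Constructed sample records (not real data).
SAMPLE_USERS = [
    User("u01", 1940, True),
    User("u02", 1950, True),  User("u03", 1958, False),
    User("u04", 1970, True),  User("u05", 1975, True),  User("u06", 1978, False),
    User("u07", 1985, True),  User("u08", 1990, False),
    User("u09", 1995, False), User("u10", 2000, False),
]
SAMPLE_INCIDENTS = [
    Incident("u02", "phishing", "user_report"),
    Incident("u07", "phishing", "user_report"),
    Incident("u08", "malware", "detected"),
    Incident("u09", "malware", "detected"),
    Incident("u09", "phishing", "detected"),
    Incident("u06", "malware", "detected"),
]


def sample_metrics():
    """Run the metrics over the constructed sample records."""
    return awareness_metrics(SAMPLE_USERS, SAMPLE_INCIDENTS)


if __name__ == "__main__":
    print(f"{'generation':<16}{'users':>6}{'%exposed':>10}{'rep/100':>9}{'det/100':>9}")
    for gen, m in sample_metrics().items():
        print(f"{gen:<16}{m['users']:>6}{m['pct_exposed']:>10}"
              f"{m['reported_per_100']:>9}{m['detected_per_100']:>9}")
```

On the sample data the Millennials row comes out with 25% exposed and 75 detected incidents per 100 users, the Generation Xers row with 66.7% exposed and 33.3 detected per 100, and the Baby Boomers with one user report and nothing detected. Read side by side, a cohort whose reported rate climbs after a campaign while its detected rate falls is behaving the way the campaign intended; a cohort where both stay flat is the one whose message or medium needs changing.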
