Monday, February 8, 2010

Security awareness - what worked for you

Question:
I am interested to know from you guys what methods you have used to prick the consciousness of your end users - from the standard policy delivery & enforcement tools (e.g. neupart, policy matter, netconsent, et al), through posters & startup screens, right through to "guerrilla tactics" rather like Chris Nickerson & his guys who did the job on the car dealer.

I had thought of gearing ideas around end user pain points - e.g. post-it notes with a PIN on a dummy credit card, etc. Interested in what low-cost ways others have used.

Thanks in advance guys

Answer:

........,
I have gone through several iterations of awareness initiatives: web based, class based, print media based, campaign based, you name it…
Information Security Practitioners usually skip a very important part of awareness programs: these programs are not security projects where you deliver a technical solution; awareness programs depend on the training component…
Here is the most important thing I learned: adult psychology is different; you cannot train adults as you train kids. When you put kids in a class they simply listen and they learn. Adults never do; they keep questioning: “Why am I here? Is this good for me? What will I lose if I do not listen? What is in it for me?” etc. The questions above must be answered within the security awareness initiative, since they will keep occupying the short focus of the adult minds during training.
So the important structural shift of the awareness program initiative is that this is not a project, this is not about a portal with multiple choice questions with diagrams, this is not about an application that pops up; this is about training, and the adult training rules apply.
Years ago, I was in charge of security awareness training of a large trading house. Participation of all employees was mandatory. Everybody in the class (pre-WebEx days) thought this was yet another training, and the eyes were focused on the clock. I started the conversation with, “I am reading all your e-mail.” Well, I got the attention. The whole class got mad. But we had established the training rationale: everybody wanted to know how and why I was able to read their e-mail, and they were questioning who else can read their e-mail. Until that moment most of them thought the problems were someone else’s.
In order to create the personal interest, the best way is to demonstrate vulnerability in day-to-day applications with live demonstrations (not the checklists and the pop quizzes) that employees can individually associate themselves with. The demo should not be about the millions that a distant company lost (yes, we all heard about TJ Maxx) or powerpointing defaced web sites to death to bore the sales team away. There must be personal interest in the security awareness program. Unfortunately not too many people care about the greater good of their employers or the security teams… A salesperson will be more interested to see his CRM database being stolen using his own small BlackBerry. Or displaying the chain of evidence for intellectual property for design engineers; more examples can be given, but I think everybody who has managed to read until this paragraph gets the idea: unless there is personal interest there won’t be success.
That being said, classical program components like continuous improvement, cyclic approach, audit, measurement/metrics, etc. will help. ISO programs or programs like neupart can be used as a good base for program management.
Regards,
Yinal Ozkan