April 3-5, 2005
Security Awareness Programs- Can One Size Fit All?
Michael G. Carr, JD, CISSP
Information Security Officer, University of Nebraska
Barbara J. Hoskins, Ed.D., Asst. Dean, College of Health, Education & Human Development, Clemson University
2005 © Univ of Nebraska & Clemson Univ, unless noted
2005 © Mike Carr (University of Nebraska) & Dr. Barbara Hoskins (Clemson University).
Unless noted, this work is the intellectual property of the authors.
Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is
given that the copying is by permission of the authors.
To disseminate otherwise or to republish requires written permission from the authors.
Agenda/Format
• InfoSec Facts
• Awareness Program History
• Food for thought, recommendations
Source: 2004 AOL & NCSA Survey
Citibank commercial on Identity Theft (© 2003 Citibank, N.A., used with permission; removed for copyright reasons)
Zombies, Bots and Botnets – Computer Attacks on the Rise
1 in 12 e-mail messages contains the 'Mydoom' worm
We’ve all seen the commercials…
We’ve all read the headlines…
We’ve all pointed to hacking incidents (at other institutions)
We’ve enlisted experts (and sometimes even consultants!)
We’ve even helped others who’ve experienced security failures 1st-hand
So we’ve come up with catchy slogans and funny characters…
"Passwords are like underwear…"
All designed to make folks more aware of the need for diligence
But despite our efforts…
Systems continue to get infected with “mass mailing” viruses, or
Become victims of “drive-by downloads”
ID Theft is also growing. In 2002:
• $47.5 Billion stolen
• 9.9 million individuals affected
• Upwards of 600 hrs over 4 years spent straightening it out
Source: FTC
ID Theft Complaints by Victim Age, January 1 - December 31, 2004
  Under 18:     4%
  18-29:       29%
  30-39:       25%
  40-49:       20%
  50-59:       12%
  60 and over:  9%
Source: FTC, Feb 2005
Malware continues to hit PCs
• 2/3 of home users had not updated their virus software within the last week
• 15% reported having no antivirus software
• Nearly 20% were infected with a virus
• 63% had been hit with a virus before
Source: 2004 AOL & NCSA Survey
Spyware is on the rise
• 80% of home computers were infected
• 88% did not know it
• Avg infected computer had 93 components
• 95% said they never gave permission for the programs to be installed
Source: 2004 AOL & NCSA Survey
And despite…
• 84% had financial & health info on the PC
• 75% used the home PC for banking, shopping
• 50% of home broadband users do not have a firewall (67% if dial-up is included)
• 40% of home wireless networks are wide open!
Source: 2004 AOL & NCSA Survey
And then there's…
•Illegal digital music/movie downloads
•Ownership issues relative to Podcasting
•Intellectual property theft, in general
And…
•Increases in password cracking
•Increases in war driving, spam, spyware, etc.
•1% of US households fell victim to phishing attacks in early 2004
• > $400M in direct monetary losses (Consumers Union)
Recent BSA/ISSA InfoSec Survey:
• 65%-72% of senior executives admit being more aware of security issues
• Primarily due to news reports (e.g. ChoicePoint, Bank of America, the AOL & CitiBank commercials) and unfunded federal mandates
But only 19% of I/T staff think that employees are truly aware!
Source: Jan 2005 BSA/ISSA Information Security Survey
How well are Privacy Seals Recognized?
(Figure: four privacy-seal images, numbered 1-4, including "Web Shield"; not reproduced)
Source: Mar 2005/Vol. 48, No. 3 Communications of the ACM
Recent UNLV Study:
• From 2002 to 2003, eCommerce sales increased > 26% ($44.3B → $56B)
• But consumers are generally unaware of:
  – the purpose of privacy seals on websites
  – what companies must do to get one
  – what a genuine seal looks like!
Source: Mar 2005/Vol. 48, No. 3 Communications of the ACM
The need to educate and raise awareness (even more) is Paramount!
Our job (if we accept it) is to…
• Determine why our messages have not been getting through
• Work with educators, sales persons & marketers to develop effective campaigns
• Define & measure "effectiveness"
(image © Paramount Pictures)
• > 15 yrs ago, the U.S. federal government recognized the relationship: Security Awareness ↔ Ability to protect the CIA (confidentiality, integrity, availability) of information
• Computer Security Act of 1987: required federal agencies to provide mandatory training in computer security awareness
• In 1989, NIST published "Computer Security Training Guidelines"
• US Office of Personnel Mgmt made these guidelines mandatory
• 4 years later, US OMB required NIST to update the Guidelines → Special Publication 800-16
Originally mainframe-oriented, these were formal recognitions that security awareness training was warranted
• SP 800-16 only provided a conceptual framework for awareness
• It lacked detailed guidance on programs
  – "trinkets with promotional slogans", "awareness video tapes", posters, flyers
  – "…audiences tend to tune-out and, if presented … repeatedly, the material will be ignored…"
• GAO even developed recommendations: "attention-getting" and "user-friendly"
• NIST SP 800-50 - "Building an Information Technology Security Awareness and Training Program"
• Recommends metrics to measure success:
  – # of security incidents or violations [1]
  – the % of users exposed to awareness materials
[1] Reporting may increase because of enhanced vigilance
• NIST SP 800-50 checklist:
  – Assess training needs
  – Develop awareness & training strategy & plan
  – Establish priorities
  – Decide on complexity level of the message(s)
  – Select awareness topics
  – Maximize partnerships in development & roll-out (create ownership)
NIST initiatives & deliverables should be APPLAUDED!
• Numerous EDUCAUSE Resources:
  – Security Task Force, www.educause.edu/security
  – Cybersecurity Awareness Resources CD
  – ECAR Research Bulletins
EDUCAUSE & ECAR initiatives & deliverables should be APPLAUDED!
• However: empirical data is lacking on Security Awareness Program effectiveness
• No call from federal govt, private industry or higher education to research the issue
• Recent Congressional hearings on cyber terrorism were void of awareness issues
Generally accepted "codes of practice" and mgmt stds (BS7799, ISO17799) lack concrete advice on measuring awareness program effectiveness
• "Security Awareness, Training, and Education Programs for the Enterprise" (© 2005 Fred Cohen, Burton Group)
• Recommends:
  – @ $10 to $100 per person per year
  – Dedicated FTE
  – Measuring effectiveness
• We must do something (better)
• Golden (marketing) Rule: Know thy audience
• Challenging, since our target audience spans 4 generations (encompasses employees, students, faculty, staff, executives, and administrators)
And unlike "Tide" detergent and "Skippy" peanut butter, we probably can not afford to target niche markets
• But developing a single awareness program for 4 distinctive, different generations of users won't be easy either
• This latest demographic group seems to be:
  – radically different, and
  – immune to current communication methods and messages
So, who are these users?
•Traditionalists
•Baby Boomers
•Generation Xers
•Millennials
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation
The Traditionalists
•Born 1900-1945
•Grew up in times of war & scarcity
•Value loyalty and structure
•Approx 75 million
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation
The Baby Boomers
•Born 1946-1964
•TV generation
•Optimistic yet competitive
•Approx 80 million
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation
The Generation Xers
•Born 1965-1980
•PC generation
•Skeptical—downsizings & divorce
•Approx 46 million
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation
The Millennials
•Born 1981 or after
•Internet generation
•Thrive on multi-tasking, interactivity & problem solving
•Approx 76 million
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation
% of U.S. Population
• Traditionalists 27%
• Baby Boomers 29%
• Gen Xers 17%
• Millennials 27%
Source: Howe & Strauss, 2000, Millennials Rising: The Next Great Generation
The Millennials
• in 1982: More $$ spent on video games and computers than music and movies
• in 1983: Time Person of the Year: The PC
• in 1985: the CD-ROM was introduced
• Millennials have always had cable TV, answering machines, remote controls, touch-tone phones, etc.
Source: Turkle, 1984, The Second Self: Computers and the Human Spirit
The Millennials
•They are 27% of US population, >50% online
•Almost 1/3 have college-degreed parents or parent with some college education
•By age 21, 2X time: video games as reading
•Cell, instant & text messaging over landline
•Digital Natives
Source: Prensky, 2001, Digital Game-Based Learning; New Strategist Editors, 2001, The Millennials: Americans Under Age 25
The Millennials
•Internet: 1st choice to find something, entertainment, shop, communicate
•View traditional teaching methods as boring, slow and anything but engaging (this also includes non-interactive course mgmt systems)
Source: Prensky, 2001, Digital Game-Based Learning
The Millennials
• Because of gaming, they enjoy simulations, layers of activity, multi-tasking and teams
• Late 2004: Halo 2 had $125M in 1st day sales! (Spider-Man 2 had $115M its 1st weekend)
Source: Prensky, 2001, Digital Game-Based Learning
HALO 2 (© Microsoft Corporation)
Halo 2 trailer can be downloaded or viewed at halo.bungie.org/misc/halo2trailermirrors.html
The Millennials
• Forcing educators and marketers to change message and medium
US Army Future Combat Systems video; can be viewed at www.army.mil/fcs/
The Millennials
• The need to update advertisements or awareness campaigns is nothing new
• So, why such a fuss? (image: Joe Nemechek)
To be fair… (images: Ricky Rudd, Casey Atwood, Ashton Lewis, Justin Labonte)
The Challenge
• Many Millennials lack the desire to learn about computer systems (and security)
• Many believe they know enough already
• They expect educational and training experiences to be dynamic, challenging, flexible, innovative, and interactive (problem solving)
• They expect quick responses to their inquiries
Source: Lancaster & Stillman, 2001, When Generations Collide
The Challenge
•Purely educational environments may be able to adapt to these demands
•Can compliance be realized via games, online contests & animated spokespersons targeted at the Millennials?
The Challenge
• What can we do to ensure that "cartoonish" or gaming-oriented awareness programs stand out?
• Can we develop programs that are received, understood and followed when the target medium is a cell phone?
The Challenge
•And what about the other three generations of computer users?
•We can’t expect programs designed for Millennials to be effective for others
(and vice-versa)
The Challenge
• It's time for collaboration
  – Teachers College + Behavioral Sciences + Business College + CompSci Programs
  – Sales, R&D, Marketing & I/T Depts
• It's time for research
• It's time for results!
The Challenge
• Take the same skills and ingenuity that gave us "new math", "Can you hear me now?" and "Where's the Beef?"
The Challenge
• Comprehensive information security awareness programs that will modify behavior in all computer users
• with Measurable results!
In conclusion…
• It won't be easy
• It won't be cheap
• Consequences of not acting are even less attractive
• But it can be done! (image © Paramount Pictures)
Po$$ible Approache$:
• External Resources
  – NSF, NSF Cyber Trust Grants
  – Dept of Homeland Security, MS-ISAC
  – President's I/T Advisory Committee
  – EDUCAUSE, ECAR
  – National Institute of Standards & Technology (NIST)
  – National Cyber Security Alliance (NCSA)
  – National Centers of Academic Excellence in Information Assurance Education (CAEIAE)
• Internal Resources
  – Interdisciplinary Team & Task Force(s)
  – Class Projects & Graduate Dissertations
Some Good Awareness Programs: [1]
• Univ of Arizona
• George Mason Univ
• Univ of Georgia
• Indiana Univ
• Univ of Maryland
• Univ of N. Texas
• Oklahoma Univ
• Univ of Tennessee
• EDUCAUSE
[1] not an exhaustive list!
[2] out of College of Education – Technology Outreach ! ! !
Unfortunately, hard evidence on "effectiveness" is still lacking
Aspects of Good Awareness Programs:
• New employee orientation, and
• Annual reminders of responsible use, etc., and
• All-encompassing InfoSec Policy/Procedure, and
• Posters & "Awareness Days" (April ?, October ?), and
• Vulnerability scans/tests, and
• Training, training, training, and
• Periodic press releases, articles, status reports, and
• Executive support, and
• Regular staff discussions, and
• on and on and on…
So, until empirical data exists:
• Know that something is better than nothing
• Realize that your entire audience may not "get it"
• And consider:
  – Tracking incidents by generation, and
  – Modifying your message & medium accordingly
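The two SP 800-50 metrics cited earlier (number of incidents, and percentage of users exposed to awareness materials) and the closing suggestion to track incidents by generation can be combined into one small report. The script below is an added example, not code from the Carr/Hoskins presentation or from NIST; it buckets users by the birth-year bands given on the slides and computes both metrics per band. It also keeps user-reported incidents separate from incidents found by tooling, because, as the slides' footnote warns, reporting can rise simply because a trained population is more vigilant; the automated count is the one that does not move with vigilance. The user list and incident log are constructed sample data, and the field names (`exposed`, `source`) are assumptions.

```python
"""Awareness-program metrics bucketed by generation (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass

# Birth-year bands as given on the slides (Howe & Strauss, 2000).
GENERATIONS = (
    ("Traditionalists", 1900, 1945),
    ("Baby Boomers", 1946, 1964),
    ("Generation Xers", 1965, 1980),
    ("Millennials", 1981, 9999),  # "1981 or after"
)


def generation_of(birth_year: int) -> str:
    """Map a birth year onto one of the four generation labels."""
    for label, lo, hi in GENERATIONS:
        if lo <= birth_year <= hi:
            return label
    raise ValueError(f"birth year {birth_year} predates the defined bands")


@dataclass(frozen=True)
class User:
    user_id: str
    birth_year: int
    exposed: bool  # assumed field: saw this year's awareness material


@dataclass(frozen=True)
class Incident:
    user_id: str
    source: str  # assumed field: "user_report" (self-reported) or "automated" (AV/IDS/helpdesk finding)


# Constructed sample population and incident log; hypothetical, not survey data.
USERS = [
    User("u1", 1940, True),  User("u2", 1944, False),
    User("u3", 1950, True),  User("u4", 1960, True),  User("u5", 1963, False),
    User("u6", 1970, True),  User("u7", 1978, True),
    User("u8", 1985, False), User("u9", 1990, False), User("u10", 1995, True),
]
INCIDENTS = [
    Incident("u2", "automated"),
    Incident("u3", "user_report"),
    Incident("u8", "automated"), Incident("u8", "automated"),
    Incident("u9", "automated"),
    Incident("u10", "user_report"),
]


def metrics_by_generation(users, incidents):
    """Return {generation: {...}} with SP 800-50 style metrics per band.

    exposed_pct       - % of users in the band who saw awareness material
    incidents_per_100 - all incidents per 100 users (the raw SP 800-50 count)
    user_reported     - incidents the user reported (rises with vigilance)
    automated         - incidents found by tooling, independent of vigilance
    """
    by_id = {u.user_id: u for u in users}
    pop = Counter(generation_of(u.birth_year) for u in users)
    exposed = Counter(generation_of(u.birth_year) for u in users if u.exposed)
    reported, automated = Counter(), Counter()
    for inc in incidents:
        gen = generation_of(by_id[inc.user_id].birth_year)
        if inc.source == "user_report":
            reported[gen] += 1
        elif inc.source == "automated":
            automated[gen] += 1
        else:
            raise ValueError(f"unknown incident source {inc.source!r}")
    out = {}
    for label, _, _ in GENERATIONS:
        n = pop[label]
        if n == 0:
            continue  # no users in this band: skip rather than divide by zero
        total = reported[label] + automated[label]
        out[label] = {
            "users": n,
            "exposed_pct": round(100.0 * exposed[label] / n, 1),
            "incidents_per_100": round(100.0 * total / n, 1),
            "user_reported": reported[label],
            "automated": automated[label],
        }
    return out


def least_exposed(metrics):
    """Band with the lowest exposure: the first audience to retarget message and medium for."""
    return min(metrics, key=lambda g: metrics[g]["exposed_pct"])


if __name__ == "__main__":
    report = metrics_by_generation(USERS, INCIDENTS)
    for gen, m in report.items():
        print(f"{gen:16s} users={m['users']:2d} exposed={m['exposed_pct']:5.1f}% "
              f"incidents/100={m['incidents_per_100']:6.1f} "
              f"(reported={m['user_reported']}, automated={m['automated']})")
    print("least exposed:", least_exposed(report))
```

In a real program the user records would come from HR or the directory and the incidents from the ticketing or SIEM system; the point of the split between `user_reported` and `automated` is that a band whose reported incidents climb after a campaign while its automated detections fall is a success, not a regression.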