Security Awareness Many Audiences, Many Messages (Part 2), (Fri, May 7th)
Last month, I posted a diary titled The Many Paths to Security Awareness, which discussed various job positions, what motivates people in those jobs, and what messages you might use to take advantage of those motivators. The end goal is that, when faced with a security-related decision, you see a move in the positive direction. As a security professional, you want people in your organization or your customers' organizations to make the right choice when they're put on the spot.
First of all, I'd like to thank everyone very much for participating in the survey that was part of the original story. I used the survey results, along with interviews and my own experience to write a paper on this topic (one of my last requirements for my sans.edu masters degree ! ). You can find the paper here == http://www.sans.edu/resources/student_projects/ , along with a presentation that summarizes the information. The presentation got posted as a PDF, so the nifty powerpoint animations don't work, but the message is all there.
There were lots of things in the results that you'd expect - for instance, CEO's are motivated by regulatory compliance, avoiding lawsuits and shareholder value, but some of the results were a bit of suprise:
When I started this, I had thought that protection of Intellectual Property (IP)would be of primary concern to Engineers and others that actually create said IP. However, what Ifound was that, more and more the value of IP is being given a real dollar value, and any compromise of IP is being worked into corporate risk assessments. So protection of IP is now on the radar of lots of CEO's, and protection of IPcan be used to influence security decisions at that level.
Folks in a Helpdesk role are motivated by uptime of Corporate Systems, compliance with Corporate Policies and personal financial incentives, but more overtime does NOT count as a financial incentive ! Also, personal workstation downtime almost didn't register as a motivator (this one kind of surprised me).
Something that we all live with is that ITgroups are still taking the lead in developing, monitoring and enforcing security policies. However, what is FINALLYhappening is that HRis now starting to take the lead in some of this. In many organizations, things like reports from the content filter that monitors and enforces web usage policies are now the responsibility of HR, with ITthere to provide the service and act as an expert consultant. This is a good thing to see, because HR is actually placed to do real enforcement of policies like AUP's (Acceptable Use Policy)and Web Surfing Policies, where in many companies ITcould only watch and shake their heads.
What didn't work across the board was any security task that people couldn't immediately see value in on their own (without a lesson from security school). So, for instance, if you want to implement password complexity where it hasn't existed before, it's probably worth a bit of an awareness message ahead of time or no-one is going to be buying into it.
Again, the full results are in the paper, the power point covers the high points.
Anything you'd like to add to the list is welcome, by all means use the comment form to add to this story !
=============== Rob VandenBrink, Metafore ===============
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.