
SANS ISC InfoSec Handlers Diary Blog



The Many Paths to Security Awareness

Published: 2010-04-07
Last Updated: 2010-04-07 15:44:44 UTC
by Rob VandenBrink (Version: 1)
0 comment(s)

Promoting Security Awareness is an ongoing challenge in our field. Without a good understanding of security issues at the senior management level, getting those issues the appreciation they deserve is a real problem. Security Awareness is critical in influencing business decisions so that security components are included in (and hopefully funded for) every project, protecting the corporate assets from both theft and lawsuits.

However, Security Awareness does not mean the same thing to everyone in a company. 

Senior Management, for instance, will be more concerned with legal and regulatory requirements, as well as the impacts of security on overall corporate performance. 

Department managers will be more focused on budgets and funding, as well as directing their reporting groups towards policy compliance.

People who work on the actual deliverables of the company may be concerned about personal incentives or system uptime, or may be influenced mainly by corporate policies.

Awareness for developers tends to concentrate on secure coding and on peaceful co-existence with the system administrators who enforce policies at a technical level in the datacenter and on the desktops.

From a Security Awareness perspective the blanket term “end user” grows to encompass many audiences: not only folks with basic desks and phones, but developers, senior managers, salespeople, engineers, health-care professionals, all kinds of people with different concerns, different goals, and a different set of reasons (or excuses) for exceptions to one thing or another.

Sadly, even today almost everyone tends to view security concerns as impediments to their job rather than as actions and factors that assist and support them.

So how do we influence our coworkers or customers to factor Security Awareness into their daily decisions and actions? 

The short answer is "it varies". 

The best answer that I’ve seen is that we need a toolkit of methods, and for any particular audience we need to dip into that arsenal and pick the 2 or 3 or 5 methods that we think will work best to deliver our message successfully, get the audience to take that message to heart, and produce the desired positive change in behavior.

Over time, the goal of Security Awareness is to have your organization or client organization show measurable movement towards the positive side of the spectrum, both in actual awareness of security concerns and in measurable security behaviors and metrics. As in most things, Security Awareness is all about the journey; there is no destination. You can always get better, but you never “arrive.”

I’m very interested in how people are delivering security messages to their organizations and customer organizations, raising awareness and influencing behaviors (in a positive way) in that process. If you have a moment, we’d really appreciate your input in the survey attached to this diary. It's set up as a matrix; feel free to indicate whichever methods you've seen used successfully in your situation. Multiple answers are ok and are encouraged (just please don't click them all). Feel free to post any text input either in the survey text fields or in the diary comments (at the bottom of this page).

We’ll collect data on this survey and report back in a follow-up diary in a couple of weeks.
(This survey requires Javascript. If you are running NoScript or a similar tool you will need to "permit" this site.)
(Depending on your browser this survey will open in a new browser tab or a new browser window.)

=============== Rob VandenBrink Metafore ===============
