Last month, I posted a diary titled "The Many Paths to Security Awareness", which discussed various job positions, what motivates people in those jobs, and what messages you might use to take advantage of those motivators.  The end goal is that, when faced with a security-related decision, you see a move in the positive direction.  As a security professional, you want people in your organization or your customers' organizations to "make the right choice" when they're put on the spot.

First of all, I'd like to thank everyone very much for participating in the survey that was part of the original story.  I used the survey results, along with interviews and my own experience to write a paper on this topic (one of my last requirements for my sans.edu masters degree ! ).  You can find the paper here ==> http://www.sans.edu/resources/student_projects/ , along with a presentation that summarizes the information.  The presentation got posted as a PDF, so the nifty powerpoint animations don't work, but the message is all there.

There were lots of things in the results that you'd expect - for instance, CEO's are motivated by regulatory compliance, avoiding lawsuits and shareholder value, but some of the results were a bit of suprise:

When I started this, I had thought that protection of Intellectual Property (IP) would be of primary concern to Engineers and others that actually create said IP.  However, what I found was that, more and more  the value of IP is being given a real dollar value, and any compromise of IP is being worked into corporate risk assessments.  So protection of IP is now on the radar of lots of CEO's, and protection of IP can be used to influence security decisions at that level.

Folks in a Helpdesk role are motivated by uptime of Corporate Systems, compliance with Corporate Policies and personal financial incentives, but more overtime does NOT count as a financial incentive !  Also, personal workstation downtime almost didn't register as a motivator (this one kind of surprised me).

Something that we all live with is that IT groups are still taking the lead in developing, monitoring and enforcing security policies.  However, what is FINALLY happening is that HR is now starting to take the lead in some of this.  In many organizations, things like reports from the content filter that monitors and enforces web usage policies are now the responsibility of HR, with IT there to provide the service and act as an expert consultant.  This is a good thing to see, because HR is actually placed to do real enforcement of policies like AUP's (Acceptable Use Policy) and Web Surfing Policies, where in many companies IT could only watch and shake their heads.

What didn't work across the board was any security task that people couldn't immediately see value in on their own (without a lesson from security school).  So, for instance, if you want to implement password complexity where it hasn't existed before, it's probably worth a bit of an awareness message ahead of time or no-one is going to be buying into it.

Again, the full results are in the paper, the power point covers the high points.

Anything you'd like to add to the list is welcome, by all means use the comment form to add to this story !

================== update 05/11/2010 ==================

I've had a few requests for the original Powerpoint presentation for the paper (the posting on the sans.edu page is a PDF).  You can find it here ==> diaryimages/RVANDENBRINK - MGT438 Presentation - 0425.zip

=============== Rob VandenBrink, Metafore ===============