SANS ISC: The Many Paths to Security Awareness

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Promoting Security Awareness  is an ongoing challenge in our field.  Without a good understanding of Security Awareness and issues, getting appreciation at the senior management level for security issues is a real problem.  Security Awareness is critical in influencing business decisions to include (and hopefully fund) security components into every project, protecting the corporate assets from both theft and lawsuits.

However, Security Awareness does not mean the same thing to everyone in a company. 

Senior Management, for instance, will be more concerned with legal and regulatory requirements, as well as the impacts of security on overall corporate performance. 

Department managers will be more zoned in on budgets and funding, as well as directing their reporting groups towards policy compliance. 

People who work on the actual deliverables of the company may be concerned about personal incentives, system uptime, or may be influenced by corporate policies.

Awareness for developers tends to concentrate on secure coding and peaceful co-existence with system administrators who are enforcing policies at a technical level in the Datacenter and desktops.

From a Security Awareness perspective the blanket term “end user” grows to encompass many audiences – not only folks with basic desks and phones, but developers, senior managers, salespeople, engineers, health-care professionals, all kinds of people with different concerns, different goals, and a different set of reasons/excuses for exceptions to one thing or another. 

Sadly, even today almost everyone tends to view security concerns as impediments to their job rather than as actions and factors that assist and support them.

So how do we influence our coworkers or customers to factor Security Awareness into their daily decisions and actions? 

The short answer is "it varies". 

The best answer that I’ve seen is that we need a toolkit of methods, and for any particular audience we need to dip into that arsenal and pick the 2 or 3 or 5 methods that we think will work best to deliver your message successfully, get them to take your message to heart and see that desired positive change in behavior. 

Over time, the goal of Security Awareness is to have your organization or client organization realize measurable movement towards the positive side of spectrum  - both of actual awareness of security concerns and measurable security behaviors and metrics.  As in most things, Security Awareness is all about the journey, there is no destination – you can always get better, but you never “arrive.”

I’m very interested in how people are delivering security messages to their organizations and customer organizations, raising awareness and influencing behaviors (in a positive way) in that process.  If you have a moment, we’d really appreciate your input in the survey attached to this diary.  It's set up as a matrix, feel free to indicate whichever methods you've seen used successfully in your situation.  Multiple answers are ok and are encouraged (just please don't click them all).  Feel free to post any text input either in the survey text fields or in the diary comments (at the bottom of this page)

We’ll collect data on this survey and report back in a follow-up diary in a couple of weeks.
 

 (This survey requires Javascript - If you are running Noscript or a similar tool you will need to "permit" this site)
(Depending on your browser this survey will open in a new browser tab or a new browser window)

=============== Rob VandenBrink Metafore ===============