Blog: SANS Securing The Human

Blog: SANS Securing The Human

Guest Blog - Taking a Generational Approach to Security Awareness

Editorial Note: This is a guest blog post from Paula Fetterman <pj_unico@yahoo.com>. We feel she came up with an amazing idea and asked her to share it here.

In Feb 2014, I had the opportunity to attend the RSA Security Conference in San Francisco. While attending an early morning session (thank goodness for caffeine), I heard Todd Fitzgerald's presentation on "Generations Defined By Moments" and soon became very intrigued and engaged (yes...unusual for me at an early morning session). His premise was that each generation approaches security (and life) differently because of

...

Idea for Human Metrics - Tracking Updates

Its always challenging to find a good security awareness metric. By good, I mean not only does the metric need to measure a human behavior that I care about, but the metric is easy and low cost to repeatedly measure. So I'm always excited when I find what I feel is a good security awareness metric, and here is one I would like to share - updated devices.

The behavior we want to measure is are employees updating their devices? This is an important behavior, as we all know the more updated and current your devices are, the fewer vulnerabilities they have. For some organizations this is not an issue, as IT is responsible for keeping all the systems updated. However for other organizations, especially smaller ones, employees often update the

...

Trick for Rewarding Good Behavior

Just finished up SANS MGT433 class this week at SANS 2014 in Orlando. One of the things I love most about teaching is I always learn something new. One of the students had a great idea for rewarding. In general you want to avoid providing purely monetary awards for good behavior, you quickly run out of budget. Instead, recognition is not only cheaper, but often more effective. For example, if someone receives a "Microsoft Tech Support" phone call and stops the attack cold, an organization's first response is to often to reward the person with a gift card. Instead of providing just money make a hero out of the person, post a story about what she did, how she figured out the attack and where she reported it. Not only are you publicly recognizing the individual for their great work, but promoting and reinforcing the good behaviors that secure your organization.

One of our students took the idea one step further. Instead of just

...

Updating Your Awareness Training

A common mistake I often see organizations make with their security awareness program is failing to plan long term. Quite often organizations get caught up in the initial roll-out of their training, but forget to plan on updating their program at some point. Its key that you update your program at a minimum once a year. Some things to consider.


  1. If your only goal is to meet compliance requirements, keep in mind compliance standards are constantly changing, you need to update your program to stay current. In addition, which standards you fall under can also change. For example, while you may not think you fall under HIPPA, after a review of HR and accounts payable you may ...

New Poster Helps Your IT Admins Become Human Sensors

Most security awareness training is focused on changing human behavior. People already know how to perform a specific skill, awareness simply teaches them how to perform it more securely, such as when using email. However there are times when you need to teach people new skills. While not designed for awareness training, a new poster recently created by the SANS Forensics instructors fits the bill perfectly. This two sided poster, called "Know Normal - Find Evil" documents different ways a forensics expert can identify if a system is compromised or not. While designed for forensic professionals, I feel this poster is a great resource for almost any IT admin, even if they have no security experience. The poster identifies system processes,

...