Blog

Editor's Note:This guest blog post is from John Andrew at Honeywell.

How do we persuade folks who are resistant to Security Awareness' efforts? Great question! I was fortunate to pick up a rare last minute opening - to go on a 3 day backpacking & camping trip at Cumberland Island National Forest on the coast of Georgia. The backcountry orientation by the National Forest Service was great. One of the first things they brought to our attention was an old Smokey the Bear' poster. The poster began Repeat After Me Only you' [Readers fill in the blank — there was no additonal text on the poster]

We all knew how the awareness message' ended. Had it down cold. Only you can prevent forest fires.' Sharing this story is a roundabout way of saying that effective awareness' campaigns become part of the culture in

Earlier this week we released the latest edition of the OUCH! security awareness newsletter, "Passwords / Passphrases". We explain in simple terms how you can create strong passwords using passhrases, and some simple steps to using them safely. However with this release come some new changes we are excited about.

• Updated Look: We changed the look and format of OUCH! so its simpler to read (especially on computer screens) by moving to a single column format. The new version is also easier on printers as we use less color.


• E-Book Support: While tablets can read PDF documents, e-book files make reading documents easier and more interactive. Starting

As many of you know Verizon recently released their 2013 DBIR (Data Breach Investigations Report) which analyzes 621 known, documented breaches collected from 19 organizations. There is a huge wealth of information here, and if you have time read it. You can download it from http://www.verizonenterprise.com/DBIR/2013/

There is alot of humor injected, which makes this report surprisingly easy to read. I read the document from a human perspective and was amazed at just how much useful information applies to the Human Element. Below are my impressions, the most important I feel is the last one. Read on.

1. DBIR breaks attackers into 3 categories (crime, espionage, ...

Okay, this one is for the security community. I'm amazed and stunned how often our community arrogantly blames people for security risks, when it is ourselves that are only to blame. Let's pick on everyone's favorite flogging topic when it comes to people, passwords. You know, the topic where we blame users for being 'stupid' for constantly using such simple and basic passwords. We go through the trouble of teaching people to use long passwords, passphrases when possible, and then wonder why people don't follow our sage advice. We have even created cartoons on this.

Okay, lets say people learn and follow these steps. Now what happens? They can't login anywhere because the

SANS MGT 433 is a two day course that enables organizations to build high-impact, engaging awareness programs with a focus on changing behaviors. Based on the lessons learned from hundreds of organizations, we have been teaching this course for over three years now. The biggest hits of the course are the student interaction and labs that help you design and document your own customized awareness program project plan. We are excited to announce the course is now coming to London, taught by BP's Tim Harwood. Tim has hands on experience helping lead BP's awareness program for over 300,000 employees. Learn more or sign up at

• MGT433- 15/16 July - London