Blog: SANS Securing The Human

Show-n-Tell and Sharing at the #SecAwareSummit

Folks, as we gear up for the upcoming Security Awareness Summit in Dallas TX on 10 Sep, I wanted to share how you can prepare for the event to get the most out of it. If you will be attending, here are some things to consider.

  1. SHARING: We are very excited about having six amazing speakers lead the event. However, this is just one of the many opportunities for you to learn. We are asking attendees to bring and share examples of their own awareness program. This can be newsletters, posters, mouse pads, calendars, stickers or any other resource you created that was a big hit. If possible, bring multiple copies to share with your peers. If you bring any large items, such as a poster, we will be happy to hang it for others to see.

  2. SHOW-N-TELL: If you like, take the sharing to the next level. During lunch any ...

Technical Guidance on Phishing Assessments

Several weeks ago we released the Phishing Planning Kit, a resource to help organizations plan and maintain an effective phishing assessment program. This kit is based on the suggestions, lessons learned and feedback from numerous security awareness officers who are actively leading their own phishing assessment programs. The reason we released the kit is that when organizations have problems with their phishing assessments, the cause is usually not technical issues but a failure to properly communicate and execute the assessment.

EJ recently asked some technical questions about rolling out his phishing program (see the comments in the Phishing Planning Kit post), and I wanted to take a moment to answer them. First, the simplest way to address most of your technical issues is to use a phishing service. There are many to choose from and all are similar and good, including


OUCH! is out - Encryption

The August edition of OUCH! has been released. This month we focus on encryption. Far too often we tell people to use encryption to protect themselves and their information, but we do not explain what encryption is, why they should use it or how. Chris Crowley is our Guest Editor for this month and he does an amazing job explaining a complex topic in very simple terms. As always, you can download and share the latest version of OUCH! from

Also, do not forget our new OUCH archives, where you can find past editions online at


Guest Post - Measuring Human Risk - #SecAwareSummit

Editor's Note: This is a guest blog post from Dan deBeaubien. Below is a description of his upcoming talk, "Measuring Human Risk - What is Your Security Score", at the Security Awareness Summit on 10 Sep in Dallas.

Assuming that we know what to do in a given circumstance related to cyber security (install a firewall, do an audit, train our staff, whatever), and also assuming that many resources exist to address these situations as they arise, the emergent issue is often where to start. We can't do everything, everywhere; we need to know where to begin, and where to go next. In my role at Michigan Tech, and working closely


The Hardest Part in Awareness - Deciding What NOT To Teach

There are many challenges to implementing an effective awareness program, from gaining management support and communicating effectively to selecting your metrics and measuring your impact. However, one of the biggest challenges I run into, and one that surprises most people, is deciding what topics or learning objectives NOT to cover. Think about it: you only have so much time and so many resources to communicate your program, and this limits what you can communicate. In addition, and even more importantly, people can only remember so much. The more Do's and Don'ts you bombard people with, the more likely they are to do a brain dump and tune you out. The challenge then becomes prioritizing what you want to teach and focusing only on the