Blog:

Monthly Archives: Mar 2010

Communication - WHAT

In our previous posts we discussed how communication is key to a successful awareness program. We also discussed that for effective communication you must first determine WHO your target is. Once you determine WHO you are targeting in your awareness program, you can then determine WHAT you want to communicate, and finally HOW. In this blog post we are going to focus on the WHAT. To be honest, in general this is where I see organizations do the best. As security geeks we are pretty good at figuring out what it is we want people to learn. However, just to be sure you don't miss anything, listed below are what I find to be the

...

Blackhat Training 2010

I am excited to announce I will be teaching "Securing The Human" again this year at Blackhat Las Vegas, 2010. This intense, two-day course covers everything you need to plan, deploy and maintain a kick ass awareness program. Trust me, it is a lot harder than you think. In addition, out of the 54 courses last year, this was one of the highest rated classes. If you would like more information about the class, email me. I'll be teaching the course twice, 24/25 July and 26/27 July. Sign up soon, Blackhat raises the training rates May 1st.

Sign-up here for "Securing The Human"

Communications - WHO

In an earlier posting we focused on communication, specifically how this was critical to any successful awareness program. We also broke communication down into three key categories: WHO, WHAT and HOW. Every awareness program should always start with WHO first. WHO you communicate your awareness program to determines WHAT information you will communicate, and HOW. So, let's take a closer look at the WHO part; it is not as simple as it may seem (this is a theme you will see repeatedly for awareness :).


  • Employees: Okay, this is where almost every awareness

...

Forensic Challenge

Okay, I'm going to take a break for a moment from security awareness and discuss something I'm very passionate about, the Honeynet Project. This is an international, volunteer organization of security researchers dedicated to sharing information and findings on cyber threats. The group is also the leader in many of the latest honeypot developments. They recently kicked off a series of Forensic Challenges; these are real attacks on real systems you can analyze. As part of the challenge you can even submit your analysis to be judged by experts in this field. You then can compare (and learn from) the analysis of your peers. This is a great and rare opportunity to develop your incident response capabilities. Learn more at

Communication

Often when I start an awareness program with an organization, the initial response is that this will be simple. However, after I sit down with them and ask them a variety of questions, such as why they want such a program, what the goals are, who the targets are, and what the key topics are they want to teach, things quickly get more complicated. All of a sudden deploying that firewall or configuring that IDS sensor looks a lot simpler. That is because with awareness you are dealing with humans, and humans are an extremely complex subject. In addition, to add to the complexity, every organization has its own unique culture, requirements and structure. Combined, all these elements have to be taken into account when building an awareness program.

The key element in any awareness program (and this is where most organizations fail) is that awareness is all about communication. To have a successful program, to really change people's behaviors, you have to effectively

...

Does Awareness Work?

Absolutely. I'm baffled how people could think it does not. Think about it. Go to a security conference and select several hundred attendees that have Windows laptops (I suggest CanSecWest, one of my favorite technical conferences). Run a simple antivirus or scanning program on these computers and see how many are infected. Now, do the same at any other non-security conference (say a marketing or sales event) and see how many of those laptops are infected. You are most likely going to find a far greater number of infected systems on non-security professionals' computers. Why? Because security professionals in general are more paranoid, more security aware, and more careful how they

...

Securing The Human

I am very excited to officially announce the blog SECURING THE HUMAN. This is something I have been looking forward to for quite a while now. I have been actively involved in information security for almost twenty years. During that time I have seen both security threats and security professionals radically change. From changes in new tools and exploits to how the security community communicates and works together (thankfully much better in the past three years). However, one thing has been consistent: the human is the weakest link. Cyber attackers are just like you and me; they will take the easiest path to get whatever they want. As we the security community get better and better at using technical measures to secure our resources, the human is only increasingly becoming the soft spot.

The blog is about fixing that problem, securing the human. Traditionally concepts such as awareness have gotten a bad rap, in many ways deservedly so. Most awareness

...