Blog:

Monthly Archives: Apr 2010

SMS: Middle-East Versus United States

One of the things I enjoy about security awareness is that something that at first looks very simple becomes very complex. An excellent example is what topics you want to focus on for your awareness program. For larger organizations, or for organizations in different parts of the world, you may have to adjust your security awareness program based on different cultures. An excellent example is SMS. Depending on the region, you may or may not want to cover SMS. If I were working with an organization based in the West, especially the United States, SMS may be low in my priorities. While SMS may be popular

...

2001 All Over Again

When I first started in information security, the Internet was truly the wild, wild west. Security was something no one considered, computers were wide open and almost any system was easy to attack. Computers by default had almost all their services enabled and no firewall to protect them. All an attacker needed to hack a computer was to remotely scan for vulnerable systems and launch the 'exploit du jour'. In fact that is precisely what hackers did, launching automated scripts or even worms such as Code Red, Sadmind or SQL Slammer, compromising millions of systems. In August of 2004 that radically changed.

Passwords - The Good, The Bad and The Ugly

Today I would like to discuss one of the most commonly misunderstood issues in security awareness and education, passwords. I believe that protecting your passwords is important, especially now as we move to cloud computing and just about everything you do online requires a password. However, what we are teaching people about passwords is outdated. How people use passwords, and how threats attack them, have radically changed in the past ten years. Unfortunately, what we are teaching people has not kept up and I'm hoping we can start changing that. In addition, this post is in part motivated by the excellent paper The Rational

...

Security Awareness Metrics

One of the challenges we have in security awareness is metrics: how do we measure the success of our awareness program? I believe this is one of the weakest areas of awareness (and so do others), and to be honest of information security in general. A lot of people far smarter than I am are trying to solve this problem; if you are interested in learning more about information security metrics in general, I highly recommend the securitymetrics.org mailing list. Another great place to get started is Andrew Jaquith's book Security Metrics. One of my favorite insights is his criteria for good metrics.


  1. Consistently measures (no subjective criteria).
  2. Cheap to gather (preferably

    ...

Ticket or Click-It

In January of this year the National Highway Traffic Safety Administration released a report called "Analyzing the First Years Of the Ticket or Click It Mobilizations". The paper is extremely detailed, so I recommend that, if nothing else, you read the introduction. For you metric nerds out there, you may enjoy the whole paper (as their methodology is well detailed). While the report is focused on the use of seat belts, it has fascinating applications to the world of security awareness. The report focuses on 2000 - 2006, when most states in the United States began campaigns (called Ticket or Click-It) promoting and requiring the use of seat belts. Just like security awareness, the goal

...

Presenting

I really believe that one of the key factors to a successful awareness program is communication. And one of the best ways to communicate is presenting in person to a group of people. Often this is not an option as it does not scale: it can be difficult to get employees together in the same room, especially when you have offices around the world. It can also cost much more than other options, such as online training. But when you can get people in the same room, presenting, when done well, can make a big impact. As such I'm always trying to find new and better ways to present. My greatest fear is "Death by PowerPoint". One of my golden principles is to have as little text as

...

Security Awareness Topics With Greatest Impact

Okay, I had some ideas all lined up for a blog post, but Cormac Herley's paper The Rational Rejection of Security Advice by Users really got me thinking. I posted my initial thoughts on his paper the other day, but I wanted to take things a step further. As you may remember (or if you have not read his paper), Cormac does a cost benefit analysis on three different security awareness topics and determines they are not cost effective. While I may not agree with all of his analysis or findings, I agree that different topics have different ROI (Return On

...

The Rational Rejection of Security Advice - A Rebuttal

Recently Cormac Herley of Microsoft Research released a whitepaper titled The Rational Rejection of Security Advice by Users. The paper discusses the cost issues of awareness training and education and includes a cost analysis of three awareness topics. He then documents why he feels these areas are not cost effective and questions the value of awareness programs. After reading the document I wanted to share with you some of my own thoughts. On some parts I agree with Mr. Herley, on some parts I disagree, and on some I feel he is just dead wrong. The biggest difference between Mr. Herley and me

...

Communication - HOW

We now get to the third and final part of communicating your awareness program, HOW. For any successful security awareness program, I feel this is the most important part. Unfortunately, I also feel this is the part most organizations screw up, resulting in an ineffective program that does more harm than good. The reason is simple: very few organizations put any planning or effort into it, and good communication is hard. In a way it is a totally different mind set for security geeks; this is more marketing than security. Let's start off with some of the most common problems and challenges. In later postings I will describe how the challenges can be

...