Monthly Archives: May 2010

Human Motivations - Cool Presentation

I just saw a fascinating ten minute video on human motivation by RSA (no, not that RSA, the Royal Society of Arts). The title of the video is RSA Animate - Drive; it focuses on human motivations in the workplace, especially in today's globally connected world. The video is fascinating for two reasons. First, how they use animation to tell the story. They have high-speed video of a person drawing the key points discussed in the presentation. I'm a big fan of imagery, and not only the concept but the imagery they use is very powerful and creative. Thumbs up! In addition, the key points of the video are

...

Why Organizations Secure The Human

When working with organizations on security awareness and education, one of the first things I like to start with is asking 'why': what is their motivation? The motivations for deploying an awareness program often have a large impact on how it is designed, implemented and supported. They often determine the priorities of the topics, the budget, who will be in charge of the program, who is the target of the program, etc. As such, you want to pay careful attention to the reasons of 'why'. To help you get started, these are the four most common motivations I have seen.


  • Compliance: I always shudder a bit when

...

Securing The Human - In Albany, NY

The organizers at the 13th Annual New York State Cyber Security Conference have kindly accepted me to speak again this year. My one hour talk will be on Securing The Human on 16 June. If you will be attending the event, or are even in Albany, please email me and let's meet up. I always love the opportunity to meet others working on the human issues and share lessons learned. This event is hosted by the New York State Office of Cyber Security and Critical Infrastructure Coordination. They are one of the most active state organizations I know in helping secure state

...

SDLC For The Human

Recently Marcus Ranum (a person I greatly admire in information security) spoke at a security conference on how Software Insecurity is Our Biggest Weakness. Specifically, how insecure or poorly coded software, and the vulnerabilities it results in, is the number one risk to information security. This got me thinking about the importance of SDLC (Secure Development Life Cycle). SDLC is the set of documented processes and standards an organization uses to ensure that developers plan and create secure code from the ground up. The idea being that if we can 'bake in' secure code from the beginning, we can

...

Using Facebook to Communicate Your Awareness Program

Facebook has been in the news a lot lately, primarily due to its security and privacy issues. As we have discussed previously, privacy in Facebook is quite complex (at least I get confused with the privacy options). As a result, what we often recommend organizations teach their employees is: if they do not want their mom or their boss reading it, do not post it on Facebook. However, one thing I have not seen discussed is leveraging Facebook to help communicate your awareness program. A large percentage of your employees most likely use Facebook to communicate every day, so why not use the methods that are most familiar to them? This is done by creating a Facebook Page. Facebook Pages are

...

Survey - Workers Consistently Rank Personal Risk Over Corporate.

A new survey by Trend Micro reports that workers consistently rank personal risk over corporate. Specifically, the survey of 1,600 employees found that "... employees were more focused on individual concerns and conveniences than their company's overall IT security." To be honest, I don't think anything in the report should be a surprise. It's human nature: most people are going to be more concerned about themselves than the organization they work for. However, it seems like organizations forget this when they roll out an awareness and education program. Too often these programs are nothing more than a series of rules

...

Top Three Security Awareness Points For Facebook

As most of us know, Facebook (FB) has become the top social networking site on the Internet. With over 400 million users, it is also one of the world's most popular sites, period. As this has become one of the primary ways many employees communicate, organizations need to address policies on if/how Facebook can be used in your organization. Even if your organization bans FB, you still need to address FB, as how employees use it in their personal lives can impact your organization. The more I've been using FB, the more I've learned just how complex it is. In fact, there are blogs dedicated to how to use FB securely, such as the excellent blog

Presenting Security Awareness at SANS

I'll be presenting an evening class on security awareness at SANS Fire in Baltimore. I'll be sharing lessons learned on several large awareness projects I've recently worked on, including one organization with over 90,000 employees and another awareness program for an entire country. I'll be talking at 7pm Thursday, June 10th. SANS is always a great event, offering not only tremendous training but a chance to meet old friends and make some new ones. Speaking of which, if you are around that night please be sure to stop by and say hi. I would love to meet others in the awareness field and get your input on what you think does and does not work for security awareness and

...

Security Awareness Assessments (Gone Wrong)

Security awareness assessments are one of the most common metrics used to measure the security of employees. Usually such assessments replicate common phishing or email based attacks. The reason these types of assessments are so popular is that they are easy to reproduce and track, a key requirement for good metrics. The assessment works by first deciding on a common email attack to replicate. This email is then sent to a percentage of the employees and the results are tracked. Each email has a unique identification number tied to it, so you can determine which employees opened the email, which ones clicked on the links, and in some cases which employees actually submitted information. One of the

...

The Power of Images in Security Awareness

The more I work with the human issues of information security, the more I believe in the use of imagery. Images are a simple way to communicate complex messages across multiple cultures and languages. For humans, images are one of the most effective ways we remember a message (think of the saying 'a picture is worth a thousand words'). As an example, refer to the image in this blog post. This is an image we often use for communicating the concept of "You Are The Target". The goal of this message is to teach employees that they are the primary target. People often have the misconception that they have nothing of value, that cyber criminals do not target them.

...