One of the biggest challenges I see in security awareness is proving that it works, that it makes a difference. I want to see awareness move beyond just compliance and become an effective control in reducing risk. However, to do that we have to be able to measure the impact. To be honest, measuring the impact of any control is a common challenge in security. However, I feel this is especially challenging in awareness, as not only is awareness so immature, but we are trying to measure human factors, not technology. In a series of posts in the coming weeks I'll be posting about how human awareness can be measured, and as a result how you can measure the effectiveness of your program. In addition we will discuss some public reports
Security Awareness Metrics - Part I
Security Awareness for the Public
One of the biggest challenges for any country level CERT is how to reach the public. Awareness can be a complex and daunting topic and you have to communicate it to a wide range of ages. One way to help communicate an awareness message is to create an identity that people can associate your message with. In many ways this is marketing 101, but then again government organizations are often not good at marketing. One exception was Smokey Bear. In the United States I remember growing up listening to Smokey Bear telling me only I could prevent forest fires. This was a simple but highly effective awareness campaign developed by the United States Forest Service.
Securing The Human - Vegas
Thanks to everyone who joined us last night at SANS Las Vegas for my presentation Securing The Human. We had a really interactive crowd, which makes events like these so much fun. As promised, I've posted the latest version of the presentation online for all to download and share. The focus of the presentation was on why humans are so vulnerable, how cyber attackers exploit those vulnerabilities, and what we can do to 'patch' the vulnerabilities. Throughout the presentation we compared the human to the idea of being nothing more than another operating system, however an operating system ten years behind all others in terms of security. After the event
Security Awareness Topics - PCI DSS versus HIPAA
I have been working a lot with PCI DSS and HIPAA lately. One thing that has surprised me about these two topics, from a security awareness perspective, is just how similar they are. In the past I've blogged on how most security awareness programs share the same 70% of content. Many of the threats and best practices are the same, regardless of who you are or where you are in the world. One of the key areas where I find awareness programs differ is their data protection policies. What I'm starting to see is that even here, those policies can also be similar. PCI DSS is an international standard developed by the Payment Card Industry. Any organization that
Security Awareness Has a Hash
Compared to other disciplines within information security, security awareness and the human factor is still very immature. We have a tremendous amount of work to do to catch up. Then again, that is what makes awareness so exciting: there is so much potential to make a difference. To help coordinate this global effort, security awareness has a new Twitter hash.
#securehuman
If you tweet about something security awareness related, I encourage you to add this tag so others can easily find it also. Happy tweeting!
Upcoming Events
I'll be presenting and teaching at several events in the next two months. If you would like more information about any of these events just email me.
SANS Vegas. I'll be presenting Securing The Human at SANS @Night on Tue, 21 Sep from 7pm - 8pm. I just recently updated the content and have some new ideas to share. Please stop by, I would love to learn what has and has not worked for you in security awareness and human issues.
SANS London. I'll be teaching the new two day course Securing The Human in London on 27/28 November. This course not only teaches you how to build an effective awareness program that makes an impact, but how you can measure that impact.
SANS Chicago. SANS is
Judging Risk - Sharks versus the Vending Machine
One of the things I like to cover in my Securing The Human talks is how bad we humans are at judging risk. What may have worked for us 100,000 years ago in the grass plains of Africa no longer works in the 21st century. Risks back then were the type of risks that ate us; however, risks nowadays are far more complex. One of the problems is that we greatly overestimate risks that we should not, and underestimate the real risks. One of my favorite examples is to ask people what they are most afraid of when they visit the ocean. One of the most common things I hear is sharks, or more precisely being eaten by a shark while swimming in the ocean. Now this is a pretty scary thought; I personally do not like the idea either.
The Security Awareness 70/30 Rule
After working on numerous security awareness programs for both large and small organizations, one thing I have noticed is what I will call the 70/30 rule. Roughly 70% of an awareness program shares the same topics and content as any other awareness program. This includes basic concepts such as social engineering, using email safely, passwords, encryption, etc. Only about 30% of an awareness program is unique to that organization, such as data protection policies or policies on personal devices. However, we can take this one step further. That common 70% of content not only applies to the organization, but also applies to home. Think about it: the vast majority of attacks that target the human are the same attacks people face
Customizing Your Security Awareness Program
Security awareness is still in its infancy. As I work in this area I feel as if it is 2001 all over again; we are spending more time just making people aware of the problem than we are developing solutions. Since this field is still in its infancy there is a tremendous amount we can learn from each other. Whenever I present on security awareness I like to ask who likes their awareness program and what they like best about it. One of the common themes I continue to hear is that people like customization. The closer the program is to their own organization, the more likely they will relate to and learn from it.
So what is the best way to customize your program? Well there are a lot of
...Honeynet Project Forensic Challenge #5
Every other month the Honeynet Project releases a new forensic challenge. These are captures of real attacks in the wild that the community can analyze, document and then submit for review. This is an amazing chance to learn. The Honeynet Project just released Forensic Challenge 5 - Log Mysteries. This challenge takes you into the world of virtual systems and confusing log data. Figure out what happened to a virtual server using all the logs from a possibly compromised server. Challenge 5 has been created by Raffael Marty from the Bay Area Chapter, Anton Chuvakin from the Hawaiian Chapter, and Sebastien Tricaud from the French Chapter. Submission deadline is