Blog: SANS Securing The Human: Category - Communication Skills


Guest Blog - Taking a Generational Approach to Security Awareness

Editorial Note: This is a guest blog post from Paula Fetterman. We feel she came up with an amazing idea and asked her to share it here.

In Feb 2014, I had the opportunity to attend the RSA Security Conference in San Francisco. While attending an early morning session (thank goodness for caffeine), I heard Todd Fitzgerald's presentation on "Generations Defined By Moments" and soon became very intrigued and engaged (yes...unusual for me at an early morning session). His premise was that each generation approaches security (and life) differently because of


Job Description for Security Awareness Officer

Organizations around the world are beginning to address the human element when securing their organization. The days of purely compliance-focused training are gone; we also need to effectively change behavior. To achieve that, you need the right person in charge. Below is an attempt to describe what the job description of a security awareness officer could look like.

Security Awareness Officer

This individual has overall responsibility for our security awareness and education program. Ultimately, this person's job is to reduce risk to our organization by ensuring that all employees, staff and contractors know, understand and follow our security requirements and behave in a secure manner.

Our Security Awareness Program


Engage With a Story - Hacking a Utility

One of the target groups we are attempting to reach on cyber security is the engineers and operators who run critical infrastructure, such as those responsible for power generation, oil refineries, and water plants. This may not be as sexy as some other industries, but without it life as we know it would literally shut down. As such, it is critical that we engage and train those who maintain it.

One of the most effective ways we have learned to engage people is to explain to them that they are a target. So many people have the misconception that they are not a target, that they have no value to an attacker. Once they understand that they do have value, they are far more likely to listen and to change behavior. One of the most effective ways to communicate this is to tell a story, walk them


Symantec, How Could You?

One of the great things about awareness training is that not only do staff become more aware and prevent incidents, they also start reporting attacks; they become human sensors. Today I got just such an email from an employee reporting a phishing attack. The email was all about clicking on the link right away, playing an interactive online game, and claiming your free USB stick if you are one of the first 250 people to register. This email hits just about every hot button you can find in a phishing email, so the employee was spot on to report it.

However, the email is legitimate. Even worse, it was sent out by Symantec, a company that is supposed to be promoting security, not confusing people. At first I did not believe


Why Just One Year Just Isn't Enough

Sometimes I'm asked why an organization should continue to pursue awareness training year after year. After all, once people are trained, isn't that good enough? Unfortunately, no, in so many ways. Think about it: if you kept your computers locked down and secure for just one year, could you stop securing them after that? Absolutely not; their security would quickly degrade. The HumanOS is no different, and here is why.

Your training should be aggressively updated at least once a year (we update our training twice a year at SANS). You would be amazed at how fast technology, attackers and the latest risks change. Over 60% of our training content changes every year, including new examples, key