Blog: SANS Securing The Human: Category - Security Awareness Planning

Cyber Rules for the New School Year

Sending your kids off to school is always an exciting time, as you know they are about to grow another year. It's also a great time to re-establish house rules concerning electronics and online activities. We want our kids to learn how to use and leverage 21st century technology, but we also want to protect them from its unique risks. Below are the new rules this year for the Spitzner household. These rules are designed for 13- and 10-year-old boys; feel free to adapt them as you see fit. As kids get older, I'm finding technical controls to be less and less effective; instead, you need a family Acceptable Use Policy. Here is ours. I would love to hear what yours are: post your comments online or email us at


Show-n-Tell and Sharing at the #SecAwareSummit

Folks, as we gear up for the upcoming Security Awareness Summit in Dallas TX on 10 Sep, I wanted to share with you how you can prepare for the event to make the most out of it. If you will be attending the event, here are some things to consider.

  1. SHARING: We are very excited about having six amazing speakers lead the event. However, this is just one of the many opportunities for you to learn. We are asking attendees to bring and share examples of their own awareness program. This can be newsletters, posters, mouse pads, calendars, stickers or any other resource you created that was a big hit. If possible, bring multiple copies to share with your peers. If you bring any large items, such as a poster, we will be happy to hang it for others to see.

  2. SHOW-N-TELL: If you like, take the sharing to the next level. During lunch any ...

Technical Guidance on Phishing Assessments

Several weeks ago we released the Phishing Planning Kit, a resource to help organizations plan and maintain an effective phishing assessment program. This kit is based on the suggestions, lessons learned and feedback from numerous security awareness officers who are actively leading their own phishing assessment programs. We released the kit because most of the problems organizations have with their phishing assessments are not technical; they come from failing to properly communicate and execute the program.

EJ recently asked some technical questions about rolling out his phishing program (see the comments in the Phishing Planning Kit post), and I wanted to take a moment to answer them. First, the simplest way to address most of your technical issues is to use a phishing service. There are many to choose from, and all are similar and good, including


OUCH! is out - Encryption

The August edition of OUCH! has been released. This month we focus on encryption. Far too often we tell people to use encryption to protect themselves and their information, but we do not explain what encryption is, why they should use it or how. Chris Crowley is our Guest Editor for this month, and he does an amazing job explaining a complex topic in very simple terms. As always, you can download and share the latest version of OUCH! from

Also, do not forget our new OUCH archives, where you can find past editions online at


Guest Post - Measuring Human Risk - #SecAwareSummit

Editor's Note: This is a guest blog post from Dan deBeaubien. Below is a description of his upcoming talk, "Measuring Human Risk - What is Your Security Score", at the Security Awareness Summit on 10 Sep in Dallas.

Assuming that we know what to do in a given circumstance related to cyber security (install a firewall, do an audit, train our staff, whatever), and also assuming that many resources abound to address these situations as they arise, the emergent issue is often where to start. We can't do everything, everywhere; we need to know where to begin, and where to go next. In my role at Michigan Tech, and working closely