Skeeter Spray is a blog for the common Information Security Professional. Why Skeeter Spray? See Post #1

Thursday, March 31, 2011

Security Education…Removing the dread

We can all admit that security education isn’t ever going to be at the top of the user’s super-happy-fun-time list, but we can make it a little less painful. And maybe, just maybe, they will find it useful and tolerable. However, before you send out or conduct your next training, take a little time to evaluate your user education program.

Have you defined the goals of your training program, other than to provide training to users? Identify what areas you need to educate users on and, if necessary, define classes of users and the training needed for each group. For example, you will probably have general users (a group that will probably include all users) to whom you will want to provide the basics…password controls, screen lock, phishing emails, etc. What about those users who might need specialized training, such as HR, Legal, and Finance personnel? Depending on your business sector, you might need to provide additional training to these groups. Once you have determined the training needs, how do you deliver it?

There are several different ways that you can deliver training. The first is the mandatory, formal training that everyone has grown to dread. But if you are developing your own formal training (vs. outsourcing), here are a couple of helpful tips:

· Don’t just use a slideshow / presentation. Mix it up; include videos or other motion tools.
· Find someone who has a nice, pleasing voice to do the voice-over. Don’t let the monotone guy do it again.
· Consider conducting group training vs. delivering it over the computer. In a group setting, make it fun…ask questions with small prizes for answers (right or wrong).
· Work with other teams that deliver training to incorporate security into their training. For example, if you are training on a new HR system, have a 15-minute session on protecting Personally Identifiable Information.

Once you have the formal training out of the way, users once in a while need a gentle reminder of security procedures / precautions. I call this Tidbit Training. A couple of sentences or maybe a couple of short paragraphs on the company portal or in an email (let the email support guys know first). Relating this to things that might happen to the users at home will give it more punch. For example, if you tie phishing-email training to an email you yourself received, chances are the users have also received one (probably the same one). Then you can relate the dangers of their personal information being stolen to company data being stolen.

Another successful method is the use of a Security Blog on your internal network. This can be a touchy area with some companies, as your management might want approval prior to publishing articles. If that is the case, it might not be worth the hassle. However, if you have free rein, then it can be a very powerful tool as long as you keep it to information the general user population can relate to.
 
Every time I start working on a user education article, I think back to my Air Force days and Safety Training. Everyone hated Safety training, but there was a weekly report from the Navy Safety Office (I know…I can’t believe I typed it) that had a humorous spin on stupid things Sailors and Marines had done. It didn’t seem like safety training, but that is exactly what it accomplished. So remember, make it a little less dreadful for your users when you are developing Security training.

~Skeeter