Be secure, be aware.
Be Security Aware.

PROMOTING SECURITY AWARENESS AT YOUR COMPANY
11/22/2009

© 2009 InfoSecurityLab, Inc.
OBJECTIVES

I.   So you want your company to be security aware…
II.  The Objections
III. What the Professionals Say
IV.  What You Can Do
V.   Delivering Security Awareness
VI.  Questions
SO YOU WANT YOUR COMPANY TO BE SECURITY AWARE…

Security Awareness is the process of making people aware of the risks to the things they value, and of how they can safeguard against those risks.

You Know:
• Awareness means people will be more secure.
• Awareness requires time and money.

You Have Tried:
• Policy
• Edicts
• Emails
• Persuading Your Manager

How do you convince people to listen?
How do you make Security Awareness important?
OBJECTIONS

Typical Objections
• It is too expensive.
• It takes too much time.

Self-Inflicted Problems
• Our employees do not pay attention to it.
• Our employees do not care about security.
• Security Awareness Programs don’t work.

The Odd Objections - “Where did that come from?”
• We’re not ready for Security Awareness.
• Security is not relevant to our business.
WHAT THE PROFESSIONALS SAY

Quotes

“As strategists, we can apply all manner of software/hardware technology to control and safeguard the activity on our information infrastructure. While the most important, and at the same time weakest, link in the security chain are people, there are no (publicly acceptable anyway) hardware modifications available to control human behaviour. Awareness, however, is the wet-ware solution that we can install in the human brain that offers the only chance to strengthen this link.”
  - Tom Giangreco, Director of Information Security, SchoolsFirst Federal Credit Union

“Information security can only be successful if it is seen as an integral part of the day-to-day work responsibilities, and it is therefore necessary that everybody in the organization understands the importance of information security, employees as well as top management. The long-term success of an information security program can only be effective if there is awareness and support throughout the organization. Security awareness and training controls have been identified as a mandatory part of an information security management system, and sponsorship for information security needs to start at the top.”
  - Angelika Plate, Owner, AEXIS Security Consultants; Secretary of ISO/IEC JTC1 SC 27 "IT Security Techniques"; Editor of ISO 27001; Co-editor of ISO/IEC 27002 and 27006

“There is probably no more effective countermeasure, dollar for dollar, than a good security awareness program.”
“Although it is important for an awareness program to ensure that the right things are covered, the critical success factor for an awareness program is the delivery methods. The advice must be simple. It must be made personal… Advice that is realistic, understandable, actionable, and repeated is useful.”
  - Ira Winkler, President, Information Security Advisors Group; author of “Spies Among Us”, “Zen and the Art of Information Security”, and “Corporate Espionage”

“There is only one way to keep your product plans safe and that is by having a trained, aware, and a conscientious workforce. This involves training on the policies and procedures, but also – and probably even more important – an ongoing awareness program.”
  - Kevin Mitnick, founder of Mitnick Security Consulting; author of “The Art of Deception” and “The Art of Intrusion”
WHAT YOU CAN DO

A Change in Tactics

Do not use Fear, Uncertainty and Doubt (F.U.D.).

Fear – is not security awareness. If we are aware of risks and how to protect against them, we have little reason to be afraid.
Uncertainty – is not security awareness. People who are trained in how to handle problems are certain of what to do.
Doubt – is not security awareness. People who are trained, and kept up to date, do not doubt their skills, and know what to do.
WHAT YOU CAN DO

A Change in Tactics
• Promote security as a cultural and behavioural change.
• Focus on changing long-term patterns and attitudes about security.
• Present security as something that enables people, not as a set of restricting rules.
• Make security something everyone can understand and act on.
• Show how security applies to all parts of life - at work and at home.
WHAT MAKES SECURITY AWARENESS SUCCESSFUL?

Make It Relevant
• It must relate to a person’s life.
• It must relate to a person’s job.
• It must show how security can improve things they value (job security, ability to perform, make money & be rewarded).

Make It Easy to Understand
• It must be explained in words and terms that anyone can understand.
• It must include actions that anyone can perform.
• It must include ideas and situations that people can relate to.

Empower People
• It must make people feel they are important.
• It must make people feel that security is for them and not against them.
• It must make people feel that security makes their job easier.

Make It Fun
• It must be enjoyable to participate in.
• It must provide for growth and learning.
• It must help people feel like they are helping everyone around them.
• It must make people think and laugh.
OVERCOME THOSE OBJECTIONS

Answer the Challenge

• It is too expensive. Choose inexpensive solutions, even homegrown ones. Make them simple, and demonstrate them to management. Seeing is believing.
    • The time and money spent is less than the cost of fixing a breach.
    • The money spent on various security tools far exceeds the money required to teach employees not to open email attachments, not to share usernames and passwords, and to follow proper procedures.

• It takes too much time. Do not make it a graduate course in security. Make it simple, useful, short, and fun. Time is wasted when the activity is not valuable.

• Our employees will not pay attention to it, or do not care about security. Security Awareness Programs don’t work. Make the program useful, relevant, and not just about work. Employees will pay attention when it benefits them. Give them valuable lessons they can use anywhere.

• We are not ready for Security Awareness. Security is not relevant to our business. Ask whether security at home, while shopping online, or while travelling would be useful to employees. You get a chance to talk about security, and to get some of your message included.
DELIVERING SECURITY AWARENESS

Match the Medium to the Audience

Security Awareness is a marketing issue – how to present and sell the message.

Consider:
• How to make security appealing to employees and their values
• How to communicate across the entire company
• Which mediums are a good fit for the company

Some Mediums You Can Use:
• E-Learning
• Classroom Training
• Newsletters
• Emails
• Posters
• Web Portals
• Seasonal Messages
• Contests
• Lunch-and-Learns
QUESTIONS

Our mission:
  “Provide Security Awareness solutions that are meaningful to every employee.”

Remember:
  Be secure, be aware. Be Security Aware.

Daniel Blander, CISM, CISSP
daniel.blander@infosecuritylab.com