Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Security Awareness Training is Boring SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Security Awareness Training is Boring

I love the directness of Marcum Ranum's perspective on security awareness training. "If it was going to work, it would have worked by now," he wrote. Indeed, whenever I perform social engineering testing, too many people willingly give up sensitive data, click on a link or launch that fateful attachment.

Maybe the problem with many security awareness programs is that they are borning. Come up with something unusual and personally-relevant to the attendies, and I bet the audience will remember your message. Below are some tips and a video clip.

Select a Different Format

Call your annual security awareness session a "Security Awareness Session," and you're guaranteed to hear sighs and excuses for not being able to attend. How about something in a less standard format? Thinking out loud here:

  • Add a security "commerical" interruption to an unrelated meeting or a conference call.
  • Create a challenge for people to report unsafe IT practices they observe. Without identifying the offenders, but with prizes.
  • Sponsor a bagels and donuts breakfast with a 10-minute data security discussion.
  • Create a drawing for a prize. The cost of entry is a tip on improving IT security.

Of course, the format will depend on your corporate culture, but the idea is to take a less ordinary approach to spreading your message.

Make the Message Personally-Relevant

People tend to care about their well-being more than the well-being of their company. To make your message heard, make it useful for your colleagues as individuals, be it in the context of phishing for email credentials, on-line financial fraud, or spyware. By helping them protect their personal data on-line, you will show them how to act when corporate IT assets are threatened.

Example: A Video Clip

How about peaking the employees interest in your program with a short video clip? I found a service called Animoto that will let you upload a bunch of photos, and automatically generate a nice-looking videos from them. (30-second videos are free.)

Here's an example I created using generic photos I found via EveryStockPhoto. For best results, use the photos specific to your company or industry. (For attribution purposes, here's the list of the Creative Commons images I used from Flickr: 1, 2, 3, 4.)

My video clip attempts to entice the audience to sign up for a hypothetical security awareness session. Of course, you can also use a more specific video to spread your particular security awereness message.

For additional tips about security awareness training, see the summary of the diaries we published about a year ago on this topic.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny will be presenting at the SANS D.C. conference in December.


216 Posts
Nov 19th 2008

Sign Up for Free or Log In to start participating in the conversation!