Security Awareness Training is Boring

I love the directness of Marcus Ranum's perspective on security awareness training. "If it was going to work, it would have worked by now," he wrote. Indeed, whenever I perform social engineering testing, too many people willingly give up sensitive data, click on a link or launch that fateful attachment.

Maybe the problem with many security awareness programs is that they are boring. Come up with something unusual and personally-relevant to the attendees, and I bet the audience will remember your message. Below are some tips and a video clip.

Select a Different Format

Call your annual security awareness session a "Security Awareness Session," and you're guaranteed to hear sighs and excuses for not being able to attend. How about something in a less standard format? Thinking out loud here:

  • Add a security "commercial" interruption to an unrelated meeting or a conference call.
  • Create a challenge for people to report unsafe IT practices they observe. Without identifying the offenders, but with prizes.
  • Sponsor a bagels and donuts breakfast with a 10-minute data security discussion.
  • Create a drawing for a prize. The cost of entry is a tip on improving IT security.

Of course, the format will depend on your corporate culture, but the idea is to take a less ordinary approach to spreading your message.

Make the Message Personally-Relevant

People tend to care about their well-being more than the well-being of their company. To make your message heard, make it useful for your colleagues as individuals, be it in the context of phishing for email credentials, on-line financial fraud, or spyware. By helping them protect their personal data on-line, you will show them how to act when corporate IT assets are threatened.

Example: A Video Clip

How about piquing the employees' interest in your program with a short video clip? I found a service called Animoto that will let you upload a bunch of photos, and automatically generate a nice-looking video from them. (30-second videos are free.)

Here's an example I created using generic photos I found via EveryStockPhoto. For best results, use the photos specific to your company or industry. (For attribution purposes, here's the list of the Creative Commons images I used from Flickr: 1, 2, 3, 4.)

My video clip attempts to entice the audience to sign up for a hypothetical security awareness session. Of course, you can also use a more specific video to spread your particular security awareness message.

For additional tips about security awareness training, see the summary of the diaries we published about a year ago on this topic.

-- Lenny

Lenny Zeltser
Security Consulting - SAVVIS, Inc.

Lenny will be presenting at the SANS D.C. conference in December.


216 Posts
ISC Handler
Nov 19th 2008
