One of the biggest challenges in information security is raising the awareness of our communities so that they recognize threats and understand how to defend themselves. The difficulty of that challenge is exacerbated with up to 30 percent turnover of students, faculty, and staff yearly. It's a multiyear process, but the key is to stick with it and not be afraid to try new ways of raising awareness and enrolling your communities so that they become part of your security team. I've provided a list of key components to building that security culture below. I've also provided some examples of our work at the Rochester Institute of Technology (RIT).
You can't change or create a culture overnight, and gains may seem almost imperceptible at times. Recognize that you need to think of security awareness as a key component of your information security strategy. (Yes, you need a security awareness strategic plan.) A strategy enables you to identify long-term goals. Security is often reactive. For example, we might respond to phishing attempts by warning our communities as the attempts occur, rather than employing a phishing simulation program1 so that they'll recognize phishes on their own. To create (and harden) a security-aware culture, you must be proactive. It's not always possible to get ahead of specific threats, but we can train our communities to recognize many of them.
Have a Plan
Thinking strategically requires a plan. A plan enables you to define how you'll reach the goals defined in your strategic plan. What communication vehicles are already available? What needs to be developed? Where do your audiences (you have at least three: faculty, staff, and students) get their information? Are there community or departmental leaders they follow? What topics should you cover and when? (EDUCAUSE provides a calendar of topics and member-created content that you can leverage.)
Brand Your Security Awareness Efforts
RIT's security awareness efforts are branded under Digital Self-Defense. A brand helps make your security awareness efforts visible and memorable. Almost every communication or event around security awareness at RIT bears our "DSD guy" (seen above). After more than a decade, most constituents recognize him. (Your university or college might have requirements around branding that may or may not make security awareness branding possible. However, you can still use a common layout and design in your communications.)
Leverage Existing Opportunities
What existing opportunities are available for improving security awareness? Are there orientation events for students, faculty, or staff? Are there benefits or wellness fairs in which you can participate? Have you contacted departments to schedule security awareness discussions? Have you created an ongoing security awareness class, either in person or online? Have you put posters on your buses? Given away swag with security awareness messaging at orientations? Look around and see what existing opportunities you can leverage.
Be All Over Social Media
Where do your constituents get their information? Your university or college may have official news outlets or communication mechanisms. Does everyone follow them? Do students even read e-mail anymore? Who's using Facebook? Twitter? Instagram? Pinterest? Snapchat? The rapidly evolving social media landscape offers opportunities, as well as challenges. Go where your audiences are. They're unlikely to come to you. (As I write this blog post, we're in the midst of our annual social media "like" campaign [https://www.rit.edu/security/content/enter-our-contest] and expect to surpass 10,000 followers in our social media outlets.)
Identify and Leverage New Opportunities
Has your campus become a hotbed for Pokémon™ GO!? Have you thought of how you might leverage Poke Stops where students congregate? Maybe set up a security awareness table. Hang posters at Poke Stops inside buildings. What about Snapchat? Snapchat filters are really popular. Did you know that Snapchat allows you to create custom geofilters? Why not create some security awareness-oriented filters and offer them at high-traffic times and locations?
Hire Students with the Right Skill Sets and Mindsets
One of the strengths of our security awareness program at RIT is that we hire technology-savvy students with strong communication skills. After a while, you'll probably find that well of inspiration you draw from has started to run dry. Student employees are a great source of innovative ideas and more importantly, they're students. They understand how students communicate and how best to get their attention. Give them the freedom to be creative.
Enroll Your Community
It's not really a secret, but we know as security professionals and IT organizations that we cannot secure our campuses without partnering with our user base. Have you thought about how you might enroll your users in your efforts? In fall 2015, we began our Digital Self-Defense Team program. The purpose of the program was twofold: we wanted to develop a sense of shared responsibility around information security, and we also wanted to begin measuring our successes with a survey. With small incentives for taking the survey, we had over 600 survey participants from a faculty/staff population of about 3,000. Almost half of the survey participants signed on to the Digital Self-Defense Team. That's a growing population of security advocates on campus.
Volunteer and Network
I've been a member of the Higher Education Information Security Council (HEISC) Awareness and Training Working Group for almost 10 years. The innovative ideas and helpfulness of the group to new members are without parallel. Participation in the working group ensures a steady flow of new ideas and solutions to problems faced by all of us. Each of us has ideas to share, and the working group has developed a number of security awareness resources available today.2 I invite you to join us.
- Learn more about phishing simulation programs and read these 10 key points about implementing a campaign.
- The HEISC Information Security Guide: Effective Practices and Solutions for Higher Education includes several resources developed by the Awareness and Training Working Group: a quick start guide, detailed instruction manual, cybersecurity awareness resource library, and National Cyber Security Awareness Month resource kit.
Ben Woelk, CISSP, is the program manager for the information security office at the Rochester Institute of Technology, where he has developed a leading information security awareness program. He is also adjunct faculty at RIT, teaching classroom and online courses in Computing Security Fundamentals and Technical Communication.
© 2016 Ben Woelk. This EDUCAUSE Review blog is licensed under Creative Commons BY-NC-SA 4.0.