A security awareness program that develops a well-rooted community is essential for helping colleges and universities withstand cyberattacks.
In the 1990s, Space Biosphere Ventures constructed Biosphere 2. The biosphere was occupied by a crew of researchers for a two-year period and was designed to investigate whether the researchers could be sustained only by food grown within the dome. The researchers grew many types of plants in their quest to develop a self-sustaining environment. One of the surprising results from their efforts was that as many of the trees grew, they became weak because they did not develop stress wood. A tree grows stress wood to strengthen its roots and structure in response to wind. Without wind, the trees did not grow strong roots.
Many writers have drawn analogies between the importance of trees having strong roots and the need for people to have strong roots in order to overcome adversity, or, conversely, the role of adversity (winds) in developing strength or roots. I thought it would be interesting to look at rootedness in the context of security awareness.
Building a Well-Rooted Culture
In many ways, effective security awareness has the same effect on developing rootedness in people that wind has on trees. Without steady winds, trees do not develop strong roots and topple in the first strong gust. Without the steady winds generated by an ongoing security awareness education program, our communities will not be able to withstand the gusts of cyberattacks. Security awareness programs must communicate regularly with their communities, not only about how to recognize and respond to specific cyberthreats but also about how to practice good cybersecurity every day.
Over the last 15 years, I've built a security awareness program at the Rochester Institute of Technology (RIT). I take the complexities of good cybersecurity practices and recast them for my audience, doing the work of a technical communicator: explaining complex concepts and making them relevant and actionable. A key goal for me has been building a culture of digital self-defense [1] to ensure our community is able to withstand cyberattacks and other online threats. In fact, "digital self-defense" is how the Information Security team has branded security awareness efforts at RIT.
To help our community members develop strong roots, we employ a programmatic approach to security awareness. It is not enough to communicate only about specific cyberattacks (gusts) as they occur. That is a reactive approach, and while we certainly leverage opportunities, those gusts would "topple" our communities if we did not help them develop roots. Good security practices must become habitual. Our end users must develop strong roots to face the adversity of cyberattacks.
Although it may help satisfy compliance requirements, annual security awareness training does not provide the steady winds necessary to help a community develop strong roots. An ongoing focus on only one type of threat (such as phishing) helps a community build roots and become resistant to threats from that direction, but it doesn't improve the community's ability to stand firm against other types of threats.
Developing a Strong Root System
Here are some recent and upcoming security awareness initiatives RIT is using to help its community develop strong roots.
- Topical calendar: Like many campuses, RIT Information Security schedules monthly or periodic communication and training on the wide variety of threats our communities face. For the last several years, the EDUCAUSE Higher Education Information Security Council (HEISC) Awareness and Training Community Group has worked to create annual security awareness campaigns, providing blog posts, social media posts, and additional resources that are easy for different universities and colleges to adopt. [2] RIT leverages selected topics to augment our monthly topical calendar.
- Social media: RIT Information Security maintains an active presence on Twitter, Facebook, Instagram, and Pinterest. Over the years, we have also dabbled in Snapchat and in shorter-duration initiatives such as Foursquare and Pokémon Go. RIT Information Security has an account on RIT's active Reddit community. We try to be where our community is.
- Self-phishing: Over the last year, the RIT Information Security team has conducted a self-phishing program with the assistance of a vendor. We found that our community is resistant to the types of phishing attacks (winds from certain directions) that we have built awareness around over the years. We are also learning where we need to provide reinforcement. Leveraging the perspective of Jessica Barker, we're careful to create a positive learning environment. [3] (We are caring for our "trees" rather than hitting them with an axe when we need to adjust how they are growing.)
- Security escape room: In the fall of 2019, we launched our information security escape room. Participants help free Ritchie (the RIT mascot) from the lair of Phishy before Phishy turns Ritchie into a tiger fish. Participants solve puzzles designed to help them understand how to create strong passwords and identify phishing attempts.
- Digital Self Defense Dojo: The Digital Self Defense (DSD) Dojo gamifies security awareness by providing the opportunity for participants to earn merit badges in specific desired security behaviors and practices. [4] As they earn badges, participants achieve different levels of belts, ranging from an orange belt to a tiger belt.
- Tiger Tech Talks: In conjunction with the RIT Libraries, the Information Security team provides an informal monthly talk and discussion about key security topics. We launched the series with discussions about recognizing phishing and business email compromise attacks and using password vaults.
The analogy of steady winds enabling trees to develop strong roots works for security awareness education. Rootedness is a good way to articulate the results and culture change we should expect from a consistent and proactive security awareness program. Leveraging the damage from gusts of cyberattacks to teach key concepts about security is important. However, the steady breeze and resulting strong roots will make the biggest difference in helping our communities withstand cyberattacks.
For more information about information security governance, compliance, data protection, and privacy programs, please visit the EDUCAUSE Review Security Matters blog as well as the Cybersecurity Program page. Access additional information security and data privacy resources through the Awareness Campaign page.
Notes
- [1] Ben Woelk, "Building a Culture of Digital Self Defense," Security Matters (blog), EDUCAUSE Review, September 20, 2016.
- [2] Valerie Vogel, "Security Awareness Made Simple: 2019 Security Awareness Campaign Materials," Security Matters (blog), EDUCAUSE Review, December 17, 2018.
- [3] Jessica Barker, "The Human Nature of Cybersecurity," EDUCAUSE Review, May 20, 2019.
- [4] Julianne Basinger, A Campus Culture of Cybersecurity (Washington, DC: The Chronicle of Higher Education, 2019).
Ben Woelk is Information Security Program Manager at the Rochester Institute of Technology, host of the Hope for the Introvert podcast, and President of the Society for Technical Communication.
© 2019 Ben Woelk. The text of this work is licensed under a Creative Commons BY-NC-ND 4.0 International License.