Stories from the Front Lines - Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats, First Edition (2014)


CHAPTER 14. Stories from the Front Lines

Bill Gardner Marshall University, Huntington, WV, USA

Abstract

Not every organization is the same. As a result, there are a wide variety of experiences when people start building their own information security awareness programs. In this chapter, we ask those in the trenches about their experience in building information security awareness programs in their own organizations.

Keywords

Stories; Questions; Answers

We asked information security professionals about their experience in building their own information security awareness programs and here is what they had to say.

Phil Grimes

Phil Grimes is a parent, a biker, and an information security professional with experience in providing security assessments and penetration testing services to organizations ranging from small businesses, financial institutions, eCommerce, telecommunications, manufacturing, education, and government agencies to international corporations. Phil started learning networking and Internet security as a hobby harassing AOL in 1996, developing his technical skill set independently until joining the professional security industry in 2009. After a change in his career trajectory in 2012, vulnerability research and exploit development became his main focus. Phil's experience in application security, penetration testing, mobile/smartphone security, and social engineering has proven successful in assessments for high-profile customers both domestically and around the globe. An accomplished speaker and presenter, Phil has spoken on a variety of topics at Notacon, at CUISPA conferences, and at the Central Ohio ISSA InfoSec Summit, in addition to other speaking appearances before a wide range of audiences.

Q: Thanks for taking part in this Q&A. Please tell us about yourself.

A: I'm an independent security researcher with a focus on vulnerability research and exploit development, mainly targeting Web applications and humans. I've been involved in the “hacking scene” since the mid-1990s and have always had a passion for breaking systems, whatever they might be. I broke into information security in 2009 but took a break in 2013 to resume my independent research work. I've spoken to technical and managerial audiences around the country on a wide variety of topics aimed at user awareness and education, as well as demonstrations of how various attacks are carried out.

Q: What constitutes an information security awareness program in your opinion?

A: In order for a security awareness plan to work, it has to engage the employees. There has to be some reason for the individual to “buy in” and this usually goes beyond work. Correlating security issues to the user's daily lives will put the risk into terms that they understand and help them to realize how all facets of our technical lives intertwine with many parts of our physical lives inadvertently. Encouraging the people to police themselves (and each other) and to reward those who speak out when things aren't right will help change the culture from one of complacent silence to one of engaged interaction.

Q: Why are social engineering and other nontechnical attacks so successful?

A: Humans are the weakest link in computing and business. Understanding that, attackers leverage devastating attacks on the human element within an organization by understanding psychology then using normal human behavior and societal norms to get people to do things that they shouldn't or wouldn't normally do. Combined with technical attacks, and an endless combination of the two, the organization finds itself fighting a constant uphill battle where they must be “right” every day to succeed and being “wrong” only once could cripple or destroy it completely.

Q: How do you get management buy-in for a program?

A: Here's the million-dollar question. The fact is that the only way to accomplish this is to show them the fallout that can/will result from NOT making progress in this arena. Security is always treated as the stepchild and isn't made a priority by the decision makers until after it's too late. Part of the awareness program has to be testing our users. Oftentimes, that has to be the first component and has to be leveraged before any plans are formalized because it provides metrics and allows tangible proof to be given to management in support of why we need to make this a priority.

Q: What are the biggest challenges to building an information security awareness program for organizations?

A: Getting management buy-in.

Q: Is budget an issue?

A: Yes, but it doesn't need to be. One hour, once or twice a quarter for meetings, and give the security team the ability to test the users, analyze the results, and correlate this data to what's presented at the meetings. There doesn't need to be a huge budget for this.

Q: What were the political obstacles that needed to be overcome?

A: This ties into the previous questions. Getting the buy-in from management and overcoming the budgetary objections lay the foundation for this. There is always the element of interpersonal relationships within the organization that must be considered. Politics is an ugly side effect of being in business and this must be considered when creating the security awareness plan.

Q: What metrics are useful for measuring the success of an information security awareness program?

A: We test our users by implementing various controlled attacks against them and get a dataset that allows us to gauge the various metrics that we'll use to tailor the awareness program. Things like “we sent 100 e-mails and 30 were opened, 18 clicked the malicious link inside, and 3 reported it as suspicious.” Being able to create situations that allow our security teams to formulate these statements will allow for the security awareness program to be targeted toward the relevant threat and allow us to create a program based around rational response.

Q: What failures and pitfalls did you encounter in information security awareness programs?

A: Lack of consistency, lack of metrics, lack of follow-through, lack of policy, lack of enforcement, lack of importance placed upon the program.

Q: What were the successes you encountered in information security awareness programs?

A: I've conducted user awareness sessions for a particular client for several years running and it's been really fulfilling to see familiar faces come up and recite something they've learned in my session or to have them engage me and/or each other during (and even after) my sessions to talk about how they've done things differently. It's been a great success to see them change their way of thinking.

Q: What is the best training cycle for a program?

A: I believe quarterly is adequate if the program is comprehensive. This keeps the material fresh in their heads and makes it something that's always on the back burner.

Q: What learning and teaching styles work the best?

A: I don't think this is something one person can answer. How I teach may not work for someone else. How I learn certainly wouldn't. In creating a program that is targeting a wide range of individuals, I've seen success with several schools of thought. Beat it into their heads over and over again, which is tedious and expensive. Make a “conference-style” day of it to allow for different sessions that employ different techniques so the people can experience different flavors and find what suits them. I've also seen several styles wrapped into one where the audience listened, spoke, read, and participated in various segments throughout the program. I believe getting feedback from the audience is important because the security awareness program must be a living, breathing, dynamic beast that constantly evolves to meet the needs of both the business and the individuals.

Q: What is your advice for others building their own programs?

A: Just do it. If you're already doing it, keep doing it. As long as we're trying, that's better than doing nothing. Be happy with baby steps but don't accept complacency.

Q: What is the advantage of building your own program over buying a prebuilt information security awareness program from a vendor?

A: There is no “silver bullet.” While there is a framework for this as with anything, the war is won and lost in the details. Using this framework is great but there is a lot of introspection that an organization must perform when using these frameworks to build a program. Anything less is simply lulling the organization into a false sense of security.

Q: Is there anything we haven't covered that you would like to add?

A: Building a security awareness program is vital to every organization. Your people are your best investment and can be more valuable than any IDS/IPS, any firewall, and any antivirus you can purchase. But like any security tool, they must be tested and tuned regularly.

Amanda Berlin

Amanda Berlin is a network analyst at a regional medical center in northern Ohio. She has recently changed focus to information security-related topics. She manages the internal phishing campaign at her company to promote user education about phishing and hacking through an award-based reporting program, as well as having other system administration-related and network administration-related responsibilities.

Q: Thanks for taking part in this Q&A. Please tell us about yourself.

A: My name is Amanda Berlin, and I work for a medium-size medical center in Ohio. I've been in IT for approximately 10 years and a part of the networking team in our organization for 4 years (since 2010). Our network team is in charge of the organization's infrastructure and security. I've always been interested in security and just recently have had the opportunity to become more active in the information security community and start on a path to becoming a penetration tester. I'm also the lead and major contributor of our information security awareness program called “Something Smells Phishy.” In this program, our users are subjected monthly to targeted phishing e-mails with malicious links or attachments.

Q: What constitutes an information security awareness program in your opinion?

A: One that works to reduce the likelihood of employees introducing threats into an environment. Only one click on a phishing e-mail can compromise your environment, and the weakest link is the human element. The program should slowly start at the basics, like not clicking on suspicious links/attachments in e-mails and learning what constitutes suspicious. Then, build up to things like pretexting, tailgating, USB drive drops, and more advanced techniques.

It should contain easy-to-read, concise content that will engage and entertain the audience, as well as a reward system to encourage the users to act upon the information they have learned. It needs to be encouraging to the users as well as memorable. No one wants to feel like you are talking down to them because they should have known better. It's our job to show them what they need to know to get by. Each occupation has its own specialty; we need to remember not to expect them to know the ins and outs of information security, just like we're not required to know the same about what they do every day. Positive reinforcement will go a long way in making what you say stick with them.

Having the ability to adapt and grow with the changes in your environment and with the advancements of the threat landscape when planned and executed properly can save a lot of time and headache.

Q: What was the reason for building your own program?

A: There were several reasons we made this decision. The first and most obvious was to increase our security posture through education. We knew that no training had been put in place before in our organization. Many of us had seen firsthand how little our employees knew about the best practices with anything security-related.

Another driving factor was that we thought it wouldn't be too difficult to do at a low cost. With the talent that we have on staff, we were willing to take a chance and see how much of an improvement we could make. We were approved for $1000 worth of prizes for our awards. This money was split up into different denomination gift cards to be used as prizes for users that would report phishing attempts. This amount when compared to already established security awareness programs is a huge cost savings.

Q: How did you get management buy-in for your program?

A: I am extremely lucky to have such security-conscious management. Our CEO is a former CIO, and the entire leadership team understands how important information security is. One major turning point was the result of our 2013 penetration test, where several employees were successfully phished, which resulted in the exploitation of our network. We were able to show them the low cost of what we believed would majorly improve our chances to mitigate these attacks.

Q: What was your biggest challenge to building an information security awareness program for your organization?

A: So far, there have been two major challenges. The most outward-facing would be the notification to the employees about the program. In my opinion, we didn't go far enough with spreading the word on what the point of the entire program was. This was the one area that was weak with management buy-in. I feel that we had the means to spread word of the program in several fashions and were denied the opportunity. Once several high-ranking individuals were successfully phished, more chances presented themselves, giving me access to reach more people by different media.

The second and more inward-facing issue is mining the data. We have over 2000 mailboxes on our Exchange server. While I've used PowerShell to strip out a list of accounts to target, having to manually merge that with the SET XML and keep track of that in a spreadsheet is not fun. My idea is to have a Python script with a MySQL backend to parse the data from the XML, pull in data live from Microsoft AD, and report.

Q: Was budget an issue?

A: Nope.

Q: What were the political obstacles that needed to be overcome?

A: We didn't have any major political obstacles. Of the few minor issues we had, one was some of the older employees felt like we were trying to get them in trouble. We had one notorious complainer let us know that she'd never trust our department again. I also sent out a phishing campaign that was a spoof of an Amazon receipt. It caused one of our employees to call Kohl's and cancel their credit card as well as call PayPal and start a fraud claim. As a measure of good faith, we gave that particular user a gift card as well.

Q: What metrics are useful for measuring the success of an information security awareness program?

A: We are using the difference in reporting over time of phishing e-mails, both legitimate ones from external sources and those from our internal campaigns. Before starting this campaign, we would rarely get reports of suspicious-looking e-mails, computer activity, or Web sites. We now get them daily and have been able to take reactionary and proactive steps to block and report e-mails that have made it through our spam filtering.

The metrics we are currently using are percentage of links clicked per campaign, percentage of user/pass given up per campaign, and percentage of reports monthly.

Q: What failures and pitfalls did you encounter in building an information security awareness program?

A: I think so far the only failures would be the lack of reach of the program details to our users as well as my personal failures when running campaigns. I personally liked hitting them with the element of surprise. I wanted to see what our level of exposure was without any prior warning or training. However, others thought that we might have been better off pounding the program into people's heads before running them. While a difference of opinion, I still think it's a pitfall.

As far as my personal failures go, in the beginning, I had a couple of occurrences where SET didn't do exactly what I had expected. This made me have to rerun the campaign quickly while people were trying to log in. I think I would have gotten higher numbers of clicks and log-ins if I had made sure to test more beforehand.

Q: What is the best training cycle for a program?

A:

1. Phish.

2. Educate—right after being phished and the entire user population (posters, e-mails, PowerPoint, videos, etc.).

3. Repeat—with a more advanced campaign. Make sure to include repeat offenders each time until they make a report.

It's my thought that the repetitive process of phishing to grab their attention, and then teaching them what they did wrong, is a great way to make the training stick. There's nothing like a mistake or getting your hand caught in the cookie jar to leave a lasting impression.

Q: What learning and teaching styles did you use for your program?

A: We set our program up to be able to grow with the speed at which our employees learned. Starting out slow, I used theHarvester.py to gather as many e-mail addresses for our organization from the Web as I could. This allowed us to attack the most likely candidates that someone without inside access would be able to discover. After that, I progressed to the most used mailboxes and then a random sampling of everyone. If a user clicked and gave up their password, they were automatically redirected to a PowerPoint slide on what phishing actually is, how it can hurt us, and what they can do to help.

We also have training modules created on a variety of topics to help users learn to be more secure. These modules are lumped in with our other required learning for the year as an employee, always with an emphasis on reporting suspicious behavior.

Q: What is the advantage of building your own program over buying a prebuilt information security awareness program from a vendor?

A: Overall, the cost and the ability to customize the program to easily fit your organization's needs.

Q: What were the successes you encountered in building an information security awareness program?

A: There was overwhelming positive feedback and encouragement from our employees. I had several people joke with me about it as well as asking questions and starting discussions about information security. I've had individual departments reach out to me to do some smaller training sessions.

Also, there has been a huge improvement in our employees' security knowledge and reporting skills. The number of reports of legitimate outside phishing attempts has skyrocketed. We went from a 36% successful internal phish rate down to 11% and then to 1%. While the first three months were all the same type of campaign, I still consider it a successful metric.

Q: What advice do you have for people who are currently building their own information security awareness programs?

A:

1. Plan everything out in as much detail as you can. It would be nice to have a good 6 months or even a year of ideas set aside if you plan on actively phishing users.

2. Know what you are trying to accomplish.

3. Try to identify potential pitfalls and make sure you have good responses.

4. If you have a help desk or several groups of people that will be contacted about your program, make sure that they project a unified view of the expectations of users as well as the positives of the entire process.

5. Make it into a game or contest. People love winning things, especially if they have a good chance at it. Make sure the game/contest rules are explicitly set beforehand as well.

Q: Is there anything we haven't covered that you would like to add?

A: For me, this project not only has been a lot of fun but also has been an amazing learning experience. For someone just starting to become active in the information security community, this was a great first step. Being on both the red and blue team side is a great place to be. You can figure out where your company's weaknesses are and then take active steps to mitigate them. I encourage everyone as a network or system administrator to take the steps to begin one of these programs in your company. No matter how big or how small, we all need to take steps at making businesses more secure.
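Both Phil Grimes's metrics answer (“we sent 100 e-mails and 30 were opened, 18 clicked ... and 3 reported”) and Amanda Berlin's answers on metrics and on re-targeting repeat offenders describe the same bookkeeping: per-campaign open, click, credential-submission and report rates, plus a list of users who failed and have not reported since. The script below is an added example, written for this edition of the page and not taken from either interviewee's program, the book, or the Social-Engineer Toolkit. It assumes a constructed CSV export with one row per user per campaign (the column names and the sample rows are invented for the example; SET's own XML is not parsed here), and that campaign identifiers sort chronologically.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (not real SET or mail-server output): one row per
# user per campaign. "outcome" is the furthest step the user reached and
# "reported" records whether they forwarded the mail to the security team.
SAMPLE_CSV = """campaign,user,outcome,reported
2014-01,alice,submitted,no
2014-01,bob,clicked,no
2014-01,carol,opened,no
2014-01,dave,delivered,yes
2014-01,erin,delivered,no
2014-02,alice,opened,yes
2014-02,bob,submitted,no
2014-02,carol,delivered,yes
2014-02,dave,delivered,yes
2014-02,erin,clicked,no
"""

# Each outcome implies the earlier ones: a submitted credential means the
# link was clicked and the mail was opened.
OUTCOME_RANK = {"delivered": 0, "opened": 1, "clicked": 2, "submitted": 3}


def parse_results(text):
    """Turn the CSV export into a list of per-user, per-campaign records."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rank = OUTCOME_RANK[row["outcome"].strip().lower()]
        rows.append({
            "campaign": row["campaign"],
            "user": row["user"],
            "opened": rank >= 1,
            "clicked": rank >= 2,
            "submitted": rank >= 3,
            "reported": row["reported"].strip().lower() == "yes",
        })
    return rows


def campaign_metrics(rows):
    """Counts and percentages per campaign: the numbers the interviewees
    quote to management (click rate, credentials given up, report rate)."""
    counts = defaultdict(lambda: {"sent": 0, "opened": 0, "clicked": 0,
                                  "submitted": 0, "reported": 0})
    for r in rows:
        c = counts[r["campaign"]]
        c["sent"] += 1
        for key in ("opened", "clicked", "submitted", "reported"):
            if r[key]:
                c[key] += 1
    metrics = {}
    for name, c in counts.items():
        sent = c["sent"]
        metrics[name] = dict(
            c,
            click_rate=round(100.0 * c["clicked"] / sent, 1),
            submit_rate=round(100.0 * c["submitted"] / sent, 1),
            report_rate=round(100.0 * c["reported"] / sent, 1),
        )
    return metrics


def repeat_offenders(rows):
    """Users who clicked (or submitted credentials) in some campaign and have
    not reported a phish in that campaign or any later one. These stay on the
    target list for the next campaign until they make a report."""
    history = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["campaign"]):
        history[r["user"]].append(r)
    offenders = set()
    for user, hist in history.items():
        fails = [i for i, r in enumerate(hist) if r["clicked"]]
        if not fails:
            continue
        # Only reports made at or after the most recent failure count.
        if not any(r["reported"] for r in hist[fails[-1]:]):
            offenders.add(user)
    return offenders


if __name__ == "__main__":
    records = parse_results(SAMPLE_CSV)
    for campaign, m in sorted(campaign_metrics(records).items()):
        print(f"{campaign}: sent={m['sent']} opened={m['opened']} "
              f"clicked={m['clicked']} ({m['click_rate']}%) "
              f"creds={m['submitted']} ({m['submit_rate']}%) "
              f"reported={m['reported']} ({m['report_rate']}%)")
    print("re-target next campaign:", sorted(repeat_offenders(records)))
```

The report rate is deliberately computed against everyone who received the mail, not only those who opened it, since a user who deletes a phish unread without telling anyone is still a gap in the program's coverage. Feeding the real per-campaign list (from PowerShell, AD, or a database) into `parse_results` is the only change needed to run this over production data.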

Jimmy Vo

Jimmy Vo is a security consultant in a firm based in southeast Michigan. Prior to being a security consultant, he was a security and systems analyst for an organization in the financial sector. His focuses are security monitoring and security assessments. He is an active member of OWASP Detroit and MiSec. Jimmy holds a master's degree from Boston University in Computer Information Systems.

Q: Thanks for taking part in this Q&A. Please tell us about yourself.

A: I'm currently working as a security consultant in a firm based in Michigan. My current role with security awareness, however, is the same as at my last job. At my prior job, I was the lone “security” guy, among many other roles, for a small company.

Q: What constitutes an information security awareness program in your opinion?

A: In my opinion, security awareness is just like a business function. It must support the company goals and deliver value. The value is getting coworkers to care about security and not look at it like an annoyance. A security awareness program can vary based on the organization but key components would include metrics that matter, delivering awareness material and evaluating effectiveness.

Q: What was the reason for building your own program?

A: There were two main reasons why I decided to build a security awareness program at my previous job:

(1) Spear phishing was becoming more and more used.

(2) Security awareness in my mind is building culture. I was trying to build a security program at the time, and the first part of it was to build a culture around security. A security awareness program addressed this.

Q: How did you get management buy-in for your program?

A: Management buy-in was very simple since I did not have to procure thousand-dollar appliances. It was a time investment, which I had a little to spare (or so I thought). The executive team took security very seriously due to the business they were in.

Q: What was your biggest challenge to building an information security awareness program for your organization?

A: The biggest challenge was being consistent. I was on a very small team responsible for many other functions in the business. It took time and planning to manage the program, and there were times where the time was not available. Prioritizing delivering projects versus focusing on security awareness was pretty simple. Delivering projects brought income; security awareness did not have a direct ROI. That was a huge challenge.

Q: Was budget an issue?

A: Budget was not an issue, it was just time.

Q: What were the political obstacles that needed to be overcome?

A: No political obstacles in getting the program started.

Q: What metrics are useful for measuring the success of an information security awareness program?

A: The only metric that was used was the numbers of phishing attempts reported. It didn't measure much; however, it was data.

Q: What failures and pitfalls did you encounter in building an information security awareness program?

A: The biggest pitfall/failure was the lack of experience in building a security awareness program. The other was related to the challenge of lack of time.

Q: What is the best training cycle for a program?

A: I think the training cycle is relative to your organization: My organization shows great disparity in generations and learning styles.

Q: What learning and teaching styles did you use for your program?

A: Since the awareness program was very young and I left the organization shortly after it was made, I used monthly newsletters with useful information.

Q: What is your advice for others building their own programs?

A: My advice would be to see it through and stick with it. If you don't have the time, make the time. Also remember some awareness is better than no awareness. It doesn't have to be a perfect program at first.

Q: What is the advantage of building your own program over buying a prebuilt information security awareness program from a vendor?

A: The advantage is cost savings. However, quality can suffer if you were in a position like I was. The lack of experience really affected the quality of the program.

Q: What were the successes you encountered in building an information security awareness program?

A: My coworkers found a lot of value in my newsletters. I approached security issues that my coworkers face every day at home: phishing (from fake banks), malware, passwords. The idea was if they care about these issues at home, it'll translate to the workplace.

Q: What advice do you have for people who are currently building their own information security awareness programs?

A: Just give it a shot. There are plenty of resources out there. There is a NIST document for security awareness. SANS has a great amount of content. Make sure you get continuous feedback and make the program fun. If it's boring, it's ineffective. If your program is ineffective, you're wasting everyone's time.

Security Researcher at a Large Information Security Company

This interviewee did not want his name attached to this interview because he works at a company that sells prebuilt information security awareness products.

Q: Thanks for taking part in this Q&A. Please tell us about yourself.

A: In a past life, I was the senior systems engineer for a managed IT services company and the head of security. I included secure architecture in the systems we designed and delivered and provided SAT courses.

Q: What constitutes an information security awareness program in your opinion?

A: It has to start from the top level of the organization. You have to have management and C level buy-in to build and establish a program. At the very basics, a security awareness program teaches the users what to look for and not to be tricked by hackers and persons of malicious intent. Once you have a program and you begin testing it, when you have users who do not fall for phishing campaigns or report attempts at trying to be socially engineered over the phone, you've succeeded. A true program also tests the upper levels of management and C levels to see if they will get through their title in the wind as the reason why they need access to certain data or will break company policy because “it's my company.”

Q: What was the reason for building your own program?

A: I established my own program out of need. At the company I worked at previously, we were desperate to have security in our daily lives. I saw the need and I filled it. By the end, everyone was on board, and as a company, we were able to provide much better services to our customers because we could assure them their data were safe with us because of XYZ reason.

Q: How did you get management buy-in for your program?

A: I showed management the need for a program. I did a simple audit of our infrastructure as well as our people and the policies that were in place. I showed how easily an attacker could get in and steal our secrets, and I showed how simple changes would make it that much harder for an attacker. Once I showed it at a low technical level, the program sold itself.

Q: What was your biggest challenge to building an information security awareness program for your organization?

A: Getting people to accept change. Change is hard. No one likes it and everyone seemingly does everything they can to resist it. I went with the approach of let's give this a try for two weeks. If it doesn't work for us, we'll revisit it. At the end of the two-week period, everyone was in sync and the old way was forgotten about.

Q: Was budget an issue?

A: No it was not. I found cost-affordable solutions that could be deployed.

Q: What were the political obstacles that needed to be overcome?

A: The resistance to change as I mentioned above is the biggest obstacle. Also, the thought of testing and the users not being aware they were being tested. No one wants to fail. It had to be made clear it was a test and the outcome would NOT have an impact on performance reviews.

Q: What metrics are useful for measuring the success of an information security awareness program?

A: An internal phishing campaign to users and social engineering attempts and then rating how many fell for it and how many didn't.

Q: What failures and pitfalls did you encounter in building an information security awareness program?

A: I would have had failures had I not consulted people of a like mind and sought guidance. Don't assume people know everything. No one knows everything.

Q: What learning and teaching styles did you use for your program?

A: I showed users how quickly as an attacker I could pull an e-mail list out of thin air using services like Maltego and theHarvester. Then how quickly I could clone their Web site and record credentials when they were entered using SET. It scared some people but it made everyone sit up and listen.

Q: What is your advice for others building their own programs?

A: Talk to other people who have done it. Seek advice and ask questions.

Q: What is the advantage of building your own program over buying a prebuilt information security awareness program from a vendor?

A: Because prebuilt isn't made for your company. They're not tailored and will not cover everything that you need to be successful.

Q: What were the successes you encountered in building an information security awareness program?

A: The successes came when users started to correctly identify malicious attempts by attackers. Instead of clicking on a link, they would report it and move on. That felt great.

Q: What advice do you have for people who are currently building their own information security awareness programs?

A: Don't quit. It takes a lot of effort but it's worth it.

Harry Regan

Mr. Harry Regan, CISSP, CISM, is a security, information technology, and operations professional with over 30 years of commercial, federal, and defense experience. He has functioned in executive, senior technical staff, and consulting engagements with assignments encompassing corporate and program management, computer and network operations, and executive-level consulting. Mr. Regan has extensive experience with physical security, as well as information security and privacy program development, threat and vulnerability assessments, technology countermeasures, supervisory control and data acquisition (SCADA) systems, building and industrial infrastructure protection, NERC critical infrastructure protection (NERC CIP), and regulatory compliance. Mr. Regan received a BA in Economics from Catholic University and an MS in Information Technology and Operations Research from American University.

Q: Thanks for taking part in this Q&A. Please tell us about yourself.

A: Between 2002 and 2008, I ran a small security consultancy focused on financial services, healthcare, and higher-education security issues. In 2004 and 2005, I was engaged to collaborate on a series of security awareness training modules for a state college system. There were three tiers of training—student, faculty/staff, and management.

Q: What constitutes an information security awareness program in your opinion?

A: A security awareness program needs to educate the attendees as to why they should be trained, provide guidance as to activities and behaviors that are dangerous, explain why those activities are dangerous, and provide examples of the ramifications of noncompliance, that is, personal or institutional harm, penalties, and liability.

Q: What was the reason for building your own program?

A: As with many college systems, the state had suffered a number of data breaches and was facing penalties under the Gramm–Leach–Bliley (GLBA) Act and other privacy legislation. The lack of adequate data protection and end-user education had reached the state Attorney General's attention, and a mandate to rectify the security programs in all state agencies was issued.

Q: How did you get management buy-in for your program?

A: In this case, it was easy—threats of loss of autonomy from the agency from the Attorney General's Office were the biggest business driver.

Q: What was your biggest challenge to building an information security awareness program for your organization?

A: Our biggest challenge was the balance of freedom versus openness. In academic environments, free expression of ideas, sharing of information, and openness in discussing conflicting ideas are emphasized. But the concept of a security program in general with rules and restrictions and controls runs against the grain with many of the stakeholders. The very idea of a formal security program—even though specifically called for under GLBA—was a point for rigorous debate, rather than being accepted as an operational necessity.

Q: Was budget an issue?

A: Yes. The Attorney General's Office took the position that the college system should already have had a mature security program in place—including a security awareness program—so this was an “unfunded mandate.”

Q: What were the political obstacles that needed to be overcome?

A: When we started building the program, we had to debate the legal team on whether we could or could not say something was a regulatory violation. We were constantly being accused of helping the Security Manager in empire building. The best weapon we had against that was periodic letters from the Attorney General's Office threatening to put state auditors in the system to oversee operations.

Q: What metrics are useful for measuring the success of an information security awareness program?

A: Using a learning management system as the training delivery mechanism and having quizzes embedded in the material allowed us to track both the completion metrics and the embedded training metrics—so over time, you could see improvements in understanding not only during the training but also at the end of training.

Q: What failures and pitfalls did you encounter in building an information security awareness program?

A: The student version was successfully implemented. The staff and management training got mired in pushback and political turmoil, the reasoning being phrased as a resource and priority problem: we don't have time to take this training—besides we are professionals and don't need this training, so it's a low priority that I take it—continued malware outbreaks and network breaches notwithstanding.

Q: What is the best training cycle for a program?

A: In my opinion, semiyearly is the best cycle. I believe that more frequent than that makes the program a chore to be dealt with rather than a beneficial refresher. But I also believe that the program needs to be revised and refreshed on a semiyearly cycle as well, so that people are not seeing the exact same material over and over. In programs like that, people just tune out at some point.

Q: What learning and teaching styles did you use for your program?

A: We used a situational approach:

■ Separate training by role—students, faculty/staff, and management received different trainings.

■ Story narrative—we used a series of vignettes with different characters demonstrating good and bad security behavior to punctuate points in the training.

■ Embedded quizzes—were used to test knowledge at points during the training and to capture the quiz results in addition to the final results.

Q: What is your advice for others building their own programs?

A: Don't plan security awareness as a once-and-done program. It has to be reviewed and renewed as technologies and threats change. It has to be germane to the audience as well—not a one-size-fits-all approach. Lastly, and probably the most difficult to achieve, it has to be engaging to the audience—having a series of slides simply preaching to the user is an approach that will fail.

Q: What is the advantage of building your own program over buying a prebuilt information security awareness program from a vendor?

A: Building your own allows a degree of customization most prebuilt programs can't touch. Also, if you build your program using a learning management platform (Moodle, DigitalChalk, etc.), you can use that same platform for other training and collaborative sessions as well.

Q: What were the successes you encountered in building an information security awareness program?

A: We had our best success with the student version and our worst time with the management version. The management tier seemed to be saying “Security education is important for my team—but I can't afford to take the time….”

Q: What advice do you have for people who are currently building their own information security awareness programs?

A: Don't assume your audience has any technical background. Even terms like Web, URL, and network may require some context for some users. Be conscious of your tone in the training—don't preach—don't dictate. Rather, inform and try to bring your audience along with you—this is much easier to say than to do. It is perfectly okay if the users are entertained while they are learning!

Q: Is there anything we haven't covered that you would like to add?

A: Remember, what you're putting together is a “system,” so you should go through requirements, design, development, and test phases. Having real users test the content and flow before general release is always a good idea—and be willing to accept criticism.

Tess Schrodinger

Tess Schrodinger has twenty years in law enforcement, investigation, forensics (bullets and blood, not 1s and 0s), and industrial security. She holds a bachelor's degree in sociology from George Mason University, a master's degree in security management, and a graduate certificate in Cyber Security Technology.

Q: Thanks for taking part in this Q&A. Please tell us about yourself.

A: Thanks for asking me to contribute!

When I was a little girl, there was a book I read about a girl who collected ways to defeat different dangerous situations that was similar to the popular The Worst-Case Scenario Survival Handbook that was published many years later. There was something about learning all these interesting tips and tricks and methods to defeat situations that threatened your life or security, and all these years later, I still enjoy learning about new threats and then ways to mitigate or neutralize them. So, to me, it is just as interesting to learn how to escape quicksand as it is to secure my laptop. And, I like to share what I have learned with others.

I have approximately 15+ years in forensics and security. I am one of those people that if I won the lottery, I would probably retire and “go to school” for forever (taking long breaks off to explore the world). I love to learn and I love to teach and share. I homeschool my daughter with the help of my retired parents and I have been a proponent of education and security awareness for almost my entire life.

Q: What constitutes an information security awareness program in your opinion?

A: In my opinion, an information security awareness program is truly robust if it is planned, is consistent, and targets a specific audience.

“Planned” means that it is not an occasional occurrence or an afterthought. A planned program will have a clearly stated objective, a defined focus, and a specific audience or set of audiences. Planned also means it's not a lethargic half-assed response to a mandatory contractual requirement that is so minimal that it barely meets the expectations at best or is just “going through the motions.”

“Consistent” means that it's not a one-time occurrence like an initial security brief that is long forgotten years later. There is repetition of material and testing of the staff to see if they are retaining or getting value from the program and then adjusting the approach accordingly to accommodate your assessment of the impact. I attended a course in how to create a security awareness program and one of the things that was echoed was that you have to tell someone something ten times for them to maybe register it once. I have always taken that advice to heart, so I don't just cover a topic once, I cover it multiple times but I keep it fresh by reiterating the same message but changing up the method of presentation.

A “specific audience” means that the materials and presentations are tailored to the audience. Thought is given to ensuring that their level of education, background, and current responsibilities are taken into account when the material is presented to them. “One size fits all” is better than nothing but it is not the optimal approach. When I sit down with my team composed of programmers and network specialists, I do not use the same presentation that I would with a group of administrative assistants. I may be conveying the same message but I need to speak in their language to their level and put the material in a context that makes it relevant to them so they do not tune me out.

Q: What was the reason for building your own program?

A: There is a contractual requirement in my world to provide a minimum level of security awareness and education. I would have done it anyway but I confess I have used the “mandated” aspect of things to “motivate” a few surly antieducation types to attend.

Q: How did you get management buy-in for your program?

A: My management understands the contractual requirement for a program and is relatively supportive of the program, but there have definitely been budgetary issues in the past few years that have affected the program.

What I have found over the years is that when you speak to leadership or management, you are often speaking to people who are not focused on security so much as they are focused on dollars. I think it is imperative to be able to translate the risk of neglecting to educate your users into a dollar amount and learn how to illustrate a solid return on investment (ROI) to them.

I once worked very closely with the general counsel of a firm. He was a very busy man and a very intelligent man, but most of the time, he did not see the value of educating our people. He was not against it but he was also not seeing that it was worth the effort. One day, I sat down with him and I laid a pair of handcuffs on the table. He looked at them with raised eyebrows and I explained that if we did what I was suggesting, there was a good chance he would not be on CNN wearing those any time soon. Suddenly that synapse fired and he saw the value. For him, it was not dollars that did it but a possible legal charge or arrest if he was negligent.

Management is going to come from different backgrounds and is sometimes motivated by different agendas, but I found that if you can communicate to them the value of educating the staff, they will get the message and they will support you. For years after that handcuff incident, my general counsel would introduce me to folks as “the woman that keeps me out of jail!”

Learn how the business mind thinks. Learn how to translate the value of educating staff into a language they will understand, not just when educating them but when soliciting buy-in from leadership to support and fund your security awareness efforts.

Q: What was your biggest challenge to building an information security awareness program for your organization?

A: I have a wide range of staff I have to educate. They range from janitorial staff to highly technical engineer types. I learned early on that I had to tailor my approach. Getting the basics across to an on-site vendor that barely speaks English is going to be different than delivering the same message to a very busy engineer who already feels like they know everything and can't be bothered to waste time listening to what I have to say.

I have also found that security can be especially dry and boring to many who don't live in our world. Users often fail to see how they can be targeted and they are often ignorant as to the threats that are around them or the vulnerabilities they can pose through their own actions. Security is also often inconvenient or out of their normal pattern of behavior, so it's a change they are being asked to make that can be mentally or physically uncomfortable to many. Couple that with the incredible speed at which new threats and attack vectors occur, and it's enough to make some people throw up their hands and give up. When it comes to technology-related security, I have heard many people state that they just can't keep up and don't have the slightest idea of how to even begin to start or keep up once they have, so they decide to just do nothing.

Q: Was budget an issue?

A: I am fortunate enough to have a small budget but it has definitely been slashed, and to be honest, I often supplement with my own money because I feel it is important and I have seen enough of a return on investment that I don't feel bad about contributing. I will often purchase treats or pick up a little prize to give away to those who attend my briefings. I got a Starbucks card or, last year, I got those little mini books with the Spy versus Spy figurines for $8 and gave one of those away at each of my monthly briefings. I once calculated that it's worth the $8 to me personally to not have to stay overnight or on a weekend to clean up a mess they've made because they didn't know any better.

Q: What were the political obstacles that needed to be overcome?

A: Dealing with the group that handles all of the organization's communications has been the most frustrating. I have had occasions where I have put together an entire series of e-mail messages to be used for a year for my team and I have had that group come back and have me change the shade of green in the banner. While I do understand some of the changes that need to be made from a 508 compliance perspective (something I have learned a lot about recently), many of the changes they demand have no rhyme or reason to them and it can be incredibly frustrating to continuously have to rework education materials with numerous small changes over and over again.

Many years ago, I proposed an active shooter briefing that I was forbidden to do because “it might be scary” to the staff. I rather thought it would be a heck of a lot scarier to be trapped in our facility with an active shooter and not know what to do but they ignored me. It gets frustrating sometimes when a group of people that have nothing to do with security and know absolutely nothing about security suddenly decide they want to tinker with your content or forbid it outright. But, I have learned ways to be flexible and ways to get my message across that do not involve formal approval by a group of red pencil-wielding people who have nothing better to do than to nitpick my font choice and color selections or try to sanitize everything to the point where it can't possibly offend anyone. There are times when I do have to deal with them and get formal approvals so I try to work within what I have learned their parameters are but I do my best to avoid it if at all possible.

Q: What metrics are useful for measuring the success of an information security awareness program?

A: In my opinion, employee reporting is one of the biggest metrics I use to measure the success of my program. When I first took over my sites, there was pretty much no reporting of any types of suspicious behavior or questions around security concerns. Several years later, I can hold up binders full of reports from my staff of suspicious behavior reporting and personal reporting and several binders of suspicious e-mails forwarded to me.

I think the moment I realized I was making an impact and people were listening was when the head of our IT department had sent out an e-mail to the entire organization to do something and almost 100% of my staff refused to do it until I confirmed that his e-mail was legitimate and it was not a “trick.” Just one week before that, I had told them about how it was possible for people to hack the e-mail accounts of a senior leader or send e-mails that look like they come from important internal departments. I actually had a project manager tell his entire team to hold until he had cleared it with me. While this was incredibly annoying to have to deal with several hundred frantic and worried phone calls and e-mails over the next 24 hours, it was also pretty awesome to see how many people had paid attention and forwarded his e-mail to me with words to the effect of, “I remember that stuff you told us and I am not going to do this unless YOU say it's okay!”

Another time, I had sent an e-mail to one of my staff requesting some information I needed. I had just recently done a briefing on social engineering and part of me wondered if they would even question it, but so often you feel like no one is listening to you so I didn't think much of it. I had to smile when they replied with a “test” saying they'd be happy to get that information to me but they wanted to make sure I was who I said I was, so would I please tell them my son's name. I don't have a son, I have a daughter, so I smiled and replied to them with the correct information and ALSO corrected another comment they had made about my boyfriend who was overseas at the time, as they knew where he was but had deliberately asked how he was enjoying his stay in a completely different country. They apologized for “questioning” me, as many senior leadership types often get angry if challenged or questioned, but I praised the fact they paid attention and stopped to question my request. I have had many more instances like this and I feel that reporting metric is what truly shows how effective my program has been.

Q: What failures and pitfalls did you encounter in building an information security awareness program?

A: After knocking the wood of the desk I am sitting at, I can say with pride that I have not really had any failures in building my programs. I did almost have a hurricane take out one of my events one year but we managed to skirt it. Pitfalls, again, would be dealing with people who feel they should have some role in approving my material when they don't understand it and seem determined to justify their own jobs by insisting on a series of edits or changes or feel that the material is too scary or potentially offensive to present to staff. By potentially offensive, I am referring to their constant need to sanitize every aspect of an item. I once, and I am not kidding, reformatted an entire series of e-mail communications to accommodate their request that they all be in Arial instead of Times New Roman. I made all the changes (due to the formatting, it wasn't a quick highlight and change) and thought I was done. It took them two and a half weeks to come back and insist I change the Arial font from 11 point to 10 point. That's when I had to take one of my infamous “time-outs” and go to Starbucks so I wouldn't make inappropriate comments in a work environment.

Q: What is the best training cycle for a program?

A: My personal training cycle consists of the following:

1. An initial security briefing before they start work. This is usually done during the first week but sometimes I will be flexible and coordinate with them to accommodate special projects they are on. I have briefed staff in hotel lobbies, cars, bars, and other places. I keep a copy of my initial briefing (it does not contain any sensitive or proprietary data) on my iPad and I make sure I work closely with my project managers to ensure everyone gets briefed in a timely manner and their first brief is in-depth and thorough.

2. A monthly theme that I put out a small presentation on. Most of my folks are incredibly busy and do not have much spare time to read or review volumes of material. I will use custom-made graphics as e-mail signatures that link to my internal network site where they can look at current and past materials. I will e-mail the presentation to those who are off-site or working in a remote location. Once a year, I will have a security refresher briefing for all staff to remind them of their responsibilities, update them on any new threats or vectors of concern, and educate them on any new regulations or requirements they need to be aware of or that are coming down the pike.

3. A yearly theme/topic that I usually gear a series of monthly brown bags around. If you only offer one briefing on a topic once a year, then you only get the people that can make that one briefing. Instead, I will select a Friday each month and offer a brief at lunch time that people can attend. This way, instead of them only having one opportunity a year to make the briefing, they will have twelve opportunities.

4. A yearly one-time large security awareness day event. I will typically bring in several speakers and arrange to serve lunch. I try to make sure the presenters are entertaining and interesting and on subjects that will be of interest. There exists a wealth of resources who would be happy to come in and speak to your people; all you have to do is ask.

5. Special one-off briefings that address specific current concerns or threats that have evolved or presented themselves.

Q: What learning and teaching styles did you use for your program?

A: I try to keep my security education fun and interesting. I have movie posters from various genres having to do with security hanging in my office. Decoration? Sure. But they also prompt conversation. If you get someone talking about something that interests them, you can often slide security into the discussion in a relevant way that has context and then it's interesting and they are really listening because they are talking about something they enjoy not struggling to stay awake while you drone on in front of a conference room. I can slip security into a conversation on anything from Star Trek to James Bond to Doctor Who.

I also keep books and different cartoons in my office to try and make those anchor connections with people. They can't help but scan my bookshelf when they come in, and usually, there is a title that catches their eye and prompts a question or suggestion from them. I have over 400 people I am responsible for educating and I know who my runners are, I know who my foodies are, and I know which ones are Trekkies and which prefer Star Wars. I know who my former military officers are and my LEOs (law enforcement officers). As I learn more about my staff or their likes and dislikes, I try to tailor my training to them. An example would be the recent March Madness. No offense, but I am not at all into basketball. My office, however, was very excited about it. I came up with the idea of March Security Madness and did an entire basketball theme around it to include a suspicious behavior reporting bracket for them to hang in their cubes.

Posters are a great tool and I use those around my different facilities, making sure to change them out periodically so they don't get boring. There are a number of free poster sources online and you can also browse a Google image search of “security education posters” and make your own using ideas you find there. I'll often see a poster idea and then customize it to work for my site or topic.

Many of my folks are super busy so I try to keep my education short and sweet other than the initial brief when I have them hostage for an hour or during my annual awareness event when I can fit in a few blocks of longer briefings or presentations.

I try to keep things “sexy.” Humor goes a long way but try and keep it in good taste so you don't end up having issues with HR for offending people. I find puns and things that are relatively safe for the elementary school-age level are usually pretty safe for the workplace.

I try to be respectful during religious holidays by going with a seasonal theme such as “winter” or “spring” and staying away from “Christmas” or “Easter.” Big bright catchy colors go a long way and cartoons and visuals can often convey an entire page of bullet points in a much more entertaining way. Think of things that go hand in hand with that season. For example, I once did a TRASHINT piece around the Christmas holidays and pointed out what nosy folks could learn about them from the boxes they threw away after presents were opened. I had actually prepared for that the year before by taking photos in my neighborhood of people's trash at the curb and then posting photos and asking, “Which house would YOU rob?” or “Who has which laptop or router or game system?”

I keep a large bulletin board in each facility that is devoted to security awareness education. I will sit down each New Year and pick twelve topics I want to cover that year and figure out a theme to tie to each. I will create an e-mail signature that ties into that topic and then post a printout of a small short deck I created on the bulletin board. It's usually only nine slides because that's what I can fit on my board, three across and three down. Sometimes, I will go by the party store and get rolls of wrapping paper or those inexpensive cardboard cutouts to spiff the board up or catch everyone's attention. If you are thinking to yourself that this sounds suspiciously like those bulletin boards they had in each classroom in elementary school, you would be CORRECT! That is, the idea only geared toward a more adult audience!

Once I have posted the boards, I will then upload the PowerPoint presentation to my internal security site on our firm's intranet and link the signature picture in my e-mail to it. This way, the folks I have that work remotely or on-site in distant states still get exposed to the material.

Once each year, I will host a security awareness day and I will bring in speakers and internal vendors to talk to my staff. It can be difficult to command an audience at a voluntary event like that, but I have found providing food helps, whether it's popcorn or cupcakes or, when I get the occasional approval for budget, I will provide lunch. I try to bring in those I have heard speak before and who have an interesting message. It doesn't always even have to do specifically with security, but if I know my folks are really interested in something, I will try to bring someone in for that topic. One year, I managed to arrange to bring in a polygraph examiner from a local agency and he spent almost two hours explaining the process and equipment in detail and then hooked various people up and taught the entire audience how to read the results along with him. It was absolutely standing room only, but many people came to the briefing prior to that or stayed for the one after that, so it was not necessarily a topic I needed to provide education on but one I knew they would be interested in.

I also make an effort to invite other security professionals to my big event. I will go through the building to each business and speak to their security person or department and then invite them to come. When they are there, I make sure to introduce them to the contacts I have and help them form new relationships to strengthen their security programs as well.

Many federal and local agencies have public or business liaisons that will come speak for free as it's part of their job to reach out and do things like that. I am a certified antiterrorism officer levels I and II and can brief on that topic, but to all my staff, I'm just “Tess” and it's not very exciting. BUT if I bring in a man with a gun and a badge who is from somewhere else, suddenly, it's like I have brought in a rock star to dazzle them with exciting information and stories! We could present the exact same material but it's different when I bring in a stranger to do it. I take advantage of that and use it to build excitement in the staff to attend the talk.

Q: What is your advice for others building their own programs?

A: Marketing. You have to market yourself and your program not only to the staff you are trying to educate but also to the leadership you are trying to get support and money from. Take some time to learn how marketers use colors or themes or ideas to capture attention and communicate messages. Don't expect your people to read something just because you told them to. Make them WANT to read it.

Be creative and interesting. Think about how you like to learn. Would you rather have me drone on and on and on about why it's important we wear our badges and report unescorted strangers or would you rather have me post a few posters and then reward those who “capture” unbadged strangers in our space and turn them in with gift cards to Starbucks or giant candy bars? (Yes, I have done both of these.)

Be approachable. I have found over the years that many people in security treat users like idiots and they can feel that vibe either consciously or subconsciously. Being someone they can talk to means they will also be more likely to listen to you. Remember that this is not their job and they are not educated like you. It may seem like a total no-brainer to you to lock your computer when you get up to use the restroom, but put yourself in the shoes of an older administrative assistant who is still a bit overwhelmed by Facebook (like my mom) and something that simple doesn't even occur to them. Many people are pretty decent folks at heart and don't think like an adversary or bad guy, so it's just foreign to them to think someone will steal from them or use their systems to do bad things. There is no need to terrify them into submission but this is something you have to keep in mind as you are educating them on how to keep themselves and the enterprise safe. Don't just tell them what to do, tell them WHY to do it and what could happen if they don't. Then, reinforce that with stories and case studies to make it REAL to them and not just “stuff that happens in those James Bond picture shows.”

Reward them! Yes. Reward them. When they do good, give them a pat on the back. HAVE their back when necessary. I recently had a young woman who was very new to my organization challenge an old grizzled senior that tried to piggyback into the facility with her when he forgot his badge one day. He yelled at her for questioning who he was and really gave her a hard time. Her boss asked me to say something and I did. I made sure to send an e-mail out to the entire site praising her questioning a stranger trying to access our site and that she had done the right thing. I then had a talk with the man who yelled at her and he ended up apologizing to her for his behavior.

Another time, I had a receptionist come to me with a concern around someone trying to access one of my server rooms. To begin with, I was rather stunned she even registered that this was odd but to tie it to the fact it was the server room really amazed me. I checked it out and it was indeed… something to be interested in. I was so proud of her that I sent out an e-mail to the entire team and her boss and praised her for catching what she did. I asked some of the senior leadership to personally stop by her desk and thank her and make an appreciative comment to her and I also nominated her for a small internal award. She told me later that I made her feel like a super star but that it also reinforced her desire to want to do a good job and do what was good for the team. Adults, like children, often react better to positive reinforcement than negative punishment so I encourage you to recognize your folks, whether it's an e-mail to the team, a formal letter to their boss, nominating them for an award, or just simply going to their office and saying, “Thank YOU.”

Q: What is the advantage of building your own program over buying a prebuilt information security awareness program from a vendor?

A: This is a hard question for me to answer because I have never purchased a prebuilt security awareness program from a vendor so I really can't make that sort of comparison. Instead, I will say that the reasons I do NOT purchase a security awareness program from a vendor are as follows:

1. Cost. I don't mind buying a $20 Starbucks card to give away to one lucky user who comes to my briefing but I don't have the budget to purchase a formal prebuilt education product and I am not going to pay out of my own pocket.

2. It's a one-size-fits-all solution that I'd have to tailor anyway OR pay extra to have tailored.

3. You are stuck with what they give you and if you don't like it, that's it.

4. I have skills and resources to create my own for virtually no cost.

If the decision is between buying a prebuilt product and not having any security education at all, by all means, BUY IT! But if you have the skills and some creativity and enjoy teaching others, I don't see any distinct disadvantage of doing it yourself.

Q: What were the successes you encountered in building an information security awareness program?

A: My biggest successes have been seeing a tremendous increase in people coming to me with concerns, questions, or requesting guidance.

Q: What advice do you have for people who are currently building their own information security awareness programs?

A: Respect your audience. Understand what they do and do not know and solicit their feedback. Don't speak down to them or be condescending. Try to keep things short enough to respect their time yet comprehensive enough to get the message across. Keep in mind that while this is your job to educate them, they might not recognize that it is also their job to learn from you. I find that if you make things fun or interesting, it engages them more and makes them want to listen and make that connection. Don't make security another chore, make it something they want to do or, at the very least, don't “hate” to do. Obviously, you will always have that one person that hates everything but I have found this works pretty well in general.

Q: Is there anything we haven't covered that you would like to add?

A: Something that is very big in my world is sharing. Some of us are good at coming up with ideas or materials and others truly struggle with it. One of the things I have noted is that so many folks in this community are more than happy to share their materials with you. If you are one of those who are good at it, then I encourage you to share if you are able to. While I have respect for those who are trying to make a living off of selling security awareness materials, not every security program has the luxury of that kind of cost. And some programs don't even have budgets at all. Reach out to the security community and you will find they are usually fairly happy to share resources and materials with you.

Security Analyst at a Network Security Company

This interviewee wished to remain anonymous due to his work in the defense industry.

Q: What constitutes an information security awareness program in your opinion?

A: An InfoSec awareness program is all encompassing of an organization's information. It covers much more than just computer security. It covers how employees deal with the information that they have in their brain about the organization and information they provide or are given about the organization in the course of their normal duties within the organization. This covers not only anything from computers to telephones but also such mundane things as discussing an organization's information in a public place such as a restaurant.

Q: What was the reason for building your own program?

A: In the course of my employment within different Department of Defense (DOD) organizations such as the Department of Defense Dependents Schools (DoDDS), Defense Logistics Agency (DLA), or US Army, information security awareness was an ongoing effort. While DOD has an overall awareness program, it is always best to customize and target different types of personnel with different levels of awareness. The awareness that a system administrator, an executive assistant to the General Officer, a school principal, or a K–12 teacher need to have is vastly different.

Within DOD, there are also operations security (OPSEC) and counterintelligence (CI) awareness programs. In many aspects, these programs overlap because obtaining information that employees know or have access to is what the opposition is attempting to do.

Q: How did you get management buy-in for your program?

A: Since it was a mandated training for all of DOD, there was no need to get buy-in from management. The most difficult part was tracking the percentage of employees who had fulfilled their annual requirement for training. Even with an automated system to track these numbers, the percentages fluctuated with employees being hired, retiring, or leaving the organization to work elsewhere. It was hard to get management to accept that these numbers would fluctuate and that achieving 100% in a large organization that is always in flux was not going to happen on a certain date.

Q: What was your biggest challenge to building an information security awareness program for your organization?

A: Conveying to employees that this training was necessary and tracking the percentage of employees who had taken their training for management reporting. It took a long time for people to understand the necessity of such training, but as real-world examples could be shown, people understood the requirement for the training.

Q: Was budget an issue?

A: No, budget was not an issue because the mandate for the training applied to all of DOD.

Q: What were the political obstacles that needed to be overcome?

A: The biggest political obstacle was the syndrome of “another annual training requirement” that was expressed by both employees and management.

Q: What metrics are useful for measuring the success of an information security awareness program?

A: The number of employees who had completed their training requirement. Ongoing random testing by an organization is also very useful: having a team perform phishing, telephone-based social engineering, or attempted physical access tests whether employees have absorbed and are actually applying the information that is conveyed during the training. Success is tracking these metrics over several years and showing an improving trend. As with auto accidents, they will happen; the goal is to have an ongoing downward trend.
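The two metrics described in this interview, a completion percentage that shifts with hires and departures and a multi-year phishing-test trend, can be computed from a roster snapshot and yearly test results. The block below is an added example, not material from the book or the interviewee; every name, date and count in it is constructed sample data.

```python
"""Awareness-program metrics: completion rate against a changing roster and
the multi-year trend of simulated-phishing click rates.
Added example with constructed data; not figures from the interview."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Employee:
    name: str
    hired: date
    left: Optional[date]            # None while still employed
    last_completed: Optional[date]  # last awareness-training completion, None if never


# Constructed roster: hires, a departure and completions spread across a year.
ROSTER = [
    Employee("alice", date(2012, 3, 1), None, date(2013, 5, 10)),
    Employee("bob", date(2010, 6, 15), None, date(2012, 4, 2)),            # overdue
    Employee("carol", date(2013, 9, 20), None, None),                      # new hire
    Employee("dave", date(2009, 1, 5), date(2013, 8, 1), date(2013, 2, 1)),  # departed
    Employee("erin", date(2011, 11, 11), None, date(2012, 8, 15)),         # expires mid-year
]

# Constructed annual phishing exercises: (year, e-mails sent, clicked, reported)
PHISHING_TESTS = [(2010, 200, 58, 12), (2011, 220, 44, 30),
                  (2012, 250, 35, 61), (2013, 260, 29, 88)]


def compliance(roster, as_of, cycle_days=365, grace_days=30):
    """Return (compliant, in_scope, percent) for a snapshot date (ISO string).

    Departed staff leave the denominator; new hires inside the grace period
    are in scope but not yet due, so the percentage moves with every hire,
    departure and 1-year expiry, which is why a fixed 100% date is unrealistic.
    """
    snap = date.fromisoformat(as_of)
    in_scope = [e for e in roster
                if e.hired <= snap and (e.left is None or e.left > snap)]
    compliant = 0
    for e in in_scope:
        in_grace = (snap - e.hired).days <= grace_days
        current = (e.last_completed is not None
                   and (snap - e.last_completed).days <= cycle_days)
        if in_grace or current:
            compliant += 1
    pct = round(100.0 * compliant / len(in_scope), 1) if in_scope else 0.0
    return compliant, len(in_scope), pct


def click_rates(tests):
    """Per-year click rate in percent, rounded to one decimal."""
    return [(year, round(100.0 * clicked / sent, 1))
            for year, sent, clicked, _reported in tests]


def trend_slope(points):
    """Least-squares slope of rate over year; negative means a falling rate."""
    n = len(points)
    mean_x = sum(x for x, _ in points) / n
    mean_y = sum(y for _, y in points) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in points)
    den = sum((x - mean_x) ** 2 for x, _ in points)
    return num / den


if __name__ == "__main__":
    for snap in ("2013-07-01", "2013-10-01"):
        print(snap, compliance(ROSTER, snap))        # same people, different percentage
    rates = click_rates(PHISHING_TESTS)
    print(rates, "improving" if trend_slope(rates) < 0 else "not improving")
```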

Q: What failures and pitfalls did you encounter in building an information security awareness program?

A: Even though employees received awareness training about phishing, many still fell victim to them and gave up log-in credentials. I believe that awareness training is something that you must do and that not having a security awareness program makes the situation worse by admitting defeat. Looking at this from another perspective, what if the program prevents several attempts targeted at personnel that could have resulted in large or catastrophic compromise of information? You may never find out about that success since the program was effective in that instance.

Q: What is the best training cycle for a program?

A: The training is required on an annual basis. Since DOD employees must also take training that overlaps with similar topics and content, the training was required to be done within 1 year. This was automatically scheduled within the online learning management system. Employees were notified via e-mail when the training was due. Some employees took the training right away once they were notified that it was added to their learning plan; others waited until they received their 30-day notice. Once an employee took the training, it was automatically scheduled again with a due date 1 year from the last completion date.

Q: What learning and teaching styles did you use for your program?

A: Due to the volume of employees, the training was provided via computer-based training. The training materials changed each year and were uniform across all of DOD. Other portions of the security awareness program are always performed via in-person instructor-led sessions, such as the CI awareness training.

Q: What is your advice for others building their own programs?

A: Be creative! The program needs to go beyond just another annual training requirement. This includes everything from awareness posters hanging in common areas to coffee shop $5 gift cards for answering a question during an instructor-led training session. You are essentially marketing or selling this information to the intended audience; if you can't gain their attention, you won't accomplish much.

Q: What is the advantage of building your own program over buying a prebuilt information security awareness program from a vendor?

A: Customization! While you can supplement a prebuilt program with additional materials, the information may not be exactly what your organization needs if using a prebuilt program. It may be best to start out with a prebuilt program to get your awareness program off the ground and then tailor it specifically to your organization by doing your own organic materials in the future.

Q: What were the successes you encountered in building an information security awareness program?

A: After people experience that the awareness training can apply both to their personal information and to the organization's information, they see the positive aspect of having to take the training. One employee commented to me that a stranger approached him to borrow his BlackBerry to make a phone call while waiting at a bus stop. The employee declined because something didn't feel right and that was confirmed when the stranger pulled out his own phone to make a call several minutes later.

The greatest success I experienced was making a video about the threat that 802.11 wireless presents to organizations. This was while I was part of the Regional Computer Emergency Response Team (RCERT)–Europe in Mannheim, Germany. We made the video using a van parked in a Walmart parking lot with a large antenna aimed several hundred feet away at an office building just inside the perimeter fence of the Army installation. The video showed us wardriving at first, detecting the access point, and then parking to exploit a server via the wireless network.

The video was memorable and stuck in people's heads because in addition to the humans, we placed 4 ft inflatable aliens within the video. One rode shotgun in the passenger seat of the van, one stood by the antenna in the parking lot, and another looked on as the server was exploited. While this video was intended for US Army personnel in Europe, it made the rounds all over Army installations worldwide. It was even adopted by the Army Signal School at Fort Gordon. Even though the video was totally staged and no Army network was ever in any danger, the association of the aliens with the danger of wireless stuck in people's minds. The video was made in 2002, and years later, people still asked about the video once they knew I worked at the RCERT–Europe. Plus, now it is in this survey too!

Q: What advice do you have for people who are currently building their own information security awareness programs?

A: Be creative! The program needs to go beyond just another annual training requirement. You are essentially marketing or selling this program to the intended audience; if you can't gain their attention, you won't accomplish much. If your organization has a sales department, use the talent within that department to come up with a marketing strategy. If you have public relations personnel, ask them for advice on how to best reach your audience. Remember that many people won't remember much of the Super Bowl game each year other than a few highlights of the game and those 30-second commercials—your program needs to have a few key nuggets of InfoSec that people will remember!

Q: Is there anything we haven't covered that you would like to add?

A: Nope.

Ernie Hayden

Ernie is a highly experienced and seasoned technical consultant, author, speaker, strategist, and thought leader with extensive experience in the power utility industry, critical infrastructure protection/information security domain, industrial control system, cybercrime, and cyberwarfare areas. His primary emphasis is on project and business development involving cyber and physical security of industrial controls, smart grid, energy supply, and oil/gas/electric systems and facilities with special expertise on industrial controls and NERC critical infrastructure protection (NERC CIP) standards. Hayden has held roles as Global Managing Principal–Critical Infrastructure/Industrial Controls Security at Verizon, held information security officer/manager positions at the Port of Seattle, Group Health Cooperative (Seattle), ALSTOM ESCA and Seattle City Light. In 2012, Ernie was named a “Smart Grid Pioneer” by SmartGridToday and published an article on Microgrid security in Jesse Berst's SmartGridNews. Ernie is a frequent author of blogs, opinion pieces, and white papers. He has been cited in the Financial Times, Boston Globe, EnergyBiz Magazine, and Puget Sound Business Journal. Many of his articles have been posted to such forums as Energy Central, Public Utilities Fortnightly “SPARK,” and his own blog on infrastructure security. He is an invited columnist for the “Ask the Experts” discussions on www.searchsecurity.com and he published an article regarding electric grid security versus compliance in Public Utilities Fortnightly magazine. Other thought-leadership articles have included a chapter on “Cybercrime's Impact on Information Security,” in the Oxford University Press Cybercrime and Security Legal Series, and several articles in Information Security Magazine, including his original research on data life cycle security and an article on data breaches in the same publication. Ernie is a very active contributor in global security forums. His past includes membership in the Cloud Security Alliance where he was the leader for the Information Lifecycle Domain in the Cloud Security Guidelines document Version 2. He has also been an instructor, curriculum developer, and advisor for the University of Washington Information System Security Certificate program in Seattle.

Q: What constitutes an information security awareness program in your opinion?

A: The key point for an information security awareness program is to get the regular employee to be your first line of defense for the information security program. In other words, they need to be aware that their actions (or inactions) can lead to breaches of data and the security of the company. Hence, they need to understand that their role is the everyday eyes and ears for the company's security.

Q: What was the reason for building your own program?

A: I have held the equivalent of four CISO positions—each one was the first true information security manager for each of the companies. Hence, the security program I needed to enact was truly a start-up for each company. One area that I included in each of the companies was a security awareness program of one sort or another.

My reason for this was as noted above—I view each employee to be the first line of the company's defense for InfoSec. Hence, they need to understand their roles and they need to understand what to do if they see a problem that could be indicative of an InfoSec issue in progress.

Q: How did you get management buy-in for your program?

A: The management buy-in was relatively easy since the management wanted a security awareness program anyway. The management caused some challenges when they were concerned that InfoSec became a “police function,” and then in one company, the management was very strong in stopping the program until it was modified (e.g., putting notes on chairs if an unattended desktop was unlocked was viewed as being too much a “police function” and needed to stop).

Q: What was your biggest challenge to building an information security awareness program for your organization?

A: The biggest challenge is time: the time it took to develop the program, the time it took to develop the presentations, etc. That was the biggest issue since all four security awareness programs were built along the concept of “guerrilla marketing”—basically quick, cheap, and effective. This detracted from me doing my other roles.

Q: Was budget an issue?

A: Budget was an issue—there were no funds for a “formal” security awareness program. But I could get some funds for small things like simple handouts and posters, designed and made by me. But, purchasing any security awareness products on the outside was not allowed for the programs due to the lack of funds.

Q: What were the political obstacles that needed to be overcome?

A: The first one at one company was the management's view that InfoSec was and could be a “police function” and they were very worried that security awareness could go too far in this direction.

Otherwise, there weren't too many political obstacles—especially because I made the security awareness program interesting, informative, and fun.

Q: What metrics are useful for measuring the success of an information security awareness program?

A: None—I didn't have time to be that sophisticated. However, I did track how many individuals attended my lunch-and-learn presentations.

Q: What failures and pitfalls did you encounter in building an information security awareness program?

A: No failures per se… especially since anything being done was more than had ever been done before.

Q: What is the best training cycle for a program?

A: I tried to do presentations for all new employees and monthly.

Q: What learning and teaching styles did you use for your program?

A: One aspect I tried to use was to help the employee best understand how they can protect their own data.

For instance, I would do lunch-and-learn classes in November/early December to teach employees about online/Internet fraud, theft, etc. I would help them best understand good practices for protecting their own passwords, credit card numbers, etc., with the hope and “plan” so to speak that they would bring these good security practices back into the office space.

Q: What is your advice for others building their own programs?

A: Start small, start simple, and every little bit you do “counts.” You don't need to buy outside posters, handouts, trinkets, etc., to be successful.

Take advantage of company newsletters. I usually have an article in each newsletter about InfoSec, what to watch out for, etc.

Take advantage of company meetings, new employee orientation for security awareness presentations, etc.

Q: What is the advantage of building your own program over buying a prebuilt information security awareness program from a vendor?

A: I've never used a prebuilt program but my opinion is that your own program can weave in corporate culture, corporate stories, organizational issues, etc., more so than a prebuilt program.

Q: What were the successes you encountered in building an information security awareness program?

A: The occasional person who would thank me for either teaching them how to be more secure or hearing a story about how someone would share a story of a new lesson learned or how a security near-miss was prevented.

Q: What advice do you have for people who are currently building their own information security awareness programs?

A: Start small, start simple, and every little bit you do “counts.” You don't need to buy outside posters, handouts, trinkets, etc., to be successful.

Take advantage of company newsletters. I usually have an article in each newsletter about InfoSec, what to watch out for, etc.

Take advantage of company meetings, new employee orientation for security awareness presentations, etc.

Q: Is there anything we haven't covered that you would like to add?

A: Nope… thanks!