Sunday 10 March 2013

Security Awareness Programs

Security awareness programs are needed if we want to keep information security in the minds of our IT users. They give a sense of responsibility to those who handle information assets, i.e. data, information, etc. There are a number of considerations to look at while developing such programs:
  • Involve users - users must know that security is their responsibility
  • Use simple language that users understand
  • Use all available avenues or channels to disseminate the awareness message; use in-house communications as much as possible
  • Keep things simple; information overload to users is not desired
  • Plan and execute the programs in a formal manner

Security awareness programs can be very effective, but unfortunately they are among the least frequently implemented.

Many of the components are cheap, or at times incur no cost at all except for the time and energy needed to develop them. Some components of security awareness are:
  • Posters
  • Brochures
  • Trinkets
  • Videos and CBTs
  • Lectures, conferences and presentations
  • Newsletters and bulletin boards

Using posters to create awareness is probably one of the easiest ways. They are cheap and can be developed in-house. It is good to come up with a series of posters. These posters can be placed in common areas, e.g. notice boards and computer labs, or even sent to users as soft copies.

"You Are A Target" is a poster developed with information on how cyber-criminals can make money from a hacked computer. The original work behind this poster came from Brian Krebs, and it was subsequently improved by SANS. The poster demonstrates to Ordinary Computer Users (OCUs) how information from their computers can be worth money to cyber-criminals. This poster is available for free and can be downloaded here.

Security newsletters are another way to distribute security information and news to all users. They are also one of the most cost-effective components. It is quite the norm nowadays for newsletters to be sent via email. Information such as the latest threats, damage caused by viruses and developments in the security area is among the material that can be published. The newsletter should have a good title as its banner to show that it is relevant to security.

Some examples of trinkets are hats, mouse pads, t-shirts, pens and mugs. Creating awareness through this method can be costly, although it could attract users. However, it has been noticed that the awareness messages should also be reinforced via other means.

Lectures, conferences and presentations are also interesting methods to increase security awareness. Speakers can be invited to talk on security threats and how to counter them. Interesting topics may also include live demos on how easily computers and their users can become victims of cyber-criminals.
