Thursday, June 23, 2005

Testing security awareness can be fun

NETWORK WORLD NEWSLETTER: M. E. KABAY ON SECURITY
06/23/05
Today's focus: Testing security awareness can be fun

By M. E. Kabay

I recently ran across a neat idea for security training. After
providing employees with articles and PowerPoint training to
help them identify and resist phishing attacks, you can test the
effects of the training by creating your own phishing attacks
using a fake site that looks like a company page but isn't.

The fake site can ask visitors to enter their user IDs and
passwords. Most employees (but not all) will resist the phishing
simulation and either not visit the fake site at all or refuse
to provide the requested confidential information. You can
provide additional education in a nice way to the ones who get
tricked.

I very much support the use of tests as an aid to increasing
security awareness and measuring the effectiveness of awareness
and training programs. There are a few provisos that can help
you avoid trouble, though.

From a motivation standpoint, the most serious risk of testing
is that employees can feel abused by what they might perceive as
trickery or deceit. Even people who resist the tricks may resent
the attempt. People who fail the test may feel even more angry
or hostile.

I have long argued that the way to make tests acceptable is to
engage the cooperation of the people who will be tested. As part
of your awareness or training program, you can explain to your
colleagues that they will be tested - not to punish individuals
but as a measure of the effectiveness of the programs.

Going further, you can even make tests fun, in a geeky sort of
way, by turning them into contests. For example, it costs very
little to establish some enjoyable prizes for winners (perhaps
randomly drawn from the pool of winners) such as T-shirts,
fleece sweaters in cold climates, attractive windbreakers, or
other desirable items. Even dinner for two at a nice restaurant
might be appreciated and yet cost relatively little from a
corporate standpoint. Gift certificates for a variety of stores
(books, sports, clothing, hardware, food) might please people
with different interests. The contest could be more elaborate,
with teams competing against each other for cooperative fun and
rewards.

The main point is to remember that few people enjoy being
deceived, even if someone else thinks that it's in their own
best interest. Even fewer people enjoy being singled out as
failures, and some of those can become nasty or even start
thinking about lawsuits.

Make your tests honest, open and fun.

RELATED EDITORIAL LINKS

Links to several free PC security tests collected by David
Stockbridge & Bill Barto
http://lists.gpick.com/pages/Security_Testing.htm

Security Awareness Training from infotex (PDF)
http://tinyurl.com/az3kh

The need for Security Testing: An Introduction to the OSSTMM 3.0
http://www.securitydocs.com/library/2694
_______________________________________________________________
To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor in the
Division of Business and Management at Norwich University in
Northfield, Vt. Mich can be reached by e-mail
<mailto:mkabay@norwich.edu> and his Web site
<http://www2.norwich.edu/mkabay/index.htm>.

A Master's degree in the management of information assurance in
18 months of study online from a real university - see
<http://www.msia.norwich.edu/>

Copyright Network World, Inc., 2005
