Feeds

Breathe life into your cyber security campaign

How to make users sit up and listen

Using blade systems to cut costs and sharpen efficiencies

Ah, another day, another government initiative designed to educate users about cyber risk.

The Canadian government has declared October “Get Cyber Safe” month. It has a web site, too, which advises users on how to avoid getting pwned. The advice list includes updating your malware signatures and not giving out your password.

How effective are these nationwide cyber awareness campaigns? And, by inference, how effective might a cyber security campaign for corporate employees be?

After all, technology is never enough to secure an organisation. Smart, alert staff are important too. And unless you can measure how successful a campaign is, it is difficult to justify investing in one.

Unfortunately, it is difficult to know how effective these things are. In May, the Australian Communications and Media Authority published an overview of international cyber security awareness-raising initiatives. It found that there are not many evaluations and no one seems to know whether they work or not.

Just a phase

In its draft National Initiative for Cybersecurity Education, published in August, the US National Institute of Science and Technology divides cyber security awareness into several broad phases: creating awareness, understanding the technical and social aspects, and accepting personal responsibility (security is not simply someone else’s problem).

Organisations evolve from there into acquiring protection tools and knowledge, implementing tools and techniques, and finally maintaining what they have already done through constant knowledge updates.

The Australian report too provides some useful guidelines. It advises cyber security awareness organisers to provide training in specific skills and to include interactive instructional techniques.

Users should be given practical activities and tasks to hammer home the lessons, rather than being taught dry theory that will quickly be forgotten.

The best campaigns also include a reporting function that allows users to report cyber security risks, says the report. And it advises organisers to offer a mix of long-term education and short, specific micro-campaigns.

Culture clash

What might these things look like in practice? We are going to have to use the C-word: culture. If I hear a vendor talk about the “culture of security” one more time, I’ll spit – but it has become a cliché because it is true.

It is hard enough to get people to agree on where to go for lunch

Building cultures is a tricky thing to do because it involves getting everyone behind a single vision. It is hard enough to get people to agree on where to go for lunch, let alone on something as yawn-worthy as a security awareness campaign.

But recent developments in the IT economy might provide the answer.

“Gamification” applies gaming elements to a corporate environment. The point where games and social networks meet turns out to be a pivotal one.

When a company like Zynga (of Farmville fame) files for a $1bn IPO on $850m in annual revenue after three years’ existence, you know that the concept that it is touting has legs.

The social gaming concepts that companies like Zynga promote could tie practical elements, reporting and monitoring into security awareness campaigns.

All play and no work

Gaming elements such as rewards badges, leader boards and progress bars could all be linked to security campaigns. Completing small tasks such as changing your password (and keeping it strong) could earn you points.

How committed are you to avoiding social engineering? Maybe a stooge caller trying to get employees to circumvent company procedures could earn them badges if they stick to the plan. Or mobile workers could be rewarded for connecting their managed laptops to the virtual private network for scheduled patching and maintenance.

Gamification can help keep security at the forefront of employees’ minds and encourage a cultural shift. How effective it can be depends on how imaginative you are, but capitalising on employees’ willingness to play and compete has to be a more effective way to encourage responsible behaviour among employees than simply waving a handbook and finger wagging.

In the second world war, we had posters proclaiming that “Careless talk costs lives” and radio broadcasts warning people of security dangers. Now we have social media and computer games that would have amazed our grandparents to perform the same task. ®

The smart choice: opportunity from uncertainty

More from The Register

next story
NEW, SINISTER web tracking tech fingerprints your computer by making it draw
Have you been on YouPorn lately, perhaps? White House website?
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
LibreSSL RNG bug fix: What's all the forking fuss about, ask devs
Blow to bit-spitter 'tis but a flesh wound, claim team
Black Hat anti-Tor talk smashed by lawyers' wrecking ball
Unmasking hidden users is too hot for Carnegie-Mellon
Manic malware Mayhem spreads through Linux, FreeBSD web servers
And how Google could cripple infection rate in a second
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Own a Cisco modem or wireless gateway? It might be owned by someone else, too
Remote code exec in HTTP server hands kit to bad guys
prev story

Whitepapers

Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Consolidation: the foundation for IT and business transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.