Chapter 7 Security Awareness Program

Goal: make people understand the implications of security for their ability to perform their jobs:
importance of security
use of security measures
reporting violations

Appropriate use policy must be understood by users:
Relevance: meaningful at a personal level
Roles: different responsibilities, duties, levels of security awareness, and authorizations:
info owner: determines value and security level
info custodian: maintains integrity & confidentiality of info in their control
info user: consumer of info; responsible for proper handling
Responsibilities: general ones that apply to everyone, specific ones dependent on role
Repercussions: punishments for violations

Awareness program must be:
Continuous: ongoing, not a one-time event
Comprehensive: reaches everyone
Coherent: understood by its audience
Cost effective: present security as a process that continuously reduces losses by preventing incidents, rather than as a cost whose services are not used until after there is an incident.

Design choices:
what the message is, how to say it, how to get it to everyone
Delivery method: web site, login message, web-casting (pushing web content to the desktop), newsletter, posters, trinkets
Content: varied, to keep attention
Timeliness: tie to current events, e.g. International Computer Security Day (last business day in November).

Cost is the biggest concern of an awareness program; it can be minimized by integrating with existing training, newsletters, etc.
general awareness to a broad audience
focused awareness to specific groups and individuals

Change the perception of security from an enforcement organization by awarding & rewarding good security behavior.

Lack of awareness: users bypass security features to make their lives simpler
legal recourse against violators requires prior notification of the policy