Appropriate use policy must be understood by users:
Relevance: meaningful at a personal level
Roles: different roles carry different responsibilities, duties, levels of
security awareness and authorizations:
info owner: determines the value of the information and its security level
(classification)
info custodian: maintains the integrity and confidentiality of the info in
their control
info user: consumer of the info; responsible for its proper handling
Responsibilities: general ones that apply to everyone, specific ones
dependent on role
Repercussions: the punishments/sanctions that follow a violation
Awareness program:
Continuous
Comprehensive: everyone
Coherent: understood
Cost effective: present security as a process that continuously reduces
losses by preventing incidents, not as a cost whose services go unused
until after an incident occurs.
Design choices:
what message, how to say it, how to get it to everyone
Delivery method: web site, login message, web-casting (pushing web
content to the desktop), newsletter, posters, trinkets
Content: varied, so it does not become background noise
Timeliness: tie the message to current events, e.g. International
Computer Security Day (last business day in November).
Cost is the biggest concern of an awareness program; it can be minimized
by integrating with existing training, newsletters, etc.
Two levels of delivery:
general awareness to the broad audience
focused awareness to specific groups or individuals
Change the image of security from an enforcement organization by awarding
and rewarding good practice rather than only punishing violations.
Consequence of lack of awareness: users bypass security features to make
their lives simpler.
Legal recourse requires prior notification: users must have been told the
policy and its repercussions before sanctions can be enforced.