I’ve been thinking about Security Awareness and different ways of teaching it as a mindset. We infosec folks think about it all the time, cultivating it as part of our general focus on situational awareness; the general public, corporate and government leaders, SMBs – not as much, perhaps.
It’s only when some epic breach like TJX, Heartland, or the recent Google hacks happen, that most people go ‘Huh?’ Security people channel their inner Homer Simpson and go ‘D’Oh!’
I’m sure other security professionals have thought about how effective security in general was approached and taught during World War II; citizens were reminded in public places that ‘Loose Lips Sink Ships’ and that ‘Careless Talk’ cost lives.
So, if we were going to use this approach today, what would we say? What would resonate and be graphically memorable?
- Lost Laptop – Work Stop
- Data Breach – Painful Teach
- DLP Works for Me!
- Stolen Data in Motion, Crosses the Ocean
What would you suggest, dear reader, to teach staff to lock Desktops when they’re away from their office? Or to not store unencrypted corporate data on USB drives, laptops, netbooks, PDA’s etc.,?
The posters above are courtesy of the New Hampshire State Library and Eyewitness to History. The latter site has an excellent list on how to safeguard information from the enemy, the Ten Prohibited Subjects and more.
Are pithy slogans and eye-catching graphics enough? Do we need Quentin Tarantino to make a movie? I’m re-reading NIST SP 800-50 and thinking about this more. There are all sorts of posters out there too:
In fact, it’s a niche industry! But, how effective are posters at increasing lasting security awareness with true stickability? Some very interesting insights and research were assembled by Ross Anderson and mentioned on the ISC2.org blog on 11/15/09, titled ‘Psych and sec‘. These papers and articles on psychology, behavioral economics, social attitudes towards risk, security usability, and more, remind us of the academic contributions other disciplines bring to security awareness.
What do you think? Do security posters work in your organization? Is there enough user-centered design in security mechanisms, or not enough?
I read a great post by Will Irace on the Cassandra Security site and I agree with him ~ it’s all about trusting people and educating/training them to do the ‘right thing’ and why.
Later friends…
Bill Wildprett
Suspicious Minds 