A security awareness short list from SANS

Lance Spitzer has a short list for teaching security awareness. At the top of it is this: If you want people to take security seriously, personalize it.

"Don't talk about how it affects the corporation," he said. "Start with how they can protect their kids online and their own mobile device. Let them see what's in it for them."

Spitzer, training director for the SANS Securing the Human Program, wove that thread through his brief presentation at the SANS Security Leadership Summit Wednesday in Boston titled "Your Security Awareness To-Do List."


Brevity, he said, is one of the elements of training that appeals to employees. While most organizations have security awareness programs, they are both unpopular and "immature, because they were developed by auditors for compliance. We want to take it to the next level and change behavior and, ultimately, culture," he said.

That, he said, involves three key principles:

Focus on limited key topics.

"'The Human OS' is not very good at remembering a lot of different things, and you have limited time and resources," Spitzer said, "so focus on the fewest behaviors that will have the largest impact."

For his program, he said, a "human risk analysis" yielded a "top seven" list: vulnerability to phishing attacks; poor password security (not that passwords are too simple, but that they are shared or the same one is re-used across various sites); failing to patch or update devices; sharing too much on social media; not realizing you are a target; and accidental data loss or exposure.

That last one, he said, is caused frequently by auto-complete on email. "You meant to email Dave in accounts payable, but instead you accidentally emailed Dave, your kid's soccer coach," he said.

Spitzer said the latest Verizon Data Breach Incident Report, released just recently, "matches perfectly with what we have here when it comes to human risks. The key is that with fewer topics, you're more likely to change behavior."


A primary question he gets from organizations, Spitzer said, is: "How do we reach people?"

And the simple, effective answer, he said, is to "focus on how people benefit. 70%-80% of an awareness program also applies to people's personal lives."

The reality, he said, is that in the modern work environment, where people are working in multiple locations (including their homes) with multiple devices, their personal information is also at risk.

"Bad guys are targeting people at home," he said, "so it's not like they need one set of behaviors at home and a different one at work. It's the same across both. You want to make security part of their DNA."


Awareness takes repetition, Spitzer said, but it won't be effective if it's overdone. "You need to communicate regularly through the year to reinforce key behaviors," he said, "and we recommend that you touch people monthly. Quarterly is not enough, but weekly is too much; it starts to become noise."

The other key, he said, is to offer different ways for workers to consume that training. Different generations have different preferences, he said: boomers might want lunch-and-learn events or newsletters, while younger workers would prefer webcasts and social media.

Also, let workers consume training on their own schedule. "If you schedule an event, 10% might show up; everybody's busy," he said, "but when you offer it on their own schedule, it's more successful."

Finally, don't ignore awareness updates either, he said. "Your technology, standards and threats are constantly changing," he said, "so you should update your content at least once a year, or more often if there's something critical."

Stories by Taylor Armerding