WG 3: Security Awareness

Introduction

Security awareness is an increasingly important topic. As information and communication technologies are becoming more and more part of our daily lives, our dependency on ICT increases as well. As with other technologies, there are risks involved when using ICT; risks that cannot be mitigated with technological solutions alone. People need to be made aware of these risks, learn how they can minimise these risks and be able to do so. 

Problem statement

Security awareness deals with these activities, but they are not trivial. There are a number of problems in the field of security awareness; below a list that applies to the NREN community:

• Often security awareness programmes are an afterthought, something that has to be done to be compliant. The result is that these programmes are not effective. 
• People are often portrait as the weakest link and are approached in such (negative manner) while they can also be an asset when empowered.
• Successful awareness programmes depend on a collaboration between a number of disciplines, most importantly the security experts and communications and marketing. Programmes often fail because such collaborations do not exist.
• Security awareness should not be a single activity, done once a year, but it should be a well thought-through programme with several activities throughout the year.
• People do not know how to set up a successful awareness programme. The community needs manuals and how-to’s to learn about targets, target groups, metrics, leadership support, et cetera. 
• NRENs and their constituents often lack funding and resources to develop a proper awareness programme. At the same time, everyone needs the same tools and content so it would be beneficial if we could pool resources or have a centralised service.

Goal

The goal of the security awareness working group is to address the problems mentioned above and provide the NREN community (as well as their constituents) with the tools and means to set up a successful awareness programme. 

Results

The following results will contribute towards our goal and are achievable by 2022 (given proper funding):

• A repository where NRENs can share materials of their own or developed centrally
• A framework on how to build and carry out a successful awareness programme
• Generic awareness materials and tools that are developed together and a process or means to localise these
• Explore potential centralised services such as a simulated phishing service and develop these
• A yearly recurring event on security awareness to organise workshops, share best practices and promote the materials

Scope and limitations

• The main focus of the activities is to develop materials that can be used by our constituents. However these should also be usable for internal security awareness programmes at NRENs.
• Content-wise the focus is on information security and privacy. We do recognise a link with physical security and safety and the repository is open for sharing such materials.
• Materials and tools are developed in English, but it should be easy to translate these into other languages.
• All our results should be as open as possible and free to use (in terms of licenses and property rights) within the NREN community.
• This working group will not campaign themselves, but the results should enable NRENs and their constituents to do so (B2B-approach). 

Collaboration

As with running a successful awareness programme, this workgroup should be a mix of several disciplines. While rooted in SIG-ISM we will reach out to other groups such as SIG-MARCOMMS, TF-CSIRT, WISE to invite them to participate in the workgroup. Also, the workgroup should have ties to other organisations that work towards similar goals such as ENISA.