Security Awareness is the 3rd working group of SIG-ISM. The goals of the working group were presented at the SIG-ISM Open Workshop at TNC18. The attendees were then asked to discuss the existing methods and materials and their effectiveness. 


SANREN:

Renier: “You cannot raise security awareness alone”. 

SANREN are sponsoring a student white-hat hacking competition (annual conference + competition). Around 100 students participate in the first round and 30 in the second round. Students get very creative; the attacks even include social engineering.

The main aim is to increase awareness at their institutions. 

The organisers are using software from Switzerland, “Hacking Lab” (commercial).

In addition, some universities offer Information Security courses that are open to all students. The best way to make it more popular is to find ‘champions’ at universities. 


DFN:

Not reaching out to end users at the moment, but raising awareness among people from government (those responsible for funding the universities). During the 2-day meetings, DFN always adds security-related subjects to the agenda (presentation). The first reaction of the participants is mainly positive, but later it turns out to be hard to get commitment on security.

The audience there is not tech savvy. Maybe a demo or an exercise would help to convince them to take action.

It is important to think about the target audience: how to present the information they need in a way that they understand.

Rolf Sture (UNINETT): It would be useful to work together on generating ideas on how to communicate to the management. Perhaps the CEO Forum could contribute to this conversation and share their ideas on how to sell security to senior management?

ACTION: Sigita to investigate a possibility to schedule a VC or interview with Chris Hancock & some EU CEO.


SURFnet:

Has an extensive internal security awareness campaign. Theme based: confidential information, being safe on public wifi, what to do when travelling, etc. Materials are mainly from 'Cybersafe yourself' campaign + testimonials of people from the organisation, videos, posters, information on the intranet. 

To raise even more awareness, this season the campaign will have swag useful for the holiday season + leaflet with information.

It is hard to measure how effective it is. 

There are 2-3 people working in the security awareness team (incl. a communications person), though not full time.


CERN:

Security awareness efforts ongoing since 2010: https://security.web.cern.ch/security/training/en/index.shtml

Phishing campaigns are organised every year; around 20% of people fall for them. However, shortly after a campaign more people report suspicious emails.


NORDUNET:

Phishing campaigns are organised every month. The same number of people fall for them each time, but different persons.


DeiC:

Offering phishing campaigns as a service to the members.


David Schmitz (LRZ):

The University of the Armed Forces in Munich has a course module which also covers conducting security awareness campaigns:
https://www.unibw.de/inf/studium/downloads/mcyb-modulhandbuch-2018.pdf/download
(Page 34 or search for "awareness", unfortunately only available in German):

"... Sie kennen die Phasen und Methoden von Security-Awareness-Kampagnen und koennen diese unter Priorisierung identifizierter Risiken fuer Organisationen konzipieren und durchfuehren. ..."
which may be translated as
"... You know the phases and methods of security awareness campaigns and can design and conduct these based on prioritization of identified risks for organizations. ..."


At the end of the meeting it was agreed that it would be useful to collect this and other information about the security awareness initiatives on the wiki (materials + lessons learned + contacts) to create an inventory.


