What is Security Awareness?

Awareness is the Key to Security
June 20, 2003
Krizi Trivisani, Chief Security Officer
Amy Hennings, Systems Security Engineer
Guy Jones, Chief Technology Officer

Copyright Krizi Trivisani, Amy Hennings 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Agenda
• Security Implementation Reliance
• What is security awareness?
• Why is awareness important?
• The Security Landscape – The Violation Situation
• GW’s Awareness Program
• Cultural Impacts of Security Programs
• Questions
Security Implementation Relies On:
• Policy: Policies must be developed, communicated, maintained and enforced
• Process: Processes must be developed that show how policies will be implemented
• Technology: Systems must be built to technically adhere to policy
• People: People must understand their responsibilities regarding policy
What is Security Awareness?
Security awareness is knowledge of potential threats. It is the advantage of knowing what types of security issues and incidents members of our organization may face in the day-to-day routine of their University functions.
Technology alone cannot provide adequate information security. People, awareness and personal responsibility are critical to the success of any information security program.
Why is Awareness Important?
Poor Awareness Exposed…
“It’s a frightening fact, but nine out of ten employees would unwittingly open or execute a dangerous virus-carrying email attachment”
“Two-thirds of security managers felt that the overall level of security awareness is either inadequate or dangerously inadequate”
“Nine out of ten employees revealed their password on request in exchange for a free pen”
These things don’t happen as a result of malicious intent, but rather a lack of awareness of security risks.
Top Ten Most Common Security Mistakes…
1. Passwords on Post-it Notes
2. Leaving your computer on, unattended
3. Opening e-mail attachments from strangers
4. Poor password etiquette
5. Laptops on the loose
6. Blabber mouths
7. Plug and play without protection
8. Not reporting security violations
9. Always behind the times (the patch procrastinator)
10. Not knowing internal threats
The Security Landscape – The Violation Situation 2001
Total Violations went from 354 to 5526 – an increase of 1,560%
[Chart: Security Metrics Comparison 2001. Number of Violations by Month and Total Violations, January through December 2001; series: Total Minor Violations, Total Severe Violations, Total Violations by Month.]
The Security Landscape – The Violation Situation 2002
Average number of violations per month in 2002 is 7197
[Chart: Security Metrics Comparison 2002. Number of Violations by Month and Total Violations, November 2001 through November 2002; series: Total Minor Violations, Total Severe Violations, Total Violations by Month.]
The Security Landscape – The Violation Situation 2003
Average number of violations (so far!) per month in 2003 is 9438
[Chart: Security Metrics Comparison. Number of Violations by Month and Total Violations, May 2002 through May 2003; series: Total Minor Violations, Total Severe Violations, Total Violations by Month.]
The Violation Situation Continued
Email Viruses Filtered
22,271 in December of 2001 increased to 97,660 in May of 2003
[Chart: Trend Virus Filter Monthly Comparison. Number of viruses filtered by Month and Total Viruses, June 2002 through May 2003.]
GW’s Security Awareness Program
www.gwu.edu/~infosec
Features:
• Hourly feed from CERT with the most up to date security alerts
• Links to policies, GW sites, and external security sites
• A security glossary
Information on:
• What is Information Security?
• The Information Security Office
• Reporting Security Incidents
• Risk Assessment
• Security Awareness
**Please note that our security web pages are only available to our on campus users
GW’s Security Awareness Program - Materials
Program materials
• Monthly posters focusing on a specific awareness topic
• Monthly article in GW Technology Today
• Brochures available for:
  • New students (Colonial Inauguration)
  • New employees (Orientation)
  • Training programs
• Free security screen saver
• Online security tutorial – S.T.A.R.T.
• Sample password tester
• Animated security awareness banners
• In Pilot – “Protect IT” Security Awareness Workshop
• Next phase – Online quizzes
GW’s Security Awareness Program - Materials
Online materials - www.gwu.edu/~infosec
• Free security screen saver
• Online security tutorial – S.T.A.R.T.
• Sample password tester
• Animated security awareness banners
• Electronic version of monthly awareness posters
AWARENESS IS THE KEY TO SECURITY.
Awareness Requires a Change in Culture
Analogy - Seatbelts
"Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day."
— Frances Hesselbein
“It should be noted that it took many years to get the seatbelt usage up to its present level, and it takes a heavy hand from the police to persuade the stupid to do the obvious.”
— Peter N. Wadham
Key to Cultural Transformation
"Out at sea it takes 30 miles for an oil tanker to reverse its direction. It takes time and commitment to change, based on foundational values, principles and quality relationships to positively affect your company's culture -- its way of doing things."
— The Freeman Institute
Changing the Culture of Your Organization
Awareness is the Key to Security
As a student, faculty, staff or contractor of The George Washington University, it is your responsibility to help in the protection and proper use of our information and technology resources.
WE ARE COUNTING ON YOU!
Questions and Presentation Wrap-up
Recommended information sources
• http://www.securityawareness.com/
• http://www.humanfirewall.org/
• http://cs-www.ncsl.nist.gov/
• http://www.educause.edu/security/
• http://www.nipc.gov/
Special Thanks to Security Awareness Incorporated!!!