Elevating Security Awareness

Increasing the Relevance and Scalability of End-User Education

Topics: Information Technology, Information Security, IT Governance, Data Management

Making Risks Relevant

Infrequent Board Exposure to Security Issues

Security awareness among executives and boards tends to spike when mainstream media covers an incident or the institution suffers an attack, but some leaders may also misunderstand data security as a technical issue that is controlled by the IT function. CIOs and CISOs struggle to keep leadership engagement at an appropriate, constructive level that acknowledges the possibility of data losses and seeks the best ways to minimize the impact and cost of incidents.

Practice 4: Board Education Memos

Ripped From the Headlines

Turning mainstream news into an education opportunity

At Brown University, the CISO takes news stories about data breaches and converts them into one-page education memos that the CIO distributes to the cabinet and board. Incidents that involve a real campus vulnerability or those that affect Brown directly are prioritized, but the CISO also writes memos (primarily for the president and provost) when peer institutions are affected and when breaches receive media attention in mainstream publications that trustees are likely to read.

Proactive education keeps focus strategic, not reactive

Brown’s focus on getting relevant information to leaders as events occur saves time by keeping executives and trustees up to date, and also achieves a goal set by many CIOs: making sure executives are appropriately informed and educated about security and approach new funding and initiatives proactively.

Not Investing in Tailored Awareness Education

Institutions use myriad channels to broadcast security messages across campus, but most communication is untargeted and unrelated to the personal priorities that drive end-user behavior; only one in every seven institutions customizes security messages through tailored workshops and role-based training. While push messages and standard training might reach all campus audiences without large expense, ineffective messaging can distract end users from important lessons and does little to enhance security.

Practice 5: Unit-Level Risk Profiles

Framing Policies in Terms Users Understand

Work with unit-based IT to itemize academic activity

When ordering units to comply with security policies in the abstract, IT typically invokes generic risks and institutional consequences. Before engaging with departments, ask for details about local projects involving data and devices that present risks. CISO meetings with academic departments will be more focused and productive when constituents discuss real department-level vulnerabilities.

Make abstract risks relevant to academic goals

Help end users understand the potential risks of data breaches by describing risks and potential consequences in the context of projects and missions close to academic and professional goals. A conversation tailored to concrete department activity will gain greater attention and long-term compliance than a presentation focused on generic institutional consequences.

Practice 6: Personal Risk Audits

Security Begins at Home

A personal security mini-MOOC

To raise the profile of cybersecurity on campus at Rochester Institute of Technology, staff converted existing security modules for students, faculty, and staff into a unit organized around “personal self-defense” rather than institutional protection. The focus of six in-person or online modules is how individuals can protect themselves in the course of their digital activity, and it is positioned as a service rather than a compliance responsibility.

Embedded in orientation and onboarding

After offering personal risk audits first for administrative staff through in-person courses, the IT team at RIT expanded the modules across campus. Today, the IT team offers self-defense services to incoming students, slots modules into onboarding for new faculty and staff, and will present in person for a private department audience at the request of local administration or IT leaders.

Tie Personal Habits to Institutional Policies

Self-defense practices match university policy

The key to the success of personal risk audits is that secure personal behavior is linked directly to institutional policy. Each module in the digital self-defense course finishes with an explanation of campus policy and the reasons why additional controls are necessary to protect sensitive institutional data.

Hygienic habits are "always on"

Phishing attacks have increased across higher education in the last decade, and RIT has seen the volume and sophistication of attacks grow. However, the average number of campus constituents who fall for a phishing email (i.e., those who click on a link or reply) has dropped by 80% since the introduction of digital self-defense courses. Hygienic habits that support safe personal computing stay “on” when students, faculty, and staff come to campus.

Hardwiring Breach Response

Demonstrating Vulnerability