Resource Kit for National Cyber Security Awareness Month

What is Cyber Security Awareness?

The Oxford English Dictionary defines awareness as "The quality or state of being aware; consciousness." Aware is defined as "Informed; cognizant; conscious; sensible."

The purpose of cyber security awareness presentations is simply to focus attention on cyber security. Awareness presentations are intended to allow individuals to recognize information technology security concerns and respond accordingly.

• The learner is the recipient of information
• The information reaches broad audiences
• Attractive packaging techniques are used

We can characterize a user's cyber security awareness level by describing it as the actions a user takes in a given security situation. Do they know about any policies governing that activity? Do they follow the policy? What happens when they are confronted by a new situation that is not addressed by the policy?

Why is Cyber Security Awareness Important?

To protect the confidentiality, integrity, and availability of information in today's highly networked systems environment requires that all individuals:

• Understand their roles and responsibilities related to the organizational mission
• Understand the organization's information technology security policy, procedures, and practices
• Have at least adequate knowledge of the various management, operational, and technical controls required and available to protect the IT resources for which they are responsible

Cyber security awareness programs impress upon users the importance of cyber security and the adverse consequences of its failure. Awareness may reinforce knowledge already gained, but its goal is to produce security behaviors that are automatic. The goal is to make "thinking security" a natural reflex for everyone in the organization. Awareness activities can build in these reflexes both for the security professional and for the everyday user.

Critical Success Factors for Awareness Activities

• They are based on the organization's policies
• They have senior management support
• The focus is on people at all levels of the organization
• They are effectively planned:
  • Based on user's needs, roles, and interests
  • Identifies security problems in the organization that need addressing
• They use appealing materials and methods

Awareness programs usually use repetition to reinforce desired behaviors and attitudes about security.

What is National Cyber Security Awareness Month?

National Cyber Security Awareness Month is an annual effort to increase awareness and prevention of online security problems, spearheaded by the U.S. Department of Homeland Security and the National Cyber Security Alliance. The EDUCAUSE/Internet2 Computer and Network Security Task Force promotes and participates in the annual campaign, joining forces with a range of organizations from the public and private sector to expand cybersecurity awareness on campuses across the country. The Security Task Force is offering a range of programs and resources. Among them are a National Cyber Security Awareness Month resource kit for colleges and universities, a cybersecurity video contest for students, and a cybersecurity awareness resource library. To see more resources, visit the EDUCAUSE Connect Security Awareness Resource Page.

How Do We Plan for National Cyber Security Awareness Month?

The following worksheet will help you to think about how your institution might go about implementing a plan to take advantage of National Cyber Security Awareness Month.

Indiana University offers a sample kit with creative materials based on a 1950's horror theme, and outlines plans for their use that you can adapt to your institution's needs quickly. With a bit of a printing budget (or your own high quality printer) and some coordination, you can pick and choose which materials will best help you to increase your community's security awareness. Some of the materials are even provided in Spanish! These materials were created and used at Indiana University for National Cyber Security Awareness Month 2005. Indiana University grants permission for non-profit educational use, as long as the credit line and the copyright statement remain on the materials.

Cal Poly Pomona's 2007 presentation describes the development of their Cyber Security Fair in great detail. Tips for starting your own cyber security fair are offered on such topics as determining the target audience, structuring the event, developing a support network, selecting presentation topics & speakers, as well as the associated costs.

The winning videos from the 2007 Computer Security Awareness Video Contest, as well as the 2006 contest, are available for use in campus security awareness campaigns during student orientation, National Cyber Security Awareness Month, and throughout the year.

2008 Campus Events

Please share the URL or plans for your NCSAM-related initiatives with the participants of the Security Discussion Group or send an e-mail to: Security-Task-Force@educause.edu. You can also view the list of 2005, 2006, and 2007 campus events and activities centered around National Cyber Security Awareness Month.

• Auburn University
• Brown University
• Cal Poly Pomona Cyber Security Fair 2008 held in conjunction with the Wellness Fair 2008 (October 23, 2008)
• Colorado State University
• Dartmouth College Securing the eCampus 2.0: Building a Culture of Information Security in An Academic Institution (November 11-12, 2008)
• Illinois State University
• Indiana University
• Massachusetts Institute of Technology 2008 Cyber Security Awareness Day (November 5, 2008)
• North Dakota State University IT Security Conference for K20 2008 (October 21-22, 2008)
• Northern Kentucky University 2008 IMI Security Symposium & Expo (October 3, 2008)
• Ohio University Information Technology Security Seminar (ITSS) 2008 (October 15, 2008)
• Purdue University
• Rochester Security Summit (October 29-30, 2008)
• Rockefeller University
• Rutgers, The State University of New Jersey
• Texas State University-San Marcos Cyber Security Awareness Day 2008 (October 22, 2008)
• Texas A&M University Security Awareness YouTube Channel
• University of Arizona Security Awareness Week 2008: Security Awareness For Everyone (SAFE) (November 3-7, 2008)
• University of Connecticut
• University of Delaware
• University of Florida Information Technology Security Awareness (ITSA) Day (October 8, 2008)
• University of Georgia
• University of Idaho Computer Security Awareness Symposium (CSAS) 2008 (October 9, 2008)
• University of Maryland Cyberethics, Cybersafety, and Cybersecurity (C3) Institute
• University of Massachusetts Amherst
• University of Memphis Cyber Security Expo (October 16, 2008)
• University of New Hampshire
• University of New Mexico
• University of Northern Colorado
• University of South Carolina
• University of Tennessee Cyber Security Summit 2008 (October 21-22, 2008)
• University of Texas at Austin
• University of Texas at San Antonio
• University of Virginia
• VA SCAN 2008 Conference (October 6-7, 2008)
• Washburn University
• Western Illinois University
• Who's Watching Charlottesville (University of Virginia)

Resources

• "Building an Information Technology Security Awareness and Training Program," National Institute of Standards and Technology Special Publication 800-50, Oct. 14, 2003
• "Developing Security Education and Awareness Programs" by Shirley Payne
• Indiana University National Cyber Security Awareness Month Campaigns and Downloadable Material

Sample Resolutions or Decrees

• State Cyber Security Proclamation 2005 Template