"Securing the Human" on Your Campus: How To Successfully Deploy Your Security Awareness Program

There is an old adage, "A chain is only as strong as its weakest link." During the past decade, as server-side vulnerabilities have been reduced and perimeter defenses have improved, humans have become the weakest link in the security chain. Attackers have increasingly focused on leveraging human-targeted attacks to compromise organizations, set up persistent back doors, and gain internal footholds in a university's data infrastructure. Awareness, not just technology, is now a key factor in a university's ability to reduce risk, protect its reputation, improve governance, and in many cases be compliant. We are the gateway for important research, we hold personal records of future leaders of our country, and we are a critical part of the innovation critical infrastructure. Security awareness must be a critical part of the information security program at any university. This talk will describe a program that several universities chose to help deal with this important problem. The SANS Institute's Securing the Human program was purchased and deployed on each campus in the fall 2010. We will discuss the challenges in rolling out this program, describe some of the successes, and, most importantly, examine issues we encountered during the installation and deployment. This will be a "warts and all" presentation to help you decide how to deal with this important problem.