Security Awareness Quick Start Guide

Helpful Hint: If your campus already has an established Information Security Awareness Program and you're able to dedicate more time and resources to developing your own materials, check out the more advanced Security Awareness Detailed Instruction Manual.

Other resources of interest might include the Cybersecurity Awareness Resource Library, the NCSAM Resource Kit, and the year-round Campus Security Awareness Campaign materials.

Quick Start Guide

This guide is for campuses just getting started with an Information Security Awareness Program. It may also serve as a checklist to assess an institution's existing program.

What is an Information Security Awareness Program?

An Information Security Awareness Program is an organized effort to make employees and customers aware of risks to personal and institutional information and information technology, and to provide them with the skills and knowledge necessary to avoid those risks. While the program can be focused on one specific group (e.g., leadership), to be effective as it matures the program should address all stakeholders, including leadership, employees, customers (i.e., students), and partners (i.e., external service providers). As explained in the SANS blog "Seven Keys to Success for a More Mature Security Awareness Program," the program should include leadership support and a cross-functional advisory team, identification and prioritization of risks, creative and engaging communications, and metrics.

Why an Information Security Awareness Program?

Community members must understand security and privacy compliance requirements.

Community members have a critical role in risk mitigation.

1) Establish an Information Security Program

Without an effective security awareness program, you'll find it difficult to help community members understand the risks they face, the secure methods they should use, and the precautions they should take to keep themselves and others safe. Of course, the first thing to do is get your information security program started. It is important to develop support from senior management for the information security program in order to ensure appropriate human resource allocation and financial support.

2) Develop a Security Awareness Plan

Creating a security awareness plan will help ensure that you have identified your key messages, know who your audiences are, and determine how and when you will communicate with these audiences. Faculty, staff, and students all require different methods of achieving a meaningful level of security awareness. Your IT organization (or information security office) cannot protect your institution alone. The support of the user community is essential.

The materials in this section provide the tools needed to develop your awareness plan and also provide examples of techniques used by other schools. You'll find it helpful to develop a strategy. If you don't, you may find yourself mired in operational issues and may not be able to see any kind of improvement in secure user behavior year after year. But don't forget to "think outside the box" as you develop your plan!

Resources

EDUCAUSE provides a number of resources to help institutions develop and improve their information security programs. While larger institutions may have resources dedicated to information security, many schools may handle information security issues as part of their operational information technology services.

Before getting started, we encourage you to check out the following resources. A few minutes of reading now may save you hours of work later by increasing your chances of getting started down the right path on the first try.

Social Media

Survey community members to learn which social media sites are visited frequently and utilize these communication channels for security messages. To reach students, you must be where the students are (e.g., Facebook, Twitter, Instagram, Tumblr). We've found that many students rely on these sites for up-to-date information.

The Cybersecurity Awareness Resource Library has some examples of campus Facebook, Twitter, and Tumblr pages.

3) Adopt and Modify "Key Messages"

Your audience will only have so much time and patience to hear your messages. Select your messages carefully, present them in an easily digestible format, and try to limit the number of concepts or topics introduced to your audience in each message. Remember, the typical attention span of an audience is 5-10 minutes. If your materials or presentation require more time than that, think about how to break up the content and how to re-ignite audience interest throughout the presentation. Here is a list of sample key messages that are common to most institutions of higher education:

After you develop your key messages, back them up with “how to” resources. In other words, do not just tell people to avoid phishing, show them how.

As you develop resources for your program, consult the following resources that address most facets of information security and privacy.

4) Establish a Security Awareness Website

Establishing an information security awareness website allows you to communicate effectively and efficiently with members of your institution's community. It can quickly become a trusted resource to:

If you're creating or revamping your program's website, the toolkit Developing Your Campus Information Security Website provides excellent tips, as well as links to other college and university websites. If you're just starting out, don't worry about having to provide authoritative resources for every subject and topic. Leverage the work of other EDUCAUSE peers and that of external organizations, like the National Cyber Security Alliance, and focus on building a comprehensive list of key groups and constituencies on your campus.

Additional ideas for website components:

5) Use HEISC Awareness Posters and Videos in Campus Settings

Between 2006 and 2013, the Higher Education Information Security Council (HEISC) hosted an information security awareness video and poster contest. The winning videos and posters—developed by college students, for college students—are available for colleges and universities to use in campus security awareness campaigns during National Cybersecurity Awareness Month in October, student orientations, and throughout the year. Consider using these materials in your campus awareness campaigns whether you print posters for shared student spaces or incorporate the videos into your campus cable channel programming.

6) Publish in Existing Campus Communication Channels

Publishing campus newsletters will allow you to focus on the current security awareness issues that confront your institution. You can also tailor these newsletters to a specific audience (students, faculty, and/or staff) for more targeted campaigns. If your budget allows for printing newsletters, be sure to include an electronic version of each publication on your website, too.

Sample newspapers and articles targeting college and university community members:

Messages can also be delivered at appropriate cycles in the campus newspaper to remind the community of risks such as false claims about expired accounts, IRS email scams, or Valentine’s Day viruses. You can take advantage of your IT department’s monthly or quarterly newsletter to publish an article on security. Since information security is not limited to the IT department, you can offer to write an article about data classification or data protection in the finance department’s newsletter, or in other departments’ newsletters. Use your campus television network (if you have one) to run a short security awareness video.

If you have limited resources and cannot create a campus security awareness newsletter, consider sharing the SANS Security Awareness Newsletter, OUCH! This free resource is published monthly in multiple languages, and each edition is carefully researched and developed by subject matter experts. (OUCH! is distributed under the Creative Commons BY-NC-ND 4.0 license, so you may share the newsletter on your campus; the only limitation is that you cannot modify or sell it.)

7) Participate in National Cybersecurity Awareness Month (NCSAM)

National Cybersecurity Awareness Month (NCSAM), celebrated every October since 2004, was created as a collaborative effort between government and industry to ensure everyone has the resources they need to stay safer and more secure online. Since its inception under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions, and young people across the nation. There are opportunities for everyone on campus to get involved.

8) Measure the Effectiveness of Your Program Annually

One way of measuring the effectiveness of a security program is by conducting an annual user survey. This can be augmented with other types of data that you collect over time. Consider retaining yearly data for the following:

Another way to measure success is to incorporate a "just-in-time" component into your program. For example, with your administration's permission, send a non-malicious simulated phishing email to your audience quarterly. Redirect those who do not recognize it as phishing and click on links in the message to an educational splash page. Count how many people reached the splash page, and check whether, over time, more recipients recognize these messages as possible phishing and fewer click on the links.

Comparing the data over time, one would hope to see better answers on surveys, fewer incidents, etc.

Other Resources

9) Automate Services

Information security staff have the daunting task of staying abreast of the latest threats and risks. Because threats evolve and surface daily, understanding that information and distributing it to the community in a timely way is a challenging task. Information security RSS feeds like the SANS Security Awareness Tip of the Day, US-CERT's Security Alerts, and REN-ISAC's Weekly Watch make critical breaking news and security tips pertaining to the latest threats immediately available to anyone who subscribes. Leveraging such automated services can reduce the workload on information security staff while providing valuable awareness to end users (students, faculty, and staff). You can share these alerts with your community by linking to them from social media and embedding the RSS feeds on your campus website.

The information in this document is only a guide, though it is an excellent starting point! If you'd like help building your awareness program or have questions for other security awareness professionals in the higher education community, consider joining the HEISC Awareness and Training Community Group for additional guidance.


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).