Security Awareness Quick Start Guide
Helpful Hint: If your campus already has an established Information Security Awareness Program and you're able to dedicate more time and resources to developing your own materials, check out the more advanced Security Awareness Detailed Instruction Manual.
Quick Start Guide
This guide is for campuses just getting started with an Information Security Awareness Program. It may also serve as a checklist to assess an institution's existing program.
What is an Information Security Awareness Program?
An Information Security Awareness Program is an organized effort to make employees and customers aware of risks to personal and institutional information and information technology, and to provide them with the skills and knowledge necessary to avoid those risks. While the program can be focused on one specific group (e.g., leadership), to be effective in its maturity the program should address all stakeholders, including leadership, employees, customers (i.e., students), and partners (i.e., external service providers). As explained in the SANS blog “Seven Keys to Success for a More Mature Security Awareness Program,” the program should include leadership support and a cross-functional advisory team, identifying and prioritizing risks, creative and engaging communications, as well as metrics.
Why an Information Security Awareness Program?
Community members must understand security and privacy compliance requirements.
- Breaches can have serious legal and financial implications.
- Certain breaches must be investigated and reported promptly.
Community members have a critical role in risk mitigation.
- Attackers are focusing on community members; it is important that they understand the risks to their credentials, and other dangers.
- Community members need to understand how to work with security solutions.
1) Establish an Information Security Program
Without an effective security awareness program, you'll find it difficult to help community members understand the risks they face, the secure methods they should use, and the precautions they should take to keep themselves and others safe. Of course, the first thing to do is get your information security program started. It is important to develop support from senior management for the information security program in order to ensure appropriate human resource allocation and financial support.
2) Develop a Security Awareness Plan
Creating a security awareness plan will help ensure that you have identified your key messages, know who your audiences are, and determine how and when you will communicate with these audiences. Faculty, staff, and students all require different methods of achieving a meaningful level of security awareness. Your IT organization (or information security office) cannot protect your institution alone. The support of the user community is essential.
The materials in this section provide the tools needed to develop your awareness plan and also provide examples of techniques used by other schools. You'll find it helpful to develop a strategy. If you don't, you may find yourself mired in operational issues and may not be able to see any kind of improvement in secure user behavior year after year. But don't forget to "think outside the box" as you develop your plan!
EDUCAUSE provides a number of resources to help institutions develop and improve their information security programs. While larger institutions may have resources dedicated to information security, many schools may handle information security issues as part of their operational information technology services.
Before getting started, we encourage you to check out the following resources. A few minutes of reading now may save you hours of work later by increasing your chances of getting started down the right path on the first try.
- The Successful Security Awareness Professional: Foundational Skills and Continuing Education Strategies (ECAR Research Bulletin, 2016)
- Know Which Way the Wind Blows: Security Awareness that Soars (EDUCAUSE Security Professionals Conference 2019 workshop)
- SANS Security Awareness Annual Report (2019)
- SANS Security Awareness Roadmap and Maturity Model
- SANS Security Awareness Planning Toolkit
- NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program (identifies the four critical steps in the life cycle of an information security awareness and training program)
- REN-ISAC Alerts and Advisories (consider using this website as a resource when preparing campus communications regarding information security issues)
Survey community members to learn which social media sites are visited frequently and utilize these communication channels for security messages. To reach students, you must be where the students are (e.g., Facebook, Twitter, Instagram, Tumblr). We've found that many students rely on these sites for up-to-date information.)
The Cybersecurity Awareness Resource Library has some examples of campus Facebook, Twitter, and Tumblr pages.
3) Adopt and Modify "Key Messages"
Your audience will only have so much time and patience to hear your messages. Select your messages carefully, present them in an easily digestible format, and try to limit the number of concepts or topics introduced to your audience in each message. Remember, the typical attention span of an audience is 5-10 minutes. If your materials or presentation require more time than that, think about how to break up the content and how to re-ignite audience interest throughout the presentation. Here is a list of sample key messages that are common to most institutions of higher education:
- Unexpected email messages that have you click on links, open attachments, or disclose sensitive information can be seriously malicious…learn about phishing now!
- Passwords that are simple, short, based on dictionary words, or lack upper & lower case letters, numbers, and symbols, are easily guessed by hackers. Change your password now!
- Consider using passwords that are at least fifteen characters or passphrases.
- Enable two-factor or multi-factor authentication whenever possible.
- Security is everyone’s responsibility. Ask about your role in protecting sensitive information today.
- Information security is a shared interest. Things you do to protect institutional data may very well help to protect your personal information as well.
- Information security breaches are serious, expensive, and can cause life-long impacts on victims.
- Institutions that think they have not been hacked probably just do not know that they have been hacked. Be humble; learn today what you can do to prevent a breach.
After you develop your key messages, back them up with “how to” resources. In other words, do not just tell people to avoid phishing, show them how.
- New Employee Orientation or Faculty/Staff Training
- New Student Orientation
As you develop resources for your program, consult the following resources that address most facets of information security and privacy.
- The Yin and Yang of Security and Privacy EDUCAUSE Review article about information security and privacy as two of the three top IT issues campuses are facing in 2019)
- OnGuard Online (FTC)
- SANS Reading Room
- Stay Safe Online (NCSA) Resource Library
- Review the guide's Toolkits and Hot Topics pages
- Join the Security Community Group or the HEISC Awareness and Training Community Group
4) Establish a Security Awareness Website
Establishing an information security awareness website allows you to communicate effectively and efficiently with members of your institution's community. It can quickly become a trusted resource to:
- provide timely and updated information
- compile external repositories of accurate information for more in-depth reading
- act as your communication hub, promoting additional resources, such as Facebook pages, Twitter profiles, and RSS feeds
If you creating or revamping your program's website, the toolkit Developing Your Campus Information Security Website provides excellent tips, as well as links to other college and university websites. If you're just starting out, don't worry about having to provide authoritative resources for every subject and topic. Leverage the work of other EDUCAUSE peers and that of external organizations, like the National Cyber Security Alliance, and focus on building a comprehensive list of key groups and constituencies on your campus.
Additional ideas for website components:
- Videos and media by the Federal Trade Commission (FTC)
- Cartoons can be linked from your website or shared through social media (e.g., xkcd)
- Anti-Phishing Working Group Public Education Initiative
- US-CERT Cybersecurity Tips for non-technical users
- Center for Internet Security/MS-ISAC Monthly Cybersecurity Newsletter
- SANS Security Awareness Monthly Newsletter, OUCH!
5) Use HEISC Awareness Posters and Videos in Campus Settings
Between 2006 and 2013, the Higher Education Information Security Council (HEISC) hosted an information security awareness video and poster contest. The winning videos and posters—developed by college students, for college students—are available for colleges and universities to use in campus security awareness campaigns during National Cybersecurity Awareness Month in October, student orientations, and throughout the year. Consider using these materials in your campus awareness campaigns whether you print posters for shared student spaces or incorporate the videos into your campus cable channel programming.
- You can access all winning videos on the HEISC YouTube channel.
- You can access all winning posters on the HEISC Security Awareness Pinterest page.
- Host student video and/or poster contest on your campus. We've developed a handy DIY toolkit for campuses interested in hosting a student video and poster security awareness contest.
6) Publish in Existing Campus Communication Channels
Publishing campus newsletters will allow you to focus on the current security awareness issues that confront your institution. You can also tailor these newsletters to a specific audience (students, faculty, and/or staff) for more targeted campaigns. If your budget allows for printing newsletters, be sure to include an electronic version of each publication on your website, too.
Sample newspapers and articles targeting college and university community members:
- California State University Channel Islands secureCI's Monthly Information Security Newsletter
- Grand Rapids Community College Information Security Awareness Newsletters
- University of Colorado Information Security Newsletter
- HEISC Monthly Security Awareness Blog Posts (annual Campus Security Awareness Campaign materials)
Messages can also be delivered at appropriate cycles in the campus newspaper to remind the community of risks such as false claims about expired accounts, IRS email scams, or Valentine’s Day viruses. You can take advantage of your IT department’s monthly or quarterly newsletter to publish an article on security. Since information security is not limited to the IT department, you can offer to write an article about data classification or data protection in the finance department’s newsletter, or in other departments’ newsletters. Use your campus television network (if you have one) to run a short security awareness video.
If you have limited resources and cannot create a campus security awareness newsletter, consider sharing the SANS Security Awareness Newsletter, OUCH! This free resource is published monthly in multiple languages, and each edition is carefully researched and developed by subject matter experts. (OUCH! is distributed under the Creative Commons BY-NC-ND 4.0 license, so you may share the newsletter on your campus; the only limitation is that you cannot modify or sell it.)
7) Participate in National Cybersecurity Awareness Month (NCSAM)
National Cybersecurity Awareness Month (NCSAM), celebrated every October since 2004, was created as a collaborative effort between government and industry to ensure everyone has the resources they need to stay safer and more secure online. Since its inception under leadership from the U.S. Department of Homeland Security and the National Cyber Security Alliance, NCSAM has grown exponentially, reaching consumers, small and medium-sized businesses, corporations, educational institutions, and young people across the nation. There are opportunities for everyone on campus to get involved.
- Conduct community-based security awareness events on campus or regionally.
- Visit the NCSA YouTube channel where you'll find many cybersecurity-related videos.
- Additional awareness resources are also available (e.g., fact sheets, backgrounders, infographics, logos and graphics, research, and social media posts).
8) Measure the Effectiveness of your Program Annually
One way of measuring the effectiveness of a security program is by employing the use of an annual user survey. This can be augmented with other types of data that you would collect over time. Consider retaining yearly data for the following:
- User awareness surveys
- Number of incidents and help desk incident reports
- Number of stolen mobile devices
- Participation at security events
- Awareness quiz scores
- Completion rate of security awareness courses (e.g. PCI, HIPAA, basic security, etc.)
Another way to measure success is to incorporate a “just-in-time” component into your program. For example, with your administration’s permission, launch a non-malicious simulated phishing email to your audience quarterly. Connect those who do not recognize it as phishing and click on links in the message to an educational splash page. Count how many persons were connected to the splash page, and see if over time more recipients recognize these messages as possibly phishing, and fewer click on the links.
Comparing the data over time, one would hope to see better answers on surveys, fewer incidents, etc.
- ECAR Research Bulletin (2013): Measuring the Effectiveness of Security Awareness Programs
- A Guide to Effective Security Metrics
- SANS Security Awareness Metrics blog post and Security Awareness Metrics Matrix (part of the Security Awareness Planning Toolkit
- Security Metrics EDUCAUSE Library Page
- Training Evaluation Field Guide (US Office of Personnel Management)
- Delivery Method Matrix (MIT)
- Checklist for Training Process Audit (Scribd)
9) Automate Services
Information Security has the daunting task of staying abreast of the latest threats and risks. Because threats evolve and surface daily, the ability to understand and distribute the information is a challenging task. Information security RSS feeds like the SANS Security Awareness Tip of The Day, US-CERT's Security Alerts, and REN-ISAC's Weekly Watch make critical breaking news and security tips pertaining to the latest threats immediately available to anyone who subscribes. Leveraging such automated services can reduce workload on information security staff while providing valuable awareness to end users (students, faculty, and staff). You can share these alerts with your community by linking to social media and embedding RSS feeds on your campus website.
The information in this document is only a guide, though it is an excellent starting point! If you'd like help building your awareness program or have questions for other security awareness professionals in the higher education community, consider joining the HEISC Awareness and Training Community Group for additional guidance.
Top of page
Questions or comments? Contact us.
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).