All users with a networked computer should be required to attend a short seminar on basic security awareness. Table B.1 is an example awareness class that can be easily taught to large and small audiences:
Table B.1. Topics for Basic Security Awareness Class

| Recommended Topics to Cover | Estimated Time |
|---|---|
| Begin by presenting some of the fascinating statistical projections about security: how much damage has been done to the world by hackers, how much organizations are expected to lose, how many hackers are out there, etc. Here we simply want to get the audience's attention and show how big an issue information security is. | 3 minutes |
| Discuss how a hacker enters an organization. Here we want to apply the security problem to the local facilities and make end-users understand that this is a real threat to the organization. | 3 minutes |
| Discuss how hackers can gain information about an organization: through friends employed at the organization; cold-call and email solicitations; dumpster-diving; walking around and looking for written passwords; probing systems and networks, and sniffing communications. | 3 minutes |
| Discuss what hackers can do to an organization: take down a system or desktop; read confidential information and emails; manipulate information, forge documents, etc. | 3 minutes |
| Discuss how end-users can help in security: maintain good password protection; be sensible about downloading files or receiving attachments or disks; do not install unauthorized software on a desktop; remove modems and other external devices; keep desktop software and operating systems up-to-date; stay on the lookout for hackers and potential security issues; question people who sit down at a local computer or who are found wandering through the building unescorted; when in doubt, ask the local security team or expert. | 10 minutes |
| Discuss how an end-user should handle an incident: | 3 minutes |