
Friday, July 3, 2009

Excellent Awareness talk from British Airways

There were several great talks at the recent ENISA conference on raising IT Security Awareness. I would like to mention one here from Robert Hadfield of British Airways called “Silver Bullets, Kangaroos and Speed Cameras”, which is embedded below from Scribd.

Hadfield began by reporting on an experiment in which 100 identical emails, each marked as urgent and carrying an executable attachment, were sent to employees. The result was that 84 people opened the email, and 69 of them also executed the attachment. So, he said, we have a problem with people. To justify a security awareness program he gave the following very wise reasons:

  1. Simple human error, ignorance or omission is most commonly at the root of any security breach
  2. We need to enable employees to acquire security knowledge by using their own reason, intuition and perception. We must seek long-term behavioural change.
  3. Pound for pound, raising awareness will improve security far more effectively than any technical solution can ever hope to achieve.

He also noted that since the average cost of a security breach is about £50,000, an awareness program can pay for itself if it prevents one or two such incidents per year. Even so, how do you effect change in a group of 45,000 mostly uninterested employees? Hadfield found great success with meet-the-people workshops and roadshows. Other speakers at the ENISA workshop also reported these as a very effective awareness mechanism, and the same was the main conclusion of an ENISA survey conducted by PwC last year. Hadfield reports that over 200 workshops have been run this year, training over 2000 people. BA also uses other channels besides workshops, and one of their clever posters is shown below: a reminder to users to lock their desktops when wandering off for a coffee.

[Image: British Airways awareness poster reminding users to lock their desktops]

I am leaving out many clever observations and graphics, so please take a look at the presentation for yourself.

IT Security Awareness presentation from British Airways, June 2009

Sunday, June 21, 2009

My ENISA Awareness presentation

Last Friday I gave a presentation at an ENISA conference on raising IT Security Awareness. I have just one idea per slide and next to no text beyond the title. You can find the slides below on Scribd.

IT Security Awareness Tips

Wednesday, April 29, 2009

ENISA and Security Awareness

In June I will be speaking at an ENISA conference in London on security awareness. The conference theme is the “growing requirement for information security awareness across public and private organisations”. ENISA is quite active in the space of security awareness, and you can see their portfolio of work here. Better security awareness might have prevented the loss of an unencrypted USB stick by an MI6 agent, which, as reported recently, led to a £100 million anti-narcotics operation being abandoned because of the compromised data.

One interesting awareness report from ENISA is a survey on current awareness practices and success criteria. The report is short, 24 pages, much of which is taken up by generous margins and large graphical embellishments. I have included an important chart below that lists awareness techniques and their effectiveness at raising awareness, as judged by the survey participants.

[Image: ENISA survey chart of awareness techniques ranked by effectiveness]

Classroom training (face-to-face interaction) was judged to be the most effective method, and by some margin. Promotional material had no redeeming features, and CBT (computer-based training) courses were only slightly ahead of leaflets and just on par with regular mail-outs. But please read the whole report to get the whole picture. In any case, the chart is a good discussion point for your next security team meeting.
