BETA Version 2.1: July 2010
If you're just getting started with a Security Awareness Program and you just need the basic information, check out the Quick Start Guide. Other resources of interest might include the Cybersecurity Awareness Resource Library and the National Cyber Security Awareness Month Resource Kit.
This section is for campuses with an existing Security Awareness Program who can dedicate more time and resources to developing their own materials.
Establishing an annual schedule for educating your community helps to deliver a more coherent message and allows subsequent communications to build on previous ones. The schedule can be based on your community's needs as identified through a risk assessment analysis, or can be based on best practices and standards. For example, you can use the following strategies:
Break the year into three topic areas as follows:
- Confidentiality (July through October)
- Integrity (November through February)
- Availability (March through June)
Each of the four-month periods can be further broken down into a development cycle:
- Month One - Problem identification, topic selection, budget
- Month Two - Development of themes, materials, etc.
- Month Three - Production of materials, venue arrangement, train the trainer
- Month Four - Publish materials, conduct training/events
Selection of topics can be further fine-tuned by local, national and world trends and by new requirements.
- Confidentiality - FTC Red Flags deadlines, new state privacy laws, reports of social engineering incidents, new malware, increases in malicious web sites, attacks on banking transactions, improvements in encryption solutions, etc.
- Integrity - Business process improvement and training opportunities during other projects, implementation of additional verification and testing procedures following discovery of problems, etc.
- Availability - Annual Disaster Recovery and Business Continuity training and planning to mitigate expected problems, debriefing and additional improvements following events such as adverse weather damage.
Now that you have the basic framework for a security web site in place, it's time to decide whether to take it to the next level. While it may seem trivial, maintaining an effective web presence can be a time-consuming task. Numerous tools exist to make this process easier, but the rule of thumb is: the larger and more comprehensive the site, the more the ongoing maintenance burden depends on what you invested up front in building the site and its management tools. Effort spent on the infrastructure at the start is effort saved on upkeep later. Review this guide, then decide upfront how much time (and/or money) you can invest, and plan accordingly.
This document provides a great start, offering five key elements for a successful web site, plus a list of numerous other college and university security web sites.
It's nearly impossible to fight every fight, especially on a higher education budget. There are countless security and privacy issues out there, and your site can't possibly serve as your school's comprehensive resource for all of them; there simply aren't enough hours in the day. Start to listen and learn what applies most to your constituents. Communicate with your incident response staff, and focus on content that will best fill in the security gaps at your institution.
As the Quick Start Guide mentions, leverage the work of other EDUCAUSE institutions who make their work available, in addition to other non-EDU resources, such as sites by the National Cyber Security Alliance and the US Federal Government. You can find great topics and plenty of reusable content - either to link to or repurpose on your site.
Using a Content Management System
The most effective way to maintain an updated web site is to employ some sort of web content management system. Many open-source systems are freely available, easy to set up and deploy, and have large development communities. That said, the same rule of thumb applies: designing a site that makes it simple for multiple users to contribute content, and that yields a more extensible framework, means you'll spend a bit more time building the site infrastructure.
Leveraging Social Networking and Related Media
Many security awareness professionals use social media such as Facebook, Twitter, blogs, and more. These can be powerful yet easy ways to connect with members of your college/university community, especially students. Tools like these bring most of the infrastructure with them, so you need only worry about the content. Remember, though, that most Facebook and Twitter users check in with these tools expecting new and updated information. If you let your content become stale, people may not feel it's worth their while to check in with your pages.
Location Location Location
Just as in the real world, location in cyberspace can assist you immensely. Choose an effective URL, or even better, start an information security campaign or brand and package the URL as part of that. Several institutions currently employ this approach:
- Purdue University | www.purdue.edu/securepurdue
- Ohio State | buckeyesecure.osu.edu
- Montana State University | www.montana.edu/itsecurity
- Rochester Institute of Technology | security.rit.edu
- Duke University | security.duke.edu
- University of Notre Dame | secure.nd.edu
- Indiana University | keepITsafe.iu.edu
If you're not quite ready to begin an entire campaign or brand, start small. A good URL will be easy to remember, type, and say aloud, such as at an event or over the phone. You may decide a brand is the way to go later (as you read through this guide), and a web site can always be redesigned or tweaked to include updated campaigns and themes.
Web Standards Can Help You
Building a site that follows good Web practices can only serve to help you, now, and in the future. Marketing and design companies try to sell people on concepts such as search engine optimization, which is really just smoke and mirrors. There's no secret or trick with modern search engines (like Google, Yahoo, or Bing) - except good, clean, well-formed HTML that complies with web standards. Other benefits of taking web standards into account are: better usability, improved accessibility for screen readers and other such devices, and an extensible infrastructure that allows you to easily repurpose your content for a wide array of audiences and consumption mediums.
Additionally, well-formed content will also give way much more easily to redesigns and rebranding. Remember, the more effort you put in to building a site, the greater the flexibility and robustness later on.
For more about web standards, visit:
Campus-specific posters allow you to address the security issues that present the greatest threats at your campus. By creating posters specific to the audience, one can deliver the message more effectively. We put together a series of '50s-style cartoon characters promoting safe use of computers and internet/network connectivity that were posted throughout the entire residence hall system.
When we were promoting an emergency text messaging system, we had one poster targeting the student demographic and another to market to staff and faculty.
Since the emergence and popularity of YouTube, we have created short informational videos that can be played on our television network system. This gives us another means of delivering the message to be careful while on the internet.
- Protect Your Password: http://www.purdue.edu/securepurdue/training/
- Spam Guard: http://www.purdue.edu/securepurdue/training/
Additional materials could include postcards, bookmarks, flyers, screensavers, etc.
- Talk like a Pirate Day (September 19th)
These are examples of the printed/digital materials that can be utilized, but there are other things one can do to promote computer security awareness as well.
Newsletters are a good way to supplement your security awareness message. Their expanded format lets you stretch out beyond incident bullets and headline splashes on home pages. They can provide in-depth explanations of current threats, promote local security initiatives, and allow you to reach your audience on a personal and emotional level through shared stories, such as dealing with identity theft after the loss of a laptop.
If you haven't prepared a newsletter before, begin by looking at other publications for inspiration and for what might work for you (see below for some examples). For some general tips on newsletter development, read Newsletter Design and Publishing or Graphic-Designs for Hard Times and 12 Most Common Newsletter Design Mistakes from the Design & Publishing Center. Free templates like those in the Microsoft Office gallery are available to help get you started quickly.
A newsletter can be presented in a variety of formats. Consider your audience and resources when selecting what works best for you and your campus. Are you trying to reach a specific audience? If so, where do they get their information? Are you trying to stand out from the other messages bombarding your campus? You may decide that, amid all the electronic communication, a hard copy of your newsletter in key offices may catch your readers' attention.
Here are examples of the most common formats. You may decide to go with one or a combination of two or more:
- Blogs: MIT's Security News, also available as a Twitter or RSS feed
- Online: Secure IT! produced by the Information Security Group at Brown University
- PDFs: Virginia Tech's quarterly newsletters (can be made available online or used to produce hard copies for distribution)
- Podcasts: Information Security News Podcasts produced by Northwestern University Information Technology (NUIT)
- Push lists: MIT's IS&T Security FYI Newsletter
- Targeted toward a particular audience: Purdue's CERIAS newsletter
Some other examples:
- Longwood University's "The Security Minute"
- New York University
- University of Alabama's "Frontline"
- University of Arizona's InfoSec Monthly Update
- University of Rochester
If your time is at a premium, consider using customizable materials from sources such as the Multi-State Information Sharing and Analysis Center (MS-ISAC). Their "Cyber Security Tips Newsletter" is produced monthly and can be readily adapted for local use, as Rutgers does in its Cyber Security Newsletter. Here are two examples: April 2010 and July 2009.
SANS's OUCH! newsletter is another good resource. It is also free and available for reprinting in whole or in part as needed. The University of South Florida's monthly security newsletters show how OUCH! can be used, providing helpful tips for your audience with a minimum of work.
You may also wish to supplement your newsletters with RSS feeds from other news sources.
- Internal: Work with RAs, departments, HR, and others.
- External: Contact local or national security awareness groups, professional societies (e.g., ISSA, ISACA, InfraGard, the IEEE security & privacy group), or student groups (e.g., ACM student chapters, physical safety & security student groups such as ASIS).
- Visit these websites for examples: UVA, Indiana University, University of Massachusetts, etc.
Information security alerts and advisories are used to warn the community of actual and potential threats. They can be delivered through e-mail and other traditional channels and should be incorporated into your institution's centralized messaging service when available. Avoid the temptation to be too wordy or too technical. You need to consider your audience, their attention span, and their technological "savvy."
Creating a template for your alerts and advisories will help recipients scan the information quickly:
- Tagline (teaser)
- Why the audience is receiving the message (what's the threat?)
- What your institution is doing
- What the audience should do
- Links to more information
An issue faced by most of us is how to ensure that recipients know the communications they've received are "official" and not part of a phishing attempt. We addressed this at RIT by drafting a Signature Standard that required specific elements in official communications.
To reach students, you need to go where the students are. Students are heavy users of Web 2.0/social networking sites such as Facebook. (Twitter has not gained the same level of acceptance, but is easily incorporated by linking Facebook status postings to Twitter through Facebook Connect.) In response, many information security departments are incorporating a Web 2.0 presence into their communications strategies. Tools such as HootSuite, TweetDeck, etc. enable easy one-time publishing of content that you can push to different social media sites. The Higher Education Information Security Council (HEISC) is now using Twitter (@HEISCouncil) as an additional communications vehicle.
For information about RSS feeds, see the Quick Start Guide.
- Res Hall Meetings
- Management Meetings
- Wellness or Other Campus-Sponsored Fairs
The IT world can be a confusing place, filled with complex and methodical information. As a result, many common terms, processes, and names in the IT world must be equally precise, some requiring four or five words to describe accurately. This has given way to hundreds of acronyms over the years, many of which look alike, sound alike, or have very similar spellings while being worlds apart in function.
The precision with which computers and networks operate requires IT professionals to be meticulous, seldom leaving room to dismiss anything as minutiae. For instance, when setting up a firewall ruleset, a network administrator who confused SNMP (device management, UDP port 161) with SMTP (mail transfer, TCP port 25) could expose management interfaces to the Internet instead of admitting mail to a mail server, a relatively dangerous vulnerability.
The security and privacy world is no different - often requiring understanding of these IT processes and names. If your security awareness program includes more and more of these, consider using a glossary to help your users understand your documentation a bit better. It may also help them grasp a firmer understanding of the scope and/or mission of your agenda.
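To make the firewall example above concrete, here is an added illustration (not part of the original guide, and not any real firewall's syntax): a small audit over a constructed ruleset that flags a rule whose comment says "SMTP" while its protocol/port actually opens SNMP, and any rule that exposes a management protocol to every source. The rule format, the service table and the sample rules are all assumptions made for this example.

```python
"""Audit a firewall ruleset for the SNMP-vs-SMTP mix-up described in the text.

Constructed example: the Rule format and SAMPLE_RULESET below are invented for
this illustration and do not correspond to any real firewall's configuration.
"""
from dataclasses import dataclass

# Well-known services and the transport/port each one actually uses.
SERVICES = {
    "SMTP": ("tcp", 25),    # mail transfer; normally exposed on a mail relay
    "SNMP": ("udp", 161),   # device management; should never face the Internet
}
MANAGEMENT_SERVICES = {"SNMP"}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    action: str   # "allow" or "deny"
    comment: str  # what the administrator *meant* the rule to do
    proto: str    # "tcp", "udp" or "any"
    port: int
    src: str      # "any" or an address/prefix
    dst: str


def intended_service(rule):
    """Service named in the rule's comment (the administrator's intent), or None."""
    for name in SERVICES:
        if name.lower() in rule.comment.lower():
            return name
    return None


def actual_service(rule):
    """Service the rule really opens, judged by its protocol/port pair, or None."""
    for name, (proto, port) in SERVICES.items():
        if (rule.proto, rule.port) == (proto, port):
            return name
    return None


def audit(rules):
    """Return (rule_id, finding) pairs for allow rules whose effect contradicts
    their stated intent, or that expose a management protocol to any source."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        meant, does = intended_service(r), actual_service(r)
        if meant and does and meant != does:
            findings.append(
                (r.rule_id, f"comment says {meant} but rule opens {does} ({r.proto}/{r.port})")
            )
        if does in MANAGEMENT_SERVICES and r.src == "any":
            findings.append((r.rule_id, f"{does} reachable from any source"))
    return findings


# Constructed sample: r2 is the SNMP/SMTP confusion, r3 is legitimate SNMP from
# a single network management station, r4 is the default deny.
SAMPLE_RULESET = [
    Rule("r1", "allow", "SMTP to mail relay", "tcp", 25, "any", "192.0.2.25"),
    Rule("r2", "allow", "SMTP to backup mail relay", "udp", 161, "any", "192.0.2.26"),
    Rule("r3", "allow", "SNMP from NMS", "udp", 161, "192.0.2.10", "192.0.2.0/24"),
    Rule("r4", "deny", "default deny", "any", 0, "any", "any"),
]

if __name__ == "__main__":
    for rule_id, finding in audit(SAMPLE_RULESET):
        print(rule_id, finding)
```

Running it reports only r2, twice: once because the comment and the protocol/port disagree, and once because UDP 161 is open to any source. The point of the check is that the comment alone looked fine; only comparing intent against the actual protocol/port catches the slip.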
Several institutions have begun such projects:
- Indiana University | Information Security & Privacy Program Glossary
- Cal Poly Pomona | Security Awareness Central
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.