
BETA Version 2.1: July 2010

Handy Hint
If you're just getting started with a Security Awareness Program and you just need the basic information, check out the Quick Start Guide. Other resources of interest might include the Cybersecurity Awareness Resource Library and the National Cyber Security Awareness Month Resource Kit.

Detailed Instruction Manual (Advanced)

This section is for campuses with an existing Security Awareness Program who can dedicate more time and resources to developing their own materials.

1) Rotate Key Messages as Monthly Themes Throughout the Year

Establishing an annual schedule for educating your community helps to deliver a more coherent message and allows subsequent communications to build on previous ones. The schedule can be based on your community's needs as identified through a risk assessment analysis, or can be based on best practices and standards. For example, you can use the following strategies:

Break the year into three topic areas as follows:

  • Confidentiality (July through October)
  • Integrity (November through February)
  • Availability (March through June)

Each of the four-month periods can be further broken down into a development cycle:

  • Month One - Problem identification, topic selection, budget
  • Month Two - Development of themes, materials, etc.
  • Month Three - Production of materials, venue arrangement, train the trainer
  • Month Four - Publish materials, conduct training/events

Selection of topics can be further fine-tuned by local, national and world trends and new requirements.

  • Confidentiality - FTC Red Flags deadlines, new State Privacy Laws, reports of Social Engineering incidents, New Malware, Increase of Malicious Web Sites, Attacks on Banking Transactions, Improvements in Encryption solutions, etc.
  • Integrity - Business process improvement and training opportunities during other projects, implementation of additional verification and testing procedures following discovery of problems, etc.
  • Availability - Annual Disaster Recovery and Business Continuity training and planning to mitigate expected problems, debriefing and additional improvements following events such as adverse weather damage.

For additional suggested themes and ideas, see the NCSAM Sample Kit or the Cybersecurity Awareness Resource Library.

2) Customize a Security Awareness Website

Now that you have the basic framework for a security web site in place, it's time to decide whether to take it to the next level. While it may seem trivial, maintaining an effective web presence can be a time-consuming task. Numerous tools exist to make this process easier, but the rule of thumb, especially for larger and more comprehensive sites, is that the work required to maintain the site is inversely proportional to the amount of effort spent on building the site and associated management tools. Review this guide, make decisions up front about how much time (and/or money) you can invest, and then plan accordingly.

Key Tips and Examples

Read: Organizing Your Campus IT Security Website: Five Elements for a Successful Security Website

This document provides a great start, offering five key elements for a successful web site, plus a list of numerous other college and university security web sites.

Choose Your Battles

It's nearly impossible to fight every fight, especially on a higher education budget. There are countless security and privacy issues out there, and your site can't possibly serve as your school's comprehensive resource for all of them; there simply aren't enough hours in the day. Start to listen and learn what applies most to your constituents. Communicate with your incident response staff, and focus on content that will best fill in the security gaps at your institution.

Leverage the Rest

As the Quick Start Guide mentions, leverage the work of other EDUCAUSE institutions who make their work available, in addition to other non-EDU resources, such as sites by the National Cyber Security Alliance and the US Federal Government. You can find great topics and plenty of reusable content - either to link to or repurpose on your site.

Start Building

Using a Content Management System
The most effective way to maintain an updated web site is to employ some sort of web content management system. Many open-source systems are freely available, easy to set up and deploy, and have large development communities. That said, the rule of thumb applies: designing a site that makes it simple for multiple users to contribute content, and that yields a more extensible framework, means you'll spend a bit more time building the site infrastructure.

Leveraging Social Networking and Related Media
Many security awareness professionals utilize social media, such as Facebook, Twitter, blogs, and more. These can be a powerful yet easy way to connect with members of your college/university community, especially students. Tools like this bring most of the infrastructure with them, so you need only worry about the content. Remember though, most Facebook and Twitter users are used to checking in with these tools for new and updated information. If you let your content become stale, people may not feel it's worth their while to check in with your pages.

Location Location Location
Just as in the real world, location in cyberspace can assist you immensely. Choose an effective URL, or even better, start an information security campaign or brand and package the URL as part of that. Several institutions currently employ this approach:

If you're not quite ready to begin an entire campaign or brand, start small. A good URL will be easy to remember, type, and say aloud, such as at an event or over the phone. You may decide a brand is the way to go later (as you read through this guide), and a web site can always be redesigned or tweaked to include updated campaigns and themes.

Web Standards Can Help You
Building a site that follows good Web practices can only serve to help you, now, and in the future. Marketing and design companies try to sell people on concepts such as search engine optimization, which is really just smoke and mirrors. There's no secret or trick with modern search engines (like Google, Yahoo, or Bing) - except good, clean, well-formed HTML that complies with web standards. Other benefits of taking web standards into account are: better usability, improved accessibility for screen readers and other such devices, and an extensible infrastructure that allows you to easily repurpose your content for a wide array of audiences and consumption mediums.

Additionally, well-formed content will lend itself much more easily to redesigns and rebranding. Remember, the more effort you put into building a site, the greater the flexibility and robustness later on.

For more about web standards, visit:

3) Develop and Brand Campus-Specific Posters and Videos

Campus-specific posters allow you to address the security issues that present the greatest threats at your campus. By creating posters specific to the audience, one can more effectively deliver the message. We put together a series of '50s-style cartoon characters promoting safe use of computers and internet/network connectivity that were posted throughout the entire residence hall system.

When we were promoting an emergency text messaging system, we had one poster targeting the student demographic and another to market to staff and faculty.

Since the emergence of YouTube and its popularity, we have created short informational videos that can be played on our television network system. This gives us another means to deliver the message to be careful while on the internet.

Additional materials could include postcards, bookmarks, flyers, screensavers, etc.

These are examples of the printed/digital materials that can be utilized, but there are other things one can do to promote computer security awareness as well.

4) Develop and Brand a Campus-Specific Security (Awareness) Newsletter

Newsletters are a good way to supplement your security awareness message. Their expanded format lets you stretch out beyond incident bullets and headline splashes on home pages. They can provide in-depth explanations of current threats, promote local security initiatives, and allow you to reach your audience on a personal and emotional level through shared stories, such as dealing with identity loss after the theft of a laptop.

Getting Started

If you haven't prepared a newsletter before, begin by looking at others' publications for inspiration and for what might work for you (see below for some examples). For some general tips on newsletter development, read Newsletter Design and Publishing or Graphic-Designs for Hard Times and 12 Most Common Newsletter Design Mistakes from the Design & Publishing Center. Free templates like those in the Microsoft Office gallery are available to help get you started quickly.

Selecting a Format

A newsletter can be presented in a variety of formats. Consider your audience and resources when selecting what works best for you and your campus. Are you trying to reach a specific audience? If so, where do they get their information? Are you trying to stand out from other messages bombarding your campus? You may decide that, with all of the electronic communication, a hard copy of your newsletter in key offices may catch your readers' attention.

Here are examples of the most common formats. You may decide to go with one or a combination of two or more:

Some other examples:

Developing Content

If your time is at a premium, consider using customizable materials from such sources as the Multi-State Information Sharing and Analysis Center (MS-ISAC). Their "Cyber Security Tips Newsletter" is produced monthly and can be readily adapted for local use, as Rutgers does in their Cyber Security Newsletter. Here are two examples: April 2010 and July 2009.

SANS's OUCH! newsletters are another good resource. They are also free and available for reprinting in whole or in part as needed. The University of South Florida's monthly security newsletters show how OUCH! can be used, providing helpful tips for your audience with a minimum of work.

You may also wish to supplement your newsletters with RSS feeds from other news sources.

5) Create Campus-Specific Training Materials

  • Examples...

6) Build Relationships (Internal and External)

  • Internal: Work with RAs, departments, HR, and others.
  • External: Contact local or national security awareness groups, professional societies (e.g., ISSA, ISACA, InfraGard, IEEE security & privacy group), or student groups (e.g., ACM student chapters, physical safety & security student groups, ASIS).

7) Communicating Policies & Procedures

8) Send Community Alerts as Needed (Use Credible Sources; Keep Messages Short & Simple)

Information security alerts and advisories are used to warn the community of actual and potential threats. They can be delivered through e-mail and other traditional channels and should be incorporated into your institution's centralized messaging service when available. Avoid the temptation to be too wordy or too technical. You need to consider your audience, their attention span, and their technological "savvy."

Key Elements of an Alert or Advisory

Creating a template for your alerts and advisories will help recipients scan the information quickly. Key elements include:

  • Headline
  • Tagline (teaser)
  • Why the audience is receiving the message (what's the threat?)
  • What your institution is doing
  • What the audience should do
  • Links to more information

Sample advisory about scams affecting students (RIT, Spring 2010)

Authenticity of Communications

An issue faced by most of us is how to ensure that recipients know that the communications they've received are "official" and not part of a phishing attempt. We addressed this at RIT by drafting a Signature Standard that required specific elements in official communications.

RIT Signature Standard

New Technologies (Web 2.0, Facebook, Twitter, etc.)

To reach students, you need to go where the students are. Students are heavy users of Web 2.0/social networking sites such as Facebook. (Twitter has not gained the same level of acceptance, but is easily incorporated by linking Facebook status postings to Twitter through Facebook Connect.) In response, many information departments are incorporating a Web 2.0 presence into their communications strategies. Tools such as HootSuite, TweetDeck, etc. enable easy one-time publishing of content that you can push to different social media sites. The Higher Education Information Security Council (HEISC) is now using Twitter (@HEISCouncil) as an additional communications vehicle.

Alert system (SMS messaging)
RSS feeds

For information about RSS feeds, see the Quick Start Guide.

9) Deliver Presentations through a "Road Show"

  • Res Hall Meetings
  • Management Meetings
  • Wellness or Other Campus-Sponsored Fairs

10) Tie-In Institution or IT-Specific Glossaries Where Acronyms are Defined

The IT world can be a confusing place, filled with complex and methodical information. As a result, many common terms, processes, and names in the IT world must be equally precise, some requiring four or five words to describe accurately. This has given rise to hundreds of acronyms over the years, many of which, while worlds apart in functionality, can look or sound alike or have very similar spellings.

Because computers and networks operate with such precision, IT professionals must be meticulous, seldom having room to dismiss anything as minutiae. For instance, when setting up a firewall ruleset, a network administrator who confused SNMP with SMTP could cause a relatively dangerous vulnerability.

The security and privacy world is no different, often requiring an understanding of these IT processes and names. If your security awareness program includes more and more of these, consider using a glossary to help your users understand your documentation a bit better. It may also help them gain a firmer understanding of the scope and/or mission of your agenda.

Several institutions have begun such projects:


Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License.
