Security Awareness is the 3rd working group of SIG-ISM. The goals of the working group were presented at the SIG-ISM Open Workshop at TNC18. The attendees were then asked to discuss the existing methods and materials and their effectiveness.
SANREN:
Renier: “You cannot raise security awareness alone”.
SANREN are sponsoring a student white hack competition (annual conference + competition). Around 100 students participate in the first round and 30 in the second round. Students get very creative - the hacking even includes social engineering attacks.
The main aim is to increase awareness at their institutions.
The organisers are using commercial software from Switzerland - “Hacking Lab”.
In addition, some universities offer Information Security courses that are open to all students. The best way to make it more popular is to find ‘champions’ at universities.
DFN:
Not reaching out to end users, but raising awareness among people from government, those responsible for funding the universities
2-day meetings - always add security-related subjects to the agenda (presentation)
First reaction - positive, but hard to get commitment
Audience not tech savvy
Maybe a demo or an exercise would help
How to speak to someone - presenting information they need in a way they understand
SURFnet:
Internal security awareness campaign
Theme-based: confidential information, being safe on public Wi-Fi, what to do when travelling
Material - Cybersafe yourself campaign, testimonials of people from the organisation, videos
Posters + information on the intranet
Will have swag useful for the holiday season + leaflet with information
How effective is it? - hard to measure
How many people are working on it - 2-3 working on preparation (incl. communications person)
Rolf: Communication ideas - how to talk to the management. CEO Forum - how should we communicate so that you would understand our topics, how to sell security to senior management? - maybe have a VC or interview with Chris Hancock & EU CEO
CERN:
https://security.web.cern.ch/security/training/en/index.shtml
Ongoing since 2010
Phishing campaigns every year, around 20% of people fall for it
Shortly after a campaign more people report
NORDUNET:
Phishing campaigns every month, the same number of people fall for it, but different people each time
DeiC:
Offering it as a service to the members
University of Munich - course for students on how to set up a security awareness campaign
Inventory of all initiatives + lessons learned
We should put together information about those initiatives on the wiki + materials + contact