Companies Aim to Build Security Awareness

Computerworld - From colorful rulers with security slogans printed on them to candy bars left on employee keyboards in return for a successful security audit, companies are pulling out all the stops to do the one thing that really matters when it comes to information security: change behavior.
It's not easy. New security policies often conflict with the way employees have done their jobs for years. For example, offices and departments that once operated with full and open information sharing are now being told that they must learn to control information, confront strangers who aren't wearing identification badges and refuse access to sensitive areas to anybody who can't produce identification - even the boss.
Industry experts and corporate trainers are relying more and more on slogans, posters, games, trinkets and rewards to raise awareness about the importance of information security and the ever-changing threats that companies face in cyberspace. And while these small reminders might not be the entire answer to changing employee behavior or to garnering senior management support, experts agree that they are important elements in an overall security program.
Playing Games
Charles R. Hudson Jr., security officer and information security project manager at Wilmington Trust Corp., a 2,700-employee asset management company in Wilmington, Del., said themes and slogans have worked very well in his security awareness program. This year's theme, says Hudson, is based around popular TV game shows. For example, trainees play a version of Jeopardy that relies on security-related material for the clues.
Wilmington Trust's program also includes rewards for employees who demonstrate security awareness in their everyday jobs, such as consistently logging off of their computers before leaving work. That means free sodas and lunches, candy bars, small cash prizes and other trinkets.
"It's not about money," said Hudson, who spoke at this year's Computer Security Institute (CSI) conference in Chicago. "Most of this stuff is 50 cents or less."
In addition to mandatory security briefings for new employees, Hudson said his program relies heavily on a company newsletter and a security intranet site to get the word out. Therefore, company security policies and examples of security horror stories at other firms "are just a few mouse clicks away," he said.
Dan Erwin, a security officer at The Dow Chemical Co., also uses horror stories from other companies to raise awareness and to spark senior managers' interest in security.
"The best way to get management excited about a disaster plan is to burn down the building across the street," said Erwin, who recently won CSI's lifetime