In our introduction to system and network security course, a major emphasis is creating a “security mindset” – we want the participants to think critically about security. This can be difficult, particularly when security is not part of an organization’s thinking.
Some companies are spending time and money on “security awareness”. The idea is to have courses, seminars, programs and even posters trying to make employees aware of cybersecurity issues. The problem with many of these efforts is that they do not focus on people’s thinking – they generally focus on actions. “Don’t share your passwords!”, “Keep the door locked”, “Brush your teeth” – they all sound like momma’s commands. Perhaps because of that, they go in one ear and out the other.
Instead, people need to be aware of the issues of computer security. They need to understand not just threats and countermeasures (such as having a strong password), but also how attacks can impact the organization. That impact can range from lost revenue to lost lives. Beyond that, people need to consider the security aspects of all they do. Whether someone is designing software, managing a network or surfing the web (at lunch, of course!), their actions can impact an organization’s security. If they don’t understand the consequences of their actions and the impact on the organization and its people, they are not likely to act securely.
How do we work to build this mindset and how can it help your organization? We work to build it by exposing the learners in our course to threats, countermeasures and impacts. Rather than discussing every possible threat (and we’d never finish if we did), we categorize the threats and discuss the principles and concepts. Whether a threat is to an Oracle database or a Linux server, there are certain fundamental characteristics or traits we can discuss. This is especially useful in classes with participants from different backgrounds and with different needs. By stressing the essentials, we show how to look at security issues in terms of their causes. This allows for a general understanding rather than creating specialists (Learning Tree has other follow-on courses for that).
Now we’d like your help. We try to distill issues from many cybersecurity areas down to their fundamentals. What we need are example cybersecurity issues you find interesting. Don’t post company challenges you are facing, of course! What do you see in the news that you want to learn more about? Biometrics? Awareness? Cross-site scripting? (We do discuss those, but maybe you’re interested in, say, heart rhythms as an authentication method.) Whatever it is, let us know in the comments below.
Looking forward to seeing you in one of our upcoming classes,