I was reminded of this when I came across an article about climate change – How to get action on climate change? Hint: Don’t scare us out of our wits – which points out that dire warnings about global warming may well be counter-productive.

Now, I’m not saying that we shouldn’t tell students about the potential consequences of poor information security, but that should be just one small part of our message, with the rest of it being positive – how we can make things safer to our mutual benefit. A carrot is often is often better encouragement than the threat of the stick.

Some Further Reading

• Study Finds That Fear Won’t Don’t Do It: Why Most Efforts at Climate Change Communication Might Actually Backfire
• Apocalypse Soon? Dire Messages Reduce Belief in Global Warming by Contradicting Just-World Beliefs – Matthew Feinberg and Robb Willer; Psychological Science 2011 22: 34 originally published online 9 December 2010

Several public libraries in the UK have reported finding keyloggers attached to the back of PCs. These devices, which look a lot like normal USB flash drives, monitor the keystrokes – including usernames and passwords – of all users of the PCs. So, if you used one of these PCs to access your bank account, your Facebook profile, or your email, your identity might have been compromised.

Hardware keyloggers are very small and, unless you look carefully at the back of the computer – and know exactly what you’re looking for – they can be almost impossible to detect. Here’s an example:

As well as being difficult to spot, they’re also relatively cheap (<$100) making them ideal for aspiring criminals.

One of the most dangerous (and unrecognized) aspects of hardware keyloggers is that SSL (Secure Sockets Layer) encryption is bypassed - the keyboard entries are intercepted before they’re encrypted. So looking for the lock icon on your bank website isn’t going to help you.

What does this mean for your security awareness training? Even if your offices are locked down and a hacker couldn’t gain access to install a hardware keylogger, you should still be concerned. If your staff are using the same password for their Hotmail account as for your corporate email system, or if they’re accessing your corporate systems from a public computer, you could be in trouble. This is a topic that you do need to cover – perhaps as one of your monthly security reminder emails.

You can read more in this post on the Sophos blog: Hardware keyloggers discovered at public libraries; and in this report from the Manchester Evening News: Cyber-crime alert after ‘bugs’ found in library computers

This time, it’s an iPhone issue. German researchers claim to be able to steal passwords stored on a locked Apple iPhone in just six minutes … without cracking the iPhone’s passcode.

Read more in this post on the Sophos blog: VIDEO: How to steal passwords from a locked iPhone

Medical identity theft occurs when someone obtains health care services e.g. treatment, prescription drugs … using the identity of someone else, or when they use another person’s identity to submit false bills. The guide – Medical Identity Theft: FAQs for Health Care Providers and Health Plans – covers:

• red flags that might indicate a problem,
• advice on responding to incidents, and
• how to help your patients avoid identity theft.

Another useful resource is the FTC’s Facts for Consumers: Medical Identity Theft – a brochure in PDF format which can be made available to your patients.

Here’s a short (5 minute) YouTube video from UNLV called HIPAA Happens that illustrates some possible scenarios.

Send the link around to your staff in an email or, better still, post it to your Cosaint training portal with a short mastery test so that you can track students’ understanding of the subject.

This article from PC World – What Cloud Computing Means For the Real World – is an excellent overview of some of the benefits that you can reap by replacing insecure practices commonly found in the workplace.

Further Reading: You can find out more about cloud computing security through the resources available at the Cloud Security Alliance.

Here’s an excellent post on the subject – HIPAA: It’s About the Information! – from Rebecca Herold (“The Privacy Professor”). It focuses on fax machines (a topic that we covered in an earlier post on this blog) but the same thinking applies to any equipment that you use to access, process, or store sensitive information.

For more about this topic, see these posts from our blog:

• Fax Insecurity
• Photocopiers and Information Security

Simon Herring of Ubersecure writes:

The targets of these attacks are companies that have recently posted on job search sites. So what’s the connection? If you’ve posted a job opening, then it’s only logical that someone at the targeted business is expecting a resume or curriculum vitae (CV). They are, after all, trying to fill a vacant position. This means an email with an attached resume isn’t really “unsolicited email”, making it more likely to be opened by the recipient.

Over the past year or so, more and more attention has been placed on malware installation through social networks, shortened URLs, and other vectors. But email attachments continue to be a threat. So, it’s probably time to remind your staff that

1. malware is still being passed around in email attachments;
2. email scanners don’t always detect malware; and
3. email attachments you might not consider to be ‘unsolicited’ might still be infected.

References:

• E-mails Containing Malware Sent To Businesses Concerning Their Online Job Postings (FBI – Jan 19, 2011)
• Fraud Advisory for Businesses: Corporate Account Take Over (United States Secret Service, the Federal Bureau of Investigation, the Internet Crime Complaint Center (IC3) and the Financial Services Information Sharing and Analysis Center (FS-ISAC))

This short post from CSO Online – ShmooCon 2011: Your Android’s dirty little secret – is a useful reminder that everyone needs to be wary of 3rd party applications for smart phones, and also to be generally aware that smart phones are really just hand-held computers and thus subject to most of the security threats that PCs are exposed to. And it’s not limited to Android-based phones – iPhones and Blackberries are also vulnerable.

Whether or not you officially support smart phone use by your staff, smart phone security is a topic that you really must include in your security awareness training.

So I took a step back and did a little research into the more general topic of employee engagement. First, let’s look at what employee engagement actually means. Here’s a definition that I like:

Engagement can be seen as a heightened level of ownership where each employee wants to do whatever they can for the benefit of the internal and external customers.

Ref: Wikipedia – Employee Engagement – downloaded Monday, January 24, 2011

Note that there’s no mention of giving away coffee mugs with slogans, or pasting motivational posters to walls!

So how do we achieve this? During my research, I stumbled on a short blog post titled The Ten C’s of Employee Engagement. It lists 10 key elements that contribute to improving employee engagement in a general business sense:

1. Connect
2. Career
3. Clarity
4. Convey
5. Congratulate
6. Contribute
7. Control
8. Collaborate
9. Credibility
10. Confidence

In thinking about how this applies to the engagement of end-users in information security, ‘Career’, ‘Control’ and ‘Collaborate’ didn’t seem to apply very well to end-user engagement (although they would clearly be critical to building a successful IT/IS team), and the definitions of ‘Credibility’ and ‘Confidence’ seemed to be pretty much the same. So I’ve reduced the number to six – here they are:

1. Connect
   Leaders must show that they value employees. Employee engagement is a direct reflection of how employees feel about their relationship with the boss.
    
2. Clarity
   Leaders must communicate a clear vision. Success in life and organizations is, to a great extent, determined by how clear individuals are about their goals and what they really want to achieve. In sum, employees need to understand what the organization’s goals are, why they are important, and how the goals can best be attained.
    
3. Convey
   Leaders clarify their expectations about employees and provide feedback on their functioning in the organization.
    
4. Congratulate
   Exceptional leaders give recognition, and they do so a lot; they coach and convey.
    
5. Contribute
   People want to know that their input matters and that they are contributing to the organization’s success in a meaningful way. In sum, good leaders help people see and feel how they are contributing to the organization’s success and future.
    
6. Confidence
   Good leaders help create confidence in a company by being exemplars of high ethical and performance standards.
    

Note that there’s nothing in this list about giveaways to persuade people to attend training sessions, or posters to remind them about security every time they turn a corner, or Flash animations and games in web-based training courses. In fact, as the blog author points out, the root causes of employee engagement might be less about the employees, and more about effective leadership.

And that means end-to-end leadership from the executive ranks to line management. As security educators, if we want to make a real difference to security (not just be compliant with regulations), we need to bear that in mind when putting together our training and communications programs. We need to include training and communications elements for managers and executives. This is a theme that I’ll revisit in future blog posts.

Note: The blog post I quoted above was based on an original post on the Ivey Business Journal. The original link location is no longer available on that site so, if anyone knows where there’s a copy of the original article/research paper, please let me know.

Cloud-based applications are already widely used – some of the better known examples being Google Docs, Windows Live, Salesforce, Acrobat.com, Dropbox, and KnowledgeTree. And they don’t require IT approval for a user to set up an account – anyone can sign up with a credit card.

Once employees start using a cloud-based application, security questions start popping up very quickly. Where’s the data being stored? Who has access to it? How is it being backed up? How stable is the cloud service provider?

It’s possible that most use of these services by your employees involves only data that’s unclassified. But that’s not a risk that you can afford to take. And use of a cloud-based application could break the law, and/or agreements with partners – especially if an employee uploads data to a cloud service that stores data in another jurisdiction e.g. out of the country.

You could try restrict use of these applications by blocking access from your network, but that’s probably impractical. And, as with many things, it’s likely that users will find ways to bypass your security measures.

So what’s the solution? Clearly, the first step is to establish a clear IT policy that covers the use of external services. This will probable be part of, or a supplement to, your Acceptable Use Policy. Make it fair and reasonable, or users will find ways to circumvent it.

Then, as with all policies, you’ll need to tell your staff about:

• Why the policy is needed, and the implications of failing the follow the policy.
• What employees CAN do with cloud-based services – probably a list of approved cloud-based services.
• What employees CAN’T do with cloud-based services.
• Who to talk with if they have questions.

The final point is particularly important since cloud computing is such a new field that many of the legal and technical issues have yet to be resolved.

Some Further Reading:

The main problems with using PowerPoint as a staple of your development toolkit are that:

1. It doesn’t offer you any kind of testing solution.
2. It doesn’t allow you to track whether students have or haven’t viewed/completed the course.

There are a number of ways that you can work around these problems. You could:

• Import the PowerPoint presentation into a commercial e-learning tool such as Articulate and turn it into a SCORM format course.
• Save it as a PDF file, and import it into an LMS such as Cosaint which allows you to add a quiz developed within the LMS.
• Save it as a PDF file, and hand-code a quiz and LMS interface code.

Which is the right way for you is going to depend on your budget, and your level of technical expertise. But, if you choose the right approach, you can go from a set of PowerPoint slides to a simple online course + test in a few minutes.

Obviously, this is a case where training helpdesk staff about social engineering attacks, and having well-understood procedures for handling urgent requests is critical.

Using a refresher course means that students:

• don’t have to repeat the training that they took the previous year; and
• are only taken out of the workplace for a short period of time compared to the more extensive training they receive at the beginning of the program.

Cosaint’s refresher course has the following overall structure:

1. REFRESH – Briefly reviews all of the topics covered in new-hire training and any previous annual courses.
    
2. UPDATE – Introduces any new security trends that we’re seeing, and highlights any problems that have become apparent over the last year.
    
3. TEST – Requires students to do a comprehensive mastery test that includes questions about the topics covered in the new-hire training as well as the new materials in the refresher course.
    

We’re currently in the process of writing the 2011 course, and we’re looking for suggestions for new topics to be included in section 2. To give you some ideas, last year we introduced the following topics in addition to our review of material previously covered:

• poisoned search results
• rogue security software
• security issues with Adobe Acrobat Reader
• the risks of social networks

If you have any ideas about topics that we should introduce or highlight in our 2011 refresher training course, please feel free to post them in the comments section of this post, or send them to me using this form. Thank you, in advance, for your suggestions.

1. Your CFO Might Disagree
2. Classes Clash With Other Duties
3. Training Managers and Executives
4. Web-based Training Without Bookmarks

You and I might think that information security is a fascinating subject and be prepared to read about it for hours, but I can almost guarantee that your CFO will hit the roof if you take all 10,000 of your staff away from their jobs for a full day of security awareness training.

Before presenting your proposal to senior management, take a moment to figure out the financial impact. For example:

Keeping the required time to a minimum is also a strong reason for using web-based rather than classroom training. As I noted in my previous posts on outlining web-based and classroom training, using web-based training can save you a lot of student time by eliminating classroom “tasks” such as seating students, handing out and collecting feedback sheets … For more details, see:

• 6 Easy Steps to Outline Your Web-Based Security Awareness Course
• 4 Easy Steps to Outline Your Security Awareness Class

Time can be just as much a problem in a smaller organization – especially if you’ve decided to carry out the training in the classroom. Quite often, it’s difficult to take critical staff away from their posts for the full duration of a classroom session.

This is another reason for considering web-based training since it can be taken on-demand, and fitted around other duties.

Managers and executives are one of the worst groups for ignoring training, and this is particularly troublesome because they’re quite often the targets for social engineers and phishers.

Keeping training short and highly focused on issues related to the business helps but, right now, this is a problem that I don’t have a good solution for.

I haven’t seen this one for a while, but it’s still worth mentioning. As noted in #2 above, one of the great benefits of web-based training is that you can stop and start a course, and fit it in around your other duties. But this depends on the course supporting ‘bookmarks’.

Develop a web-based training program without bookmarking, and you’re throwing away one of its main benefits.

• Too Expensive – 5 Reasons Why Security Awareness Training Programs Fail – Part 3
• Poor Delivery – 5 Reasons Why Security Awareness Training Programs Fail – Part 2
• The Wrong Content – 5 Reasons Why Security Awareness Training Programs Fail – Part 1
• 5 Reasons Why Security Awareness Training Programs Fail

Initial price is often the thing people focus on most, but it’s seldom what causes a program to fail. I’ve seen quite a few awareness programs fail because they just cost too much to run on an ongoing basis.

Here are just three of the ways that I’ve seen awareness training programs fail because they were too expensive.

1. Classroom Training for Large Numbers of Students
2. Gold-Plated Requirements
3. Failure to Include Admin Costs

A few years ago, I came across a consultant who adamantly insisted that the ONLY way to carry out information security awareness training was in the classroom – no matter what the situation, or size of the client.

I’m sure he was right that classroom training is (usually) much more effective in transferring knowledge from the instructor to the students than web-based courses.

However, for any organization larger than (say) 50 employees, or with high staff turnover, the cost of web-based training will be significantly lower than the cost of classroom sessions – some of the potential savings being the elimination of:

• instructor costs
• paper (course handouts, policy documents, signature sheets)
• room costs/rental
• travel for out-of-office participants

With the cost of web-based awareness training for general staff dropping every day (prices of a few dollars per student per year being possible for larger purchases), classroom training is best kept for special situations and audience groups.

All too often, what starts out as a simple and affordable project becomes unwieldy and expensive as requirement after requirement is added.

• You wanted 6 simple web-based courses to be run on a simple, vendor-hosted, learning management system (LMS) so that you can get your US staff trained.
• Your IT department decided that it should be run on an in-house server, and integrated with several of their administrative tools.
• The HR department added the requirement that the LMS should have a built-in web conferencing tool and an employee competency management system.
• The Training department insists that the courses must be ‘interactive’ with Flash animations, and video clips.
• Your VP for International Operations insists that all overseas offices receive the same training, so you’ll need to translate all of it – including all the Flash animations – into 12 different languages.

By the time all this is over, a project that might have cost $5K is looking more like $500K and just won’t happen.

So, when putting together your requirements, ask yourself (and others) – do you really NEED everything on your wish list?

When putting together the budget for an awareness training program, the things that come to mind most readily are:

• For classroom training: trainers (contractors?); classroom rental; printing of materials
• For web based training: course development costs; licensing of content; learning management system license purchase, or rental

Some of the things that frequently slip under-the-radar are account administration costs – most notably the labor required for adding new students and maintaining student lists, technical support – and the time and effort required to generate reports.

This is often the case when an IT or security department is setting up the program and simply assuming that HR will manage the system once it’s in place. And, all too often, that’s not the way that it plays out!

• Poor Delivery – 5 Reasons Why Security Awareness Training Programs Fail – Part 2
• The Wrong Content – 5 Reasons Why Security Awareness Training Programs Fail – Part 1
• 5 Reasons Why Security Awareness Training Programs Fail

Sophos has posted a warning about one such hoax spreading rapidly on Facebook where users are warning each other about a “Christmas Tree” virus – said to be carried by a rogue Facebook application. Here’s a example of the message that’s being circulated:

WARNING!!!!!! ….. DO NOT USE THE Christmas tree app. on Facebook. Please be advised it will crash your computer. Geek Squad says it’s one of the WORST trojan-viruses there is and it is spreading quickly. Re-post and let your friends know. THANKS PLEASE REPOST!

A little research (perhaps a search on a reputable site like Snopes.com) would quickly show that this is a hoax. But that doesn’t stop the message being widely distributed by worried Facebook users, and, at this point, the hoax is probably spreading faster than reports of genuine Facebook viruses (maybe because it has an easy-to-remember name rather than the obscure names given to viruses by software companies?).

Even if you’ve banned the use of Facebook and other social networks, similar hoaxes and scams are likely to be circulating by email in your organization. And they’re often very disruptive in the business environment if they’re distributed widely, and can also make it more difficult for you to warn users about real threats that they might face.

So, what should you do?

Two Things to Teach Your Staff

#1 – Spotting Hoaxes

First and foremost, you should teach your staff how to recognize a suspect email or message. There are some fairly obvious classes of scams and/or hoaxes such as:

1. humorous hoaxes – amusing messages which can clog the email system, but aren’t generally malicious in intent
2. chain letters – generally only intended to clog up the email system, but some carry malicious messages for those who don’t forward the letters which can cause distress to some users
3. nuisance hoaxes – messages intended to worry or scare users but not much more
4. malicious hoaxes – messages designed to persuade users to carry out actions that could cause damage – typically to their PC
5. scams – emails or other messages sent with the purpose of financial (or other) gain – includes phishing, and spear-phishing messages

If you want some simple examples of email hoaxes and scams to educate your staff, I’ve included some taken from Cosaint’s course on ‘Secure Use of Email” course at the end of this blog post.

#2 – How to Respond

Once you’ve taught your staff about some of the signs to look for, you should teach them what you want them to do next. Do you want them to contact your Help Desk with queries, or should they be encouraged to determine for themselves if an email or message is fake and act accordingly?

If the latter, you should provide some suggestions for resources that will help them do this. I usually recommend Snopes.com but you might have other sources that you prefer – let me know if you have any suggestions, and I’ll add them to the list.

The following materials, extracted from Cosaint’s ‘Secure Use of Email’ course, are being made available to you for use in your own awareness program. Feel free to include them in your email security reminders or newsletters, or use them in staff meetings. If you’d like to see the original course, which covers this topic and much more, please contact Cosaint.

License for Use This work by Cosaint, Inc. is licensed under a Creative Commons Attribution-NonCommercial 3.0 Unported License. Based on a work at blog.cosaint.net.

Sometimes you’ll get an e-mail which warns you about a “virus”. Or it might alert you to a wonderful “free offer”. Most of these hoaxes are designed to scare you and/or to waste the time of everyone who receives them. But there are some malicious hoaxes which try to persuade you to delete a critical file on your computer. So you do need to be careful.

Remember! The only virus warnings you should pay attention to are those sent by the Help Desk and even these should not be forwarded. So, don’t spread hoaxes. If you’re not sure whether a warning is real, ask the Help Desk.

Example 1 – A Humorous Hoax – The Work Virus

This is an example of a humorous hoax. While it’s too obviously false to worry people, we don’t recommend that you forward it to your entire email address book since it only serves to clog up email systems.

Example 2 – Another Humorous Hoax – Bad Times

This is an example of a humorous hoax. There are various versions but all are very obviously fake! We don’t recommend that you forward it to your entire email address book since it only serves to clog up email systems.

Example 3 – A Chain Letter – Irish Friendship Wish

This is a typical chain letter. The only thing that a chain letter does is to clog up email systems so you shouldn’t forward them.

Example 4 – A Nuisance Hoax – Hackingburgh Virus

In May 1997, this email circulated the internet. There are a couple of pointers that this is a hoax. Firstly, the FCC doesn’t issue virus warnings of any kind. Secondly, the supposed virus has characteristics that no known virus exhibits. Since the recommended “advice” doesn’t harm users’ computers, one could classify this as a nuisance hoax.

Example 5 – A Malicious Hoax – SULFNBK

This is a malicious hoax which attempted to persuade readers to delete an operating system file called Sulfnbk.exe – a Microsoft Windows 95/98/Me utility used to restore long file names. Sadly, many people panicked and deleted the files from their computers needlessly, causing considerable work for system administrators.

Example 6 – A Scam – Nigerian (or 419) Scam

This is a form of scam that can be traced back to the 1920′s or earlier and is sometimes known as the “Advance Fee Fraud”. Someone has a large amount of money that needs to be moved and they can only do it with your help. They offer to set you up as a business partner where you set up a legitimate bank account and let them use it to transfer the cash – often millions of dollars. So all you have to do is to send them some money – maybe $10,000 or so to start the process …

These days, the most of the scammers use email and a lot of them – albeit not all – seem to be based in Nigeria hence the name used to describe the scam. You can find out a lot more about this form of scam on Wikipedia.

In this post, we’ll look at how you can employ a very similar process in developing your outline for a web-based security awareness training course.

Before You Start

During the process, you’ll be using an Excel spreadsheet to gather data. You can download the blank spreadsheet from [here], or the example shown below from [here] – about 32kB in each case. This spreadsheet is NOT the same as the one we used for outlining classroom training!

Step 1 – How Much Time Do You Have?

As before, let’s start with a quick and simple question. How long will your students have to take this course? 30 minutes, an hour, two hours, or more?

Note that the time doesn’t have to be available in one, uninterrupted period as long as your course is going to have some form of bookmarking so that students can start, stop and re-start in response to business circumstances.

Enter this value (in minutes) into the spreadsheet in line S1.

Now ask yourself how long an average student will spend on a typical slide (or page), and how long they’re likely to spend on a typical test question. Don’t worry about being precise – you can always change these values later.

Enter these values (in minutes) into the spreadsheet in lines S2 and S3.

Step 2 – Introduction and Instructions

This is a little different to the situation we had when talking about our classroom session. When using (asynchronous) web-based training, we don’t have to worry about allowing time for students to arrive, get seated and settle down. But there are certain tasks that we are going to have to fit into our time budget.

Rather than think in terms of time, let’s think in terms of slides.

• At the start of the course, we’re going to need:
  • a title slide;
  • one (or more) slides that explain the structure of the course;
  • probably one or two more if you have icons and symbols that you use in the course; and
  • perhaps a few more if there are any special features of the course that need to be explained.

     

• At the end of the main course content, we’ll probably have:
  • a slide or two before the end-of-course mastery test; and
  • one or more slides after the test giving the results of the test.

At this time, enter the number of slides – not estimated minutes – allocated for each administrative task into your Excel spreadsheet in lines A1 through A6 like this.

If you read the previous note on outlining a classroom session, you might notice that we’ve only used 5 minutes of student time on administrative tasks in our web-based course compared with about 18 minutes in the classroom setting. This time-saving – small though it might seem – is a useful feature of web-based training.

Step 3 – The Main Topics

Think about the topics that you want to cover. Create a list of at least 6, but no more than 12, topics for each hour of training time that you have. At this time, resist the temptation to add lots of detail – if you have great ideas, write them down on a separate piece of paper. And don’t worry about the opening or closing sections. But – unlike the way that we handled classroom sessions – don’t include any interactive exercises at this time.

Using the same example, as before, my list of “topics” for this course is:

1. Why passwords are important
2. Our password policy
3. Three basic rules
4. Ideas for creating strong passwords
5. Handling passwords safely

Copy these topics into lines T1 through T12. Note that I haven’t attempted to assign slide counts yet.

Step 4 – Interactive Exercises

Now think about any interactive exercises that you plan to include. In this course on password secutiy, we’ll include a simple password strength checker, and an exercise where students have to guess why particular passwords are poor choices. And we’ll take a guess at how long a typical student will spend on each of these interactive exercises.

Enter this data into lines E1 through E4 of your Excel spreadsheet like this.

Step 5 – The Mastery Test

Getting near to the end. Most courses will include an end-of-course mastery test which is used to gauge whether the student has ‘completed’ the course or not. Some courses might also include one or more pop-quizzes within the body of the course. We’re going to include a 10 question mastery test in this course, but no pop-quizzes.

This data is entered into your spreadsheet in lines Q1 through Q4 like this.

Step 6 – Assigning Slides To Your Topics

The final step. Return to the “Main Presentation” section of the spreadsheet and, whilst keeping an eye on the ‘Estimated Time’ and ‘Estimated Slide Count’ at the top of the spreadsheet, assign slide counts to each of the topics that you’d identified. Keep your eye on the ‘Estimated Time’ at the top of the sheet which will be displayed in red if you exceed the maximum time specified in Step 1.

If you’ve identified too much content, you’ll have to either trim the content or adjust some of the other parameters that you’ve used. If you do have to trim content but still believe that it’s important, consider creating a PDF that the students can download at the end of the course.

Eventually, your results may look something like this.

You’ll see that this class fits in comfortably within the time allowed. Our outline is complete.

What’s Next? Writing the Content

The estimates for the time are based on the assumptions in number in lines S2 and S3 of the spreadsheet. These will clearly vary according to how much content you put on each slide and/or how complex the subject matter is. So choose numbers to suit your own content development style.

Now, you can go ahead and create blank slides in PowerPoint to act as a template for the actual writing. This will help you to avoid spending too much time on some topics, and not enough time on other topics.

As for writing the content, you can either write your own, or you can contact Cosaint to talk about licensing our library of security awareness training content.

Here’s the link: http://www.facebook.com/security – share it with friends and family who also use Facebook.

The 90-9-1 principle says that, in broad terms, for every 100 people signed up:

• 90 of them will ‘lurk’ i.e. read posts but not contribute in any meaningful way
• 9 of them will participate from time-to-time – perhaps commenting on a post, or contributing a short post themselves.
• 1 person will be active and will post content regularly.

Clearly, the numbers can be skewed one way or the other by external factors. For example, at a university where I taught a few years ago, posting to the class discussion groups was a required part of the course, and failure to do so would affect the students’ grades. So participation rates were MUCH higher! Nevertheless, the principle does describe pretty accurately most of the situations that I’ve seen online.

So why do I bring this up in a blog about information security awareness? Because, from time-to-time, I meet someone who’s trying to set up an forum for discussing security issues within their organization. My first question is always “How many people will be signed up for the forum?”

To avoid a forum becoming – essentially – a monologue, you’re going to need 3 or 4 active users which means that (realistically) you need to have 300+ users signed up for the forum. If you don’t think you can achieve this number very quickly, it would probably be wisest to spend your energy elsewhere.

Some further reading:

• The 1% Rule – Wikipedia
• Participation Inequality: Encouraging More Users to Contribute – Jakob Nielsen’s Alertbox, October 9, 2006
• Quantitative Analysis of User-Generated Content on the Web – Ochoa, Xavier and Duval, Erik (2008): pp. 19-26. in “Proceedings of the First International Workshop on Understanding Web Evolution (WebEvolve2008)”, 22 Apr 2008, Beijing, China. ISBN 978 085432885 7.