Case Study: a bold new approach to awareness and education, and how it met an ignoble fate

Of course, this story is both a case study and a cautionary tale. Indeed, if you follow this recipe you will soon find out if your executive team is really serious about changing the corporate culture and making security an integral workforce value. Their reaction may surprise and disturb you.

The mission, the medium, the message

The mission, as described to the security professional recruited to undertake it, was to “change corporate culture.” The existing corporate culture was one that allowed laxness in all aspects of security (i.e. physical, personnel and cyber).

The medium was the establishment of a global security team to provide a range of services (policies and standards, security assessments, operational support, awareness and education, etc.) for a confederation of organizations operating in over 100 countries, with a collective workforce of over 100,000 people. In many ways, this environment was even more challenging than that of a multi-national corporation. On one hand, the confederation shared a global brand, a global client base, and a global body of methodologies and traditions. On the other hand, they were determined not to share liability.

The message that this global entity wanted to convey to clients and government regulators throughout the world, and to its own workforce, was that it took security seriously.

Meaningful content and persuasive delivery

The best military professionals understand that Psychological Operations (PSYOP), i.e., winning hearts and minds, is an essential element of Information Operations (IO) in any successful endeavor, whether a war or a peace-keeping mission. Likewise, the developer of the program examined in this case study understood that awareness and education needed to be incorporated into a comprehensive IO effort in order to change the global entity’s deeply entrenched corporate culture, which was hostile to security and lacking in command structure.

Within the global security team, the intelligence function, the communications function and the awareness and education function were aggregated into a single unit.

The concept was revolutionary. The intention was to escalate awareness and education into something much more than emblazoning reminders about password security, software piracy, email etiquette, computer viruses and so on, on coffee mugs, key chains and wall posters. The intention was to infuse awareness and education efforts with real-world, real-time intelligence, and produce a campaign that was timely, engaging and compelling to the workforce.

The new unit’s objectives reflected this bold and sweeping vision:

• To analyze intelligence and conduct research relevant to cyber security in general and the cyber security of Entity X in particular.

• To heighten the level of security awareness, inculcate core security values and increase security competency at all levels throughout Entity X.

• To enable and enhance global security team communications on strategic initiatives and activities, and ensure that they are of the highest caliber.

• To enrich the cyber security culture of Entity X through participating in and contributing to industry and government initiatives and activities.

Computer Fraud & Security, May 2006

WAR & PEACE IN CYBERSPACE

Richard Power and Dario Forte

Below is a case study on the launch of a powerful, unique and comprehensive awareness and education program for a global entity, which we will refer to as Entity X. In the course of the case study, we will articulate the essential components of an effective and economical program, and explore some of the critical issues involved in developing it, rolling it out and institutionalizing it.

Figure 1: Awareness and Education Hierarchy under the CSO. The chart shows the Chief Security Officer at the top; the Intelligence Officer (designed program, championed it to executives) reporting to the CSO; and the Communications Officer (rolled out program) reporting to the Intelligence Officer.


The Intelligence Officer (in this instance, someone with extensive writing and speaking skills) reported directly to the Chief Security Officer (CSO). The team’s Communications Officer reported to the Intelligence Officer. See Figure 1. The Intelligence Officer and the Communications Officer shared responsibility for the Awareness and Education function. The Intelligence Officer designed the program, based on concepts of 21st Century Influence Warfare, generated its content, based on open source intelligence, best practices, etc., provided the strategic vision and championed the program at the executive level. The Communications Officer took the program to market, i.e. rolled it out, socialized it, spread its reach and administered it, on an ongoing basis, within the global entity at a managerial level.

Investment and empowerment

Just as the developer of Entity X’s GSI program started with a bold, innovative organizational approach (i.e., integrating intelligence, communications and awareness/education into a single unit), this adventurer also started out with a bold, innovative motivational approach:

• Instead of talking down to the workforce, show them how they are invested in security for better or worse – both in their personal and professional lives.

• Instead of playing to their fears (of either the bogey man or getting fired), engage, initiate and empower them.

• Instead of just citing dry policies and standards in the workplace, provide them with common-sense advice on best practices for security in aspects of their personal lives (i.e. child safety online, identity theft, personal firewalls, emergency preparedness in the home, travel security for vacations, etc.).

Following these principles, the developer believed, Entity X could demonstrate how many security controls required in the workplace (e.g., strong passwords, secure laptops, regular backups) carry through to the home environment, and thereby heighten attentiveness and strengthen adherence to them in both realms. In the same way, the developer of this program believed, Entity X could establish trust with its workforce, and get them to view security as an integral value essential to living and working well in the 21st Century.

Three phase approach

Achieving the stated GSI objectives, e.g., “to heighten the level of security awareness, inculcate core security values and increase security competency at all levels,” in a labyrinthine and large-scale global environment with a corporate culture that was both many decades old and passively hostile to security demanded a phased approach to introduction and implementation.

The program’s developer designed a three-phase plan.

Phase I: engage everyone economically and effectively

Phase I focused on the roll out of a five-point initiative to reach the entire workforce with cyber security fundamentals:

• Create a task force composed of participants from IT, Human Resources, Risk and other stakeholders representing both global and local organizations within Entity X. However, regardless of this case history, we do actually suggest you involve the legal department as well. Almost all of the projects the authors have worked on during the last three years gave us such feedback.

• Launch a bi-monthly electronic newsletter to be both delivered to every user’s inbox and posted on intranet portals. Regarding this topic, there are several organizations which deliver a monthly (or even a bi-weekly) newsletter. However, in this case there is the risk of getting a bad response in terms of impact (too many newsletters = lack of interest).

• Incorporate a 45-minute PowerPoint presentation on the security responsibilities of Entity X’s workforce into the two-day new hire orientation process.

• Establish a globally and annually observed Security Day within Entity X to bring the workforce together for edification and entertainment.

• Deliver a 45-minute e-learning module on the fundamentals of security to be used both for all new hires and for incentive and remedial training of those already assimilated into the workforce. In some countries, this is mandatory by law. In Italy, for example, each employee must follow annual training oriented to privacy and data security.

By the end of Phase I implementation, Entity X’s global security team could reach the entire workforce in four distinct ways:

• As they come into Entity X via new hire orientation.

• On a bi-monthly basis via e-mail and the intranet.

• Annually through on-site and virtual Security Day events.

• And additionally, at least once more, through the use of the e-learning module as an orientation or remedial training resource.

The theme of the electronic newsletter was “practical tips for computing both at work and at home,” and, delivered via email and the intranet, it cost nothing to produce or distribute.

The newsletter’s content included:

• Password security.

• Child safety online.

• Laptop security.

• Identity theft.

• E-mail security.

• Home PC security.

• Social engineering.

• Virus/worm defenses.

• Internet usage.

• Telecom security.

• Back-up & recovery.

• Economic espionage.

• Physical security (office and home).

• Business travel security.

• Emergency preparedness (office and home).

The e-learning module covered the fundamentals of cyber security for the end-user, and was organized into seven subject areas:

• Creating strong passwords.

• User-oriented anti-virus measures.

• Physical security (including laptop security).

• Appropriate Internet and email usage.

• Software piracy.

• Backing up your files.

• Counter-espionage: How to thwart social engineering.

Each subject area included two important security controls for the user to exercise, and three test questions (both multiple choice and true or false). The electronic newsletter and the e-learning modules were also translated into over 20 languages.

The 45-minute PowerPoint presentation for new hire orientation was an electronic file, provided as a template, so that local organizations within Entity X could adapt it and expand it as needed. It included suggested comments on the Notes pages for each slide to help those whose primary task was not IT security deliver the presentation effectively. Its theme was “Your Role in Entity X’s Security.” The presentation referenced excerpts from relevant policies and standards, included a simple but powerful checklist, and provided hyperlinks to the global security team’s on-line awareness and education resources.

Delivered by the Intelligence Officer, the on-site Security Day briefing could be tailored to one-hour or two-hour sessions, and its content could be calibrated for different audiences (e.g., technical or non-technical, executive or administrative). It was global, not US-centric, and provided an overview of major security concerns in work and life, a summary of Entity X’s “Global Security Strategy,” and a practical checklist for security in both the audience’s personal and professional lives.

Phase II: A rising tide lifts all the boats

Phase II featured regional, two-day technical security training seminars for IT professionals. The model devised made it possible for organizations within Entity X to provide their IT professionals with expert-level instruction that would otherwise be cost-prohibitive. World-class instructors were contracted using the global security team’s GSI budget, and participating local organizations only had to cover the travel and lodging expenses of the small number of IT professionals within their own groups designated to receive the technical training.

Because the two-day seminars were organized on a regional basis, even the travel and lodging expenses were somewhat more modest than they might otherwise have been for the organizations or the individuals themselves.

The curriculum of the technical IT security training centered on a range of areas selected to provide an immediate boost in core competencies throughout the pool of Entity X’s IT professionals, including:

• Windows & Internet attacks and countermeasures.

• How to do security assessments.

• Global intrusion detection framework.

• Global incident response.

• Preparation for both the Certified Information Systems Security Professional (CISSP) and Certified Information Security Manager (CISM) exams.

There was another benefit to Entity X as a whole, an invaluable although intangible one. At each of the seminars, participants from different countries, with different backgrounds and different areas of expertise, studied, broke bread and clinked glasses together for three days – talking shop, sharing frustrations, trading scuttlebutt and bonding deeply in ways that cannot be measured, but that prove priceless at moments of peril. Such training also sends a very important message to each of the participants – you are valuable to us, and we are investing in you.

Another element of Phase II was to expand the program, and leverage the resources created in Phase I, to incorporate general security awareness and education (i.e., Physical Security, Personnel Security & Crisis Management). The objective: leverage existing AWED resources to deliver general security awareness and education to all Entity X’s people globally.

So, for example, the electronic newsletter and the PowerPoint presentation for new hire orientation began to provide information on emergency preparedness and security guidelines for travel to high-risk destinations, as well as on cyber security. On-site Security Day briefings included updates on terrorism, global warming and bird flu, as well as on hacking, financial fraud and laptop theft. And a complementary e-learning module, dealing with physical and personnel security issues, was developed.

Lifting the blindfold on users’ awareness could make IT security second nature.

Phase III: deliver vital intelligence and early warning to the executives

Phase III brought the capstone to the pyramidal program: bi-weekly security briefings for the top echelons of Entity X executives.

The program’s developer, who was, as we mentioned earlier, primarily hired as an intelligence officer, designed a briefing format based on a few simple rules:

• No executive wants to read a lengthy report, or even one of only a few pages. No executive wants to hear about a problem without being told what is being done about it.

• Every briefing must include five sections: one on each of Entity X’s three geographical regions (i.e., Europe, Middle East and Africa; Asia Pacific; and Latin America), plus one on an overriding global issue, and one on an issue from cyberspace.

• Each briefing must be contained on a single eight-and-one-half-inch by eleven-inch page, with no more than one or two paragraphs for risks and threats in each section, and including at least one or two bulleted items outlining mitigation efforts being undertaken to address them.

• Distribution of the briefings must be tightly controlled by the CSO, and limited only to the handful of executives designated to receive it, and those on the global security team required to prepare it.

Other elements of Phase III were intended to roll out methods for measuring the effectiveness of the awareness and education program, and for incorporating security knowledge and compliance into performance criteria.

But something happened along the way…

Don’t be surprised if…

In an internal survey of IT directors and managers in both the global and local entities taken a year after the establishment of the global security team, more than 80% reported that the global security team had strengthened Entity X’s overall security posture. The results also indicated increased reliance on the global security team in general (over sixty wanted its help in conducting annual security reviews) and on the awareness and education program in particular (70% of those who had not already adopted it planned to within the next year).

Attendee evaluations for regional technical cyber security training held in Europe and Asia also highlighted the effectiveness of the program:

• More than 65% of Asian attendees and over 70% of European attendees reported that class objectives were relevant to their needs.

• More than 70% of both Asian and European attendees reported gaining new knowledge and skills.

• More than 60% of Asian attendees and almost 60% of European attendees reported that the training would help them do their job better and more effectively.

Local entities participating in on-site Security Day briefings on “Security Challenges in Your Personal and Professional Life” grew from three international cities in the first year to eight international cities the next year to a projected 20 international cities in the third year.

Grateful readers of the electronic newsletter, from all over the world, emailed the global security team with personal queries, concerns and suggestions.

The program outlined in this case study is a model that can be applied effectively and economically in many environments. If you have a workforce of over 100,000, you can provide it for less than two US dollars per person per year.

So how does the case study end? Well, sadly, in ignominy.

Once the security professional tasked to change this old and intractable corporate culture had actually gained traction, and was succeeding in raising the level of awareness and deepening core competencies throughout Entity X’s global environment, the executive leadership did a very strange thing. It indirectly let it be known that it didn’t want to know as much as it was learning about its own environment, and the risks and threats inherent in it, and that it really didn’t want its workforce to know that much either. Not only the awareness and education program but the whole global security team became a shadow of itself, and its mandate shriveled up and blew away.

Others could have stayed on to clock the hours, on a faux or enfeebled mission, just to collect that excellent paycheck every two weeks. But not the particular security professional whose vision we have outlined here; he had to walk. He sleeps better at night, and has had a bitter lesson.

Do you find it so remarkable that the executive mandate can be so fickle or so thin-skinned? There are many security professionals who will see a bit of their own story in this cautionary tale.

What’s the moral of the story?

When they bring you in and tell you they want you to “change corporate culture,” do not take them at their word. Progress incrementally. Do not get too far ahead of your overlords, and keep an eye on the General Counsel. If he is small-minded, he may convince them their greatest liability is in knowing, rather than in not knowing.

About the authors:

Richard Power (www.wordsofpower.net) is an internationally recognized authority on cyber crime, terrorism, espionage, and related subjects. He speaks and consults worldwide. Power created the CSI/FBI Survey and his book Tangled Web is considered a must-read.

Dario Forte (www.dflabs.com) is one of the world’s leading experts on Incident Management and Digital Forensics. A former Police Officer, he was a keynote speaker at the Black Hat briefings and a lecturer at many worldwide recognized conferences. He is also Professor at Milan University at Crema.
