68

(I am not sure if this question fits the security.stackexchange board, but the list of askable topics does not exclude this question imho and there are some examples)

I've worked for several different companies, some of which had outsourced their IT department. This means that the people at the company mostly use technology, but have no deeper understanding of it, especially when it comes to security.

Therefore I was toying with the idea of offering 1 or 2 small workshops / trainings, so they can get at least an idea of WHY computer security is important and WHAT exactly is important. I would like to do this because I think human knowledge should be shared, no matter the recipient, and both sides might learn. My colleagues might understand security better and I might understand their point of view better.

So I sat down and tried to come up with a list of necessary and useful topics, keeping the target audience in mind.

Am I missing topics, should there be other topics? What is necessary to learn when you deal with computer security?

Topics:

  1. Why computer security? (Costs, Ransomware stopping a complete company, ...)
  2. Passwords (What is a good password, how to store, never use same PW on different accounts, ...)
  3. Lock the screen when leaving the workplace (Because...? Did not find good examples of what could happen, also is this a high priority?)
  4. Should I show a hacking example to visualize what it is? For example older phones / tablets are crackable pretty fast with open source software.
  5. Social Engineering (2 colleagues got a call and became victims to the CLSID-Scam, door gliding, USB sticks in the parking lot, ...)
  6. Internet security (NoScript, deactivate Flash / JS, what's phishing, ...)
  7. Backups
  8. Email encryption
  9. Protective measures (keep OS updated, use antivirus software, don't use the admin account as a default, ...)

I don't know which topics should be mandatory and in which order. The training might take 1 or even 2 hours. I would also create some cheat sheets, so they can take away some written information, further reading etc.

16
  • 8
    Relating to 3. you can pull some numbers on how many crimes are done by insiders, and how it would be a life-changing issue if a real security issue was tracked down to an innocent person whose user account did act X while he was fetching coffee. I am sure many would not want to spend prison time for forgetting to hit Windows + L.
    – Simply G.
    Commented Apr 6, 2016 at 11:51
  • 3
    Find a flash drive with a virus in its firmware, then demonstrate it with a test computer. Starting off with a demonstration that "nothing is benign" can easily prime people to think about all the benign things they do...
    – iAdjunct
    Commented Apr 6, 2016 at 13:22
  • 4
    This question is very, very broad. What to cover in a corporate sec awareness program is up to the business objectives of the organization, the technical level of the audience, and the resources available. How to present security awareness is up to all those factors plus a lot of other factors, including culture, demographics, etc.
    – schroeder
    Commented Apr 6, 2016 at 19:12
  • 3
    #3 - A "good" hacker could steal your identity with 90 seconds on your computer. Forward a bunch of sensitive documents from your machine... Copy all your passwords you have stored in your browser... etc.
    – mkingsbu
    Commented Apr 7, 2016 at 1:10
  • 2
    @iAdjunct I was both kidding and suggesting that this may be a more impressive way to teach people that "nothing is benign". Moreover, imagine that your company had an unprotected webserver, managed by an incompetent admin. If someone convinced the admin to insert a USB Slayer into the webserver, wouldn't the result be a complete loss of integrity? I agree that it is a very crude attack, but then even a DoS attack can be considered so.
    – A. Darwin
    Commented Apr 7, 2016 at 13:16

7 Answers

42

I actually did a presentation similar to this a little over a year ago, and spent quite a bit of time deciding how to structure it. My target audience did include developers and other people quite knowledgeable in IT, but also managers and other non-programmers, so I tried to keep it fairly general, and not too technically complicated. As someone else pointed out, I think one important thing is not to come across as boring; you want this to be an enlightening talk that helps people realize that this is something they ought to keep in mind, and not just another list of dreary tasks that will get in the way of actual work.

To this end, I tried to center the whole presentation around the concept of security culture instead of jumping straight into too many technical details. With that in mind, I still managed to touch upon many of the themes you mention in your question.

Some of the stuff I mentioned in my talk

(or would touch upon today if I was to hold another similar talk):

  • Confidentiality, Integrity and Availability (CIA): The central themes of information security, and a few should-be-obvious words about why these are important both to your company, and to individuals (if you can give people a little guidance that will help them stay safer beyond the workplace too, then that is only a plus, right? It might also make some pay more attention to you too - especially if you touch upon the safety of their kids/family too).
  • A few words about the concept of "security culture" ("culture" as in "a set of ideas, habits and social norms, common to a specific group of people", or something like that, and the idea that security awareness should be a conscious part of this).
  • Goals of thinking about security: Reducing the risk of unwanted incidents, preparing to handle them if / when they occur anyway.
  • Keeping cost in mind (or return on investment if you like); thinking about what measures will be easiest to get started with, and which make the most sense. I would include a few words about good habits here; such things as update your systems, use good passwords, and avoid clicking suspicious links, be conscious of physical security (tailgaters!) etc. Perhaps include a few examples from real-world events, including screen shots of news articles about breaches, etc?
  • Throw out a few questions related to what type of vulnerabilities or threats might be relevant to your particular company, and more. Examples: What are the "crown jewels" of our business? What is most important to us, and what may threaten them? How secure are we today, how secure would we like to be, and how can we get there in the future? In what areas would we want to improve our security stance? The point here is not to give people a checklist of things to do, but to get them thinking about the whole realm of security in general, and help take responsibility for parts of it, themselves.
  • Give a few examples of typical security guidelines, and ask your audience if any of them (or similar) should be considered for your workplace.

Oh, and one more thing: Including a few appropriate real world examples of security problems will help keep your audience entertained (but don't overdo it).

I don't know if this is exactly what you were after, but I hope it may be of some use. Good luck with your presentation.

2
  • 2
    Did you include threat modeling in the talk, or is what what you meant with the second to last bullet point?
    – forest
    Commented Apr 7, 2016 at 0:10
  • 1
    @forest Not really, at least not in any detail. I only touched upon it by providing a few off-the-top-of-my-head examples of areas where we might have room for improvement. In essence, my message was as follows: "Security is important. Do we know enough about it, or should we perhaps try to do some proper threat modeling to clarify our own security stance, and consider further steps?".
    – Kjartan
    Commented Apr 7, 2016 at 7:44
16

None of the existing answers mention this, and it's too long for a comment even if it's not a thorough answer.

One thing you will absolutely need to avoid engendering in your audience is nihilism (i.e. I will get hacked no matter what I do). It's quite easy to scare people s@#$less (and temptingly entertaining depending on circumstances). But a big part of selling security culture, as you put it, will be convincing the audience that meaningfully improving security is both a) not overly painful and b) possible.

All too often the attitude I encounter, especially among millennials, is that security is impossible, or if possible then so difficult as to be unworkable. Hell, I know better and still feel that way at times myself.

I recommend that each real world example (whether story or live demo) be presented with some easy steps (preferably 'step' singular) to avoid the same fate.

6
  • 3
    I think this is a very important point I will definitely include! My colleagues who got their accounts hacked were too embarrassed to tell anyone for 2 full days, since "being hacked" might mean that they did something stupid like using a bad password. Had the hacker been smarter or more evil, he could have done a lot more things. When you get attacked, you need to stay calm and try to mitigate the damage as much and as fast as possible, while analysing what happened and closing that security hole.
    – hamena314
    Commented Apr 7, 2016 at 7:17
  • 1
    Exactly. Dispel some FUD. Commented Apr 7, 2016 at 14:02
  • 2
    That said, it may very well be that "security culture" is a net loss. There was a great paper on the topic by Microsoft Research - research.microsoft.com/en-us/um/people/cormac/papers/2009/… You don't want to ignore security, but you want to put much of it outside of the competence of the actual user (e.g. the system admin should maintain proper certificates etc.). I don't want to simplify the paper, but it's basically an issue of risk-reward analysis and opportunity costs, as well as the practicality of much of the security advice.
    – Luaan
    Commented Apr 7, 2016 at 14:18
  • 2
    @Luaan after reading the abstract I'd say that despite the age of this question and number of extant answers you should probably write an answer with data from the paper as a cautionary counterpoint. Commented Apr 7, 2016 at 14:21
  • 1
    @Luaan: The paper was quite interesting ("dancing pigs!") as it had some ideas that others might find controversial. One of the main points is that we train users to ignore overly complicated rules to harden the security, which in turn often has the contrary effect. I think, Jared Smith's advice to write a controversial answer might bring some valuable points to this question!
    – hamena314
    Commented Apr 13, 2016 at 13:24
6

It's so unreal for them
that the only way to have it stick
is by showing them by real life example.

Ask them: Who knows what phishing is?
Ask them: So what kind of information leaked would be problematic?
They say: If document ThisIsImportant.doc with accounting info about customer C would be leaked.
Ask them: Who has access to ThisIsImportant.doc?
They say: Patrick

Then tell them: SO, let's all together send a phishing email to Patrick pretending to be Patrick's boss!

Open Terminal (with green font, important!) in front of their eyes.
LIVE "Hacking"! They Love it!

1) ssh into the mail-server
2) touch mail.txt
3) vim mail.txt

To: [email protected]
Subject: Patrick, I need customer C info.
From: Patrick's Boss<[email protected]>

Dear Patrick,
I'm a little bit in a hassle, as customer C just called.
Please send me ThisIsImportant.doc so I can prepare a response.

Best regards,
Your BOSS!

4) :x!
5) sendmail -vt < mail.txt

Now ask Patrick to open his email and everyone will see an email from Patrick's Boss that you wrote in front of their eyes.

Lesson Learned for them:
They should not blindly follow a Name/Brand/Uniform/etc. and use common sense.

After that you can tell them all the other stuff because now they believe you how real it actually is.

A year later however, they will still tell the story of how you "hacked" Patrick by impersonating his boss.

3
  • 1
    Very good example; I agree this would definitely get across. Wondering, though, why you bother to touch mail.txt before opening it in vim? :)
    – Wildcard
    Commented Apr 8, 2016 at 4:09
  • I'm not a lawyer, but I wouldn't do this without being authorized at least by Patrick's boss.
    – A. Darwin
    Commented Apr 8, 2016 at 20:41
  • @A.Darwin, if Patrick is in the audience, I don't see why it would matter.
    – Wildcard
    Commented Aug 8, 2018 at 2:50
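A receiving-side check for the forged mail in this demo, added here as an example and not part of the answer above: it parses a message the way a gateway rule or mailbox filter would and flags the traces a hand-written From header leaves behind. The company domain, the directory and both sample messages are constructed assumptions.

```python
# Added example: flag mail whose From header impersonates an internal sender.
# The demo shows that the From header is free text which sendmail accepted as
# written, so the receiving side has to compare it with what it actually knows.
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed company domain (constructed)
# Assumed internal directory: lower-cased display name -> the only address it may use.
DIRECTORY = {
    "patrick's boss": "boss@example.com",
    "patrick": "patrick@example.com",
}


def check_from(raw: bytes) -> list[str]:
    """Return reasons the message looks forged; an empty list means no finding."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    reasons = []

    # 1. A known display name on an address the directory does not list for it
    #    (the classic lookalike-domain trick).
    expected = DIRECTORY.get(name.strip().lower())
    if expected and addr != expected:
        reasons.append(f"display name {name!r} used with {addr}, directory says {expected}")

    # 2. Claims our domain, but the bounce address (envelope sender) lives elsewhere.
    _, return_path = parseaddr(str(msg.get("Return-Path", "")))
    rp_domain = return_path.lower().rpartition("@")[2]
    if domain == INTERNAL_DOMAIN and rp_domain and rp_domain != INTERNAL_DOMAIN:
        reasons.append(f"From domain {domain} but Return-Path is {return_path}")

    # 3. Claims our domain, but no authentication result (DKIM/SPF) vouches for it.
    auth = str(msg.get("Authentication-Results", ""))
    if domain == INTERNAL_DOMAIN and "dkim=pass" not in auth and "spf=pass" not in auth:
        reasons.append("From claims internal domain but no dkim=pass/spf=pass result")
    return reasons


# Constructed sample: the demo mail as it arrives when the boss's address was
# typed by hand on a host that signs nothing.
FORGED = b"""Return-Path: <demo@mail-host.test>
To: patrick@example.com
Subject: Patrick, I need customer C info.
From: Patrick's Boss <boss@example.com>

Dear Patrick,
Please send me ThisIsImportant.doc so I can prepare a response.
"""

# Constructed sample: the same request sent by the real boss through the
# company gateway, which signed it and recorded the authentication result.
GENUINE = b"""Return-Path: <boss@example.com>
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass
To: patrick@example.com
Subject: Patrick, I need customer C info.
From: Patrick's Boss <boss@example.com>

Dear Patrick,
Please send me ThisIsImportant.doc so I can prepare a response.
"""

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE)):
        print(label, check_from(raw) or ["no finding"])
```

Run it and the forged sample trips checks 2 and 3 while the genuine one is clean; a lookalike address such as boss@examp1e.test would trip check 1 instead.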
3

On the one hand you say you want to run workshops while on the other, you dive into some quite hard-core topics with people who have limited knowledge of security. While I applaud your efforts, if it were me I would be looking to raise awareness and get people thinking about security rather than just presenting death-by-PowerPoint / something which comes across as another tick-the-box compulsory training compliance exercise.

I'm not suggesting you shouldn't talk about all the things you've listed, but if you spend a day just on these you're going to bore your audience. OTOH if you can win their hearts and minds, then they'll think about security in their everyday work.

Exploring how they might be attacked as private individuals is one way to address this. Another is to get them to plan an attack on an arbitrary target.

4
  • Which topics would you consider hard-core? And yes, not becoming boring might be one of the biggest challenges there.
    – hamena314
    Commented Apr 6, 2016 at 14:09
  • @hamena1234 I think #4 could be considered hard-core by a non-technical audience.
    – A. Darwin
    Commented Apr 6, 2016 at 18:35
    @A.Darwin: Hm, I thought of it more as a demonstration: "I will start this tool ... and 20 seconds later I have access to your device." The recent iOS bug, which gave people access to the pictures on the phone by simply using Siri and NO password, might be such a demonstration. I do not want to show the people how to program a buffer overflow or any such detail.
    – hamena314
    Commented Apr 7, 2016 at 7:19
  • 1
    @hamena314 I wasn't thinking about buffer overflows, at all (that would be an overkill). I personally think that explaining how a tool works could be more satisfying than simply showing what the tool can do (which at times may look like black magic), and if this is the case, there are some attacks which require some technical knowledge. However, if you think your audience can be satisfied by explaining that certain attacks exist and by showing a brief demonstration, you should go for it. You could try, for example, by showing a phishing attack.
    – A. Darwin
    Commented Apr 7, 2016 at 7:50
2

Show them a Password Manager like LastPass or KeePass.

Almost everyone I know has a TON of user IDs and passwords. To help remember them they do things like use all the same passwords, write them down on sticky notes, or store them in unencrypted text documents.

Instead show them how to use a password manager. I showed a few of my non-IT friends how to use LastPass. Now they use a very strong passphrase to get into the password manager and let it manage all their logins. They love it!

3
  • 1
    I'm pretty sure this question is about professional security training, not about teaching your friends how to be a bit more secure from some dude logging into your email and stealing your nudes.
    – forest
    Commented Apr 7, 2016 at 0:08
  • 9
    If one of the topics is "What is a good password, how to store, never use same PW on different accounts", then the audience is clearly on a level where explaining password managers makes sense. Commented Apr 7, 2016 at 6:39
  • My company's IT security team actually provides a password manager and online training for it for use in our enterprise environment. It's a small part of their overall security plan apparently. Commented Apr 7, 2016 at 19:52
2

Generally speaking, the more security measures you can abstract away from the user - the better!

For example:

  • File storage should, if available, be done on a centralized server. Assuming you have resources with sufficient competence to set this up correctly, it is easier to maintain company-wide backups done by trained people than teaching each employee how to do private backups (and getting them to remember to do it!)

  • If your environment supports it, use Windows Domain / Active Directory management policies where applicable (for example to introduce screen timeouts with password-only unlocking, or enforcing password length/character content as well as periodic password changes).

Comments to your suggestions:

1. Keep it simple - computer security = protecting your firm's assets. Information is power and information may even be money in a more direct sense (trade secrets, etc). Your specific argument will depend on what kind of work your company does and what/how you store it, but the essence should always be that unauthorized access to a computer system can do great damage to your company, either by destruction or theft (or both).

2. Definitely do this, but as mentioned earlier, use technical tools to enforce as many rules as possible to lessen the responsibility on the end-user.

3. Absolutely! It's not a very common attack vector, but it's one of the easiest "fixes". Therefore, it should be implemented immediately. Put up reminders near the workstations or at the exits.

4. Avoid this unless you can find specific examples that your employees can directly relate to (because you use the same hardware/software, or something similar). If you go this route, KISS - don't get lost in technical jargon. Use general concepts and non-technical terms as much as you can. Spend less time on explaining the problem and more time on describing the correct behavior for the user.

5. This can easily be among the most dangerous attack vectors and simultaneously the one that is hardest to teach your employees how to guard against. Save it for last - you want your employees to embrace the "security-minded culture" before you delve into this particular topic. The more they already know and think about safe procedures and the importance of ensuring authorization and correct protocols, the easier it will be to understand how a third-party can try to sneak past these barriers.

6. Definitely - use group policies to block Flash, Active-X, or enforce NoScript, etc., if at all possible! Again, the more of these mitigations you can add without the user having to do or manage anything, the better.

9. Again, if you can do this centralized, it would be all the better. Judging by your question, it sounds as if this may not be the case for your company?

As for the order - I would recommend the same order as the problems might arise in. That is to say:

user login (passwords, lockscreen) 
  --> program startup (viruses, backups) 
    --> program use (phishing, social engineering, "bad" downloads/attachments).
2
  • Very interesting ideas, I especially like point number 9 ... I could even start a step earlier: Leaving the car in the parking lot (don't pick up suspicious USB sticks), entering the building (don't let people tailgate you) etc. Seems like my "colleague Bob" will have a work day full of hacking attacks and we will watch him recognize and defend against them! (Having some sort of avatar experiencing those events might help people to get another point of view)
    – hamena314
    Commented Apr 7, 2016 at 11:59
  • 1
    If you think it is a real threat, you can start as early as when the employee wakes up in the morning! Any caller or email arriving to the employee's personal phone/inbox/doorstep asking about work-related things, even inconspicuous ones, should be redirected to the relevant Chief, etc.
    – Vegard
    Commented Apr 7, 2016 at 12:06
1

I think Kjartan's answer is spot on, but in more general terms of security awareness training there are just a few main components:

  1. What are you protecting? Information, data, and knowledge - the drivers of every aspect of your business.
  2. Why does it need to be protected? CIA + non-repudiation. I think it's important to explain why it's important that users not share credentials.
  3. How users can help you protect it. Simply a few basic rules about not clicking links, giving out information, picking up flash drives and plugging them in - the basic stuff.
  4. Examples of incidents that happened and the associated cost in monetary and reputational damage.

If you need to go further than that, it's a great idea to explain what policies & procedures are and why they should be followed. Put it into simple terms for non-IT and non-business driven individuals. And then put it into business terms for the higher tier of employees and how what has been agreed upon has been deemed the correct level of security and business operations (e.g. Why these things exist besides just being an obstacle that they need to overcome to simply do their job). I think that's the key that regular users struggle with - "just let me do my job!"
