Breakout Session 2: Awareness and Training

1. Breakout Session 2:Awareness and Training

2. B2: Awareness and Education • Identification of constituencies • Identification of challenge • Inventory of existing programs and products • Identification of gaps • Identification of gap-fillers • Recommendations

3. Methodology • Enumerate and discuss constituencies • Association, contribution, state of affairs, challenges • For each constituency • Awareness vs Training • Identify needs • Problem areas, repeat issues • Identify and discuss solutions • Existing programs • Programs ideas

4. Constituencies • Researchers • Scientists • Research Faculty • Research Assistants • Graduate students • Undergraduates • Institutional Review Boards/Human Subjects Committees • Visitors / affiliates • Faculty • Librarians • Students (resident versus non-resident) • Undergraduate • Graduate • Teaching Assistants

5. Constituencies (cont) • Administrators • Senior executives, CIO -- decision makers • Policy/compliance officers • Staff, employees, email users, basic users • Power users (tinkers, meddlers) • Data custodians • Auditors • Archivists • Human resources • Student affairs • Technicians • Security Professionals • System administrators • Database administrators • Network administrators • Web administrators • Helpdesk/support staff • Programmers (Coding)

6. Constituencies (cont) • Guests/Visitors/Transients • Collaborators • Onsite • Visiting • Members of existing community • Remote push/pull • Local • Regional • National • International • Private service partners • Contractors • Vendors • Consultants • Law enforcement • Internal • External • University services • Outreach • Alumni

7. Opportunities for Training • EDUCAUSE/Internet2 TF Security Education/Awareness Working Group • CIOs / some IT Professionals • National CyberSecurity Alliance • General Student Body • CEIAE (60+) – variety of programs (e.g., NIATEC @ Idaho State) • Curriculum development • Self-paced training for IT Professionals • Self-paced training for Researchers? • CISSE • Faculty Bootcamp • SANS (SANS EDU) • Technicians • Certifications • Usenix • Graduate Students • Computer Science Faculty

8. Opportunities for Training (cont) • IEEE • Graduate Students • Engineering Faculty • ACM / SIGSAC– online digital reference, journal • Computer Science Faculty • Students • Vendor • Certifications for IT staff • Free training for faculty • Open Courseware Initiative (give and take) • Source for Curriculum • Government online training (NIH, NSF, NOAA, etc.) • NSF Annual Security Awareness Training • Administrative staff • NSTISSC • Curriculum Standards • Etc (ISACA, ISSA, ACSE, …)

9. Challenges • Reaching users, particularly researchers and scientists. • Independent, focused on their sciences • Increasingly untethered science • Fear barriers to goals • Conflicting / varying requirements between external funding bodies and local facilities and classified research sponsors • Lack of understanding / perception of broad impact of security events / benefits of security • On the one hand they are paranoid about integrity of research but on the other they decry the inconvenience of security measures • Incorporating security awareness into the culture • Limited access to trained IT support

10. Fundamental Recommendations • Ensure that applicable aspects of security are considered at the institutional level – IRBs, job descriptions, orientation sessions, compliance training, etc. • Find and engage external organizations (higher education Presidential associations, professional organizations, academies, accreditation boards, NSF) that have the respect of and influence over these constituencies. • Promote and leverage existing opportunities. • Encourage NSF to be more aggressive in providing security awareness assistance (e.g., Guidelines for IT Security of NSF’s Large Facilities). • Encourage institutions to include technology support (IT Security) in grant proposals, especially graduate students (future researchers).