
Re: RE: Seeking user training techniques

Subject: Re: RE: Seeking user training techniques
Date: Tue, 27 Sep 2005 19:10:01 +0200

I'd also add in an exercise in showing the consequences of not keeping
something secure. If you aim it at your audience you can do things
like:

To sales - Ask them what would happen if someone handed their
competitors a customer list and the sales made to those customers over
the last few years.

To HR - Ask them what would happen if the personal records of all
employees were handed over to a third party.

To administration - What would happen if the payroll information became
public knowledge?

Then follow that through with showing them how, if you ignore
information security concerns, you could be effectively doing the same
thing.

Al Sutton
Argosy TelCrest
http://www.secure-me.info/

Jose Varghese <jose.varghese@paladion.net> wrote on 27.09.2005,
06:29:35:

Try and make the learning environment as close as possible to the user's own desktop
** Use screenshots and examples from tools and software that the user
actually uses

Try to make the session participative
** Ask users to write down a complex password and discuss the
positives/negatives rather than just having a few slides on how to create a
complex password

Involve top management 
** Have the Head of IT speak for the first 5 minutes before you start the
session.

Get a comments/feedback form completed before and after the training
** Pre-session - Encourage thinking on security by asking questions like
"What are the top 3 security risks facing our organization?" Post-session -
"What are the 3 things you learned today?"



Jose Varghese
Paladion Networks | Mumbai | India
Ph: +91 22 5591 0513 (Ext: 26) | Fax: +91 22 5591 3580, 
Mobile: +91 98201 99818| 
Application Security Intelligence : http://palisade.paladion.net

-----Original Message-----
From: Pranav Lal [mailto:pranav.lal@gmail.com] 
Sent: Saturday, September 24, 2005 9:40 PM
To: security-management@securityfocus.com
Subject: Seeking user training techniques

Hi all,

I need to give end user training on information security. I usually have a
PowerPoint presentation with text, some posters, a few cartoons if
applicable etc. I show the occasional movie. Also, I make the audience
participate by asking questions and keeping the session interactive. The
users like it but many a time once they are out of the classroom they tend
to slip back into some of their bad old ways.

I have been thinking about including some games or simulation exercises in
the training to reinforce the material that has been taught. Does anyone
have any ideas on what I could include? Are there any resources that I could
look up in this regard? I would like the entire class to participate.
Note:
I realize that management has to enforce security policies and that training
alone cannot lead to a behavior change. I am trying to increase the
effectiveness of my training.

Pranav
