This post is the seventh in a series of what I consider the top ten topics for any security awareness program. Selecting the right topics with greatest value for your organization is key to a successful program. This series is not designed to tell you what your awareness program must have, instead these posts are designed to give you recommendations, a place to start. For the seventh topic I like to focus on encryption. Now this may sound a bit odd for an awareness topic since encryption can be technical, but there is a reason to the madness. We in the security community are always telling people to encrypt their information to protect it. The problem is many end users do not understand what encryption is, as such they may use it incorrectly. The second problem is they may not understand encryption's limitations. The classic example is encrypted websites. End users may think that since a webpage has the lock on it, and the connection is encrypted, then the website must be secure. As we know the website is not secure, only the data traveling between those two points. With that said, here are some of the key learning objectives I feel are important. The first is to simply demonstrate what encryption does, for many it may appear to be black magic. One of my favorite lessons is to simply show a cleartext document, perhaps some text from "Alice In Wonderland" and explain how anyone can access and read that document. Then show that same text but encrypted, or ciphertext. Then explain that no one can read it unless they have the key. Explain what a key is (something you are, something you know, or something you have). Provide examples of what can be encrypted, such as your laptop, communications or a USB stick. Just as important is NOT what you cover. As we have mentioned repeatedly, you have limited time in your program, focus on topics with maximum ROI. Something that has little ROI is discussing SSL certificates. What is the value in spending five minutes explaining to end users how SSL certificates work? Very few people fully understand them (I've been at this for fifteen years and still get confused). Also, how often do criminals used fake or compromised SSL certificates? Sure it happens, but the attacks are rare, we have far more low hanging fruit to deal with. Another topic NOT to cover is the different types of encryptions such as symmetric versus asymmetric. For the end user, they could care less and rightfully so. These are technical issues only security professionals should be worried about, not the end user. PREVIOUS POSTS IN TOP TEN TOPCIS SERIES #1 - You Are The Target #2 - Social Engineering #3 - Email and IM #4 - Social Networking #5 - Browsers #6 - Passwords
