Gavin's Security Awareness Standard (gSAS)

Learn the diligent steps to reasonably and responsibly educate users on good computer security practices.


Overview

This guide is split into nine (9) simple sections and assumes the following:

  • You are educating people who use computer systems in a corporate environment and will apply this standard in principle.
  • You plan to customise training to suit your target groups, and motivate them to appreciate why security awareness is important.
  • You are applying security awareness training as a continuous process and working in the best interest of the business.
  • You are thinking critically and implementing specific solutions that are reputable, affordable, effective, and fit well with the target business’ operations.
  • You are solution focused, dislike procrastination and bureaucracy and aim to get things done.

1. Define, Motivate, Classify

1.1 Define and motivate - Define in simple terms what security awareness is and why it is important. Educate users about the core psychological levers and emotions that social engineers often abuse to deceive them. Repeat training periodically to reinforce good habits across all staff. At a minimum, training must cover how each of the following is abused:

  • Trust
  • Fear
  • Urgency
  • Flattery
  • Sympathy
  • Guilt
  • Intimidation
  • Scarcity
  • Belonging
  • Commitment
  • Reciprocity

1.2 Classify – Train users to understand which types of data are confidential and which are not, with whom each may be shared, and whether they themselves are permitted to share it.

2. Responsible Access

2.1 System access

2.1.1 Discourage unauthorised access – Train users to only access computer systems for which they have permission. Highlight that unauthorised access can get them in legal trouble.

2.1.2 Discourage sharing access – Train users never to give their access to anyone else and never to use a computer system or session that someone else has logged into.

2.2 Password Privacy

2.2.1 Encourage strong passwords - Train users to use long, unique passwords or pass-phrases for every one of their accounts.

2.2.2 Encourage password managers – Encourage users who struggle to remember strong passwords to adopt a reputable password manager to help them create and manage passwords that are long, complex and hard to guess.

2.2.3 Discourage writing down access details – Discourage users from writing down their access details for any system.

2.2.4 Encourage environmental awareness – Train users to look out for people nearby who may be trying to follow them into restricted areas (tailgating) or to watch their access details as they are entered (shoulder surfing). Also train them to question strangers found in private working areas.

3. Responsible Scepticism

3.1 Scrutinise Conversations

3.1.1 Encourage scrutinising email senders – Train users how to identify suspicious emails by scrutinising the sender, the body of the message and any attachments.

3.1.2 Discourage following unknown links - Users must be discouraged from following untrusted/unknown links in emails.

3.1.3 Discourage responding – Users must be discouraged from responding to emails they believe are suspicious.

3.1.4 Scrutinise Calls – Users should be encouraged to scrutinise calls that try to extract information from them such as requesting details about technology in the business or personal details of anyone.

3.1.5 Scrutinise Instant Messaging – Users should be discouraged from responding to requests to share business or personal data through personal instant messaging channels.

3.1.6 Discourage content from unknown sources – Train users to avoid clicking on links or opening attachments from untrusted sources.

4. Responsible Browsing

4.1 Scrutinise websites

4.1.1 Spot scam websites – Train users to identify potentially deceitful websites that disguise themselves as reputable ones.

4.1.2 Discourage visiting shady websites – Train users to avoid websites that make unusually generous free offers or that generate a lot of pop-ups and alerts.

4.1.3 Encourage HTTPS when logging in – Train users to identify HTTPS websites and never to log into a website that does not show HTTPS before the website address in the address bar.

4.2 Scrutinise links

4.2.1 Discourage questionnaires and surveys – Train users to avoid participating in online questionnaires and surveys asking for personal information.

5. Responsible Media

5.1 Scrutinise Social Media

5.1.1 Discourage trusting online strangers - Train users to be highly sceptical of people they meet online and to avoid sharing confidential information with them.

5.1.2 Encourage independent verification - Train users how to independently verify different sources requesting confidential information or action from them.

5.1.3 Discourage fake news - Train users to avoid sharing controversial news from unknown/untrusted sources.

5.1.4 Encourage responsible posting – Train users to assess their social media posts before making them public and to avoid sharing sensitive content such as nude photos, embarrassing details or confidential data.

6. Responsible Device Management

6.1 Encourage encryption - Educate users on how encryption works and how to use it on their devices to protect confidential data they are storing, sending or receiving.

6.2 Encourage anti-malware software – Train users how to use anti-malware software to scan for threats.

6.3 Encourage locking - Train users never to leave their workstations both unlocked and unattended. Encourage them to lock their devices manually when not in use, and show them how auto-locking functions can help.

6.4 Encourage secure disposal - Train users how to dispose of data safely.

6.5 Encourage software updates - Train users how to support the software update process and allow patches to install properly.

7. Responsible Reporting

7.1 Encourage reporting - Train users to promptly report internal security concerns to the appropriate team, even if the issue was triggered by them.

8. Responsible Lifestyles

8.1 Encourage family inclusion - Train users on how they can encourage their relatives to practise good security.

8.2 Discourage unauthorised systems – Train staff on the dangers of using unauthorised systems to transact work-related affairs.

8.3 Encourage news monitoring - Train users to stay up to date with cyber security news by following a credible, relevant blog.

8.4 Encourage minimalism - Train users to declutter their systems regularly and to organise and store important data in the designated areas.

9. Periodic Testing

9.1 Test frequently – Periodically launch simulated targeted attacks that test the security awareness training previously provided.

9.2 Measure user awareness - Run simulations that challenge users' security awareness against the attacks they were previously educated on.

This standard aligns with our FREE Security Awareness tips provided at Awareness.GavinDennis.com. Check them out!

Share the link to this standard with the management in your company to help them with their due diligence responsibilities.