Joining the Security Month:
All research and development organizations
interested in spreading a culture of information security among internet
end users are invited to join the Security Month.
Why should my organization participate?
Joining the Security Month brings several benefits to your organization,
including:
- Increase attendees' awareness of information security issues
- Amplify the perception of the risks and vulnerabilities we are
exposed to on a daily basis
- Disseminate relevant information about information security
- Dispel some myths on information security concepts
What are the practical advantages of joining the Security Month?
- Stimulate good practices within your corporate environment and/or
external audience, preventing material or intangible losses in
your organization
- Associate your organizational image with a large international
security campaign
- Be part of a network of organizations all over Brazil and Latin
America promoting good practices on information security
- Implement campaigns and security policies within your organization,
or start an organizational change in this direction
- Learn about the culture of information security and activities of
other organizations, and start partnerships
Why must my institution enroll in the Security Month?
All organizations registering in the Security Month through the website
will have their planned activities announced on a map showing additional
progress reports. Organizations may register until October 30th, 2016
through the website. However, we ask you to register your organization
as soon as possible, to allow more time for your planned activities to be
announced on the website.
Planning the activities:
The activities may be performed throughout the
whole month of October. The scope of each activity depends
essentially on its objective and the organizational resources available.
Several activities may be performed during the Security Month. It's
important to say that each organization should define an initial schedule
and evaluate the actual availability of resources: human resources, time and
place.
How could my organization participate?
There are several activities that your organization may perform and
report to the website during the Security Month. Following are some
examples:
- Café Philosophique talks
- Whole afternoon talks
- A single talk
- Movies
- Internal talks to increase security awareness
- Webcasting of other events in the facilities of the organization
- Chat with security experts
- Interactive simulations
- Presentations of novel security schemes, new security standards or
security policies
- Information security quiz
- Awareness activities with students
- Mini-course on information security
- Internal campaigns for adoption of strong passwords or other topics
- Debates on security topics
- Professor talks or special classes
- Round-table discussion of talks
- Round-table with experts
- Round-table with bloggers
- Exhibition of short videos about security to collaborators in online
talks
- Internal competition on security topics
- Happy-hour or lunch & learn events
Which topics could my organization address?
Organizations may focus their activities on different topics of
information security, from "Internet Security" to
"Frauds". It all depends on the specific needs, priorities, and
risks to the confidentiality, integrity and availability of resources, as
defined by your organization. The following is a list of recommended
topics on information security that may be addressed:
- Cloud security
- Cybercrime
- Internet security
- Passwords
- Phishing
- Privacy
- Frauds
- Cyber-bullying
- Security in social networks
- Security in wireless networks
- Social engineering
- Cryptography
- Mobile device security
- Good practices on e-mail use
- Secure shopping
- Backup
- Online game security
- Home computer security
- Malicious software
How to perform your activities?
The development of the topics may be approached by several methods,
including:
- Analogies
- Real-life examples
- Simple and direct messages
- Interaction with the audience
- Memorable examples (e.g. using humor)
- Personal examples
In order to choose the right approach, you need to align it with the
organizational culture and the target audience. The final form may be
more or less formal depending on these considerations.
How can I promote the actions in my institution?
The actions can be promoted in several ways: sending an e-mail to
the list of students or collaborators, putting up posters on notice boards,
or posting a banner on the Intranet or the institution's
website. A series of support materials is offered in digital format.
Institutions may use these materials to promote their actions. See more
in Materials.
Defining the target audience
Organizations must specify in the description of their planned activity
if the audience is internal to the organization or if the event is open
for external visitors. Those organizations performing activities open to
the public must be prepared to receive e-mail requests from people
interested in attending the event in their region. These people may
contact you voluntarily when visiting the website and reading about the
activities in their cities.
How to engage the audience?
Lack of engagement is the main difficulty in creating a security campaign,
even for such an important subject as information security. Although we
know and experience its relevance daily, this subject may look boring
and tedious to internet end users. Here are some strategies you can try
to overcome this resistance and engage your audience:
- To the internal people of your organization:
Present a sound rationale and data on information security issues to
directors and managers as a first step to get support for local activities.
This can be followed by an investigation to learn the specific
security threats within your organization, such as bad password
definition practices, access to phishing websites and non-compliance
with good practices.
Based on the results of the investigation, we recommend you create a
campaign that targets the issues detected and provides best-practice
solutions. Since this is an internal, local activity, the campaign may
be more effective by focusing on the specific issues of the organization.
The information security professional can work with the marketing or
human resources department of the organization to increase the reach of
the campaign among collaborators.
- To the external public:
Universities and CSIRTs (Computer Security Incident Response Teams) may
be interested in performing activities for the external public. These
activities should be focused on regional characteristics. Experts in the
domain – for example, a professor who is a reference in the field –
could teach courses or give talks to attract the public. The
activities may also include the participation of the local
community. In order to drive participation, you may distribute
gifts, offer free cultural attractions and invite celebrities to
some activities.
- To social network users:
Social networks should not be forgotten. Among many possible activities,
the organization may stimulate good security practices in the updates of
its Twitter or Facebook fan page; foster discussions on the hashtag
#securitymonth; or create blogs on security awareness to reach
the younger public. Influential social network experts may also
collaborate to popularize good practices on information security.
Will the actions performed by my institution be promoted by CAIS/RNP?
The actions of the institutions participating in the Security Month will
be promoted in several ways. Among them:
- Publication of logo, organization name and description of the action
on the website
- Publication of photos from the actions in the website gallery
- Publication of photos from the actions on the CAIS page on Facebook
- Interview published in the blog (randomly selected institutions)
It is important that the institution send the actions and photos to
the organizing committee of the Security Month through the e-mail
meseg@rnp.br.