As most of us know, security awareness is the knowledge and understanding that members of an organization possess to protect both physical and information-based assets. Over the past several years, security training has become more prevalent in all industries as organizations begin to realize that there is value in training individuals to be the first line of defense against compromise. I have had the opportunity to work closely with several K-12 public school districts to support their technology infrastructure and have noticed a gap in the level of concern about securing information assets.
The overarching purpose of this project was to gather data to support an initiative of security awareness training in K-12 programs, as well as to start the security awareness conversation in the K-12 education industry.
- Develop an assessment methodology focusing on security, access control and phishing.
- Develop education materials that can be distributed to K-12 educators.
- Gather data to show that security through education applies to K-12 education.
- Improve the security awareness knowledge of K-12 educators in the selected district.
- Provide data to a sponsor school district to support new security initiatives.
In order to obtain results in a repeatable way, several research methods were used to gather data. It should be noted that not all of the materials created relate directly to the data gathered throughout this project, which focused on three specific areas of interest. These include:
- Surveys sent to staff
- Developed assessments to log physical security offenses
- Phishing Emails
In order to establish a baseline level of knowledge for the research participants in this K-12 district, two surveys were used, both delivered through anonymous Google Forms to the staff who were going to be assessed.
Due to time constraints, it was necessary to use a survey tool that automatically aggregated the results and created a final report. While there are many online survey tools, Google Forms was chosen as the delivery method because the receiving audience was already familiar with this form of survey delivery. The participating school district suggested this method, as participants would be more comfortable knowing it came from the district rather than from an outside source.
The initial survey questions were a subset of those found in a security awareness survey published by SANS through their Securing The Human initiative.
The final survey questions were a similar subset of those found in the initial survey with some additional open ended questions.
Physical Security Assessment
There was only one building assessed during the data gathering phase of this project which was the participating school district’s high school. A total of 26 rooms were assessed looking for the following offenses:
- Number of passwords on sticky notes
- Number of characters found in each password
- Number of passwords found in plain view
- Number of passwords found under keyboards
- Number of computers not locked
With the help of Chris Hadnagy and Social-Engineer Inc, two rounds of phishing emails were sent to a total of 107 end users.
The first phishing email is found below:
The second phishing email is found below:
The same page was displayed for both iterations of phishing found below:
First Physical Security Assessment
Phish 1 results:
Phish 2 results:
Second Physical Security Assessment
The surveys revealed an overall improvement in the understanding of security awareness topics including password strength, physical access and access control. They also showed that developing security awareness content has a positive effect on the understanding and adoption of security practices by K-12 teachers. Additionally, the surveys provided baseline metrics on initial security knowledge and validated the methodology for aggregating data from various disciplines.
The physical access assessments showed an overall reduction in the number of passwords found in the assessed classrooms. While the number of computer workstations that remained unlocked stayed the same, it should be noted that they were in different locations than during the first physical assessment.
The access control assessments showed an overall decrease in the password entropy measured across the passwords found between the first and second assessments. This can be attributed to the smaller number of passwords found during the second physical assessment.
The phishing assessments showed an overall improvement in the number of click responses that were recorded between the first and second phishing campaigns.
Despite the results attained throughout this project, a learner's education is difficult to measure. Moody and Sindre (2003) discussed two different types of learning assessments: performance based and perception based. Performance-based assessments rely on achievement tests, oftentimes measuring the differences between two groups. Perception-based assessments are surveys passed out to end users asking them to rate their understanding of an issue relative to what they think they understand. The information gathered in this project is largely from perception-based assessments; this was due to the time limitations associated with providing a standardized education. The development of the deliverable course is the ultimate performance-based assessment methodology.
Further Research and Recommendations
Based on the data acquisition performed in this project, being able to replicate the results is extremely important. While gaining access to K-12 school districts may be difficult, it is imperative to continue research in the field of security awareness targeting K-12 educators. Though financial resources are often limited in K-12 institutions, the amount of risk mitigated by providing training to staff members greatly outweighs the potential for data disclosure to undesirable sources.
Further phishing email campaigns should be conducted to validate the findings of this project and further support the hypothesis that “security through education does have a statistical impact on K-12 educators”. While phishing email campaigns like the ones conducted in this project have a monetary cost associated with them, there are free alternatives such as the Social Engineer Toolkit (SET).
The involvement of an industry expert would also help in targeting specific individuals in spear phishing campaigns. One component that was not done in this project was target profiling of individuals; in the real world, it is likely that end users could be victims of specifically targeted attacks which they have not been educated about.
Further physical access controls should be defined, both for assessment purposes and for the protection of student data. The criteria for data research provided in this project were extremely basic, and school districts should not measure based only on the criteria used in this project. It is recommended that they consult a physical security expert.
Further password policies should be developed for all school districts, especially for educators in the industry. Microsoft's minimum requirements when password policies are enabled are eight characters consisting of three of four character classes: upper case letters, lower case letters, numbers and symbols. While these are the minimum requirements, school districts should be looking towards password requirements above twelve characters, with a password reset interval of at most ninety days. While this could cause technical constraints and issues, the organization's increased security posture would benefit overall.
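To make the policy recommendation above concrete, here is an added example (not code from the original project) that checks a password against the eight-character, three-of-four-class baseline the report attributes to Microsoft and against the report's own twelve-character recommendation, and aggregates a round of assessment findings the way the physical assessments did (count and entropy). The entropy formula used here (length times log2 of the size of the character pool actually used) is an assumed naive estimate, not the measure used in the report, and the sample passwords are constructed, not real findings.

```python
import math
import string

# Policy parameters from the report: 8 characters with 3 of 4 classes is the
# Microsoft minimum it cites; 12 characters is the report's recommendation.
MS_MIN_LENGTH = 8
RECOMMENDED_MIN_LENGTH = 12
MIN_CLASSES = 3

CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def character_classes(password):
    """Return the set of class names (upper/lower/digit/symbol) present in password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def naive_entropy_bits(password):
    """Assumed estimate: bits = length * log2(pool size), where the pool is the
    union of the character classes the password actually uses."""
    pool = sum(len(CLASSES[name]) for name in character_classes(password))
    if pool == 0 or not password:
        return 0.0
    return len(password) * math.log2(pool)


def evaluate_password(password, min_length=RECOMMENDED_MIN_LENGTH):
    """Check length and the three-of-four class rule; return a small report dict.
    In a real assessment only these derived numbers would be recorded, never the
    password itself."""
    classes = character_classes(password)
    failures = []
    if len(password) < min_length:
        failures.append(f"length {len(password)} < {min_length}")
    if len(classes) < MIN_CLASSES:
        failures.append(f"only {len(classes)} of {MIN_CLASSES} required character classes")
    return {
        "length": len(password),
        "classes": sorted(classes),
        "entropy_bits": round(naive_entropy_bits(password), 1),
        "compliant": not failures,
        "failures": failures,
    }


def summarize_found_passwords(passwords, min_length=RECOMMENDED_MIN_LENGTH):
    """Aggregate one assessment round: how many passwords were found, their mean
    length, mean estimated entropy, and how many met the policy."""
    if not passwords:
        return {"count": 0, "mean_length": 0.0, "mean_entropy_bits": 0.0, "compliant": 0}
    reports = [evaluate_password(p, min_length) for p in passwords]
    n = len(reports)
    return {
        "count": n,
        "mean_length": round(sum(r["length"] for r in reports) / n, 1),
        "mean_entropy_bits": round(sum(r["entropy_bits"] for r in reports) / n, 1),
        "compliant": sum(r["compliant"] for r in reports),
    }


# Constructed sample of the kind of passwords an assessment might record (not real data).
SAMPLE_ROUND_1 = ["welcome1", "Spring2014!", "password", "Room12B"]

if __name__ == "__main__":
    for pw in SAMPLE_ROUND_1:
        print(evaluate_password(pw))
    print("Against the 8-character baseline:", summarize_found_passwords(SAMPLE_ROUND_1, MS_MIN_LENGTH))
    print("Against the 12-character recommendation:", summarize_found_passwords(SAMPLE_ROUND_1))
```

Running the script shows why the report pushes beyond the eight-character baseline: of the four constructed samples only one passes the baseline, and none passes the twelve-character recommendation, even though several of them use three or four character classes.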
For the specific participating school district, it was recommended that further security awareness training be conducted on a regular basis, in conjunction with annual assessments, to start improving the overall security posture across all of the schools. Since only a portion of the entire school district was measured, there are still many end users who need to be educated.
Incorporating security awareness components into the training educators receive is only the first step of this training program's potential, which could lead into student education. While K-12 students are already taught a wide variety of materials, by the time they graduate they are exposed to very different scenarios than the course material was created for years ago. The program developed for cyber security / security awareness education should be malleable enough to be updated annually to focus on the new threats students will face, along with modernizing the delivery mechanism. K-12 students are much more used to mobile devices than traditional desktop computers, and the course content should be directed towards that delivery mechanism.
This project would not have been possible without the sponsorship of Nick Griswold and the guidance of Chris Hadnagy. The infosec community is growing every day and it is awesome to be able to work with industry experts directly. Thanks again to both of you.
Moody, D. & Sindre, G. (2003). Evaluating the Effectiveness of Learning Interventions: An Information Systems Case Study. Retrieved from http://is2.lse.ac.uk/asp/aspecis/20030097.pdf