Chapter 13
Security Education
Most organizations now provide security education for employees.
Required Reading
No required reading
Lecture
Papers in Lecture
- Redmiles, Elissa M., Sean Kross, and Michelle L. Mazurek. “How I learned to be secure: a census-representative survey of security advice sources and behavior.” Proceedings of the 2016 ACM SIGSAC conference on computer and communications security. 2016.
- Herley, Cormac. “So long, and no thanks for the externalities: the rational rejection of security advice by users.” Proceedings of the 2009 New Security Paradigms Workshop (NSPW). 2009.
- Rader, Emilee, and Rick Wash. “Identifying patterns in informal sources of security information.” Journal of Cybersecurity 1.1 (2015).
- Boyd, Maia J., et al. “Understanding the security and privacy advice given to black lives matter protesters.” Proceedings of the 2021 CHI conference on human factors in computing systems. 2021.
- Hielscher, Jonas, et al. “Selling Satisfaction: A Qualitative Analysis of Cybersecurity Awareness Vendors’ Promises.” Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security. 2024.
Learning Outcomes
Topics
- Security training
- Balancing costs and benefits
Understand
- Training does not always work
- Factors to consider when selecting training
- Testing if training is effective
Remember
- Benefits and costs of training
Apply
- Try asking friends or family about the training they have been given at work and co-ops.
- Do a mini self-diary study. For one day, note down every time you have to make a security decision and what knowledge you needed to make a good decision.
Activities
- Complete UWaterloo Security Training. Note that for researchers, Information Security Services recommends 2 hours and 20 minutes of cyber security training time a year.