
Internet security awareness

From Wikipedia, the free encyclopedia

Internet security awareness or cyber security awareness is how much end users know about the cyber security threats their networks face, the risks they themselves introduce, and the security best practices that mitigate those risks and should guide their behavior.[1][2] End users are considered the weakest link and the primary vulnerability within a network.[1][3][4] Because of this, technical controls alone are not enough: organizations also seek to reduce the risk from the human element by giving end users security best practice guidance. Employees can be taught about common threats and how to avoid or mitigate them.[4]

Cyber security awareness, training, education


An end user program for mitigating cyber security risk can combine several approaches: cyber security awareness, cyber security training, and cyber security education. The table below compares them.[1]

                 | Awareness                  | Training                               | Education
Attribute        | "What"                     | "How"                                  | "Why"
Level            | Information                | Knowledge                              | Insight
Objective        | Recognition                | Skill                                  | Understanding
Delivery Method  | Media: video, newsletters, | Practical instruction: lecture, case   | Theoretical instruction: discussion
                 | posters                    | study workshop, hands-on               | seminar, background reading
Impact Timeframe | Short-term                 | Intermediate                           | Long-term

Cyber threat awareness does not necessarily lead users to apply threat protections.[5] Research on cybersecurity awareness education has shown inconsistent results, with some studies suggesting limited effectiveness and experts advocating customized training programs to improve awareness.[6]

There are several different delivery methods that can be taken to provide cyber security awareness,[4] including posters, guides, tips,[7] videos, and newsletters.[1] Game-based training may be effective for young people.[8] A mixed approach, applying multiple methods, may be more effective than a single approach.[9]

Topics


Some possible cyber security awareness topics include but are not limited to the following.[10][11][12]

Anti-Malware Protection: Security awareness guidelines for end users include running device scans for malware and keeping the anti-malware application's definitions updated.[10]

Data Protection and Privacy: Various types of data may be mandated to be protected from unauthorized disclosure, including personally identifiable information (PII), protected health information (PHI), intellectual property (IP), and other sensitive information. Security awareness guidelines include teaching data classification, encryption, data anonymization, and data masking or obfuscation. Permissions and who can access data, including file sharing via email attachments, are additional safeguards that can be discussed. Another data protection control is backing up data[10] so that it can be restored if the original becomes unavailable.

Device Management: involves knowing how to protect mobile devices and computers, including those used under a Bring Your Own Device (BYOD) policy. Security awareness guidelines include encryption; protecting the device with a password, PIN, multi-factor authentication, or another form of credential; and caution about downloading and installing applications from unknown sources, including reviewing the permissions an application requests before installing it.[11][13] Another awareness tip is to read reviews and comments about an application before installing it.[11] The use of public Wi-Fi is another discussion point.[11] Device management also covers maintaining an accurate inventory of assets from purchase to disposition, including knowing when to wipe a device and how to sanitize its storage media.

Incident Response: An incident is an observable event that indicates malicious intent. Security awareness guidelines for end users cover which types of events should be treated as suspicious or malicious, whom to contact when an incident occurs, and what actions to take in the event of an incident.[10]

Internet of Things Security: Internet of Things (IoT) devices are remotely controllable, resource-constrained devices with embedded sensors that interact with people and objects, collect data, and send it to remote services on the Internet for further analysis, often to personalize the user's experience. They include smart speakers, wearables such as smart watches, surveillance cameras, lights, door locks, thermostats, appliances, and cars. Guidelines include maintaining an asset inventory, patch control, and changing default credentials.[14]

Insider threats in cybersecurity (internet security) are security risks that come from individuals within an organization, such as employees or contractors, who have access to its systems and data.[15][16][17][18] These threats can include data theft, sabotage, fraud, or espionage, posing significant risks due to the insider's knowledge and access.[15][16]

Password Management: A password is a secret string of characters used to authenticate a user's account. Security awareness guidelines suggest presenting requirements for creating a strong password or passphrase, how often passwords should be changed, and how to protect passwords.[10] (Current NIST guidance in SP 800-63B no longer recommends forced periodic changes; a password should be changed when there is evidence it has been compromised.) Guidelines also call for changing all default passwords and not sharing passwords with others.[19] Additional protections end users should be made aware of include multi-factor authentication, password managers, and password-related threats such as password cracking.
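What a "strong password" requirement looks like when enforced, and how a candidate can be screened against breach data without sending the password anywhere, is shown by the following added example. It is not code from the article or its sources. The policy favours length over composition rules, rejects candidates found in breach data using a k-anonymity style range lookup (the client reveals only the first five hex characters of the SHA-1), and puts numbers on why passphrase length matters. BREACHED is a constructed stand-in for a breach corpus and _range_lookup stands in for the remote range endpoint; both are assumptions of the example.

```python
"""Added example (not from the article or its sources): a password-policy check
that favours length over composition rules and screens candidates against breach
data with a k-anonymity style range lookup, so the full hash never leaves the client.
Assumptions: BREACHED is a constructed stand-in for a breach corpus; _range_lookup
stands in for a remote range endpoint."""
import hashlib
import math
import re

# Constructed stand-in for a breached-password corpus.
BREACHED = {"password", "password1", "qwerty123", "letmein", "Winter2024!"}

MIN_LENGTH = 12
MAX_LENGTH = 128          # allow long passphrases; never silently truncate


def _range_lookup(prefix5: str) -> set[str]:
    """Server side of a k-anonymity range query: given the first five hex
    characters of a SHA-1, return the suffixes of every breached hash that
    shares them. The client discloses only the prefix."""
    hits = set()
    for pw in BREACHED:
        h = hashlib.sha1(pw.encode()).hexdigest().upper()
        if h[:5] == prefix5:
            hits.add(h[5:])
    return hits


def is_breached(password: str) -> bool:
    """Client side: hash locally, send the prefix, compare suffixes locally."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    return h[5:] in _range_lookup(h[:5])


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats a character three or more times in a row")
    if is_breached(password):
        problems.append("appears in breach data")
    return problems


def passphrase_entropy_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """Entropy of a randomly chosen n-word passphrase from a list of the given
    size (7776 is the size of a standard Diceware list)."""
    return n_words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to search the whole space at the given guess rate."""
    return 2 ** bits / guesses_per_second / 31_557_600


if __name__ == "__main__":
    for pw in ["password1", "correct horse battery staple", "Tr0ub4dor&3"]:
        print(f"{pw!r}: {check_password(pw) or 'ok'}")
    bits = passphrase_entropy_bits(6)
    print(f"6-word passphrase: {bits:.1f} bits, "
          f"{years_to_exhaust(bits, 1e12):.0f} years at 10^12 guesses/s")
```

Two points for the awareness discussion: a short password with symbols ("Tr0ub4dor&3") fails the policy while a long all-lowercase passphrase passes, and a passphrase that passes every rule can still be rejected because it already appears in breach data, which is the check a password manager's audit feature automates.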

Patching: Software and system changes that update, improve, or fix weaknesses are usually released as a patch. Security awareness guidelines include the timely installation of security patches,[10] along with vulnerability assessment and vulnerability management at the organizational level.

Removable Media: storage devices that can be attached to or removed from a running computer, such as CDs, DVDs, SD cards, and USB drives (flash drives, thumb drives, and external hard drives). Security awareness guidelines include drive encryption and following the organization's policy on the use of personal removable media on organizational systems.[19]

Safe Web Browsing: Security awareness guidelines for navigating websites include looking for the padlock icon in the address bar before entering sensitive information such as credentials, credit card information, or personally identifiable information.[11] Another visual indicator is "https" at the start of the web address.[11] The padlock and "https" indicate that the information entered is protected while in transit.[11] They say nothing about the trustworthiness of the site: a valid TLS connection only shows that the browser is talking encrypted to whoever controls that domain name, and phishing sites routinely obtain valid certificates. Guidance can also cover setting the browser's privacy options, or using its private or incognito mode to limit what is stored locally.[20] Yet another guideline is to consider using a virtual private network (VPN).[20]

Scareware is a social engineering ploy that displays a pop-up alert designed to create urgency and panic by telling the user that their computer is infected with viruses or has been hacked. The alert instructs the user to click a link to enter information or download software that will fix the problem, when in reality this action is what compromises the user's device. The consequences range from sensitive data being stolen from the user's machine or access to files being blocked, to escalation into ransomware, or the user being coerced into providing credit card details that authorize fraudulent transactions.[21][22]

Social Engineering involves manipulating people into disclosing sensitive information or taking an unsafe action; phishing attacks are the most common form.[23] Security awareness guidelines include not opening suspicious emails from unrecognized senders, not clicking suspicious links in emails or on websites, not opening unexpected attachments, not disclosing information, and not responding to suspicious emails or to contacts provided in them.[10][19]
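The "suspicious link" advice in the social engineering section and the "https does not mean trustworthy" caveat in the safe web browsing section come down to a handful of concrete checks. The following added example, which is not code from the article or its sources, applies them to the links in an HTML e-mail: no https, an IP address instead of a host name, an "@" that hides the real host, punycode labels, a known brand name tucked inside an unrelated domain, and visible link text that claims one destination while the href goes to another. TRUSTED_BRANDS and the sample message are constructed, and registrable() is a crude two-label approximation of the public suffix list; all are assumptions of the example.

```python
"""Added example (not from the article or its sources): inspecting the links in
an HTML e-mail for common phishing indicators.
Assumptions: TRUSTED_BRANDS and SAMPLE are constructed; registrable() is a crude
two-label approximation of the public suffix list."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allow-list of domains the organisation legitimately receives mail about.
TRUSTED_BRANDS = {"paypal.com", "microsoft.com"}

# Visible link text that itself looks like a URL or bare domain.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Approximate the registrable domain as the last two labels (e.g. evil.example).
    Real code should use the public suffix list, which handles co.uk and friends."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_link(href: str, text: str) -> list[str]:
    """Return the indicators found for one link; an empty list means none."""
    findings = []
    u = urlsplit(href)
    host = (u.hostname or "").lower()
    if u.scheme != "https":
        findings.append("not https")
    if u.username is not None:
        findings.append("'@' in URL: the part before it is not the host")
    try:
        ipaddress.ip_address(host)
        findings.append("IP address instead of a host name")
    except ValueError:
        pass
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode host label (possible homograph)")
    for brand in TRUSTED_BRANDS:
        if brand in host and registrable(host) != brand:
            findings.append(f"'{brand}' appears inside unrelated domain {registrable(host)}")
    if LOOKS_LIKE_URL.fullmatch(text):
        shown = urlsplit(text if "://" in text else "//" + text).hostname or ""
        if registrable(shown) != registrable(host):
            findings.append(f"text shows {shown} but link goes to {host}")
    return findings


def inspect_email(html: str) -> dict[str, list[str]]:
    """Map every href in the message to its findings (empty list = nothing suspicious)."""
    collector = _LinkCollector()
    collector.feed(html)
    return {href: inspect_link(href, text) for href, text in collector.links}


# Constructed sample message: two phishing links and one legitimate one.
SAMPLE = """
<p>Your account is locked. <a href="http://203.0.113.5/login">Sign in</a> now.</p>
<p>Or verify at <a href="https://paypal.com.account-verify.example/login">https://paypal.com</a></p>
<p>Questions? <a href="https://www.paypal.com/">PayPal help</a></p>
"""

if __name__ == "__main__":
    for href, findings in inspect_email(SAMPLE).items():
        print(href, "->", findings or "ok")
```

The second sample link is the one worth showing end users: it is https, it would display a padlock, and its certificate would be perfectly valid, yet the registrable domain is account-verify.example and the brand name is only a subdomain label. That is the gap between "encrypted in transit" and "trustworthy" that the browsing guidance has to close.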

Public awareness campaigns


The President of the United States announced in 2004 that October would become the official Cybersecurity Awareness Month. The goal of the month is to increase awareness of the most common cybersecurity threats and promote basic practices that prevent them. The initiative was built on collaboration between the private and public sectors, exchanging expertise with the intent of creating a safer digital world.[24]

Microsoft's Cybersecurity Awareness Month: Celebrating its 20th anniversary in 2023, Microsoft partnered with the National Cybersecurity Alliance and CISA to amplify cybersecurity best practices globally. Their focus includes educating organizations on multifactor authentication, updating software, recognizing phishing, and checking privacy settings. Microsoft also provides resources for small and medium businesses, which are often vulnerable to ransomware attacks.[25]

NIST's Cybersecurity Awareness Month: In 2023, NIST emphasized four key behaviors: (1) enabling multi-factor authentication, (2) using strong passwords and password managers, (3) updating software, and (4) recognizing and reporting phishing.[26] This annual event, celebrated every October since 2004, is part of a collaborative effort to provide resources and raise awareness about cybersecurity, thereby increasing national resilience against cyber incidents.[26]


References

  1. ^ a b c d "NIST SP 800-12, Chapter 13: Awareness, Training and Education". csrc.nist.rip.
  2. ^ Kim, Lee (April 2017). "Cybersecurity awareness: Protecting data and patients". Nursing Management. 48 (4): 16–19. doi:10.1097/01.NUMA.0000514066.30572.f3. ISSN 0744-6314. PMID 28353477. S2CID 9518792.
  3. ^ Kemper, Grayson (2019-08-01). "Improving employees' cyber security awareness". Computer Fraud & Security. 2019 (8): 11–14. doi:10.1016/S1361-3723(19)30085-5. ISSN 1361-3723. S2CID 201901451.
  4. ^ a b c "What is Cybersecurity Awareness Training & Why is it so Important?". FraudWatch International. 2018-12-21. Archived from the original on April 29, 2019.
  5. ^ Zwilling, Moti; Klien, Galit; Lesjak, Dušan; Wiechetek, Łukasz; Cetin, Fatih; Basim, Hamdullah Nejat (2022-01-02). "Cyber Security Awareness, Knowledge and Behavior: A Comparative Study". Journal of Computer Information Systems. 62 (1): 82–97. doi:10.1080/08874417.2020.1712269. ISSN 0887-4417.
  6. ^ National Institute of Standards and Technology. "Federal Cybersecurity Awareness Programs" (PDF). nvlpubs.nist.gov. Retrieved 2025-08-14.
  7. ^ Tasevski, Predrag (2016). "IT and Cyber Security Awareness – Raising Campaigns". Information & Security. 34 (1): 7–22. doi:10.11610/isij.3401.
  8. ^ Triplett, William J. (2023-01-01). "Addressing Cybersecurity Challenges in Education". International Journal of STEM Education for Sustainability. 3 (1): 47–67. doi:10.53889/ijses.v3i1.132. ISSN 2798-5091.
  9. ^ Abawajy, Jemal (2014-03-04). "User preference of cyber security awareness delivery methods". Behaviour & Information Technology. 33 (3): 237–248. doi:10.1080/0144929X.2012.708787. ISSN 0144-929X. S2CID 12289090.
  10. ^ a b c d e f g Wilson, M.; Hash, J. (2003). "NIST Special Publication 800-50: Building an Information Technology Security Awareness and Training Program" (PDF).
  11. ^ a b c d e f g Employee Security Awareness Training, June 2017
  12. ^ "Building a Security Awareness Program". www.gideonrasmussen.com.
  13. ^ "Securely Using Mobile Apps - SANS OUCH! Newsletter - June 2021". www.sans.org.
  14. ^ Forrest, Conner. "Ten best practices for securing the Internet of Things in your organization". ZDNet.
  15. ^ a b Cybersecurity and Infrastructure Security Agency. "Defining Insider Threats | CISA". www.cisa.gov. Retrieved 2024-01-15.
  16. ^ a b Cybersecurity and Infrastructure Security Agency. "Insider Threat 101 Fact Sheet" (PDF). www.cisa.gov. Retrieved 2024-01-15.
  17. ^ National Institute of Standards and Technology. "insider threat - Glossary | CSRC". csrc.nist.gov. Retrieved 2024-01-15.
  18. ^ U.S. Department of Homeland Security. "Cybersecurity Insider Threat | Homeland Security". www.dhs.gov. Retrieved 2024-01-15.
  19. ^ a b c "Common Cyber Threats: Indicators and Countermeasures" (PDF).
  20. ^ a b "Privacy - Protecting Your Digital Footprint - SANS OUCH! Newsletter - April 2021". www.sans.org.
  21. ^ "What Is Scareware? Defined and Explained". Fortinet. Retrieved 2024-09-17.
  22. ^ "What is Scareware? How to Identify, Prevent and Remove It". WhatIs. Retrieved 2024-09-17.
  23. ^ "Avoiding Social Engineering and Phishing Attacks | CISA". us-cert.cisa.gov. February 2021.
  24. ^ "Cybersecurity Awareness Month | CISA". www.cisa.gov. Retrieved 2024-09-17.
  25. ^ Jakkal, Vasu (2023-10-02). "Celebrate 20 years of Cybersecurity Awareness Month with Microsoft and let's secure our world together". Microsoft Security Blog. Retrieved 2024-04-03.
  26. ^ a b National Institute of Standards and Technology (NIST) (2023-10-25). "Cybersecurity Awareness Month". NIST.