Abstract
Security champions are regular employees who have deeper knowledge in information security and a direct connection with the security team. Through this connection, they can facilitate the diffusion of security knowledge to employees and back to the security team. We worked with a German organization with more than 20,000 employees that decided to create such a program, starting with a three-day in-person workshop with n = 17 young apprentices to train them to become security champions. Internal and external speakers were invited to pass on their security knowledge to the apprentices. We contributed to the workshop program with Serious LEGO, security mythbusting exercises, and Q&A sessions. However, our main goal was to evaluate the workshop's impact on the participants. We gathered data through interviews, surveys and observation before, during and after the workshop. We found that the workshop did indeed influence the security behavior of young employees. However, the external security experts presented outdated or incorrect security knowledge and recommended secure behaviors that contradicted company security policies. We identified incentives and motivations that participants brought to the role. In addition to tailoring security training content appropriately, we identify preparatory steps and support that organizations need to put in place to support security champions who take on the role.
Original language | English |
---|---|
Title | EuroUSEC '23 : Proceedings of the 2023 European Symposium on Usable Security |
Number of pages | 16 |
Publisher | Association for Computing Machinery (ACM) |
Publication date | 16 Oct 2023 |
Pages | 237-252 |
ISBN (Print) | 9798400708145 |
DOI | |
Status | Published - 16 Oct 2023 |
Event | The 2023 European Symposium on Usable Security - Copenhagen, Denmark Duration: 16 Oct 2023 → 17 Oct 2023 |
Conference
Conference | The 2023 European Symposium on Usable Security |
---|---|
Country/Territory | Denmark |
City | Copenhagen |
Period | 16/10/2023 → 17/10/2023 |