
18/06/2010

Raising Awareness
to create a culture of cyber security

Belhassen ZOUARI

CEO, National Agency for Computer Security, Tunisia
Head of the Tunisian CERT (tunCERT)
E-mail: b.zouari@ansi.tn

Workshop on Building Trust and Confidence in Arabic E-Services

Beirut, 25-27 May 2010

Introduction
Today, ICTs (information and communication technologies) are
increasingly becoming essential in our lives.

This ICT dependence brings out new risks that represent
a real threat to our societies.

The main way to be safe is to prevent those threats.

It is indeed a national challenge for every country.


ICT-based Vulnerability for Economic & Social Activities
In today’s digital age where we live and work, citizens and
businesses find ICTs very important for carrying out daily
tasks.
At the same time, more and more citizens and businesses
are at risk of information security breaches.

In an age ever more reliant on digital information and within an information
society, there is an increasing number of dangers.

A high number of end-users are unaware of their exposure to
security risks!

What makes a cyber security process effective

3 pillars have to be considered:

- Technology
  ICT/Security tools, etc.

- Organization
  Policy, procedures, regulation, ...

- Social behaviour
  Cultivating a Culture of Cyber security


Why should every country raise awareness about cyber security?

- To build new reflexes and good practices while using ICTs,
- To enhance users' confidence in ICTs and to build trust,
- To minimize risks related to social engineering,
- To protect both data and privacy,
- To protect network integrity,
- To protect users and especially children,
- To alert users to the risks and penalties behind hacking and
  abuse through the Internet.

Because an ounce of prevention is worth a pound of cure!

Which public is concerned by awareness?

It is important to define the specific audience that is
targeted by the awareness program.
From the simple user to the computer professional, everyone
must be aware of cyber security:

- Home users (kids, teenagers, youths, adults and simple users)
- Students
- Employees (all organizations' personnel)
- Mid-level managers
- Executive managers (key decision-makers, stakeholders, etc.)
- System administrators (webmasters, application developers, etc.)
- Third parties
- Communities (NGOs)


Awareness action plan principles

A long-term objective: cultivating the culture of cyber security
- Continuous action
- Diversifying media/channel materials

Through:
- Public relations activities,
- Educational programs,
- Events and initiatives that target home users,
- Education audiences and higher education,
- Child safety online

Tunisian case study: building a culture of cyber security

STRATEGY - REALISATION - DIFFICULTIES - CHALLENGES


Tunisian way of raising awareness and building confidence

Tunisia recognizes the importance of increasing the
public's awareness of cyber security and crime issues.
- aiming to build a security reflex in every Tunisian

Public activities, educational programs, events and initiatives that
target home users, small businesses, schools and children online are
featured throughout a national awareness plan.

Tunisian way of raising awareness and building confidence (continued)

Using different communication channels:

- Tunisian national television channels,
- Radio stations,
- Fairs and exhibitions,
- Seminars and conferences,
- Collaborating with clubs and associations,
- Distributing specific documents and CDs, videos and cartoons,
- Integrating cyber security in the educational courses,
- Mailing list,
- Web sites: www.ansi.tn, www.nacs.tn, tuncert.ansi.tn
- Etc.


Nationwide awareness in Tunisia

Every Tunisian has the right to benefit from the
awareness program.
Giving information to the national and regional
community about everything related to security incidents.

Tunisia is working to bring the cyber security culture
nationwide.

NACS' experts and tunCERT's teams are working to help cover
different parts of Tunisia, organizing training sessions and
workshops almost all over the country.

Tunisian strategy to carry out cyber security awareness

- Selecting awareness topics
  (child online protection, cybercrimes, etc.)
- Building an educational program
- Ensuring a communication framework
  (flyers, guides, CDs, web sites)
- Implementing the awareness initiative, using a variety of channels
- Evaluating the effectiveness of the project
  Difficulties!
- Updating and improving the project
  Facing the challenges!


Oriented campaigns

Target audiences:
- Decision makers
- Professionals
- Teachers
- Students
- Users
- Journalists
- Lawyers

Diversified contents:
Prospectus Posters Emails
Radio Emission Cartoon Video Spot
Attack Simulation Guide

Emailing and Call Center


Information & Alerts on observed vulnerabilities and malicious activities

Useful information broadcast through mailing lists:

- More than 8000 members
- 150 emails sent in 2009 (more than 400 product vulnerabilities)
- Classification:
  .Vulnerability .Virus .Spam .Hoax .Precaution .Administrator .Alert
  .Tools .Open-source .Announcement .Book

Bulletin labels shown on the slide:
.VIRUS
.Vulnerability (simple users)
.Administrators (security professionals)

Alert message fields:
Subject: …………..
Affected systems and platforms: ……
Effects
Visible signs
Means of propagation
Propagation at the national scale
Propagation at the international scale
More details (urls)
Preventive measures

Vulnerability bulletin fields:
1- critical vulnerability in ………….., which allows ……
2- moderately critical vulnerability in ………….., which allows ……
3- ………………..

1- “Product name”
Affected platforms: ……
Affected versions: ………
Brief description:
……..
…….
For more details: (urls)
SOLUTION
……….
……….
2- “Product name”
…………………


Child/Parent oriented actions

Sometimes … shocking !


Other kinds of awareness actions

- Simulation platform for typical cyber attacks
  (phishing, identity theft, remote controlling, …)

Return on Security Investment (ROSI)


Number of   Cost of implementing   Economic impact of cyber      Return on Security
nodes       security solution,     incidents in the lack of      Investment
            USD (A)                security solutions, USD (B)   (= B-A)

50          18.800                 131.040                       112.240
100         37.350                 233.370                       196.020
500         196.380                916.200                       719.820
1000        448.215                1.729.568                     1.281.353

Source: Computer Economics 2005

The project’s benefits


The Tunisian information security awareness program is also:
- Providing a focal point and a driving force for a range of awareness,
  training and educational activities related to information security,
- Communicating important documents and guidelines,
- Providing general and specific information about information security
  risks and controls to people who need to know (such as parents),
- Making individuals aware of their responsibilities in relation to
  information security,
- Motivating individuals to adopt recommended guidelines or practices.

This project helps create a stronger culture of security, one with a
broad understanding of and commitment to information security.


The program’s difficulties

- Geographical coverage:
  Need to reach far parts of Tunisia (northwest, west central and
  southern parts).
- Targeting some specific critical businesses:
  Doctors, accountants, entrepreneurs, etc.
  Some categories require more effort and even specific effort, such as
  policymakers and legal professionals (lawyers, judges, prosecutors), etc.
- Difficulty of content development
  (communication and development of educational content).
- Conducting surveys for feedback on the effectiveness of the effort.
- High investments for a result that is not immediately palpable.
  Efforts are not easy to measure!

Facing challenges

- The end result of the awareness project may not be instantaneous.
- Continuous improvement cannot occur without a good sense of
  how the existing program is working:
  - statistics, feedback, etc.
    negotiations about compliance with our objectives,
    clarification of budget,
    next and further steps.
- Once the baseline requirements have been solidified, a feedback strategy can be designed
  and implemented.

Formal evaluation and feedback mechanisms are critical components of the
security awareness project.
- The feedback mechanism must be designed to track
  progress relative to the objectives initially established.
