As some of you may already know, NIST (the US National Institute of Standards and Technology) recently published a draft version on its strategy for promoting cyber security awareness and education.  This is a draft version and can be a bit hard to read, but it has three core goals.  From page 2 of the document, the three stated goals are.
  1. Raise awareness among the American public about the risks of online activities.
  2. Broaden the pool of skilled workers capable of supporting a cyber-secure nation.
  3. Develop and maintain an unrivaled, globally competitive cybersecurity workforce.
I'm excited about a national effort to improve cyber security, especially awareness and the work force.  The entire focus is on the human element, one that has been lacking for far too long. Being the security awareness weenie I am, I'm interested the most in goal number one, public awareness.   My concern with the strategy is there are so many players involved that the public will get a convoluted message.  There will be multiple sites that will be offering various resources.  What I would love to see is a single resource promoting a single message.  The most successful awareness campaign in US history has been Smokey the Bear.  Started in 1944 as part of a campaign to stop forest fires, it is estimated that 95% of adults and 77% of children instantly recognize the Smokey mascot and his message. One country doing this well is aeCERT in the United Arab Emirates.  They are using Salim to communicate their awareness message. Salim is the name of local boy, you see him everywhere in the UAE.  Salim is a common Arabic name which can mean 'safety', he has been so successful that people in Dubai do not contact their local CERT, they contact Salim.  I would love to see NIST come up with a cyber Smokey the Bear or Salim for here in the states.  Unfortunately, when it comes to marketing a message, this is where government/security greatly fail.  I hope NIST has a budget for some marketing help.
About the Author
Thumbnail

Lance Spitzner

Director, SANS Security Awareness
Lance Spitzner has over 20 years of security experience in cyber threat research, system defense and awareness and training. He helped pioneer the fields of deception and cyber intelligence with his creation honeynets and founding of the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Before working in information security, Mr. Spitzner served as an armor officer in the Army's Rapid Deployment Force and