A short while ago I stumbled onto the Twitter account of an Information Security Awareness program at my alma mater, the Rochester Institute of Technology (RIT). I was immediately impressed by the following they had among their social networks, and after digging a bit deeper into their activities I couldn't help but reach out to Ben Woelk, who manages the group and generously agreed to an interview with us.

1. How did the idea for an RIT InfoSec group come about? Was there any specific event that triggered its creation?

Ben: It’s actually a Facebook Page. We started to put together a Facebook group, but the page makes more sense for publishing information to an audience, rather than trying to foster discussion and rely on group members to post. This was our first venture into social media. I realized we needed a social media presence after the Virginia Tech shootings. I heard that there was a lot of use of social media to get information before it was officially released. Our other reason for being there is that’s where our students “live.”

2. Are there many reported infosec related incidents at RIT? If so what are the yearly averages and what are the most common?

Ben: I can’t share any details on this, except to say that the number of incidents is trending upward, as in much of higher education.

3. The group has quite a following with over 6,000 fans on Facebook and an additional 1,300 on Twitter, what do you feel have been the most effective tactics to grow your audience?

Ben: We actually have a contest administered very carefully outside of Facebook so we don’t violate their terms of service. We provide one $100 Barnes & Noble gift card to a full-time student who “likes” us between mid-August and October 1. We typically get about 1000 followers each fall. We’ll pick up a few hundred more organically during the course of the year. Our Twitter account following has just evolved organically and the audience isn’t the same. We tend to have quite a few security folk who follow the Twitter account. We haven’t run any contests. Everything we post to the Facebook page is also tweeted. We’ve just redesigned our website and migrated to a Drupal framework. (Painfully!) Our new website will autopublish posts to Facebook and Twitter.

4. Which types of awareness strategies and events do you have planned for this year?

Ben: We put a lot of effort into new student orientation. We have an hour or so on the program each year and have used a number of techniques over the years, ranging from many smaller facilitated sessions to a primary speaker to this year’s Lightning Talks. (You can view this year’s program at http://www.youtube.com/watch?v=ef5XMlfQPxs). I’ve had experience with Lightning Talks through the Society for Technical Communication and their yearly Summit conference. It seemed like a good technique to keep the students’ attention. It was well received.
- We also produced a deck of cards with information security messages and graphics. (We leveraged many of the posters at http://www.rit.edu/security/content/awareness-posters-and-videos)
- We try to share interesting security tidbits several times a week on Facebook.
- We do alerts and advisories as needed and we plan to provide a post or two on various topics each month.
- We have a series of pamphlets.
- We’ve sprinkled security tips around campus through FourSquare.

We try to do things strategically and I’ve actually co-taught a seminar on building awareness programs at the past two EDUCAUSE Security Professional’s conferences. (I’m active in the EDUCAUSE Higher Education Information Security Council and was the co-chair of the Awareness and Training Working Group until recently.)

5. What has been the most rewarding part of building this resource?

Ben: The most rewarding part is feeling like we’re making a difference by reaching our audience where they reside rather than just relying on traditional methods. I’ve been very active in EDUCAUSE and we’ve been able to share our strategies and tactics with many other higher educational institutions. I’ve also benefited from hearing what other schools are doing. Moving into social media has been rewarding personally and professionally as we’ve been able to be relatively leading edge in our techniques.

6. What are the next steps for your organization? Are there any resources or maybe a wish list you have that you feel could take your efforts to the next level?

Ben: Our next steps are to continue to be actively engaged with our community. I would like to see us move into YouTube and produce short security snippets. Determining good metrics for security awareness is also an ongoing problem across the industry. I’m on Twitter @benwoelk and my blog is at benwoelk.wordpress.com. (I’m also making my Cyber Self Defense students blog at https://ritcyberselfdefense.wordpress.com)

Thanks again to Ben for participating in our interview. You're a credit to the industry and security awareness efforts.

Are you trying to build an information security program? Feel free to ask Ben further questions in the comments! Do you run a similar information security awareness program? If so, let us know; we'd love to hear what you're up to (and perhaps feature you too!).