Fostering E-Mail Security Awareness: The West Point Carronade

Over the last several months, the logistics committee for the myNotebook initiative has been involved in a spirited debate about the effectiveness of group training exercises in helping to build safe computing practices. An article in the spring Educause Quarterly describes an experiment in which a bogus email was sent to cadets who had completed a four-hour mandatory training program on computer best practices. Eighty percent clicked on the link embedded in the email, which carried the subject line "Problem with your grade report."

The article concludes:

While imperfect at best, the West Point Carronade exercise proved that the traditional classroom instruction model is necessary but not sufficient when it comes to learning. Students have to touch, feel, and experience the content in order to learn. The goal of any security awareness exercise should be to make security an attitude within the organization, campus, or university. Periodic launching of these types of awareness exercises will help minimize network downtime and maximize network performance as students become more judicious about handling e-mails.

As a result of the experiment outlined in this study, administration at West Point proposed a set of additional emails to collect social security numbers, other personal data, and downloaded music. The purpose of each exercise was to give immediate feedback on the dangerous behavior. I wonder if an institution like William and Mary could get away with organizing such naturalistic teaching methods–perhaps as part of the DIL?