People First

Intensive IT and comprehensive network coverage have transformed the daily activities of the online community at the National University of Singapore. The Internet and open networks on campus have enabled advanced teaching and research, but they also have exposed users to greater risk of cyberattacks that could result in service disruption, data corruption or the loss of confidential information.

The university has installed in-depth defensive IT security strategies and state-of-the-art technologies to protect its network. Users need to be vigilant and proactive in efforts to combat cyberthreats within the university community and to collaborate with regional and international partners to respond to cyberthreats that cross borders.

Even the strongest precautions may not be adequate, however, if no one pays attention to them. It has long been recognized that the weakest links in IT security are the people sitting in front of the computers. To secure those human links is not an easy task.

Given NUS’s large population of students, faculty and staff, and an average of 20,000 machines online at any given time, the Computer Centre’s IT security team is always on its toes to safeguard the online community. Enlisting those students, faculty members and staff to combat security threats would be easier if they saw the issue as a concrete threat to academic freedom or a factor that added to their workload.

The indifference and diverse culture (one-third of those enrolled are international students) of the NUS online community were IT security headaches until we found the cure: Make IT security fun!

We had our first NUS IT Security Day in 2001. It has grown into a weeklong event of fun-packed activities promoting IT security awareness. IT Security Week, as we now call it, consists of IT security workshops and seminars, IT security carnivals, freshman awareness camps and hacking challenges.

IT Security Week opens with a grand IT security fun fair. Participants see performances and exhibitions and participate in competitions that test their IT security knowledge, while IT security vendors and industry representatives showcase their cutting-edge technologies. Security Week also provides an opportunity to show off the university’s own IT security.

One of the most interesting competitions is the hacking challenge. The online game invites students to hack and crack several applications by progressing through levels of increasing difficulty. At the end of the day, winners of the competition take home prizes, including high-end PDAs, video games and MP3 players.

To win, participants need a deep understanding of common security holes and a certain level of programming skill. This competition lets the IT Security team see how hackers think and how they might foil security measures.

Along with a series of more traditional seminars and technical sessions addressing higher-level issues for management staff and IT professionals, we hold freshman awareness camps in various residence halls to educate students about current concerns, such as copyright law and peer-to-peer downloads.

The ultimate goal of these competitions, and the whole of IT Security Week, is simple: to reach out to NUS staff and students and make them aware of the new trends in security threats so that they can take precautions.

Now that the community has adopted the right mind-set on security, the benefits have been tremendous. The latest Computer Centre satisfaction survey shows that 90 percent of students and staff rate university IT Security as good or excellent. We’ve seen a significant reduction in reported incidents, and security vulnerabilities have been reduced by 90 percent over the past three years. This couldn’t be achieved without an effective IT security awareness program.

The most important thing we learned is to know the audience and to think about what they need. Information security is everyone's concern. More important, it should be fun.