___________________________________________________________________________

2009/TEL40/SPSG/013
Agenda Item: 3d

Cyber Security Awareness Raising Workshop

Report

Purpose: Information
Submitted by: United States

Security and Prosperity Steering Group

Meeting
Cancun, Mexico
26-29 September 2009
 Cyber Security Awareness Raising Workshop Report

Introduction

As many APEC economies become increasingly reliant on information communications technology

(ICT), it is becoming increasingly important that all computer users within economies are aware of the
steps they need to undertake to securely use their computers and practice safe and secure behaviour
while using the Internet. The majority of cyber related incidents are the result of error or negligence,
and therefore many member economies are conducting awareness raising programs and activities to
educate all users within their economies about secure internet use.

At APEC TEL 37, Australia and the United States jointly proposed a self-funded project to ultimately
develop a coordinated activity amongst APEC economies to raise the level of cyber security
awareness of critical infrastructure owners and operators, small and medium businesses and end
users within the region. Korea, Canada and Malaysia cosponsored the project.

The first element of this project was a one day workshop which was held on 14 October 2008 at
APEC TEL 38 in Lima Peru. Recognizing that economies face similar challenges in raising
cybersecurity awareness and can benefit from good practices and lessons learned of other
economies, the aim of this workshop was to share information and experiences from cyber security
awareness raising programs. The workshop also considered the development of a coordinated effort
amongst economies to raise the level of cyber security awareness of critical infrastructure owners and
operators, small and medium businesses, and end users within the region.

This report outlines economy case studies, the outcomes of the workshop, and also identifies
potential options for further collaboration in the area of cyber security awareness raising.

Economy experiences

The first session of the workshop provided the opportunity for economies to share information on their
own awareness raising activities.

Peru, Australia, Japan, Malaysia, Korea and United States provided presentations on their awareness
raising activities within their own economies targeting government agencies, critical infrastructure,
business, and consumers. The Asia Pacific Computer Emergency Response Team (APCERT)
addressed the workshop on their awareness raising activities and those of their members. The
presentations from the workshop can be found at Attachment A.

Thailand and Singapore also provided information on their cyber security awareness raising activities,
which is included in this report.

Australia

The Australian Government has three key priorities for maintaining Australia’s electronic security:
1. Reducing the e-security risk to Australian Government information and communications
systems;
2. Reducing the e-security risk to Australia’s national critical infrastructure; and
3. Enhancing the protection of home users and small and medium enterprises (SMEs) from
electronic attacks and fraud.

A National E-security Awareness Week was piloted in 2006 and became an annual event from 2008.
The Department of Broadband, Communications and the Digital Economy coordinates the Week in
consultation with government agencies, police, industry (including software vendors and ISPs), and
community groups. The overarching message for the 2008 Week was “Stay Smart Online” with three
underlying key messages:
1. Secure your computer;
2. Secure social networking; and
3. Secure you wireless connection.
These messages were promoted through a series of real world and virtual events as well as
mainstream media. Hard copy materials were developed, including postcards and stickers which were
distributed at events and through partner organisations such as financial institutions and community
groups.

Five top tips were used to highlight the key things that users need to do to protect themselves online:
1. Install, update and use your security software;
2. Use strong passwords and change them regularly;
3. Be careful when sharing personal information online;
4. Think before you click – if it looks too good to be true it probably is; and
5. Be smart and stay informed – visit www.staysmartonline.gov.au and sign up for the new Stay
Smart Online Alert Service to get up-to-date advice on the latest e-security risks.

Some of the key lessons learnt have been that there is fine balance between educating about the
risks involved in online activities and maintaining trust and confidence in the public. Furthermore,
public-private sector partnerships enable the message to reach more people and a broader audience.
Some users still prefer hard copy materials about cyber security rather than access websites and
electronic materials.

Other awareness raising activities conducted by Australia include an information website targeted at
consumers and small businesses (www.staysmartonline.gov.au), an advisory service in simple, non-
technical language and a schools package designed to teach children how to be secure online.

Japan

Information security awareness raising activities in Japan are aimed at all users of information
systems including corporate users, government, individuals, and the critical infrastructure sector. The
Japanese Government established the first national strategy on Information Security in 2006. The
strategy is a three year plan from 2006 to 2008, and is based on a collaborative approach to
information security, involving central and local governments, critical infrastructure, businesses, and
individuals.

The 2 February is Japan’s annual “Information Security Day”, which begins a month of related events.
These events are organised and run by government agencies and other related organisations.
Previous activities have included a “Check PC!” campaign. This campaign included a website
informing users how to enhance PC security, and was widely publicized on public transportation and
in the media. In 2007, lectures on the safe use of the internet were conducted in over 130 places
within the activities of “e-net Caravan”. The Anti-bot Measures Project “Cyber Clean Center” launched
in December 2006 has its portal site which provides a free BOT removal tool.

The Japanese Government has also focused on awareness raising activities regarding the protection
of critical infrastructure. Ten sectors have been selected as “critical infrastructure”, including
telecommunications, electricity, medical services and railways. The Capability for Engineering of
Protection, Technical Operation, Analysis and Response (CEPTOAR) Council was established to
promote information sharing across business entities within each sector.

Korea

Information security awareness raising activities in Korea are aimed at increasing awareness about
the importance of information security, encouraging internet users to utilize appropriate cyber security
applications, and educating specialists from Korea’s information technology (IT) sector. Awareness
campaigns are focused on providing information on practical methods for strengthening online
security.

An annual ‘Information Security Week’ takes place on the third week of June. Activities conducted
during the Week include awareness raising seminars, symposiums and workshops for IT specialists,
the provision of guidelines and booklets, and cyber security summits. Annual Information Security
Awareness awards began in 2002 and are awarded to members of the public, who participate in
awareness slogan and poster competitions, and to companies, who participate in information security
competitions.
Korea holds other awareness raising campaigns focused on specific cyber security issues, such as
privacy protection. For example, in 2007 the ‘delete not-used-homepage’ campaign was held. In 2003
the campaign’s slogan was ‘delete my personal information on websites’. Events such as music
concerts are held, where booklets and information are distributed, and an online security course is
available for the general public, which attracts thousands of participants annually.

Malaysia

Malaysia’s national cyber security policy is designed to facilitate Malaysia’s move towards a
knowledge based economy. Part of this policy is focused on building a culture of security and capacity
building.

In 2007 CyberSecurity Malaysia was officially launched to build a culture of security awareness
through a series of awareness programs targeted at youth, parents, home users and organisations. It
is a non-profit organisation and partners with other organisations with relevant materials, such as the
European Network and Information Security Agency and Microsoft.

CyberSecurity Malaysia’s awareness raising outreach program is targeted at all internet users. The
program is aimed at:
 ensuring all internet users are aware of current online threats and dangers;
 promoting safe and responsible online behaviour; and
 promoting best practices and positive use of the internet.
Cyber security awareness raising initiatives include the provision of publications and safety guides,
video clips, posters, exhibitions and road shows. CyberSecurity Malaysia also uses a digital mascot
‘Nic’, who appears on websites, in videos, quarterly cyber security newsletters, awareness posters,
brochures, and other publications. Nic appears in videos aimed at children and teenagers that
address cyber security issues, such as email and spam, safe internet banking, cyber stalking and safe
online chatting behaviour.

Some of the challenges CyberSecurity Malaysia has faced include

 producing relevant content that is simple but not oversimplified;
 convincing the private sector that security measures do not drive business away, and can
actually be good for business; and
 attracting the necessary financial investment required for content delivery.

As for future activities, CyberSecurity Malaysia is concerned with producing innovative and relevant
content for target audiences, encouraging public private partnerships, and measuring the
effectiveness of campaigns.

Peru

The High Tech Crimes Investigation Division (DIVINDAT) of the Peruvian National Police Force was
established in 2005 to investigate and fight against transnational and national crimes relating to
information and communication technology. DIVINDAT’s strategy consists of:
 preventative action, including cyber security awareness events, informative websites, and a
school outreach program;
 dissuasive action, including virtual security patrols and visits to internet cafes to provide
information; and
 investigative action.
In June 2007 the Computer Crimes Law was incorporated into the Penal Code, to cover some of the
most common cyber security threats in Peru including fraud, extortion, sexual blackmail and child
pornography.
Peru highlighted the challenges they face in getting access to information to continue investigations
from Internet Service Providers. Without legislation, privacy and commercial reasons are given to
restrict law enforcement officials from gaining access to this information.

Thailand

The Thai ICT Security Awareness Program aims to:

 promote ICT security awareness among Thai citizens;
 provide a free software tool for citizens to limit exposure to harmful online content, especially
children; and
 educate the public about the new Computer-Related Crime Act 2007.
The program is targeted at students, parents, teachers, law enforcement officials, and service
providers such as ISPs and internet cafés.

The program consists of two parts. Firstly, a free software program titled “ICT Housekeeper”, which
was developed in collaboration with a local university based on the specific problems faced by Thai
society, such as excessive online game playing and exposure to inappropriate content on the internet.
The basic features include:
 preventing underage users from accessing inappropriate websites;
 managing computer usage time; and
 limiting gaming time.
Approximately twenty thousand “ICT Housekeeper” CDs have been distributed and the program is
available for free download at http://hk.mict.go.th.

The second part of the program includes ICT security awareness seminars for target audiences
throughout Thailand. The seminars are aimed at heightening awareness of the “ICT Housekeeper”
program and “Computer-Related Crime Act 2007”. A number of these seminars are held for students,
parents, teachers, and for law enforcement and service providers.

Singapore

Singapore’s cyber security initiatives are developed through its cyber security Infocomm Security
Masterplan I and II (ISMP I and ISMP II). The cyber security awareness raising aspect of ISMP I was
a series of outreach programs targeted at the general public and at the private sector. These
programs aimed to raise awareness about the risks of ill-informed online activities and encouraging
organisations to devote sufficient attention and effort in the security upkeep of their information
systems. The government also worked with the various infrastructure owners and operators to
ascertain the adequacy of their cyber protection measures, and assessed the adequacy of cyber
security in the public sector through a series of tests.

ISMP II builds on ISMP I. Its key approach is to ensure that awareness raising and outreach activities
conducted collaboratively by like-minded partners from the public and private sectors. Government
and industry have formed the Cyber Security Awareness Alliance. This Alliance seeks to build a
positive culture of cyber security in Singapore where by users adopt essential security measures such
as firewalls and anti-virus software, and encourage the adoption of essential security practices by the
public and the private sector.

In the public sector, students are an important target group as they are among the most active internet
users. The Alliance works in collaboration with the Infocomm Clubs in schools. In the private sector,
outreach programs are targeted at small and medium-sized Enterprises, which form 90% of
businesses in Singapore.

United States of America

The National Cyber Security Division (NCSD) of the United States Department of Homeland Security
(DHS) is dedicated to the mission of securing cyberspace and America’s cyber assets. NCSD utilizes
a multi-pronged approach to addressing this challenge. Accordingly, NCSD maintains an awareness
program focused on raising cybersecurity awareness, and promoting the use of good cybersecurity
practices. In collaboration with public, private, and international entities, NCSD focuses on the shared
responsibility all internet users have to protect their piece of cyberspace.

NCSD provides funding to the National Cyber Security Alliance (NCSA) to assist in efforts to promote
cyber security awareness. NCSA represents a collaborative effort among government and industry.
NCSA focuses on the following key stakeholder communities: consumers, small and medium
businesses, and the education community. NCSA aims to create a culture of cyber security
awareness through the provision of tools and information necessary to prevent cyber crimes and
attacks.

DHS sponsors a National Cyber Security Awareness Month on an annual basis, which is held each
October. While awareness activities are conducted year-round, Awareness Month represents the
premier effort. Awareness Month is aimed at: raising awareness of cyber security risks and available
services; building a common culture of shared priorities across all stakeholders; developing the next
generation of leaders in cyber security; and motivating organisations and individuals to secure their
part of cyber space. During awareness month, NCSD together with established partners, such as
NCSA

The 2008 National Cybersecurity Awareness Month represented the fifth annual awareness month
celebration. The theme was “Our Shared Responsibility” to reflect the interconnectedness of the
globalized world, and to promote the message that cyberspace cannot be secured without the help of
all computer users. The following activities were accomplished during National Cybersecurity
Awareness Month 2008 and represent the type of activities that are conducted on an annual basis.

 Television, radio and print/Internet interviews were used to generate awareness of National
Cyber Security Awareness Month and cybersecurity;
 Stakeholder events at the national and local level were used to drive media attention and
awareness within their perspective audiences;
 National Cyber Security Awareness Month Toolkits were distributed to stakeholders to get
major corporations, government agencies and organizations to advertise and mention the
campaign through web banners, speeches, events and media interviews;
 Cyber security, safety and ethics K-12 lesson plans were developed and distributed to
schools across the country to provide educators with lesson plans during National Cyber
Security Awareness Month;
 Speaking engagements at several national and regional events;

The campaign was evaluated by the number of media impressions generated; cyber security events
held; companies and organizations endorsing the month; and how many government organizations
promoted the month. Awareness Month 2008 was the most successful campaign to date for
generating media attention and press coverage, with a reported 133 million media impressions.

Asia Pacific Computer Emergency Response Team (APCERT)

The Asia Pacific Computer Emergency Response Team (APCERT) engages in awareness raising
activities targeted at security incident response communities, security experts and policy makers.
APCERT also has an outreach and awareness raising program targeting relevant organisations and
member team governments. Each year at the APCERT Annual Conference, member teams report on
incident trends, statistics and new projects, and participate in an annual communication drill.

A summary of the activities of each member team was given for:

 Australian Computer Emergency Response Team (AUSCERT) organised a one day seminar
for E-Security Awareness Week, as well as a survey on home user behaviour.
 The Korea Internet Security Centre (KrCERT/CC) operates a website for general public,
which provides easily accessible security tools and services.
 The Taiwan National Computer Emergency Response Team (TWNCERT) participates in a
Social Engineering Drill twice a year and has developed 41 Cyber Security E-learning
websites.
  The Thai Computer Emergency Response Team (ThaiCERT) runs a regular program that
involves websites providing articles in Thai relating to computer security, a mailing list to
members, seminar events of Information Security Alliances, and a second website (work in
progress) aiming for building a cyber community in Thai. ThaiCERT also runs an ad hoc
program involving guest speaker for workshop or seminar events arranged by either the
government or the private sector, and a one day seminar or conference on Computer Security
Awareness.
 The Japan Computer Emergency Response Team/ Coordination Centre (JPCERT/CC)
engages in awareness raising activities aimed at a technical audience. JPCERT focuses its
awareness raising programs on a technical audience, including the critical infrastructure
sector. An awareness raising workshop for software and control system vendors is held
annually. JPCERT runs an awareness raising outreach program to ISPs in conjunction with
the Japan Network Information Centre and the Japan Registry Services.

Some of the key lessons learnt have been scare tactics are ineffective, but financial incentives to
motivate companies to implement security best practices work effectively, as do examples based on
real business cases.

Outcomes from discussion session

The second discussion session of the workshop proved to be a useful exercise. Participants
considered similarities and differences between economies’ experiences. From this exchange,
participants noted the more effective awareness raising activities and successful approaches for
overcoming key challenges.

Lessons learned from economy experiences

There were a number of similar themes that many economies raised as important for the
commencement and success of awareness raising activities. Participants discussed successful
tactics and approaches as well as challenges from their economy’s experience.

These are discussed in more detail below.

Government Leadership

A number of economies emphasised the importance of government agencies demonstrating

leadership in the area of cyber security. Government entities can leady by example for the nation with
an emphasis on cybersecurity, which may impact other governmental bodies as well as the broader
community that government has a responsibility to support; and, government can also contribute
successful awareness raising activities. Governments can use their position to raise awareness and
set the course for collaboration amongst entities, including all levels of government, the private sector,
academia, and the general public within an economy. This can also have a positive impact upon
other areas of the country’s economy.

A successful approach by governments in some economies has been the use of scorecards, which
rank the level of cyber security within government agencies. These systems worked on a voluntary
basis and were conducted by an independent third party. Publicising scores can create a competitive
environment for good security practices and encourage ‘on the ground’ improvements. Scores can
also be used as a benchmark to build a business case for improved resourcing for cyber security.

Some economies have dedicated information security officers within agencies and these officers can
work to improve cyber security awareness, particularly with employees. Employees are also internet
users. Secure behaviours learnt in the workplace can also be transferred to friends and family.

Government agencies can also work in partnership with the private sector to develop collaborative
activities. Australia, Japan, Korea, Malaysia, Singapore and the United States have developed strong
alliances with industry and community groups to extend the reach of cyber security awareness
messages and the number of activities.
Seminars as a cost effective activity

Seminars and conferences were a key feature of many economies’ awareness raising programs. They
can facilitate engagement of particular segments of the community. This can include small
businesses and school children to be targeted with specific messages. Seminars and activities
targeting schools students have been quite popular in some economies, particularly in Thailand.
These can be cost effective if agencies can provide expert speakers and schools and other
community organisations provide the facilities to host events.

Ensuring decision makers and business have an appreciation of cyber security threats and their
potential impact is extremely important. Some economies have invited “white hat” hackers to present
at conferences to demonstrate how to compromise systems. This can be a good tool to influence
decision makers about the nature of the problem and importance of preventive measures.
Conferences are also a way of educating organisations about the nature of the problem. This may
then influence spending decisions to improve cyber security defences or awareness raising
campaigns for staff.

Legal frameworks and prosecutions as an awareness raising instrument

Presentations and discussion sessions also highlighted the need for legal frameworks to address
cyber security issues. Cybercrime is not as tangible as traditional criminal activity. Publicizing positive
outcomes resulting from legal successes against cybercrime can be a platform for awareness raising.

Cyber security legislation can also be useful awareness raising instruments. Laws can serve as
instruments to convey the importance of cybersecurity to combat cyber crime; ensure people know
that they are protected against threats; and also serve as reminders that entities need to continue to
protect themselves.

In addition, some economies have found the publicity about cyber crime and prosecutions an effective
tool to raise awareness about the problem and its consequences for cyber criminals.

Resources for SMEs are needed

A number of economies have resources dedicated to assist small to medium enterprises (SME) to
improve their security. Workshop participants raised the idea of a security ‘health’ check as a
mechanism to raise awareness. This could take the form of a program or questionnaire inquiring
about the security practices of the business. This health check could point out to businesses their
potential vulnerabilities and provide assistance and information so remedial action can be taken.

Some economies have a one stop shop to assist SMEs improve their internet security. Korea has a
service where SMEs can call trained experts to assist with setting up software and find out information
on security practices. Other tools are available in other economies that allow businesses to identify
their security needs, the current mechanism they have in place and the vulnerabilities in their current
standard of protection.

All stakeholders have a part to play

One of the key similarities between all economies awareness activities is importance of including a
number of stakeholders. Government ministries, regulators, the operational community and Computer
Emergency Readiness Teams/Computer Incident Response Teams (CSIRTS/CERTs), community
organisations, small and medium businesses as well as multinational companies, and individual users
have a role to play in awareness. This reinforces that many stakeholders have a role to play and it
would be difficult to make significant progress unless multiple parties within an economy are engaged.
The U.S. refers to this as a “shared responsibility” among stakeholders.

Ministers and regulators can raise awareness about the laws against cyber crime in each economy
and promote the reporting of cyber security incidents. CSIRTs/CERTs can also play an influential role
in providing technical expertise to inform awareness raising programs.
Industry can be a key partner as they also have strong technical expertise and understanding. Some
companies have presence in more than one economy and are able to share information, knowledge
and resources on other economies activities.

Community organisations often have the ability to reach particular segments of the community.

Communicating Awareness - Messaging

The development of strong key messages was a theme discussed throughout the workshop.
Economies discussed how to have an impact through communications related to awareness raising
activities.

There were a few tactics noted by the participating economies regarding awareness raising. First,
economies identified the need for actionable information. This may require tailoring information for
both a technical and non-technical audience so stakeholders will know what actions to take.

Next, economies noted the need for consistent messaging. Messages need to be repetitive and
reinforced so that they can become a learned behaviour. While consistency and repetition are very
important, there is also a need to tailor messaging for specific groups.
There are a number of different types of Internet users within economies and these groups need
slightly different messages. Children and teenagers in particular use the Internet differently from their
parents. Therefore messages need to be different for each group. It is important to understand the
motivations for individuals’ behaviour and modify awareness messages accordingly. This also requires
tailoring information for both a technical and non-technical audience so stakeholders will know what
actions to take. This can also include the type of message, when it is delivered to the user and how it
is delivered to the user. Malaysia has used a mascot, Nic to impart strong security messages. This
has assisted in delivering the messages to consumers but is not the answer in isolation.

It is also important to seek a balance between communicating the risk and promoting trust and
confidence in the use of online channels. There are enormous benefits to every economy through the
adoption of e-commerce and e-government services. However users need to understand some
activities online have risks attached and they need to manage these risks when connecting to the
Internet. Economies recognized the need to focus on developing messages that communicate this
balance.

Finally, once key messages are developed, it is critical to reinforce and amplify the message. One of
the key ways of getting messages out to the public is through the media. The media is always looking
for a new story. Therefore trying to keep the message fresh is important to attract attention from the
media, and the consumers of that message. In addition to the media, it is also important to use other
creative mechanisms and strategic opportunities. Focusing on a new emerging security threat is a
technique some economies have used.

It was also mentioned that awareness raising activities and messages have to be a coordinated and
deliberate activity. Continuing to reinforce the need for good security practices with similar key
messages is important to change the behaviours of individual users.

Finally, it is important that all Internet users take responsibility for their own security. The security of
one user’s system impacts on all internet users. Successfully communicating this to all Internet users
and the steps they need to undertake to be more secure is the key challenge for all APEC economies.

Challenges in implementing awareness raising activities

A number of key challenges in implementing awareness raising activities were identified during the
workshop. Obtaining the necessary political will from government leadership; obtaining requisite
financial and personnel resources, and the difficulty in galvanizing other stakeholders have been
regarding the need for the partnership.

One of the key challenges for economies is educating policy makers and other high level officers
about the need for awareness raising activities. Political will is extremely important in getting the
necessary resources to implement awareness raising activities. Some economies such as Korea have
had a major incident which has highlighted the importance of good security practices to decision
makers. Other economies without such history need to develop a strong business case to gain
attention and resources.

One of the challenges in building a business case is getting evidence to articulating the losses from
cyber security threats. Many organizations are unwilling to provide figures on the losses from cyber
security threats. This makes it different to provide decision makers with strong evidence of the losses
associated with cyber-security threats.

Getting key industry partners on board has been challenging in some economies; however
engagement is necessary and can greatly assist in efforts. For example, financial institutions can be
a key conduit to customers. An opportunity to educate banks’ customers on changing their passwords
and other secure behaviours is in the interest of a bank’s business.

Having a budget for activities is something that is common to all economies. Some economies have
gotten around this by leveraging partners such as schools and community organisations. In Thailand,
the Ministry has provided ‘experts’ for seminars when other organisations within the economy such as
schools or community organisations have provided a venue. This is an excellent example of
collaborative activities.

Using partners overcomes one of the challenges in getting the message out to everyone. Community
organisations, schools, financial institutions and industry all have different channels to reach different
target audiences. These groups can carry targeted messages to different target audiences. Using
partners enables limited resources to be maximized and increases the reach of key messages.

Building strong public private partnerships has been a key element to the success of many awareness
raising programs. These partnerships can allow economies to improve the reach and sustainability of
awareness activities. The United States and Singapore have developed alliances focused on
implementing awareness programs targeted at home and small business users.

Many organisations have developed strong policies for cyber security however these need to be
implemented effectively. One of the key flaws in this implementation is the lack of awareness of the
policy, particularly within organisations. Organisations need to take responsibility and be accountable
for their own security. In some economies, individual employees are the weakest link. Increased
awareness is needed in this area, as these employees are also users in their homes. Increased
awareness of good security practices in the workplace can translate to improved security at home.

Measurement is also a key challenge in many economies. It is very difficult to measure the
effectiveness of awareness raising programs and change in behaviour. The number of messages that
are reaching their target audiences can be measured through media articles, website hits and the
amount of materials distributed. However how to measure the extent to which these messages
translate into behavioral change is problematic

Some economies such as Japan and Chinese Taipei have implemented a scorecard approach where
an independent third party evaluates the security of a government agency and provides them a mark.
These marks can then be used to benchmark performance against other similar agencies and gain
resources for improved security measures.

Potential program of work for SPSG

The final discussion session of the workshop centred on what APEC economies can do collaboratively
around cyber security awareness raising. Workshop participants were asked to consider the following
questions:
1. How can APEC economies work together to promote common messages?
2. How can APEC economies collaborate to improve cyber security awareness?

Out of group discussions, a number of activities were highlighted by workshop participants for SPSG
consideration. These are discussed in more detail below.
Raising awareness within APEC

Workshop participants highlighted the opportunity to engage with APEC at all levels to improve
awareness within APEC itself. This engagement could draw attention to the issue of security from
leaders to working groups.

Leaders statement

Workshop participants highlighted the need for the importance of raising the importance of the issue
with decision makers. The Bangkok Declaration includes references to the importance of cyber
security and raising awareness amongst consumers and small businesses. However the highest level
of influence within APEC is the Leader’s declaration. Including text on cyber security awareness
raising may be a good mechanism to highlight the importance of the issue.

Raising awareness amongst APEC working groups

Workshop participants highlighted that APEC delegates would also be a target for awareness
activities conducted by the SPSG. Any work would also work to raise the profile of the SPSG outside
TELWG. A suggestion was made by Singapore that posters could be produced to be put up in
delegation rooms during working group meetings. Messages could focus on the need to protect your
passwords when using common computers and making sure that you scan portable devices before
using them in your own laptops. It is also important to educate delegates who are also users of the
Internet in their homes and the office.

Collaborative awareness raising activity across economies

One of the key benefits of a collaborative activity will be the development of a key set of coordinated
messages that are relevant to all economies. The workshop presented a number of ideas where
economies could work collaboratively to deliver a coordinated awareness activity.

Suggestions included an APEC wide Awareness Week, an APEC cyber security poster competition
and/or a slogan competition.

The development of a common slogan across all economies could be pursued. A common slogan
such as “Your security is my security” could be used across all APEC economies on awareness
raising materials. A contest across all economies could also be held to develop a slogan or a poster
for all economies to use and promote safe online behaviours. The winner of this contest could be then
used in all APEC economies for the next year. A specific theme or security threat could be proposed
by SPSG and this could guide competition participants when coming up with their entries.

The APEC TEL website could be harnessed to promote these activities. An APEC TEL press release
could be issued to launch the collaborative activity in all economies. Economies could also undertake
promotional activities to launch the contest and encourage participation.

Development of good practice guidance for economies

While a number of economies have developed programs for raising awareness on cyber security
threats, other economies are at the early stages of implementing programs. The SPSG could consider
developing a simple, best practice guidance document to assist economies in implementing national
awareness raising programs. The document could include guidance on:
 developing good messages appropriate for target audiences;
 developing strong public-private sector partnerships and leveraging private sector reach and
resources; and
 developing mechanisms to measure the success of awareness raising programs.

Awareness activities need to keep pace with the dynamic threat environment. Accordingly, this
document could also be used to develop awareness raising activities on emerging trends and issues
beyond personal computers such as mobile phones and smart phones. As connectivity to the Internet
via mobile handheld devices becomes more widespread, awareness programs will also need to look
at these issues.
Improved information sharing between economies

A number of economies are implementing different awareness raising activities and valuable lessons
can be learnt from sharing experiences between economies. Futhermore, economies can leverage
investments of other economies and adopt good practices and/or materials. For example, materials
that reference good practices or tips can be translated. In this way, economies can save resources in
development costs and use that cost savings to invest in other activities.

A dedicated session in the SPSG agenda would also allow economies to share new awareness
raising materials developed between meetings. The SPSG could also develop a matrix of
demographics, key messages and best practices that is updated annually.

These formal sessions within the SPSG could be complemented by intercessional activities.
Webchats could also be used intercessionally so experts can talk about their current activities and
lessons learnt.

Conclusion

As demonstrated by the robust dialogue in the workshop, and the substantial amount of work that is
already underway in many economies, it is clear that success in broader cybersecurity awareness
activities includes awareness raising activities.

It was agreed by participants that there is need for sustained cyber security awareness within the
APEC region, and member economies expressed interest in furthering collaboration through APEC
wide activities. Some APEC economies have long running awareness raising programs where others
are beginning to establish programs. Improved information sharing and sharing of resources will
assist all APEC economies to improve cyber security awareness.

The report outlines common good practices and proposed opportunities for future collaboration on
cyber security awareness raising for SPSG’s consideration. This program includes a set of activities
and collaborative work between economies, such as the development of a simple, best practice
guidance document to assist economies in implementing national awareness raising programs.

Australia and the United States would like to thank the speakers and participants for their contribution
and sharing of cyber awareness raising experiences during the workshop