Employee Training & Awareness
A Critical Element in Cybersecurity Resilience
@Ben_Smith
Ben Smith, CISSP
Field CTO (East), Security Portfolio
© Copyright 2015 EMC Corporation. All rights reserved.
Agenda
1. Looking in the mirror
2. Failures of awareness, failures of behavior
3. What does success look like?
4. Additional resources
SAMPLE REFERENCE – “Hunting for Sharks’ Teeth (and Other IOCs)” https://blogs.rsa.com/hunting-sharks-teeth-iocs/
What you will NOT hear from me today…
• “It’s not about if you get breached; it's when you get breached.”
• “Even large enterprises that have millions of dollars to spend on security got breached, so everyone is at risk.”
• “The breaches we have seen so far are just the beginning – bigger breaches are coming.”
• “Legacy security technologies are of limited value in the face of advanced persistent threats.”
• “Security incidents can put you out of business.”
Gartner, “The Future of Security Sales Revolves Around Digital Risk” (May 2015) [G00278090]
Beware These Cop-Out Statements!
• “We’re not very visible.”
– It doesn’t matter if your company has a widely known public brand or not
• “But we’ve never had a breach.”
– Don’t confuse luck with competence
• “The probability of this happening is so low that I’ll take my chances.”
– It’s unlikely that anyone in the organization knows the probability of certain security incidents happening
Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563]
Beware These Cop-Out Statements!
• “We’re a small organization.”
– A much bigger factor today than the size of your organization is whether you have information that is valuable to attackers now, or will be valuable in the future
• “We have insurance.”
– Read the fine print to ensure you know exactly what will be covered by your insurance policy, and remember… cyberinsurance is not a get out of jail free card
Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563]
What is “Security Awareness”?
• Education …study a topic in depth
• Training …produce relevant skills & competencies
• Awareness …focus attention, recognize & respond, change behavior
Mark Wilson, “A Crash Course in Awareness versus Training versus Education versus Certification (An Off-Kilter Look)” (Feb 2014)
http://csrc.nist.gov/organizations/fissea/2014-conference/presentations/fissea_2014_mwilson.pdf
Security Awareness, by the Numbers
• The good news (from the management front)
– “Security awareness” as a priority has risen
– 56% ► 71% (from 2010 to 2014)
• The bad news (from the employee front)
– 53% are aware of their employer’s current security policies
– 38% say they have received training on staying secure at work
– 22% of information workers are concerned about security
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
Why Do Security Awareness Programs Fail?
• Staff are not emotionally involved
• Objectives are not aligned with the ultimate goal
• Bland and generic content fails to help the audience
• Employers settling for a one-time, compliance-driven approach
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
Awareness =? Behavior Change
• Behavior change is an ambitious (and necessary) goal!
– Learning in the correct context
– Repeating actions to embed knowledge
– Rewarding staff to encourage new habits
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
3 Key Processes to Change Culture & Behavior
1. Speak a common language (business) to align incentives
– Shift security and risk to a shared business issue from an IT-specific responsibility
2. Redefine data ownership to spread security and privacy mindfulness
– Accountability = the business units, not IT
3. Cultivate “right choice” decision-making
– Produce targeted security awareness training that is relevant for employees beyond the work environment
Forrester, “Instill A Culture Of Data Security And Privacy: Equip Your Workforce To Augment The Security Team” (Mar 2015) [101761]
Beyond the work environment
• “Crossover areas” of importance
– Password reuse across accounts
– Connecting to public Wi-Fi access points
– Presence on social media sites
– Social engineering
– Phishing
Define Measurable Outcomes
• Focus on discrete, clearly phrased, measurable outcomes in all objectives for security awareness
• Avoid poorly-defined outcomes
– “Increase the awareness of employees…”
– “Ensure that all employees understand…”
– “Effectively communicate corporate goals and principles regarding security risks”
Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]
Define Measurable Outcomes (continued)
Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]
One Size Fits All?
Audience segments along two axes: Office Bound vs. Mobile, and Digital Immigrant vs. Digital Native
• Personas: Coffee Machine Communicator, Road Warrior, Tablet Traveler, Facebook Friend
• Group behavior (“Watch your mouth”) vs. individual behavior (“Watch your typing”)
Guidance by segment:
• Lock up before you leave
• Keep your desk clean
• Avoid loose talk in public
• Be aware of the dangers of multichannel multitasking
• Be aware of the risks of mixing work and pleasure
• Protect your devices
• Be aware of shoulder surfing
• Avoid loose talk in public
• Don’t share devices
• Don’t share credentials
• Be aware of media dangers
• Humanize data
Gartner, “Segment Your Audience for Effective Security Awareness Communications” (Feb 2015) [G00271825]
Case Study: Large Company
• Management buy-in & sponsorship
• Cross-functional “campaign” approach
• Marketing, branding
– One-line tagline used with all communications
• Identification of “awareness vehicles”
– Intranet
– One-page, once monthly
– Audio vignette
– Audio message from Executive
– Management briefings
– Awareness giveaways
– Contest
– Events
– Email Q&A list
Allen Smith & Nancy Toppel, “Case Study: Using Security Awareness to Combat the Advanced Persistent Threat” (Jun 2009)
http://cisse.info/resources/archives/category/12-papers?download=131:s03p02-2009
Some Content Ideas
• Make it personal for employees
– Security best practices inside and outside the workplace
• Treat communication like a Hollywood movie
– Clips, tasters, and teasers ahead of deployment can build tension and interest
• Embed elements of novelty & use unexpected delivery channels
– Draw attention to a message by making it appear outside of its normal, or expected, context
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
Some Content Ideas
• Reinforce the message at teachable moments
– Near-misses (your organization, or others in the news)
– One-on-one guidance following (failed) phishing tests
• Test gamification tactics
– Set up friendly competition among staff
– Create scenarios where employees compete with each other, or for personal “best scores”
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
Gamification
Ira Winkler & Samantha Manke, “Gamifying Security Awareness” (Feb 2014)
http://www.rsaconference.com/writable/presentations/file_upload/hum-t07a-gamifying-security-awareness.pdf
Additional (Free!) Resources
• SANS “OUCH!” newsletter
– https://www.securingthehuman.org/resources/newsletters/ouch/2015
∙ Shopping Online Securely (Nov)
∙ Password Managers (Oct)
∙ Two-Step Verification (Sep)
∙ Backup & Recovery (Aug)
∙ Social Media (Jul)
∙ Educating Kids on Cyber Safety (Jun)
∙ Securing the Cyber Generation Gap (May)
∙ Passphrases (Apr)
∙ Gaming Online Safely & Securely (Mar)
∙ Staying Secure on the Road (Feb)
Additional (Free!) Resources
• SANS “Securing the Human” blog
– https://www.securingthehuman.org/blog/
• National Cyber Security Alliance: Business Safe Online Resources
– https://www.staysafeonline.org/business-safe-online/resources/
• NIST SP 800-50, “Building An Information Technology Security Awareness and Training Program” (Oct 2003)
– http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
– See Section 4, “Developing Awareness and Training Material”
Additional (Free!) Resources
• DHS US-CERT: National Cyber Awareness System - Tips
– https://www.us-cert.gov/ncas/tips
• DHS “Stop.Think.Connect.” Campaign
– http://www.dhs.gov/stopthinkconnect
– http://www.dhs.gov/publication/stopthinkconnect-small-business-resources
• RSAC CyberSafety: Kids initiative
– http://www.rsaconference.com/about/rsac-cyber-safety
Other Thoughts from Industry
• Pro
– “The ABC’s of Security Behavioral Influence” (Geordie Stewart, 2015) http://www.risk-intelligence.co.uk/7-habits-of-highly-successful-security-policies/
– “The 7 elements of a successful security awareness program” (Ira Winkler & Samantha Manke, 2014) http://www.csoonline.com/article/2133408/network-security/the-7-elements-of-a-successful-security-awareness-program.html
– “Information Security Awareness - Down, But Not Out” (Salvatore Paladino, 2013) http://www.csoonline.com/article/2136488/security-awareness/information-security-awareness---down--but-not-out---by-salvatore-c--paladino.html
– “Security Awareness Education” (“Ben Ten” @Ben0xA, 2013) http://ben0xa.com/security-awareness-education/
– “Arguments Against Security Awareness Are Shortsighted” (Ira Winkler, 2013) http://www.darkreading.com/risk/arguments-against-security-awareness-are-shortsighted/d/d-id/1139417?print=yes
– “Schneier, Winkler and the Great Security Awareness Training Debate” (Stephen Cobb, 2013) http://www.welivesecurity.com/2013/03/27/schneier-winkler-and-the-great-security-awareness-training-debate/
– “Ten commandments for effective security training” (Joe Ferrara, 2012) http://www.csoonline.com/article/2131688/security-awareness/ten-commandments-for-effective-security-training.html
– “Security awareness can be the most cost-effective security measure” (Ira Winkler, 2012) http://www.csoonline.com/article/2131999/metrics-budgets/security-awareness-can-be-the-most-cost-effective-security-measure.html
– “Security Awareness Programs: Now Hear This!” (Lew McCreary, 2006) http://www.csoonline.com/article/2120826/strategic-planning-erm/security-awareness-programs--now-hear-this-.html
• Con
– “Security Awareness Training” (Bruce Schneier, 2013) https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html
– “Why you shouldn't train employees for security awareness” (Dave Aitel, 2012) http://www.csoonline.com/article/2131941/security-awareness/why-you-shouldn-t-train-employees-for-security-awareness.html
Contact
http://BenSmith.SE/twitter
http://BenSmith.SE/linkedin

Contenu connexe

Tendances

Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@
R_Yanus
 
Information Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityInformation Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier University
Atlantic Training, LLC.
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
Atlantic Training, LLC.
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
Atlantic Training, LLC.
 
Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3
DallasHaselhorst
 

Tendances (20)

IT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.pptIT Security Awareness-v1.7.ppt
IT Security Awareness-v1.7.ppt
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
 
14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness14 tips to increase cybersecurity awareness
14 tips to increase cybersecurity awareness
 
Information security awareness - 101
Information security awareness - 101Information security awareness - 101
Information security awareness - 101
 
Hyphenet Security Awareness Training
Hyphenet Security Awareness TrainingHyphenet Security Awareness Training
Hyphenet Security Awareness Training
 
Customer information security awareness training
Customer information security awareness trainingCustomer information security awareness training
Customer information security awareness training
 
Employee Security Training[1]@
Employee Security Training[1]@Employee Security Training[1]@
Employee Security Training[1]@
 
Information Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier UniversityInformation Security Awareness Training by Wilfrid Laurier University
Information Security Awareness Training by Wilfrid Laurier University
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Employee Awareness in Cyber Security - Kloudlearn
Employee Awareness in Cyber Security - KloudlearnEmployee Awareness in Cyber Security - Kloudlearn
Employee Awareness in Cyber Security - Kloudlearn
 
Cyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionalsCyber Security Awareness Session for Executives and Non-IT professionals
Cyber Security Awareness Session for Executives and Non-IT professionals
 
Security Awareness Training
Security Awareness TrainingSecurity Awareness Training
Security Awareness Training
 
Information Security Awareness
Information Security Awareness Information Security Awareness
Information Security Awareness
 
New Hire Information Security Awareness
New Hire Information Security AwarenessNew Hire Information Security Awareness
New Hire Information Security Awareness
 
Information Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn HospitalInformation Security Awareness Training by Mount Auburn Hospital
Information Security Awareness Training by Mount Auburn Hospital
 
Cyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptxCyber Security Awareness Program.pptx
Cyber Security Awareness Program.pptx
 
IT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community CollegeIT Security Awarenesss by Northern Virginia Community College
IT Security Awarenesss by Northern Virginia Community College
 
Building An Information Security Awareness Program
Building An Information Security Awareness ProgramBuilding An Information Security Awareness Program
Building An Information Security Awareness Program
 
Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3Cybersecurity Awareness Training Presentation v1.3
Cybersecurity Awareness Training Presentation v1.3
 
Employee Security Awareness Training
Employee Security Awareness TrainingEmployee Security Awareness Training
Employee Security Awareness Training
 

En vedette

Security Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by PedrazaSecurity Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by Pedraza
Atlantic Training, LLC.
 
Fall2015SecurityShow
Fall2015SecurityShowFall2015SecurityShow
Fall2015SecurityShow
Adam Heller
 
How To Promote Security Awareness In Your Company
How To Promote Security Awareness In Your CompanyHow To Promote Security Awareness In Your Company
How To Promote Security Awareness In Your Company
danielblander
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
Robin Rafique
 

En vedette (19)

End User Security Awareness Presentation
End User Security Awareness PresentationEnd User Security Awareness Presentation
End User Security Awareness Presentation
 
Cyber War, Cyber Peace, Stones and Glass Houses
Cyber War, Cyber Peace, Stones and Glass HousesCyber War, Cyber Peace, Stones and Glass Houses
Cyber War, Cyber Peace, Stones and Glass Houses
 
Security Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by PedrazaSecurity Training and Threat Awareness by Pedraza
Security Training and Threat Awareness by Pedraza
 
Overview of NIST SCO Standards Training Activities
Overview of NIST SCO Standards Training ActivitiesOverview of NIST SCO Standards Training Activities
Overview of NIST SCO Standards Training Activities
 
NIST Security Awareness SP 800-50
NIST Security Awareness SP 800-50NIST Security Awareness SP 800-50
NIST Security Awareness SP 800-50
 
Safety, Sanctuary and Security
Safety, Sanctuary and SecuritySafety, Sanctuary and Security
Safety, Sanctuary and Security
 
Top 5 it security threats for 2015
Top 5 it security threats for 2015Top 5 it security threats for 2015
Top 5 it security threats for 2015
 
Pivotal Role of HR in Cybersecurity
Pivotal Role of HR in CybersecurityPivotal Role of HR in Cybersecurity
Pivotal Role of HR in Cybersecurity
 
Malware from the Consumer Jungle
Malware from the Consumer JungleMalware from the Consumer Jungle
Malware from the Consumer Jungle
 
Keeping Control: Data Security and Vendor Management
Keeping Control: Data Security and Vendor ManagementKeeping Control: Data Security and Vendor Management
Keeping Control: Data Security and Vendor Management
 
Fall2015SecurityShow
Fall2015SecurityShowFall2015SecurityShow
Fall2015SecurityShow
 
How To Promote Security Awareness In Your Company
How To Promote Security Awareness In Your CompanyHow To Promote Security Awareness In Your Company
How To Promote Security Awareness In Your Company
 
The Dark Net
The Dark NetThe Dark Net
The Dark Net
 
Mengenal Internet Security
Mengenal Internet SecurityMengenal Internet Security
Mengenal Internet Security
 
Employee Security Awareness Program
Employee Security Awareness ProgramEmployee Security Awareness Program
Employee Security Awareness Program
 
Employee security awareness communication
Employee security awareness communicationEmployee security awareness communication
Employee security awareness communication
 
Cyber security awareness for students
Cyber security awareness for studentsCyber security awareness for students
Cyber security awareness for students
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
 
Cyber crime and security
Cyber crime and securityCyber crime and security
Cyber crime and security
 

Similaire à Cybersecurity Employee Training

BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity Literacy
Casey Fleming
 
Cyber Security at CTX15, London
Cyber Security at CTX15, LondonCyber Security at CTX15, London
Cyber Security at CTX15, London
John Palfreyman
 
Iob gm's lecture 7th jan 2014 GRC and corporate governance in Financial serv...
Iob gm's lecture 7th jan 2014  GRC and corporate governance in Financial serv...Iob gm's lecture 7th jan 2014  GRC and corporate governance in Financial serv...
Iob gm's lecture 7th jan 2014 GRC and corporate governance in Financial serv...
subramanian K
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
Daren Dunkel
 

Similaire à Cybersecurity Employee Training (20)

CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19CS Sakerhetsdagen 2015 IBM Feb 19
CS Sakerhetsdagen 2015 IBM Feb 19
 
Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland Cybrary's navigating a security wasteland
Cybrary's navigating a security wasteland
 
5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams 5 Questions Executives Should Be Asking Their Security Teams
5 Questions Executives Should Be Asking Their Security Teams
 
SC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey ResultsSC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey Results
 
SC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey ResultsSC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey Results
 
5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management5 Steps to Mobile Risk Management
5 Steps to Mobile Risk Management
 
Mobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk ManagementMobile Security: 5 Steps to Mobile Risk Management
Mobile Security: 5 Steps to Mobile Risk Management
 
Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...Internal or insider threats are far more dangerous than the external - bala g...
Internal or insider threats are far more dangerous than the external - bala g...
 
BLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity LiteracyBLACKOPS_USCS CyberSecurity Literacy
BLACKOPS_USCS CyberSecurity Literacy
 
Smarter cyber security v8
Smarter cyber security v8Smarter cyber security v8
Smarter cyber security v8
 
Cyber Security at CTX15, London
Cyber Security at CTX15, LondonCyber Security at CTX15, London
Cyber Security at CTX15, London
 
2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity2014 the future evolution of cybersecurity
2014 the future evolution of cybersecurity
 
Segurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago CavannaSegurinfo2014 Santiago Cavanna
Segurinfo2014 Santiago Cavanna
 
Cyber Security and the CEO
Cyber Security and the CEOCyber Security and the CEO
Cyber Security and the CEO
 
csxnewsletter
csxnewslettercsxnewsletter
csxnewsletter
 
7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec7350_RiskWatch-Summer2015-Maligec
7350_RiskWatch-Summer2015-Maligec
 
Cultivate a stronger corporate culture to enhance cybersecurity
Cultivate a stronger corporate culture to enhance cybersecurityCultivate a stronger corporate culture to enhance cybersecurity
Cultivate a stronger corporate culture to enhance cybersecurity
 
Iob gm's lecture 7th jan 2014 GRC and corporate governance in Financial serv...
Iob gm's lecture 7th jan 2014  GRC and corporate governance in Financial serv...Iob gm's lecture 7th jan 2014  GRC and corporate governance in Financial serv...
Iob gm's lecture 7th jan 2014 GRC and corporate governance in Financial serv...
 
Ask the Experts final
Ask the Experts finalAsk the Experts final
Ask the Experts final
 
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
 

Plus de Paige Rasid

Plus de Paige Rasid (20)

Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar SeriesCyber Liability & Cyber Insurance - Cybersecurity Seminar Series
Cyber Liability & Cyber Insurance - Cybersecurity Seminar Series
 
Women Of Innovation® 2016 Honoree Bios & Event Program
Women Of Innovation® 2016 Honoree Bios & Event ProgramWomen Of Innovation® 2016 Honoree Bios & Event Program
Women Of Innovation® 2016 Honoree Bios & Event Program
 
CS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & FraudCS3: Cybersecurity Extortion & Fraud
CS3: Cybersecurity Extortion & Fraud
 
2015 Marcum TT40 Program
2015 Marcum TT40 Program2015 Marcum TT40 Program
2015 Marcum TT40 Program
 
2015 Marcum Tech Top 40 Awards
2015 Marcum Tech Top 40 Awards 2015 Marcum Tech Top 40 Awards
2015 Marcum Tech Top 40 Awards
 
Social Media & Mobile Tech - CVG Entrepreneur and Investor Event
Social Media & Mobile Tech - CVG Entrepreneur and Investor EventSocial Media & Mobile Tech - CVG Entrepreneur and Investor Event
Social Media & Mobile Tech - CVG Entrepreneur and Investor Event
 
Life Cycle of a Data Breach - Cybersecurity Seminar Series
Life Cycle of a Data Breach - Cybersecurity Seminar SeriesLife Cycle of a Data Breach - Cybersecurity Seminar Series
Life Cycle of a Data Breach - Cybersecurity Seminar Series
 
Women of Innovation 2015 Program
Women of Innovation 2015 ProgramWomen of Innovation 2015 Program
Women of Innovation 2015 Program
 
Cybersecurity Seminar Series - March 30
Cybersecurity Seminar Series - March 30Cybersecurity Seminar Series - March 30
Cybersecurity Seminar Series - March 30
 
CVG - Medical Devices 2015
CVG - Medical Devices 2015CVG - Medical Devices 2015
CVG - Medical Devices 2015
 
Impact of IT on the healthcare industry
Impact of IT on the healthcare industryImpact of IT on the healthcare industry
Impact of IT on the healthcare industry
 
Public Policy Agenda
Public Policy AgendaPublic Policy Agenda
Public Policy Agenda
 
IT summit 2014-program
IT summit 2014-programIT summit 2014-program
IT summit 2014-program
 
2014 Innovation Summit Program
2014 Innovation Summit Program2014 Innovation Summit Program
2014 Innovation Summit Program
 
Marcum TT40 Presentation 2014
Marcum TT40 Presentation 2014Marcum TT40 Presentation 2014
Marcum TT40 Presentation 2014
 
Marcum Tech Top 40 Program 2014
Marcum Tech Top 40 Program 2014Marcum Tech Top 40 Program 2014
Marcum Tech Top 40 Program 2014
 
September 2014 | Social Media and Mobile Tech
September 2014 | Social Media and Mobile Tech September 2014 | Social Media and Mobile Tech
September 2014 | Social Media and Mobile Tech
 
Q2 2014 shaking the money tree
Q2 2014 shaking the money treeQ2 2014 shaking the money tree
Q2 2014 shaking the money tree
 
CVG - Education Technology Software - Second Thursday Event - July 2014
CVG - Education Technology Software - Second Thursday Event - July 2014 CVG - Education Technology Software - Second Thursday Event - July 2014
CVG - Education Technology Software - Second Thursday Event - July 2014
 
2014 Women of Innovation(r) presented by the Connecticut Technology Council
2014 Women of Innovation(r) presented by the Connecticut Technology Council2014 Women of Innovation(r) presented by the Connecticut Technology Council
2014 Women of Innovation(r) presented by the Connecticut Technology Council
 

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Dernier (20)

Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Cybersecurity Employee Training

  • 1. Employee Training & Awareness – A Critical Element in Cybersecurity Resilience
    Ben Smith, CISSP (@Ben_Smith), Field CTO (East), Security Portfolio
  • 2. Agenda
    1. Looking in the mirror
    2. Failures of awareness, failures of behavior
    3. What does success look like?
    4. Additional resources
    SAMPLE REFERENCE – “Hunting for Sharks’ Teeth (and Other IOCs)” https://blogs.rsa.com/hunting-sharks-teeth-iocs/
    © Copyright 2015 EMC Corporation. All rights reserved.
  • 3. What you will NOT hear from me today…
    • “It’s not about if you get breached; it's when you get breached.”
    • “Even large enterprises that have millions of dollars to spend on security got breached, so everyone is at risk.”
    • “The breaches we have seen so far are just the beginning – bigger breaches are coming.”
    • “Legacy security technologies are of limited value in the face of advanced persistent threats.”
    • “Security incidents can put you out of business.”
    Gartner, “The Future of Security Sales Revolves Around Digital Risk” (May 2015) [G00278090]
  • 4. Beware These Cop-Out Statements!
    • “We’re not very visible.” – It doesn’t matter if your company has a widely known public brand or not
    • “But we’ve never had a breach.” – Don’t confuse luck with competence
    • “The probability of this happening is so low that I’ll take my chances.” – It’s unlikely that anyone in the organization knows the probability of certain security incidents happening
    Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563]
  • 5. Beware These Cop-Out Statements!
    • “We’re a small organization.” – A much bigger factor today than the size of your organization is whether you have information that is valuable to attackers now, or will be valuable in the future
    • “We have insurance.” – Read the fine print to ensure you know exactly what will be covered by your insurance policy, and remember… cyberinsurance is not a get-out-of-jail-free card
    Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563]
  • 6. What is “Security Awareness”?
    • Education …study a topic in depth
    • Training …produce relevant skills & competencies
    • Awareness …focus attention, recognize & respond, change behavior
    Mark Wilson, “A Crash Course in Awareness versus Training versus Education versus Certification (An Off-Kilter Look)” (Feb 2014) http://csrc.nist.gov/organizations/fissea/2014-conference/presentations/fissea_2014_mwilson.pdf
  • 7. Security Awareness, by the Numbers
    • The good news (from the management front)
      – “Security awareness” as a priority has risen: 56% ► 71% (from 2010 to 2014)
    • The bad news (from the employee front)
      – 53% are aware of their employer’s current security policies
      – 38% say they have received training on staying secure at work
      – 22% of information workers are concerned about security
    Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
  • 8. Why Do Security Awareness Programs Fail?
    • Staff are not emotionally involved
    • Objectives are not aligned with the ultimate goal
    • Bland and generic content fails to help the audience
    • Employers settling for a one-time, compliance-driven approach
    Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
  • 9. Awareness =? Behavior Change
    • Behavior change is an ambitious (and necessary) goal!
      – Learning in the correct context
      – Repeating actions to embed knowledge
      – Rewarding staff to encourage new habits
    Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
  • 10. 3 Key Processes to Change Culture & Behavior
    1. Speak a common language (business) to align incentives
      – Shift security and risk to a shared business issue from an IT-specific responsibility
    2. Redefine data ownership to spread security and privacy mindfulness
      – Accountability = the business units, not IT
    3. Cultivate “right choice” decision-making
      – Produce targeted security awareness training that is relevant for employees beyond the work environment
    Forrester, “Instill A Culture Of Data Security And Privacy: Equip Your Workforce To Augment The Security Team” (Mar 2015) [101761]
  • 11. Beyond the work environment
    • “Crossover areas” of importance
      – Password reuse across accounts
      – Connecting to public Wi-Fi access points
      – Presence on social media sites
      – Social engineering
      – Phishing
  • 12. Define Measurable Outcomes
    • Focus on discrete, clearly phrased, measurable outcomes in all objectives for security awareness
    • Avoid poorly-defined outcomes
      – “Increase the awareness of employees…”
      – “Ensure that all employees understand…”
      – “Effectively communicate corporate goals and principles regarding security risks”
    Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]
  • 13. Define Measurable Outcomes (figure)
    Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]
  • 14. One Size Fits All?
    Gartner, “Segment Your Audience for Effective Security Awareness Communications” (Feb 2015) [G00271825]
    (Figure: audience segmentation matrix. Dimensions: Office Bound / Mobile; Digital Immigrant / Digital Native. Personas: Coffee Machine Communicator, Road Warrior, Facebook Friend, Tablet Traveler. Axes: Group behavior / Individual behavior; Watch your mouth / Watch your typing.)
    • Lock up before you leave
    • Keep your desk clean
    • Avoid loose talk in public
    • Be aware of the dangers of multichannel multitasking
    • Be aware of the risks of mixing work and pleasure
    • Protect your devices
    • Be aware of shoulder surfing
    • Avoid loose talk in public
    • Don’t share devices
    • Don’t share credentials
    • Be aware of media dangers
    • Humanize data
  • 15. Case Study: Large Company
    • Management buy-in & sponsorship
    • Cross-functional “campaign” approach
    • Marketing, branding
      – One-line tagline used with all communications
    • Identification of “awareness vehicles”
      – Intranet
      – One-page, once monthly
      – Audio vignette
      – Audio message from Executive
      – Management briefings
      – Awareness giveaways
      – Contest
      – Events
      – Email Q&A list
    Allen Smith & Nancy Toppel, “Case Study: Using Security Awareness to Combat the Advanced Persistent Threat” (Jun 2009) http://cisse.info/resources/archives/category/12-papers?download=131:s03p02-2009
  • 16. Some Content Ideas
    • Make it personal for employees
      – Security best practices inside and outside the workplace
    • Treat communication like a Hollywood movie
      – Clips, tasters, and teasers ahead of deployment can build tension and interest
    • Embed elements of novelty & use unexpected delivery channels
      – Draw attention to a message by making it appear outside of its normal, or expected, context
    Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
  • 17. Some Content Ideas
    • Reinforce the message at teachable moments
      – Near-misses (your organization, or others in the news)
      – One-on-one guidance following (failed) phishing tests
    • Test gamification tactics
      – Set up friendly competition among staff
      – Create scenarios where employees compete with each other, or for personal “best scores”
    Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]
  • 18. Gamification
    Ira Winkler & Samantha Manke, “Gamifying Security Awareness” (Feb 2014) http://www.rsaconference.com/writable/presentations/file_upload/hum-t07a-gamifying-security-awareness.pdf
  • 19. Additional (Free!) Resources
    • SANS “OUCH!” newsletter
      – https://www.securingthehuman.org/resources/newsletters/ouch/2015
      – Shopping Online Securely (Nov)
      – Password Managers (Oct)
      – Two-Step Verification (Sep)
      – Backup & Recovery (Aug)
      – Social Media (Jul)
      – Educating Kids on Cyber Safety (Jun)
      – Securing the Cyber Generation Gap (May)
      – Passphrases (Apr)
      – Gaming Online Safely & Securely (Mar)
      – Staying Secure on the Road (Feb)
  • 20. Additional (Free!) Resources
    • SANS “Securing the Human” blog
      – https://www.securingthehuman.org/blog/
    • National Cyber Security Alliance: Business Safe Online Resources
      – https://www.staysafeonline.org/business-safe-online/resources/
    • NIST SP 800-50, “Building An Information Technology Security Awareness and Training Program” (Oct 2003)
      – http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
      – See Section 4, “Developing Awareness and Training Material”
  • 21. Additional (Free!) Resources
    • DHS US-CERT: National Cyber Awareness System – Tips
      – https://www.us-cert.gov/ncas/tips
    • DHS “Stop.Think.Connect.” Campaign
      – http://www.dhs.gov/stopthinkconnect
      – http://www.dhs.gov/publication/stopthinkconnect-small-business-resources
    • RSAC CyberSafety: Kids initiative
      – http://www.rsaconference.com/about/rsac-cyber-safety
  • 22. Other Thoughts from Industry
    • Pro
      – “The ABC’s of Security Behavioral Influence” (Geordie Stewart, 2015) http://www.risk-intelligence.co.uk/7-habits-of-highly-successful-security-policies/
      – “The 7 elements of a successful security awareness program” (Ira Winkler & Samantha Manke, 2014) http://www.csoonline.com/article/2133408/network-security/the-7-elements-of-a-successful-security-awareness-program.html
      – “Information Security Awareness - Down, But Not Out” (Salvatore Paladino, 2013) http://www.csoonline.com/article/2136488/security-awareness/information-security-awareness---down--but-not-out---by-salvatore-c--paladino.html
      – “Security Awareness Education” (“Ben Ten” @Ben0xA, 2013) http://ben0xa.com/security-awareness-education/
      – “Arguments Against Security Awareness Are Shortsighted” (Ira Winkler, 2013) http://www.darkreading.com/risk/arguments-against-security-awareness-are-shortsighted/d/d-id/1139417?print=yes
      – “Schneier, Winkler and the Great Security Awareness Training Debate” (Stephen Cobb, 2013) http://www.welivesecurity.com/2013/03/27/schneier-winkler-and-the-great-security-awareness-training-debate/
      – “Ten commandments for effective security training” (Joe Ferrara, 2012) http://www.csoonline.com/article/2131688/security-awareness/ten-commandments-for-effective-security-training.html
      – “Security awareness can be the most cost-effective security measure” (Ira Winkler, 2012) http://www.csoonline.com/article/2131999/metrics-budgets/security-awareness-can-be-the-most-cost-effective-security-measure.html
      – “Security Awareness Programs: Now Hear This!” (Lew McCreary, 2006) http://www.csoonline.com/article/2120826/strategic-planning-erm/security-awareness-programs--now-hear-this-.html
    • Con
      – “Security Awareness Training” (Bruce Schneier, 2013) https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html
      – “Why you shouldn't train employees for security awareness” (Dave Aitel, 2012) http://www.csoonline.com/article/2131941/security-awareness/why-you-shouldn-t-train-employees-for-security-awareness.html
  • 23. Contact
    http://BenSmith.SE/twitter
    http://BenSmith.SE/linkedin