Don't let compliance-driven security awareness training stop you from educating your workforce and producing meaningful results with education, training, and awareness.
2. Speaker Biography
Keyaan Williams
www.linkedin.com/in/keyaan
@KeyaanWilliams
• 15+ years fighting the InfoSec leadership battle
• Knows a few things about information security governance and what it takes to build a successful security program
• Helps other security leaders build successful governance, risk management, and compliance (GRC) programs
• Also helps start-ups, small businesses, non-profits, and university enterprises produce big business success
Adventures in Security Awareness: Practical Advantages of an Educated Workforce
3. Forcing users to complete annual security training to check boxes is rubbish!
There are better ways to use education, training, and awareness to improve security.
4. Outline
Definitions
The Compliance-Driven Approach
The Compliance-Driven Problem
A Culture-Driven Alternative
Every Security Person Can Contribute
Summary and Q&A
5. Definitions
Understanding the words we are using will help drive the point home.
6. Practical
Adjective: of or concerned with the actual doing or use of something rather than with theory and ideas.
7. Education
Education focuses on transferring knowledge or information via communication tools that produce long-term retention.
8. Training
Training focuses on activities, coaching, and feedback that develop new skills or new knowledge that students can apply to their work.
9. Awareness
Awareness focuses on the increased perception of facts or information.
10. The Compliance-Driven Approach to “Security Awareness Training”
The regulators made me do it!
11. What normally happens
Compliance defines the approach rather than tailoring something unique for the organization.
Education, training, and awareness are consolidated into one big blob that is a single objective/activity.
Education, training, and awareness are not distinct activities with specific, individual purposes.
12. The Compliance Perspective
“The organization will be more secure because you gave users security training and you confirmed that everyone participated at least annually.”
13. ISO 27001 and 27002
“All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”
14. NIST 800-53, AT-2
“The organization provides basic security awareness training to information system users.”
15. PCI-DSS
“Implement a formal security awareness program to make all personnel aware of the cardholder data security policy.”
16. PCI DSS v3.2
Testing procedures (12.6.1 and 12.6.2)
• Verify people attend training when hired and at least annually.
• Obtain acknowledgement that people have read and understand the security policy.
17. The Compliance-Driven Problem
Compliance provides a budget, but it doesn’t tell me how to be effective.
18. The compliance problem
Compliance incentivizes a generic approach that rarely changes behavior or has a meaningful impact.
19. The compliance problem
Compliance requires no validation that users can apply what they learned to their work.
20. The compliance problem
Compliance measures how many, but not how effective.
Does theory produce practical results?
21. The Worst Case
• Content has nothing to do with the organization or its current threats
• It is optional or some people are forgotten
• It only focuses on phishing and makes people afraid to check their e-mail
• It produces no change in user-generated security events
22. A Culture-Driven Alternative
What can we do to make this work for everyone?
23. What does culture have to do with anything?
Sociology 101: Culture is the sum of attitudes, customs, and beliefs that distinguishes one group of people from another.
This should drive the content of education, training, and awareness at an organization.
24. Security Theory and Culture Collide
Incorporating security theory from education, training, and awareness into the culture of the organization can practically make the organization more secure.
25. This is about changing (or strengthening) security culture
• Emphasize what is important.
• Reward behaviors that reflect what is important.
• Discourage behaviors that do not reflect what is important.
• Model the behaviors that you want to see in the workplace.
C. McNamara, "Organizational Culture," Authenticity Consulting, LLC, 2000. [Online]. Available: http://managementhelp.org/organizations/culture.htm#influence. [Accessed June 2016]
26. What is important?
• Assets and how we protect them.
• Data and how we protect it.
• People and how we protect them.
• Stakeholders and how we protect their interests.
27. What is good behavior?
• Follow policies, procedures, and standards.
• Report anomalies and strange events: “see something; say something.”
• Conduct activities ethically.
28. How do we discourage bad behavior?
• Frown at nonconformists; peer pressure is effective.
• Formalize recourse in policies and standards (e.g., HR and performance reviews).
29. How do we reward good behavior?
• Money
• Recognition
30. A Simple Culture Case Study
The simplicity of cause, effect, and human behavior.
31. Rewarding good behavior influences the workforce.
Most people want the reward.
“I want recognition that produces a reward” → “I inform security operations about suspicious e-mail” → “They recognize me or give me money”
32. Every Security Person Can Contribute
I am not part of the security awareness team. What does it have to do with me?
33. Every Security Person Can Contribute
You don’t have to be a CISO, Director, or Security Leader to contribute to the practical security education of your organization.
34. Every Security Person Can Contribute
Practitioners have a great opportunity to communicate relevant information and influence behavior as part of their interactions with people.
35. Every Security Person Can Contribute
You are a professional; you know a lot!
Share that information with everyone you encounter.
36. Every Security Person Can Contribute
Tailor content based on the audience.
Tell executives, managers, IT personnel, and non-IT end users the same story, but package the story differently based on the risk each group faces.
37. Every Security Person Can Contribute
Discreetly retrain compromised users.
You don’t have to embarrass people to get them to change.
38. Every Security Person Can Contribute
Bedside manner is important!
Don’t be a donkey about it.
39. Case Study 2
Combining incident response and user re-education to improve security.
40. Combining security awareness and incident response to improve security
User causes event → CSIRT activated → Root cause analysis → Results shared with user → Anonymized results shared with workforce → # similar events decreases
This actually happened!
41. User causes event
“Oh my! I downloaded a malicious file from a suspicious e-mail.”
42. Case Study: CSIRT activated
Enterprise controls detect the IOC and the Computer Security Incident Response Team (CSIRT) is activated to provide remediation.
43. Case Study: Root cause analysis
The CSIRT conducts root cause analysis to identify the malicious software’s impact and method of installation.
44. Case Study: Results shared with user
Findings from the root cause analysis are shared with the user.
• The user understands his or her part in the activity.
• This understanding prevents a repeat offense.
45. Case Study: Anonymized results shared with workforce
Results are anonymized to protect the image of the affected user and shared with the workforce.
• The affected user is not embarrassed.
46. Case Study: # similar events decreases
• Everyone learns from a single mistake.
• Other users are less likely to repeat the actions.
• A culture of respect increases the likelihood that users will report anomalous events.
47. Summary
What should I remember from this conversation?
48.
1. Compliance requires security awareness training, but a compliance-driven approach is the wrong approach.
2. Effective education, training, and awareness can reduce the risk introduced by users.
3. Effective training is tailored, interactive, and meaningful.
4. Awareness is important to reinforce ideas.
5. All security personnel can contribute to education, training, and awareness in an organization.
Speaker notes
The Awareness and Training (AT) family has 5 controls.
NIST SP 800-50 provides supplemental guidance for Building an IT Security Awareness and Training Program.