Lance Spitzner securingthehuman.sans.org lspitzner@sans.org @securethehuman
WindowsOS vs. HumanOS (timeline slide, 2002 to 2014)
Security controls added to the Windows OS over that period: Trustworthy Computing, Microsoft Secure Development Lifecycle, Firewall Enabled by Default, Automatic Updating, Software Restriction Policies, Data Execution Protection (DEP), Baseline Security Analyzer, Malicious Software Removal Tool, Windows Defender, Microsoft Security Essentials, Encrypted File System, BitLocker, User Account Control, Mandatory Integrity Control, Windows Service Hardening, AppLocker, ASDL, EMET
HumanOS (shown on the same timeline for contrast)
Security Awareness Maturity Model
Stages: Non-existent → Compliance Focused → Promoting Awareness & Behavior Change → Long-Term Sustainment & Culture Change → Metrics Framework
Fogg Behavior Model
Communication
• Most organizations have teams of security experts and know what the human risks are.
• Where we fail is communicating the solution – curse of knowledge.
• Security Communications Officer
2016 Sec Awareness Report
Start with WHY
• Why does cyber security matter?
• Communicate at an emotional level, do not rationalize
• Condense the message to its core, something people can easily understand.
– Kotter [Leading Change] calls this the Vision
– Heath [Made to Stick] calls this the Commander's Intent.
How Organization Benefits
Instead of changing your culture, play on your organization's existing culture
– Industrial Control System (ICS) industries have a very strong safety culture; cyber security contributes to safety
– Healthcare has a strong culture of patient care; cyber security contributes to the wellbeing of patients
– Where does your employees' pride come from?
How Individual Benefits
• Keep the message positive, focus on how security enables (addresses the blocker issue)
• Your awareness topics are the same for both home and work, so focus on the personal benefit
– Far more likely to listen
– Security becomes part of their DNA, same behaviors at home and work
Organizational Culture
• How do we communicate this new vision?
• Start with defining your culture
– Conservative vs. outgoing
– Different definitions of offensive
– Generational differences
– Localization
• You may have multiple cultures
Outgoing
• Examples include marketing firms, technology companies, universities, and hospitality
• Outgoing cultures prefer
– Using the latest technology such as social media or mobile devices
– Watching content as opposed to reading content
– Fun / entertaining material
Conservative
• Examples include financials, insurance, defense industry or law firms
• Conservative cultures prefer
– Content that is subdued and professional
– Reading content as opposed to watching content
– May prefer to work directly with people
• A conservative culture can be an advantage: easier to stand out
Push vs. Pull
• Push: Sending information to people
• Pull: People get information on their own
– People are too busy for scheduled events
– People's e-mail boxes are overwhelmed
– Communications departments are limiting what you can push out
– Competing with other training communications
Computer Based Training
Newsletters
• Monthly or quarterly newsletter
• Keep it short, non-technical, and easy to read; include contact information
• Track downloads
• Be prepared for it to go home / go viral
Security Blog
• Simple, interactive way to reach people on their own schedule
• Update your blog 1-3 times a week with engaging content
• Titles are everything
• Engaging content that is not too long or too short
Promotional Items
Example item: "Do Not Write Your Password On This"
Mascots / Tag Lines
Example mascot speech bubbles: "I don't like it here! There is nothing to eat!" vs. "I like it here! There is lots of information to satisfy my stomach!"
Self-Education (Pull Method)
Create a central security portal for employees
– Links to trusted tools
– Downloads for materials and presentations
– Security Blog or news updates
– Online form for submitting questions or incidents
– Scan my computer
– Glossary of terms or FAQ
– Examples / results of phishing assessments
– Training or internally created videos
– Update the site regularly so people want to return
Ambassador Program
• Instead of training coming from the top down, the training comes from peers
• Security team trains volunteers to become ambassadors, provides ambassadors with resources, then 'embeds' them throughout the organization
• Have ambassadors help create your materials
Ambassador Keys to Success
• Motivation
– Recognize ambassadors for their work (e-mail their boss / HR, letter from CEO, team shirts)
– Chance to build their network throughout the org
– Chance to develop new skills / make a difference
• Ability
– Train ambassadors
– Provide resources such as a portal, dedicated mailing list, premade FAQs, and presentations
– Budget
Gamification
• The concept of turning learning into a game
– www.khanacademy.org
– www.codeacademy.org
• Recognize people for secure behaviors through levels, badges or progression maps so people can visualize their progress
• Not for everyone
Salesforce
Leveraging Leadership
• Ensure your leaders understand the important role they play
• Often leaders believe in your security mission, but do not know how to demonstrate that. Give them examples of key behaviors to show or things to say to employees
• Reach them through their assistants
Summary
Communication is where most awareness programs fail. The key to making it stick is to focus on how people benefit and to reach them through multiple methods.
securingthehuman.sans.org/events