
Building a Strategic Plan for Your Security Awareness Program






Presentation Transcript


  1. Building a Strategic Plan for Your Security Awareness Program Lance Spitzner HUM-T09 Director SANS Securing The Human @lspitzner

  2. Slide graphic: timeline (2002, 2004, 2006, 2008, 2010, 2012, 2014) of Windows OS security controls added over the years, set against the HumanOS. Controls shown: Trustworthy Computing, Software Restriction Policies, Microsoft Secure Development Lifecycle, Automatic Updating, Firewall Enabled by Default, Baseline Security Analyzer, Data Execution Protection (DEP), Malicious Software Removal Tool, ASDL, Windows Defender, User Account Control, Bitlocker, Windows Service Hardening, Mandatory Integrity Control, AppLocker, Encrypted File System, Microsoft Security Essentials, EMET.

  3. Security Awareness Maturity Model (lowest to highest maturity):
     • Nonexistent
     • Compliance Focused
     • Promoting Awareness & Behavior Change
     • Long-Term Sustainment & Culture Change
     • Metrics Framework

  4. Your Strategic Plan: WHO, WHAT, HOW

  5. WHO Are You Targeting?
     • Different targets require different or additional content and communication methods:
        • Employees
        • Contractors / Vendors
        • IT Staff / Developers
        • Senior Management
        • Accounts Payable / HR
     • Many organizations start with just all employees, but as their programs mature, they identify unique sub-groups

  6. Defining Who

  7. WHAT Do You Teach?
     • Focus on topics that have the greatest ROI:
        • People can remember only so much (cognitive overload)
        • You have limited time and resources to teach
        • Fewer topics are easier to reinforce
        • Avoid “training fatigue”
     • Identify the greatest human risks to your organization, and then develop training modules to address each of those risks

  8. Verizon DBIR

  9. Qualitative Analysis (slide graphic): a probability × impact matrix, each axis rated VL / 1, L / 2, M / 3, H / 4, VH / 5. Plotted examples: Phishing at probability 4 and impact 4, score 16; Tracking Cookies at the extremes 5 and 1, score 5.
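The matrix on slide 9 and the "fewest, highest-ROI topics" rule on slide 7 together amount to a small prioritization routine. The following is an added example, not code from the presentation or from SANS: it scores a human-risk register on the talk's 5×5 scale (VL/1 to VH/5 on each axis, score = probability × impact) and picks the top few risks to build modules for. Only the Phishing (4 × 4 = 16) and Tracking Cookies (factors 5 and 1) entries come from the slide; every other risk, rating and behavior is a constructed sample, as is the `HumanRisk` class.

```python
"""Qualitative human-risk analysis on the talk's 5x5 probability/impact scale.

Added example, not from the original presentation. The scale labels
(VL/1 .. VH/5) and the two plotted risks on slide 9 (Phishing scored 4 x 4 = 16,
Tracking Cookies scored from factors 5 and 1) come from the deck; every other
risk, rating and behavior below is a constructed sample.
"""
from dataclasses import dataclass

# Ordinal scale used on both axes of the matrix (slide 9).
SCALE = {"VL": 1, "L": 2, "M": 3, "H": 4, "VH": 5}


@dataclass(frozen=True)
class HumanRisk:
    name: str
    probability: str  # one of VL, L, M, H, VH
    impact: str       # one of VL, L, M, H, VH
    behavior: str     # the behavior a training module would try to change

    def __post_init__(self):
        # Reject ratings outside the scale early instead of failing inside score().
        for label in (self.probability, self.impact):
            if label not in SCALE:
                raise ValueError(f"unknown rating {label!r}; expected one of {list(SCALE)}")

    def score(self) -> int:
        """Risk score = probability rating x impact rating (1..25)."""
        return SCALE[self.probability] * SCALE[self.impact]


def rank_risks(risks):
    """Highest score first; ties broken by name so the ranking is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))


def select_topics(risks, max_topics):
    """Slide 7: teach only the few highest-ROI topics to avoid cognitive overload.

    Returns (risk name, behavior) pairs for the top-scoring risks.
    """
    return [(r.name, r.behavior) for r in rank_risks(risks)[:max_topics]]


# Constructed risk register; only Phishing and Tracking Cookies appear on slide 9.
RISK_REGISTER = [
    HumanRisk("Phishing", "H", "H", "Report suspicious e-mail instead of clicking"),
    HumanRisk("Tracking Cookies", "VH", "VL", "(no module: low impact)"),
    HumanRisk("Password sharing", "M", "H", "Never share passwords; use a password manager"),
    HumanRisk("Lost mobile device", "M", "M", "Enable screen lock and report a loss the same day"),
    HumanRisk("Tailgating", "L", "H", "Challenge unbadged visitors"),
]


if __name__ == "__main__":
    for r in rank_risks(RISK_REGISTER):
        print(f"{r.score():>3}  {r.name:<20} P={r.probability} I={r.impact}")
    print("Topics to teach:", [n for n, _ in select_topics(RISK_REGISTER, 3)])
```

Run as-is, the register ranks Phishing (16) first and Tracking Cookies (5) last: a very likely but low-impact risk falls below the cut, which is the point of the matrix. Each register entry carries the behavior to change, so the selected topics map directly onto the learning objectives and, later, onto the impact metrics.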

  10. Learning Objectives - Bad
     • A common security awareness topic is passwords:
        • Minimum of 12 characters
        • 1 symbol
        • 1 number
        • 1 capital letter
        • No two repeated letters
        • Change every 90 days
     • Costs associated with this

  11. Learning Objectives - Good
     • Do not get infected
     • Do not share your passwords
     • Do not log in using untrusted systems
     • Personal questions are just another password
     • Passphrases (“Where is my Coffee?”)
     • Password Managers
     • Use two-step verification whenever possible

  12. HOW to Change Behavior. Security teams have to think like marketing, communications or sales people. Awareness is a product we are attempting to ‘sell’. Connect with people at an emotional, creative level. Why does cyber security matter?

  13. Curse of Knowledge

  14. Why Cyber Security Matters

  15. Engagement
     • Centers for Disease Control (CDC) had a long-term awareness campaign on preparing for disasters; no one was listening
     • May 16, 2011: posted a blog on preparing for the "Zombie Apocalypse"
     • Three hours later, the network collapsed; 2 days later, they made an official public announcement

  16. Push Versus Pull
     • Push: Sending information to people
     • Pull: People get information on their own
     • Pull method is becoming more common and popular:
        • Online / Computer Based Training
        • Podcasts / blogs
        • Newsletters / Posters
        • Booth events
        • Ambassador programs

  17. Primary vs. Reinforcement
     • Primary: Typical annual training
        • Mandatory / compliance
        • Lays foundation for people
        • Instructor Led / Computer Based
     • Reinforcement: Rest of the year
        • Not mandatory / engaging
        • One topic at a time
        • Numerous ways to communicate

  18. Turkcell I like it here, there is a lot of information to satisfy my stomach! Don’t feed the monster.

  19. Annual Program

  20. Two Types of Metrics
     • Compliance Metrics: Measure the deployment of your awareness program. Are you compliant?
     • Impact Metrics: Measure the impact of your awareness program. Are you changing behavior?

  21. Impact Metrics. Every metric should tie to a specific behavior that helps manage a human risk you care about:
     • Phishing
     • ID Badges / Drafting
     • Dumpster diving
     • Phone calls
     • Data Loss Prevention (DLP)
     • Screenlock use
     • Mobile device loss

  22. Metrics – Key Points
     • Biggest difference between technical and human metrics is that humans have feelings
     • Announce your metrics program ahead of time, and then start slow and simple
     • Do not embarrass people (no Viagra e-mails). Do not release names of those who fail. Only notify management of repeat offenders
     • Focus on real-world risks, do not “trick” people
     • Always make sure there are at least two ways to detect an assessment
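Slides 20 to 22 describe two kinds of metric and the rules for reporting them. The following is an added example, not code from the presentation or from SANS, showing how a team might compute both from its own records: a compliance metric (share of staff who completed the annual training) and impact metrics from a simulated-phishing assessment (click rate and report rate per department per round, each tied to a behavior as slide 21 asks). The report it produces follows slide 22: results are aggregated per group, nobody is named for a single failure, and only repeat offenders are listed for management. The staff roster, the assessment records and the threshold of three failures are all constructed samples, not the talk's numbers.

```python
"""Compliance metrics vs. impact metrics for an awareness program (slides 20-22).

Added example, not from the original presentation. All staff and phishing
assessment records below are constructed samples. The reporting rules follow
slide 22: results are aggregated per group, no individual is named for a
single failure, and only repeat offenders are listed for management.
"""
from collections import Counter, defaultdict

# Slide 22: only repeat offenders are escalated to management (threshold is constructed).
REPEAT_THRESHOLD = 3

# Constructed staff roster: (user_id, department, completed_annual_training)
STAFF = [
    ("u1", "Accounts Payable", True),
    ("u2", "Accounts Payable", True),
    ("u3", "Accounts Payable", False),
    ("u4", "Engineering", True),
    ("u5", "Engineering", True),
    ("u6", "Engineering", True),
]

# Constructed simulated-phishing results: (round, user_id, clicked, reported)
# 'reported' is the second behavior measured (slide 21 ties every metric to a
# behavior): reporting the e-mail instead of clicking it.
PHISH_RESULTS = [
    (1, "u1", True, False), (1, "u2", True, False), (1, "u3", True, False),
    (1, "u4", True, False), (1, "u5", False, True), (1, "u6", False, True),
    (2, "u1", True, False), (2, "u2", False, True), (2, "u3", True, False),
    (2, "u4", False, False), (2, "u5", False, True), (2, "u6", False, True),
    (3, "u1", True, False), (3, "u2", False, True), (3, "u3", False, True),
    (3, "u4", False, True), (3, "u5", False, True), (3, "u6", False, True),
]


def compliance_rate(staff):
    """Compliance metric: fraction of staff who completed the annual training."""
    return sum(1 for _, _, done in staff if done) / len(staff)


def impact_by_department(staff, results, round_no):
    """Impact metric: click rate and report rate per department for one round."""
    dept_of = {uid: dept for uid, dept, _ in staff}
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    for rnd, uid, clicked, reported in results:
        if rnd != round_no:
            continue
        s = stats[dept_of[uid]]
        s["sent"] += 1
        s["clicked"] += int(clicked)
        s["reported"] += int(reported)
    for s in stats.values():
        s["click_rate"] = s["clicked"] / s["sent"]
        s["report_rate"] = s["reported"] / s["sent"]
    return dict(stats)


def repeat_offenders(results, threshold=REPEAT_THRESHOLD):
    """Users who clicked in at least `threshold` rounds: the only names that leave the team."""
    clicks = Counter(uid for _, uid, clicked, _ in results if clicked)
    return sorted(uid for uid, n in clicks.items() if n >= threshold)


def management_report(staff, results, latest_round):
    """Aggregate report: completion rate, per-group rates for the latest round,
    and repeat offenders. No other individual appears in it."""
    return {
        "training_completion": round(compliance_rate(staff), 3),
        "by_department": {
            dept: {"click_rate": round(s["click_rate"], 3),
                   "report_rate": round(s["report_rate"], 3)}
            for dept, s in impact_by_department(staff, results, latest_round).items()
        },
        "repeat_offenders": repeat_offenders(results),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(management_report(STAFF, PHISH_RESULTS, 3), indent=2))
```

Comparing `impact_by_department` across rounds is what shows whether behavior is changing (the sample data moves Engineering from one click in three to zero, with everyone reporting), while `compliance_rate` alone only says the training was deployed. Keeping the per-person click counts inside `repeat_offenders` and out of the report is the practical form of "do not release names of those who fail".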

  23. When You Return to Work
     • Identify your key high-risk groups (accounts payable, HR, etc.) and take them out to lunch or host a specialized webcast for them. Build bridges
     • Do a human risk analysis and prioritize the risks / behaviors you teach
     • Partner with your communications team; have a person assigned to your security team
     • Read Leading Change and Made to Stick
     • Partner with a senior champion; have that person help you communicate with leadership
