Lance Spitzner securingthehuman.sans.org lspitzner@sans.org - - PowerPoint PPT Presentation



SLIDE 1

Lance Spitzner

securingthehuman.sans.org lspitzner@sans.org @securethehuman

SLIDE 2

WindowsOS vs. HumanOS

Security Controls (timeline, 2002 to 2014):

  • Trustworthy Computing
  • Software Restriction Policies
  • Automatic Updating
  • Microsoft Secure Development Lifecycle
  • Firewall Enabled by Default
  • Baseline Security Analyzer
  • Data Execution Protection (DEP)
  • Malicious Software Removal Tool
  • Windows Defender
  • ASDL
  • User Account Control
  • Bitlocker
  • Windows Service Hardening
  • Mandatory Integrity Control
  • AppLocker
  • Encrypted File System
  • Microsoft Security Essentials
  • EMET

2014: HumanOS vs. WindowsOS

SLIDE 3

Security Awareness Maturity Model

  • Non-existent
  • Compliance Focused
  • Promoting Awareness & Behavior Change
  • Long-Term Sustainment & Culture Change
  • Metrics Framework

SLIDE 4

Fogg Behavior Model

SLIDE 5

Communication

  • Most organizations have teams of security experts and know what the human risks are.
  • Where we fail is communicating the solution – curse of knowledge.
  • Security Communications Officer

SLIDE 6

2016 Sec Awareness Report

SLIDE 7

Start with WHY

  • Why does cyber security matter?
  • Communicate at an emotional level, do not rationalize
  • Condense message to core, something people can easily understand.
    – Kotter [Leading Change] calls this the Vision
    – Heath [Made to Stick] calls this the Commander’s Intent.

SLIDE 8

How Organization Benefits

  • Instead of changing your culture, play on your organization’s existing culture
    – Industrial Control System (ICS) industries have a very strong safety culture; cyber security contributes to safety
    – Healthcare has a strong culture of patient care; cyber security contributes to the wellbeing of patients
    – Where does your employees’ pride come from?

SLIDE 9

How Individual Benefits

  • Keep message positive, focus on how security enables (addresses blocker issue)
  • Your awareness topics are the same for both home and work, focus on personal benefit
    – Far more likely to listen
    – Security becomes part of their DNA, same behaviors at home and work

SLIDE 10

Organizational Culture

  • How do we communicate this new vision?
  • Start with defining your culture
    – Conservative vs. outgoing
    – Different definitions of offensive
    – Generational differences
    – Localization
  • You may have multiple cultures

SLIDE 11

Outgoing

  • Examples include marketing firms, technology companies, universities, and hospitality
  • Outgoing cultures prefer
    – Using the latest technology such as social media or mobile devices
    – Watching content as opposed to reading content
    – Fun / entertaining material

SLIDE 12

Conservative

  • Examples include financials, insurance, defense industry or law firms
  • Conservative cultures prefer
    – Content that is subdued and professional
    – Reading content as opposed to watching content
    – Working directly with people
  • A conservative culture can be an advantage, easier to stand out

SLIDE 13

Push vs. Pull

  • Push: Sending information to people
  • Pull: People get information on their own
    – People too busy for scheduled events
    – People’s e-mail boxes are overwhelmed
    – Communications departments are limiting what you can push out
    – Competing with other training communications

SLIDE 14

Computer Based Training

SLIDE 15

Newsletters

  • Monthly or quarterly newsletter
  • Keep it short, non-technical, and easy to read; include contact information
  • Track downloads
  • Be prepared for it to go home / go viral

SLIDE 16

SLIDE 17

Security Blog

  • Simple, interactive way to reach people on their own schedule
  • Update your blog 1-3 times a week with engaging content
  • Titles are everything
  • Engaging content that is not too long or too short

SLIDE 18

Promotional Items

Do Not Write Your Password On This

SLIDE 19

Mascots / Tag Lines

“I don’t like it here! There is nothing to eat!” / “I like it here! There is lots of information to satisfy my stomach!”

SLIDE 20

Self-Education (Pull Method)

Create a central security portal for employees

  – Links to trusted tools
  – Downloads for materials and presentations
  – Security Blog or news updates
  – Online form for submitting questions or incidents
  – Scan my computer
  – Glossary of terms or FAQ
  – Examples / results of phishing assessments
  – Training or internally created videos
  – Update site regularly so people want to return

SLIDE 21

Ambassador Program

  • Instead of training coming from the top down, the training comes from peers
  • Security team trains volunteers to become ambassadors, provides ambassadors with resources, then ‘embeds’ them throughout the organization
  • Have ambassadors help create your materials

SLIDE 22

Ambassador Keys to Success

  • Motivation
    – Recognize ambassadors for their work (e-mail their boss / HR, letter from CEO, team shirts)
    – Chance to build their network throughout the organization
    – Chance to develop new skills / make a difference
  • Ability
    – Train ambassadors
    – Provide resources such as a portal, dedicated mailing list, premade FAQs, and presentations
    – Budget

SLIDE 23

Gamification

  • The concept of turning learning into a game
    – www.khanacademy.org
    – www.codeacademy.org
  • Recognize people for secure behaviors through levels, badges or progression maps so people can visualize their progress
  • Not for everyone

SLIDE 24

Salesforce

SLIDE 25

Leveraging Leadership

  • Ensure your leaders understand the important role they play
  • Often leaders believe in your security mission, but do not know how to demonstrate that. Give them examples of key behaviors to show or things to say to employees
  • Reach them through their assistants

SLIDE 26

Summary

Communication is where most awareness programs fail. The key to making it stick is to focus on how people benefit and to reach them through multiple methods.

securingthehuman.sans.org/events