SLIDE 1

PRACTICAL SECURITY AWARENESS

LESSONS LEARNT AND BEST PRACTICES

Stefan Schumacher
sicherheitsforschung-magdeburg.de
stefan.schumacher@sicherheitsforschung-magdeburg.de

DeepSec 2019

STEFAN SCHUMACHER (@0XKAISHAKUNIN) PRACTICAL SECURITY AWARENESS DEEPSEC 2019 1 / 22

SLIDE 2

ABOUT ME

SLIDE 3

THE OBSTACLES OF A TRAINING

◮ Motivation of your Workforce
◮ Instructional Design of a Security Awareness Campaign
◮ Dealing with Complexity
◮ Transferring the Training Outcomes to the Job

SLIDE 4

MOTIVATION

TWO FACTOR THEORY BY HERZBERG

◮ satisfaction and discontent are independent dimensions
◮ discontent is raised by extrinsic factors: status, fear of losing your job, relations between coworkers and superior
◮ satisfaction is raised by intrinsic factors: sense of achievement, recognition, taking over responsibility
◮ you actually can only demotivate people

SLIDE 5

MOTIVATION

INTRINSIC/EXTRINSIC

◮ Intrinsic motivation: behaviour that is driven by internal rewards
◮ Extrinsic motivation: behaviour to earn external rewards or avoid punishment

SLIDE 6

MOTIVATION

◮ good communication means to motivate the other party
◮ motivation means the other party shows a behaviour I want them to show
◮ motivation means to drop an old behavioural pattern in favour of a new pattern
◮ motivation means to address an unfulfilled need and to show how to fulfill it
◮ the better someone can picture the fulfillment of the need, the better motivated they will get

SLIDE 7

MOTIVATION

Don’t sell the steak – sell the sizzle

SLIDE 8

MOTIVATION

KEEP IN MIND

◮ Only current behaviour can be influenced at once!
◮ Every recurring behaviour has been trained through learning processes.
◮ Changing recurring behaviour requires new learning processes.
◮ Every learning process takes its time.

SLIDE 9

DIDACTICS / INSTRUCTIONAL DESIGN

◮ teaching methods
◮ theory and practice of teaching and learning
◮ the science that turns you into a teacher
◮ general didactics: general teaching methods, how learning and teaching works, how to structure teaching
◮ specific didactics: with regard to a specific learning field, e.g. subjects in school
◮ learning outcomes might get obsolete
◮ teaching a click path isn’t viable

SLIDE 10

DIDACTICS

COMPETENCIES

◮ find roles: who does what and how
◮ professional fields of activity (according to a profession)
◮ learning situation and professional action

SLIDE 11

COMPLEXITY

◮ psychological regulation of work (IO Psychology)
◮ theory of action
◮ decomposition of a complex action into less complex actions
◮ taking away the act of making a decision by establishing rules, e.g. password rules

SLIDE 12

LEARNING TRANSFER

◮ the workforce learnt something
◮ but doesn’t transfer it on the job
◮ for several reasons
◮ this is a huge problem in trainings

SLIDE 13

LEARNING TRANSFER

WHY DOES IT FAIL

◮ Identification of training needs and interests of the workforce
◮ Identification of roles the relevant learning outcomes
◮ Determination of learning contents and learning places
◮ instructional design and teaching methods
◮ Cost Control
◮ Success Control and Evaluation

SLIDE 14

LEARNING TRANSFER

◮ on the job
  ◮ wrong selection of participants
  ◮ learning outcomes are undefined or not clear enough
  ◮ learning contents don’t fit the job
  ◮ training is not accepted and carried by management and employees
  ◮ no time for the training and transfer of the training outcomes
◮ by the learners
  ◮ lack of insight into the applicability of the learning contents on the job
  ◮ lack of practice of the new behaviour
  ◮ lack of motivation on the job

SLIDE 15

EVALUATION

  1. the methodologically sound measurement
  2. the science-based benchmarking of processes and outcomes
  3. to better understand and design practical training measures through the evaluation of effectiveness, controlling and reflection

To achieve this, we have to methodise and document processes and outcomes

SLIDE 16

EVALUATION

TARGETS

◮ the success of a completed training
◮ gather information for the instructional design of future trainings
◮ help reflect on a training
◮ to estimate and justify the costs of a training, especially the costs of not doing the training
◮ management loves business indicators
◮ CFO: What happens if we spend money training our people and then they leave?
  CEO: What happens if we don’t and they stay?

SLIDE 17

STORYTELLING

SLIDE 18

WHY?

◮ Motivation
◮ Show how easy it has become to start generic attacks with Kali, Metasploit etc.
◮ Show the consequences of a successful hack
◮ Show that unfocused mass attacks happen all the time
◮ Storytelling

SLIDE 19

STORYTELLING

◮ lively storytelling motivates better than a dry list of facts
◮ has been used for centuries in all cultures of the world
◮ very good for the transportation of complex knowledge
◮ generates memories and supports learning mechanisms
◮ embed a Live-Hacking into a fitting story

SLIDE 20

STORYTELLING

LIVE-HACKING FOR TEACHERS

◮ Hacker is a 15-year-old pupil
◮ How long does he take to learn how to hack a Windows PC? (YouTube, 1h)
◮ What does he have to know and be able to do? (Almost nothing)
◮ Which software does he need? (Kali, Metasploit)
◮ Where does he find those hacker tools? (Google)
◮ Examples: MafiaBoy/Stacheldraht, Operation PayBack
◮ the bottom line: Effort and Complexity

SLIDE 21

MISCELLANEOUS

◮ https://sicherheitstacho.eu Eye Candy
◮ https://cybermap.kaspersky.com/de
◮ https://threatmap.checkpoint.com/ThreatPortal/livemap.html
◮ Honeypots (SLAC2018)
◮ https://www.shodan.io/search?query=webcam

SLIDE 22

◮ sicherheitsforschung-magdeburg.de
◮ stefan.schumacher@sicherheitsforschung-magdeburg.de
◮ sicherheitsforschung-magdeburg.de/publikationen/journal.html
◮ youtube.de/Sicherheitsforschung
◮ Twitter: 0xKaishakunin
◮ LinkedIn: Stefan Schumacher
