Practical Advantages of a Security Educated Workforce


Adventures in Security Awareness: Practical Advantages of an Educated Workforce


Speaker Biography

• 15+ years fighting the InfoSec leadership battle
• Knows a few things about information security governance and what it takes to build a successful security program
• Helps other security leaders build successful governance, risk management, and compliance (GRC) programs
• Also helps start-ups, small businesses, non-profits, and university enterprises produce big business success

Keyaan Williams

www.linkedin.com/in/keyaan

@KeyaanWilliams


Forcing users to complete annual security training just to check boxes is rubbish!

There are better ways to use education, training, and awareness to improve security.


Outline

• Definitions
• The Compliance-Driven Approach
• The Compliance-Driven Problem
• A Culture-Driven Alternative
• Every Security Person Can Contribute
• Summary and Q&A


Definitions

Understanding the words we are using will help drive the point home.


Practical

Adjective: of or concerned with the actual doing or use of something rather than with theory and ideas.


Education

Education focuses on transferring knowledge or information via communication tools that produce long-term retention.


Training

Training focuses on activities, coaching, and feedback that develop new skills or new knowledge that students can apply to their work.


Awareness

Awareness focuses on the increased perception of facts or information.


The Compliance-Driven Approach to “Security Awareness Training”

The regulators made me do it!


What normally happens

Compliance defines the approach rather than tailoring something unique for the organization.

Education, training, and awareness are consolidated into one big blob that is a single objective/activity.

Education, training, and awareness are not distinct activities with specific, individual purposes.


The Compliance Perspective

“The organization will be more secure because you gave users security training and you confirmed that everyone participated at least annually.”


ISO 27001 and 27002

“All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”


NIST 800-53, AT-2

“The organization provides basic security awareness training to information system users.”


PCI-DSS

“Implement a formal security awareness program to make all personnel aware of the cardholder data security policy.”


PCI DSS v3.2

Testing procedures (12.6.1 and 12.6.2)

• Verify people attend training when hired and at least annually.
• Obtain acknowledgement that people have read and understand the security policy.


The Compliance-Driven Problem

Compliance provides a budget, but it doesn’t tell me how to be effective.


The compliance problem

Compliance incentivizes a generic approach that rarely changes behavior or has a meaningful impact.


The compliance problem

Compliance requires no validation that users can apply what they learned to their work.


The compliance problem

Compliance measures how many, but not how effective.

Does theory produce practical results?


The Worst Case

• Content has nothing to do with the organization or its current threats
• It is optional or some people are forgotten
• It only focuses on phishing and makes people afraid to check their e-mail
• It produces no change in user-generated security events


A Culture-Driven Alternative

What can we do to make this work for everyone?


What does culture have to do with anything?

Sociology 101 - Culture is the sum of attitudes, customs, and beliefs that distinguishes one group of people from another. This should drive the content of education, training, and awareness at an organization.


Security Theory and Culture Collide

Incorporating security theory from education, training, and awareness into the culture of the organization can practically make the organization more secure.


This is about changing (or strengthening) security culture

• Emphasize what is important.
• Reward behaviors that reflect what is important.
• Discourage behaviors that do not reflect what is important.
• Model the behaviors that you want to see in the workplace.

C. McNamara, "Organizational Culture," Authenticity Consulting, LLC, 2000. [Online]. Available: http://managementhelp.org/organizations/culture.htm#influence. [Accessed June 2016]


What is important?

• Assets and how we protect them.
• Data and how we protect it.
• People and how we protect them.
• Stakeholders and how we protect their interests.


What is good behavior?

• Follow policies, procedures, and standards.
• Report anomalies and strange events: “see something; say something.”
• Conduct activities ethically.


How do we discourage bad behavior?

• Frown at nonconformists; peer pressure is effective.
• Formalize recourse in policies and standards (e.g. HR and performance reviews).


How do we reward good behavior?

• Money
• Recognition


A Simple Culture Case Study

The simplicity of cause, effect, and human behavior.


Rewarding good behavior influences the workforce. Most people want the reward.

I want recognition that produces a reward → I inform security operations about suspicious e-mail → They recognize me or give me money


Every Security Person Can Contribute

I am not part of the security awareness team. What does it have to do with me?


Every Security Person Can Contribute

You don’t have to be a CISO, Director, or Security Leader to contribute to the practical security education of your organization.


Every Security Person Can Contribute

Practitioners have a great opportunity to communicate relevant information and influence behavior as part of their interactions with people.


Every Security Person Can Contribute

You are a professional; you know a lot! Share that information with everyone you encounter.


Every Security Person Can Contribute

Tailor content based on the audience. Tell executives, managers, IT personnel, and non-IT end users the same story, but package the story differently based on the risk each group faces.


Every Security Person Can Contribute

Discreetly retrain compromised users. You don’t have to embarrass people to get them to change.


Every Security Person Can Contribute

Bedside manner is important! Don’t be a donkey about it.


Case Study 2

Combining incident response and user re-education to improve security.


Combining security awareness and incident response to improve security

User causes event → CSIRT activated → Root cause analysis → Results shared with user → Anonymized results shared with workforce → # similar events decreases

This actually happened!


“Oh my! I downloaded a malicious file from a suspicious e-mail.”

User causes event


Case Study

Enterprise controls detect the IOC and the Computer Security Incident Response Team (CSIRT) is activated to provide remediation.

CSIRT activated


Case Study

The CSIRT conducts root cause analysis to identify the malicious software’s impact and method of installation.

Root cause analysis


Case Study

Findings from the root cause analysis are shared with the user.

• The user understands his or her part in the activity.
• This understanding prevents a repeat offense.

Results shared with user


Case Study

Results are anonymized to protect the image of the affected user and shared with the workforce.

• The affected user is not embarrassed.

Anonymized results shared with workforce


Case Study

• Everyone learns from a single mistake.
• Other users are less likely to repeat the actions.
• A culture of respect increases the likelihood that users will report anomalous events.

# similar events decreases


Summary

What should I remember from this conversation?


1. Compliance requires security awareness training, but a compliance-driven approach is the wrong approach.
2. Effective education, training, and awareness can reduce the risk introduced by users.
3. Effective training is tailored, interactive, and meaningful.
4. Awareness is important to reinforce ideas.
5. All security personnel can contribute to education, training, and awareness in an organization.
