Cybersecurity: Managing Human Risk

https://sans.org/security-awareness

The ProblemThe goal here is to first explain to leadership what the problem is

2002 20122004 2006 2008 2010

Secu

rity

Con

trol

s

Trustworthy ComputingSoftware Restriction Policies

Automatic UpdatingMicrosoft Secure Development LifecycleFirewall Enabled by DefaultBaseline Security AnalyzerData Execution Protection (DEP)

Malicious Software Removal ToolWindows Defender

ASDLUser Account ControlBitlockerWindows Service HardeningMandatory Integrity Control

AppLockerEncrypted File System

Microsoft Security EssentialsEMET

2014

HumanOS

WindowsOS

2016

Credential GuardBiometrics

2018

Edge Browser

44HumanLaptop

Resources

Technology vs. Human Investment

4

55

CEO Fraud

• Best way to demonstrate how bad guys are bypassing technology by targeting the human, walk through a real, targeted attack.

• Also known as BEC or Business Email Compromise attack.

The SolutionExplain to leadership what a security awareness program is and how it is

a control to manage human risk.

NOTE: In the notes section below are case studies how others obtained support for their awareness program.

Non-existent

Compliance Focused

Promoting Awareness & Behavior Change

Long-Term Sustainment &Culture Change

MetricsFramework

Security AwarenessMaturity Model

1010

Common Misconceptions / Blockers

10

• Awareness programs never work.• Awareness programs are a failure because

someone always clicks• Awareness is just about human prevention

1111

Managing Human Risk

11

Mitigate human risk by changing human behavior.

1212

BJ Fogg Behavior Model

1313

Plan of Attack

• Who• What• How

1414

Who

• Explain the value of identifying different target groups in your training.

• Then explain the different target groups you identified and why

1515

What

• To be successful, focus on as few topics / behaviors as possible.

• Different target groups have different risks.

• Explain what risks / behaviors you are focusing on and why.

1616

How

• Overview of how you will engage and train your workforce.

• Focus on positive engagement• How people benefit personally• Active and continuous reinforcement

1717

Metrics

• What metrics will you use to track and communicate impact?• More strategic metrics?• Specific behavioral metrics?

• What does your leadership care about, how can you demonstrate support of org.

SupportDetail what you need to make this happen

1919

Three “S”s to Success

• Support• Staff• Soft skills

2020

Leadership Support is Key

2121

Minimum Number of FTEs

2222

Soft Skills Lacking

2323

Summary

• To manage human risk we need to change behavior.

• To change behavior we need a mature awareness program.