Transcript of Cybersecurity: Managing Human Risk
https://sans.org/security-awareness
The Problem

The goal here is to first explain to leadership what the problem is.

[Figure: timeline of security controls added to the Windows OS from 2002 to 2018 (Trustworthy Computing, Software Restriction Policies, Automatic Updating, Microsoft Secure Development Lifecycle, Firewall Enabled by Default, Baseline Security Analyzer, Data Execution Protection (DEP), Malicious Software Removal Tool, Windows Defender, ASDL, User Account Control, BitLocker, Windows Service Hardening, Mandatory Integrity Control, AppLocker, Encrypted File System, Microsoft Security Essentials, EMET, Credential Guard, Biometrics, Edge Browser), contrasted with the HumanOS, which is shown with no entries over the same period.]

Technology vs. Human Investment

[Figure: resources invested in securing the laptop vs. the human.]
CEO Fraud

• The best way to demonstrate how bad guys are bypassing technology by targeting the human is to walk through a real, targeted attack.
• Also known as BEC, or Business Email Compromise, attack.
The Solution

Explain to leadership what a security awareness program is and how it is a control to manage human risk.

NOTE: In the notes section below are case studies of how others obtained support for their awareness program.
Security Awareness Maturity Model

• Non-existent
• Compliance Focused
• Promoting Awareness & Behavior Change
• Long-Term Sustainment & Culture Change
• Metrics Framework
Common Misconceptions / Blockers

• Awareness programs never work.
• Awareness programs are a failure because someone always clicks.
• Awareness is just about human prevention.

Managing Human Risk

Mitigate human risk by changing human behavior.

BJ Fogg Behavior Model

Plan of Attack

• Who
• What
• How
Who

• Explain the value of identifying different target groups in your training.
• Then explain the different target groups you identified and why.
What

• To be successful, focus on as few topics / behaviors as possible.
• Different target groups have different risks.
• Explain what risks / behaviors you are focusing on and why.

How

• Overview of how you will engage and train your workforce.
• Focus on positive engagement.
• How people benefit personally.
• Active and continuous reinforcement.
Metrics

• What metrics will you use to track and communicate impact?
• More strategic metrics?
• Specific behavioral metrics?
• What does your leadership care about, and how can you demonstrate support of the organization?

Support

Detail what you need to make this happen.
Three “S”s to Success

• Support
• Staff
• Soft skills

Leadership Support is Key

Minimum Number of FTEs

Soft Skills Lacking
Summary
• To manage human risk we need to change behavior.
• To change behavior we need a mature awareness program.