Practical Advantages of a Security Educated Workforce

Adventures in Security Awareness: Practical Advantages of an Educated Workforce

Transcript of Practical Advantages of a Security Educated Workforce

Page 1: Practical Advantages of a Security Educated Workforce

Adventures in Security Awareness:

Practical Advantages of an Educated Workforce

Page 2: Practical Advantages of a Security Educated Workforce


Speaker Biography

• 15+ years fighting the InfoSec leadership battle
• Knows a few things about information security governance and what it takes to build a successful security program
• Helps other security leaders build successful governance, risk management, and compliance (GRC) programs
• Also helps start-ups, small businesses, non-profits, and university enterprises produce big business success

Keyaan Williams

www.linkedin.com/in/keyaan

@KeyaanWilliams

Page 3: Practical Advantages of a Security Educated Workforce


Forcing users to complete annual security training to check boxes is rubbish!

There are better ways to use education, training, and awareness to improve security.

Page 4: Practical Advantages of a Security Educated Workforce


Outline

• Definitions
• The Compliance-Driven Approach
• The Compliance-Driven Problem
• A Culture-Driven Alternative
• Every Security Person Can Contribute
• Summary and Q&A

Page 5: Practical Advantages of a Security Educated Workforce


Definitions

Understanding the words we are using will help drive the point home.

Page 6: Practical Advantages of a Security Educated Workforce


Practical

Adjective: of or concerned with the actual doing or use of something rather than with theory and ideas.

Page 7: Practical Advantages of a Security Educated Workforce


Education

Education focuses on transferring knowledge or information via communication tools that produce long-term retention.

Page 8: Practical Advantages of a Security Educated Workforce


Training

Training focuses on activities, coaching, and feedback that develop new skills or new knowledge that students can apply to their work.

Page 9: Practical Advantages of a Security Educated Workforce


Awareness

Awareness focuses on the increased perception of facts or information.

Page 10: Practical Advantages of a Security Educated Workforce


The Compliance-Driven Approach to “Security Awareness Training”

The regulators made me do it!

Page 11: Practical Advantages of a Security Educated Workforce


What normally happens

Compliance defines the approach rather than tailoring something unique for the organization.

Education, training, and awareness are consolidated into one big blob that is a single objective/activity.

Education, training, and awareness are not distinct activities with specific, individual purposes.

Page 12: Practical Advantages of a Security Educated Workforce


The Compliance Perspective

“The organization will be more secure because you gave users security training and you confirmed that everyone participated at least annually.”

Page 13: Practical Advantages of a Security Educated Workforce


ISO 27001 and 27002

“All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”

Page 14: Practical Advantages of a Security Educated Workforce


NIST 800-53, AT-2

“The organization provides basic security awareness training to information system users.”

Page 15: Practical Advantages of a Security Educated Workforce


PCI-DSS

“Implement a formal security awareness program to make all personnel aware of the cardholder data security policy.”

Page 16: Practical Advantages of a Security Educated Workforce


PCI DSS v3.2

Testing procedures (12.6.1 and 12.6.2)

• Verify people attend training when hired and at least annually.
• Obtain acknowledgement that people have read and understand the security policy.

Page 17: Practical Advantages of a Security Educated Workforce


The Compliance-Driven Problem

Compliance provides a budget, but it doesn’t tell me how to be effective.

Page 18: Practical Advantages of a Security Educated Workforce


The compliance problem

Compliance incentivizes a generic approach that rarely changes behavior or has a meaningful impact.

Page 19: Practical Advantages of a Security Educated Workforce


The compliance problem

Compliance requires no validation that users can apply what they learned to their work.

Page 20: Practical Advantages of a Security Educated Workforce


The compliance problem

Compliance measures how many, but not how effective.

Does theory produce practical results?

Page 21: Practical Advantages of a Security Educated Workforce


The Worst Case

• Content has nothing to do with the organization or its current threats
• It is optional or some people are forgotten
• It only focuses on phishing and makes people afraid to check their e-mail
• It produces no change in user-generated security events

Page 22: Practical Advantages of a Security Educated Workforce


A Culture-Driven Alternative

What can we do to make this work for everyone?

Page 23: Practical Advantages of a Security Educated Workforce


What does culture have to do with anything?

Sociology 101 - Culture is the sum of attitudes, customs, and beliefs that distinguishes one group of people from another. This should drive the content of education, training, and awareness at an organization.

Page 24: Practical Advantages of a Security Educated Workforce


Security Theory and Culture Collide

Incorporating security theory from education, training, and awareness into the culture of the organization can practically make the organization more secure.

Page 25: Practical Advantages of a Security Educated Workforce


This is about changing (or strengthening) security culture

• Emphasize what is important.
• Reward behaviors that reflect what is important.
• Discourage behaviors that do not reflect what is important.
• Model the behaviors that you want to see in the workplace.

C. McNamara, "Organizational Culture," Authenticity Consulting, LLC, 2000. [Online]. Available: http://managementhelp.org/organizations/culture.htm#influence. [Accessed June 2016]

Page 26: Practical Advantages of a Security Educated Workforce


What is important?

• Assets and how we protect them.
• Data and how we protect it.
• People and how we protect them.
• Stakeholders and how we protect their interests.

Page 27: Practical Advantages of a Security Educated Workforce


What is good behavior?

• Follow policies, procedures, and standards.
• Report anomalies and strange events: “see something; say something.”
• Conduct activities ethically.

Page 28: Practical Advantages of a Security Educated Workforce


How do we discourage bad behavior?

• Frown at nonconformists; peer pressure is effective.
• Formalize recourse in policies and standards (e.g., HR and performance reviews).

Page 29: Practical Advantages of a Security Educated Workforce


How do we reward good behavior?

• Money
• Recognition

Page 30: Practical Advantages of a Security Educated Workforce


A Simple Culture Case Study

The simplicity of cause, effect, and human behavior.

Page 31: Practical Advantages of a Security Educated Workforce


Rewarding good behavior influences the workforce. Most people want the reward.

• I want recognition that produces a reward.
• I inform security operations about suspicious e-mail.
• They recognize me or give me money.

Page 32: Practical Advantages of a Security Educated Workforce


Every Security Person Can Contribute

I am not part of the security awareness team. What does it have to do with me?

Page 33: Practical Advantages of a Security Educated Workforce


Every Security Person Can Contribute

You don’t have to be a CISO, Director, or Security Leader to contribute to the practical security education of your organization.

Page 34: Practical Advantages of a Security Educated Workforce


Every Security Person Can Contribute

Practitioners have a great opportunity to communicate relevant information and influence behavior as part of their interactions with people.

Page 35: Practical Advantages of a Security Educated Workforce


Every Security Person Can Contribute

You are a professional; you know a lot! Share that information with everyone you encounter.

Page 36: Practical Advantages of a Security Educated Workforce


Every Security Person Can Contribute

Tailor content based on the audience. Tell executives, managers, IT personnel, and non-IT end users the same story, but package the story differently based on the risk each group faces.

Page 37: Practical Advantages of a Security Educated Workforce


Every Security Person Can Contribute

Discreetly retrain compromised users. You don’t have to embarrass people to get them to change.

Page 38: Practical Advantages of a Security Educated Workforce


Every Security Person Can Contribute

Bedside manner is important! Don’t be a donkey about it.

Page 39: Practical Advantages of a Security Educated Workforce


Case Study 2

Combining incident response and user re-education to improve security.

Page 40: Practical Advantages of a Security Educated Workforce


Combining security awareness and incident response to improve security

User causes event → CSIRT activated → Root cause analysis → Results shared with user → Anonymized results shared with workforce → Number of similar events decreases

This actually happened!

Page 41: Practical Advantages of a Security Educated Workforce


“Oh my! I downloaded a malicious file from a suspicious e-mail.”

User causes event

Page 42: Practical Advantages of a Security Educated Workforce


Case Study

Enterprise controls detect the indicator of compromise (IOC) and the Computer Security Incident Response Team (CSIRT) is activated to provide remediation.

CSIRT activated

Page 43: Practical Advantages of a Security Educated Workforce


Case Study

The CSIRT conducts root cause analysis to identify the malicious software’s impact and method of installation.

Root cause analysis

Page 44: Practical Advantages of a Security Educated Workforce


Case Study

Findings from the root cause analysis are shared with the user.

• The user understands his or her part in the activity.
• This understanding prevents a repeat offense.

Results shared with user

Page 45: Practical Advantages of a Security Educated Workforce


Case Study

Results are anonymized to protect the image of the affected user and shared with the workforce.

• The affected user is not embarrassed.

Anonymized results shared with workforce

Page 46: Practical Advantages of a Security Educated Workforce


Case Study

• Everyone learns from a single mistake.
• Other users are less likely to repeat the actions.
• A culture of respect increases the likelihood that users will report anomalous events.

Number of similar events decreases

Page 47: Practical Advantages of a Security Educated Workforce


Summary

What should I remember from this conversation?

Page 48: Practical Advantages of a Security Educated Workforce


1. Compliance requires security awareness training, but a compliance-driven approach is the wrong approach.
2. Effective education, training, and awareness can reduce the risk introduced by users.
3. Effective training is tailored, interactive, and meaningful.
4. Awareness is important to reinforce ideas.
5. All security personnel can contribute to education, training, and awareness in an organization.