The Most Critical Risk Control: Human Behavior
Transcript of The Most Critical Risk Control: Human Behavior
The Most Critical Risk Control: Human Behavior
Lynn Goodendorf
Director, Information Security
Atlanta ISACA
Chapter Meeting
June 20, 2014
AGENDA FOR THIS SESSION
Why technical defenses are not enough
Formal policy vs. training and awareness
What does an effective security awareness program look like?
LESSONS FROM DATA BREACHES
Epsilon – spear phishing attack
AOL – not understanding data classification
Google, Yahoo and 18 others: users needed to update browsers
Gawker Media – used weak passwords for multiple applications
Target – began with phishing attack on 3rd party
FORMAL POLICY
Provides management guidance and intention
Protects company liability
Must be “translated” into key concepts and messages
Requires partnership with Human Resources
What does an effective security awareness program look like?
KNOW YOUR AUDIENCE
Language
Work environment
Types of computing devices
Job roles
KEEP IT SIMPLE
REPEAT…REPEAT…REPEAT
Screensavers
Newsletters
Posters
Online training
Webinars
EXPLAIN WHY
MAKE IT FUN!
ASK FOR FEEDBACK
TRACK AND MEASURE
RECOGNITION AND REWARDS
AWARENESS TOPICS
How to spot key logging devices
Is email spam harmful?
Watering hole attacks
Storing paper records
Visitors who may be imposters
Are cookies bad for you?
All about malware
MORE AWARENESS TOPICS
Create and remember strong passwords
Get Going with Mobile Security
What is a mobile botnet?
Found any free USB drives?
What did you capture on camera?
Erase those whiteboards!
We love to share email chain letters
AND MORE AWARENESS TOPICS
Dialing for Dollars: Phone Scams
Cell phone ringtone scams
Dangers of Counterfeit Software
Wi-Fi Security Tips at Home
Email Etiquette for Your Career
Has your Facebook account been hacked?
STANDARDS
NIST Special Publication 800-50 “Building an Information Technology Security Awareness and Training Program”
ISO 27002:2013 Section 7.2.2 Deliver Information Security Awareness Programs
Australian Government: Protective Security Governance Guidelines – Security Awareness Training
COST OF SECURITY AWARENESS
Budgetary planning: $5 – $10 per person per year
Online courses
Posters, screen savers
Newsletters
Pens, buttons, etc.
WRAP UP AND QUESTIONS
Is an annual awareness session adequate?
Are acknowledgments of policy enough?
Are there better ways to audit that will help to drive improvement?