1 Redesigning Boston College s information security awareness program based on current research Boston University Security Camp Julie Gillis & David Millar August 21, 2014
2 Agenda Motivation Review of literature BC s planned approach
3 Dave s experience doing SETA Developed SETA based only on intuition Brochures, lectures, websites No fundamental improvement I must be doing it wrong Bigger brochures, bigger websites, more lectures No fundamental improvement Bigger brochures, etc.,etc,..
4 Typical academic research circa 2005
5 Literature reviewed Search scholar.google.com for information security AND (education OR training OR awareness) Search Gartner Group for information security AND (education OR training OR awareness) Not reviewed, but recommended: Measuring the Effectiveness of Security Awareness Programs, Educause/ECAR 2013
6 Academic Research in Information Security Terminology SETA Security Education Training and Awareness Academic approach to SETA SETA is viewed as the process of ensuring compliance with the organization s security policy Tacit assumption is that if employee complies with the policy, there can be no security incident
7 The problem Estimated > 50% of data breaches are due directly or indirectly to poor IS security compliance 1 SETA programs are developed based on tradition, personal judgment and whim 2 Most SETA programs lack an underlying theory 3 These programs are not working well: < 12% believe awareness programs are effective 4 24% didn t know if their university had a security policy 5 18% had read it 5 Most people just eat the chocolate and throw away the brochure 1. Stanton, Stam, Mastrangelo, Walls (Gartner), Karjalainen & Siponen, Albrechtsen, SanNicolas-Rocca, 2014
8 Gartner on current state of SETA..most enterprises have assumed that a set of undefined objectives exist for their security awareness program, but have not actually documented these objectives....the end result is a costly, unproven awareness program based on tradition, personal judgment and whim. This approach is not tolerated in any other phase of IT security operations and should not be tolerated in the realm of security awareness. 1 Gartner clients report that many employees regard the content, structure and delivery method of security awareness programs to be outmoded and symptomatic of a security program that is out of touch with the modern work environment. 1 User guides and policies are filled with statements that are non-specific and require users to take security actions that are beyond their capabilities Walls (Gartner), Gartner, 2013
9 Research on sanctions Employees compliance with security policies is not always best explained by fear of sanctions, because Employees use neutralization techniques rationalizations to justify non-compliance Nobody could possibly understand this policy Nobody has time to comply with these policies My compliance with policy X offsets non-compliance with Y Bottom line: no consensus on the value of sanctions Siponen & Vance, 2010
10 A qualitative study of users view on information security (1) 2007 survey of bank and customer service center Of course, there are rules and guidelines for information security behaviour. Nevertheless, I haven't heard about them or seen them.... I don't believe that everyone has read them I believe my behaviour is approximately the same as the documented expected behaviour, although I don't know what is written. One should know that there are rules on how to behave. I believe the documentation is huge it is not possible to read it all or to act in compliance with all the demands. Albrechtsen, 2007
11 A qualitative study of users view on information security (2) IT-rules they're boring. I don't know them word-for-word, but I know the essence. I don't believe my colleagues know the essence, they don't possess the necessary knowledge to understand it. Albrechtsen, 2007
12 SETA in higher education 3 Phases I. Survey the university II. Assemble faculty and staff to design SETA for the campus Voluntary participation 90 minutes lunch provided Instant poll on knowledge of policy and threats Small groups spend 30 min. preparing SETA proposals Teams formed to expand on most promising ideas III. Survey attendees afterward Conclusion: Including end users in planning SETA : Is an effective method to train on policies and procedures and Motivates users to comply. SanNicolas-Rocca, 2014
13 2 Requirements for SETA 1. SETA must be Persuasive Non-cognitive Cognitive arguments and pedagogies are not successful at changing behaviors. Normative methods are better at that. 2. Focus on the essential features of SETA Mandatory / voluntary participation Intangible threats Karjalainen & Siponen, 2011
14 Terminology Pedagogy: methods and practices of teaching, e.g. Behaviorism: reinforce or reward desired behavior, punish undesired behavior Instructivism: instructor explains the topic Constructivism: learners communicate with each other Social constructivism: groups construct knowledge for one another collaboratively creating a culture
15 Today ORIENTATIONS OF PEDAGOGIES Transmission Transaction The goal Transformation Learning paradigm Behaviorism Cognitivism Constructivism Social Constructivism General aims Mastery of knowledge Cognitive abilities Change beliefs and actions, personal change Change beliefs and actions, communal change Content Subjectcentered Problemcentered Learnercentered Communitycentered Teaching methods Instructor led Cognitive problem solving Personal knowledge through collaboration Communal knowledge through collaboration Evaluation of learning Tests Acquired intellectual skills Conversational forms of evaluation for individuals Conversational forms of evaluation for groups Karjalainen & Siponen, 2011
16 Experiential Learning Cycle Phase I: Involve Concrete Experiences Group exercise Include individuals concrete experiences w/ SETA w/r/t assets, threats & protection Back in the office Phase IV: Enable active experimentation Phase II: Engage reflective observation Synthesize phases & viewpoints into concrete instructions. Employees observe new practices and must execute changes. Small groups generate experiences w/ training to define meaning & implications Phase III: Support formation of abstract concepts and generalizations Observe differences between small groups & organizational viewpoint Karjalainen & Siponen, 2011
17 Universal Constructivist Instructional Theory Phase 1 Determination of the Instructional Task Phase 2 Diagnosis of the Current State of the Learner Phase 3 Constructing and Delivering the Instruction Phase 4 Diagnosis of Success Puhakainen & Siponen, 2010 Principles of Experiential Learning guide instructional design
18 Worked example (1) Problem: Tech firm employees not complying with policy that requires intellectual property be encrypted (7zip) when sent in 1. Anonymous survey revealed: a. Users generally knew there was a policy b. Non-technical staff had trouble using encryption tools c. Some employees found the data classification rules confusing d. Others found the security manual cumbersome and confusing 2. Interviews revealed: a. Management didn t always follow the policy b. Sales team often didn t follow the policy c. Sometimes receiving party could not decrypt Puhakainen & Siponen, 2010
19 Worked example (2) 3. IS Security manual was revised to address complaints about confusion 4. Two training sessions were held: a. All users i. Group discussion of risks (activate existing knowledge) ii. Learners submit their own chosen documents and group processes how to classify them (activate cognitive processing) iii. Learners analyze possible consequences for company, team and learners themselves if intellectual property were leaked. (make the subject matter relevant) b. Non-technical users i. Enable them to use the encryption software ii. Explain how to send the password through another channel Puhakainen & Siponen, 2010
20 Worked example (3) 5. Results a. Learners realized they had sent considerable intellectual property unencrypted b. Non-technical users complained in the training session that 7Zip s lack of support for S/MIME made it hard to correspond with customers 6. Instructors facilitated confidential discussions with CEO re: a. CEO s uneven use of encryption b. Sales refusal to use encryption 7. Follow up actions a. Security department agreed to look for S/MIME compliant crypto tool b. Sometimes receiving party could not decrypt Puhakainen & Siponen, 2010
21 Worked example (4) 7. Follow-up (cont.) a. Follow up surveys, group and individual interviews 8. Actual results a. Sales team continued to not use encryption b. Six users complained that the CEO didn t actively enough champion security Puhakainen & Siponen, 2010
22 Literature takeaways (1) Consider taking a more analytical approach: Ready. Aim. Fire. vs. Ready. Fire. Aim. Focus on just a few, key priorities Survey and interview users to identify where the breakdown is occurring - i.e. identify the learning task Develop training materials collaboratively with users Norms seems like an opportunity area Thus the value of group exercises/processes Also consider posters profiling security practices of campus thought leaders
23 Literature takeaways (2) Group workshops appear to be effective 1. Focused on high-risk groups 2. To improve the quality of learning materials Most or all of the literature treats policy and procedures as the definitive reference for employee behavior. Similarly, most of the literature assumes there are sanctions for non-compliance
24 Literature takeaways (3) Reframe our model of SETA from...a one way transmission of facts to Focus on a few key priorities Identify the learning tasks Identify the knowledge gap (surveys, focus groups) Look for opportunities to clarify policies, procedures trouble-shoot current processes
25 Discussion Generally, we all probably apply sanctions for things like theft, embezzlement, harassment, plagiarism, etc Does your institution prohibit in policy Divulging credentials in reply to a phishing message? Not applying security patches? Does your institution apply sanctions for any of these activities?
26 Discussion Conversely, what has been your experience with positive rewards: What about simple rankings by School or Department Fewest compromises as a percentage of hosts managed Lowest rate of response to phishing attacks
27 Upcoming SETA Plans at Boston College...
28 History of SETA at BC
29 Why is BC taking a more formal approach to SETA now?
30 April 22, 1970
31 $40 million so far for ALS research. Viral Activity - June 1 and August million users talking about 2.4 million Ice Bucket Challenge videos were shared on Facebook.
33 We aren t approaching this effort with any false belief that we will ever have the satisfaction of...
34 Approach Collaboration of ITS Security and ITS Communications and Training. Sponsored by ITS Sr. Mgmt. Project Management process - Charter, Project plan, etc. Per the literature: Clearly defined objectives Non-Cognitive
35 Goal of the project Collaborate with a wide range of faculty and staff to create a Security Awareness program framework that will aid in the development of a culture of security at all levels within the BC employee community.
37 Started evaluation in 2011 Students moved summer 2013 Faculty and staff moved summer Google Guides
38 f mb e m unity d ve m m l o v o n c i y y el ersit v i t Ac Univ s. he r a e t y o Tw o s r e
39 2 Parallel Tracks Process as Important as Product 1) High-risk groups Custom workshops with two high risk groups HR and FVP 2) BC-wide representation ( people) at a workshop aimed at gathering info, sharing info, and designing the SETA framework.
40 Planned Activities Determine invitee list for workshop. Design survey related to what data goes where Nov/December workshop, may include: Interactive survey related to what data goes where Group discussion and then wider sharing. Security and C&T share info tying together table talks, and the facts of what data goes where, and the challenge of changing behavior. Tables asked to brainstorm how to do educate and change. Wider sharing January - April 2015 Implement ideas from the Fall workshop - may include web site, use of SANS videos, events, communication, etc. May - June survey all faculty and staff (?) July Review lessons learned and prepare for next campaign.
42 Bibliography (1) SanNicolas-Rocca, 2014 Designing Effective Knowledge Transfer Practices to Improve IS Security Awareness and Compliance, th Hawaii International Conference on System Science Educause/ECAR, 2013 Measuring the Effectiveness of Security Awareness Programs, 2013 Walls (Gartner), 2013 Effective Security Awareness Starts With Defined Objectives, Andrew Walls, Gartner Group, December 10, 2013 Gartner, 2013 User Behavior Can Improve Security, but Only With Development and Practice Gartner Group, December 10, 2013 Karjalainen & Siponen 2011 Toward a New Meta-Theory for Designing Information Systems Security Training, Journal of the Association for Information Systems, August, 2011 Puhakainen & Siponen, 2010 Improving Employees Compliance Through Information Systems Security Training: An Action Research Study, MIS Quarterly, December 2010
43 Bibliography (2) Siponen & Vance, 2010 Neutralization, New Insights Into the Problem of Employee Information Systems Security Policy Violations MIS Quarterly, September 2010 Albrechtsen, 2007 A qualitative study of users view on information security, Computers & Security, June 2007 Stanton, Stam, Mastrangelo, 2005 Analysis of end user security behaviors, Computers and Security, (24)
STRENGTHENING NONPROFITS: A Capacity Builder s Resource Library Measuring Outcomes TABLE OF CONTENTS INTRODUCTION... 4 OVERVIEW... 5 Why Measure Outcomes?... 5 What is Outcome Measurement?... 5 Some Words
Guide to Implementing Quality Improvement Principles Foreword Quality Improvement in health care continues to be a priority for the Centers for Medicare & Medicaid Services (CMS). In the Affordable Care
www.ncolr.org/jiol Volume 4, Number 2, Fall 2005 ISSN: 1541-4914 Establishing Guidelines for Determining Appropriate Courses for Online Delivery Janet Smith Strickland Judy Butler University of West Georgia
Teachers Know Best Teachers Views on Professional Development ABOUT THIS STUDY The Boston Consulting Group (BCG) was engaged by the Bill & Melinda Gates Foundation to conduct a research study on professional
Summit on Education in Secure Software Final Report Dr. Diana L. Burley The George Washington University Dr. Matt Bishop University of California, Davis GW: UCD: Report GW-CSPRI-2011-7 Technical Report
Good Principals Aren t Born They re Mentored: LEARNING- CENTERED LEADERSHIP PROGRAM Are We Investing Enough to Get the School Leaders We Need? Southern Regional Education Board 592 10th St. N.W. Atlanta,
District Data Team Toolkit Helping districts establish, grow, and maintain a culture of inquiry and data use. MODULES Introduction Getting Ready Inquiry Information Knowledge Action Results District Data
U.S. Postsecondary Faculty in 2015 Diversity In People, Goals And Methods, But Focused On Students January 2015 Preface A confluence of social, technical, economic, and other factors have created the demand
Steve Davis: Tips for Better Teaching and Learning 1. Faculty Development Tidbit: Presentation Principles they never change! Tell them what you re going to tell them, tell them, tell them what you told
COOPERATIVE LEARNING GROUP ACTIVITIES FOR COLLEGE COURSES A GUIDE FOR INSTRUCTORS Prepared by Alice Macpherson Kwantlen University College Abstract Cooperative Learning Group Activities for College Courses
2 PROCESS DOCUMENTATION JOHN A JOSEPH PROCESS DOCUMENTATION Structure 2.1 Introduction 2.2 Aim and Importance of Process Documentation 2.3 Methods and Tools of Process Documentation 2.4 Process Narratives
Criminal Justice 207: Program Evaluation Research Comparison of CCE and Ground Programs Spring 2014 Project Director/Instructor: Yvette Farmer, Ph.D. Graduate Students (in alphabetical order): Margaret
Top 10 Reasons Faculty Fail When Using Blackboard CMS Dr. Penny Johnson Computer Science Carroll College firstname.lastname@example.org Abstract In today s ever increasing world of information technology it is not enough
Online professional education: A case study of an MBA program through its transition to an online model Lynne Schrum, Associate Professor Angela Benson, Graduate Research Assistant The University of Georgia
WHAT HELPS LAW PROFESSORS DEVELOP AS TEACHERS? AN EMPIRICAL STUDY GERALD F. HESS AND SOPHIE M. SPARROW * INTRODUCTION Many law schools seek to develop the teaching skills of their faculty. Some schools
Table of Contents THE MASTERY LEARNING MANUAL CHAPTER 1 INTRODUCTION TO MASTERY LEARNING Introduction by Carla Ford 1 Perspective on Training: Mastery Learning in the Elementary School 2 CHAPTER 2 AN OVERVIEW
Report on Cyber Security Education Project June 9, 2014 For Further Information: Dennis Egan: email@example.com Fred Roberts: firstname.lastname@example.org Table of Contents ` Executive Summary...
What Classroom Activities Reflect Constructivism? (Activities) Translating theory into constructivist-based practices can be guided by a number of key design principles. Murphy (1997a) summarizes Jonassen
Cataloging and Metadata Education: A Proposal for Preparing Cataloging Professionals of the 21 st Century A response to Action Item 5.1 of the Bibliographic Control of Web Resources: A Library of Congress
ILM Level 3 Qualifications in Leadership and Management Candidate Handbook 2 Background to ILM The Institute of Leadership & Management (ILM) is Europe s largest independent Leadership and Management Awarding
How to Make the Most of Work Integrated Learning: A Guide for Students, Lecturers & Supervisors Andy Martin & Helen Hughes How to Make the Most of Work Integrated Learning A Guide for Students, Lecturers
Eight Things Your Business Analysts Need to Know A Practical Approach to Recognizing and Improving Competencies An ESI International White Paper (877) 766-3337 www.esi-intl.com Table of Contents Abstract...3
G3658-11 Collecting Evaluation Data: End-of-Session Questionnaires Ellen Taylor-Powell Marcus Renner Program Development and Evaluation University of Wisconsin-Extension Cooperative Extension www.uwex.edu/ces/pdande
Certification Examinations for Oklahoma Educators Oklahoma Subject Area Tests STUDY GUIDE 039 School Counselor This test is now delivered as a computer-based test. See www.ceoe.nesinc.com for current program
A Self-Directed Guide to Designing Courses for Significant Learning L. Dee Fink, PhD Director, Instructional Development Program University of Oklahoma Author of: Creating Significant Learning Experiences:
http://www.davidlankes.org TITLE: Statistics, Measures and Quality Standards for Assessing Digital Library Services: Guidelines and Procedures AUTHOR(s): Charles McClure, R. David Lankes, Melissa Gross,
PLAN THE WORK Strategic Communication Planning for Not-for-Profit Organizations This handbook was produced by the Institute for Media, Policy and Civil Society for the Centre for Community Organizations