Information Security Awareness Training: Various Methods and their Effectiveness at New Paltz
SUNY Technology Conference, Lake Placid, June 2014
Paul Chauvet
Why the focus on training?
- "Only amateurs attack machines; professionals target people." - Bruce Schneier
- "There is only one way to keep your product plans safe and that is by having a trained, aware, and conscientious workforce. This involves training on the policies and procedures, but also - and probably even more important - an ongoing awareness program." - Kevin Mitnick
Why the focus on training?
- Targeting individuals instead of systems can bypass some or all of your protection measures.
- Dollar for dollar, training will have a huge benefit for security.
Who needs security training?
- Ideally, everyone: students, faculty, staff, and contractors.
- Realistically? Review laws, contracts, etc. for who is required to receive training (specifically PCI, GLBA, HIPAA).
What are the goals of the training?
- Getting users to understand and recognize the risks.
- Training users to change their instinctual responses.
- Making users recognize that they are at risk.
- Educating users about the impact to the college of a successful scam.
What topics should be covered?
- Password safety
- Malware
- Social Engineering
- Physical Security
- Security Policy
- Electronic & Physical security
Psychological Issues
- Fast and Slow Thinking
  - Fast: quick judgements, relies on heuristics
  - Slow: thoughtful, lazy
- Heuristics: Availability, Representativeness
- Availability and the evaluation of risk
  - Users exaggerate risks that are rare, sudden, out of their control, or that affect them personally.
  - Users downplay risks that are common, affect others, or that are under their control.
Compliance motivation
- One method is via Expectancy Theory: Expectancy, Instrumentality, Valence.
- Make sure employees know the consequences to the college of security lapses.
Training methods
- Email communications
  - Can be newsletters or specific advisories.
  - Can easily be overwhelming when too frequent.
  - Will be ignored by a large number of people.
  - If they are too long or contain too much technical jargon, they will be ignored by a larger number of people.
- Posters and flyers
  - Should be catchy while still being informative.
  - Should change frequently.
Flyers
Newsletter
- Periodic communication about security issues.
- Meant to communicate specific issues or to keep security issues on people's minds.
In-person training
- Initially conducted by an external security consulting firm.
- Transitioned to internal training the following year.
- Conducted annually; employees with sensitive data access such as Banner are required to attend.
- All other employees are strongly encouraged to attend.
Don't just rely on IT
- Take advantage of Security Evangelists outside of IT.
- Use their power and status to extend the reach of security messaging.
- Get administration support & buy-in.
Online Training
- Conducted via an external firm (Wombat Security).
- Training is interactive. Users cannot just click next, next, next.
- Users are scored on training.
- Topics include Email Security, URL Training, and Safer Web Browsing.
Online Training
- Required & Recommended groups.
- Compliance rate: ~60%.
- Passing score required to be compliant.
Online Training
- Per-user reports
  - Can be used to review users who have fallen for (or are suspected of falling for) phishing scams.
  - Users who fall for phishing scams (and malware) are much more likely to have not taken the training.
  - Not taking the training changes our response post-malware/phishing.
- Most-missed report
  - Shows questions users have problems with.
  - Helps adjust messaging to emphasize certain issues for all users (not just those included in the training).
Phishing Simulations
- We phish our own users.
- Done through an external service.
- Can use actual scam emails (with modified links to a site we control).
- Can also use custom emails/spear phishing.
- Victims who submit data are brought to a training page.
- When users fall for it, it breaks them out of the immunity fallacy. Works through altering the Availability Heuristic.
- Some users will be confused.
Phishing Simulations
Phishing responses
- Try to be patient with the users. Security is not their job.
- Don't allow the training to be ignored completely, though.
- When someone ignores the training and is a repeat offender, their supervisor is notified.
Training results
- Significant drop in number of phishing victims: average phishing victims per month was 4-5; number of victims year-to-date (2014) is now 4.
- Large increase in users reporting suspicious emails.
- Significant decrease in submit rate for our phishing simulations.
- Generally positive reactions from faculty and staff. Some negative/apathetic reactions.
- Compliance rate is higher among non-teaching faculty & staff.
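The per-user reports, the "most missed" report, the repeat-offender rule and the results metrics above all come down to joining three record sets: training scores, simulation outcomes and per-question answers. The following Python is an added example, not the college's own tooling or the vendor's report format; the record layouts, the 80% passing threshold and all names and scores are constructed for illustration.

```python
"""Metrics for an awareness-training and phishing-simulation program.

Added example: record layouts, threshold and data are assumptions, constructed
inline so the script runs offline. They are not the vendor's export format.
"""
from collections import Counter

PASSING_SCORE = 80  # assumed pass mark (percent) for being "compliant"

# Constructed training records: (user, required_to_train, score or None if never taken)
TRAINING = [
    ("alice", True, 92),
    ("bob", True, None),
    ("carol", True, 74),
    ("dave", True, 88),
    ("erin", False, 95),
    ("frank", False, None),
    ("grace", True, 81),
]

# Constructed simulation results: (campaign, user, submitted_data_on_landing_page)
SIMULATIONS = [
    ("2014-02", "alice", False), ("2014-02", "bob", True),
    ("2014-02", "carol", True), ("2014-02", "dave", False),
    ("2014-02", "erin", False), ("2014-02", "frank", True),
    ("2014-02", "grace", False),
    ("2014-05", "alice", False), ("2014-05", "bob", True),
    ("2014-05", "carol", False), ("2014-05", "dave", False),
    ("2014-05", "erin", False), ("2014-05", "frank", True),
    ("2014-05", "grace", False),
]

# Constructed per-question results from the online module: (user, question, correct)
QUESTION_RESULTS = [
    ("alice", "url-hover", True), ("alice", "attachment", True),
    ("carol", "url-hover", False), ("carol", "attachment", True),
    ("dave", "url-hover", False), ("dave", "attachment", True),
    ("grace", "url-hover", False), ("grace", "attachment", False),
    ("erin", "url-hover", True), ("erin", "attachment", True),
]


def is_compliant(score):
    """A user is compliant only with a recorded score at or above the pass mark."""
    return score is not None and score >= PASSING_SCORE


def compliance_rate(training=TRAINING):
    """Share of users in the required group who are compliant."""
    required = [score for _, req, score in training if req]
    return sum(is_compliant(s) for s in required) / len(required)


def submit_rate_by_campaign(sims=SIMULATIONS):
    """Fraction of recipients per campaign who submitted data (lower is better)."""
    sent = Counter(campaign for campaign, _, _ in sims)
    submitted = Counter(campaign for campaign, _, hit in sims if hit)
    return {c: submitted[c] / sent[c] for c in sent}


def victim_training_breakdown(sims=SIMULATIONS, training=TRAINING):
    """Untrained share among simulation victims versus among non-victims."""
    compliant = {user: is_compliant(score) for user, _, score in training}
    victims = {user for _, user, hit in sims if hit}
    non_victims = {user for _, user, _ in sims} - victims

    def untrained_share(group):
        return sum(not compliant.get(u, False) for u in group) / len(group)

    return untrained_share(victims), untrained_share(non_victims)


def escalation_list(sims=SIMULATIONS, training=TRAINING, threshold=2):
    """Repeat offenders (submitted in >= threshold campaigns) who also ignored training.

    These are the cases the deck says get a supervisor notification; first-time
    victims and trained users are left to the landing-page training instead.
    """
    compliant = {user: is_compliant(score) for user, _, score in training}
    hits = Counter(user for _, user, hit in sims if hit)
    return sorted(u for u, n in hits.items()
                  if n >= threshold and not compliant.get(u, False))


def most_missed(results=QUESTION_RESULTS, top=3):
    """Questions ranked by miss rate, to steer messaging for all users."""
    asked = Counter(q for _, q, _ in results)
    missed = Counter(q for _, q, ok in results if not ok)
    ranked = sorted(asked, key=lambda q: -missed[q] / asked[q])
    return [(q, missed[q] / asked[q]) for q in ranked[:top]]


if __name__ == "__main__":
    print(f"compliance rate (required group): {compliance_rate():.0%}")
    for campaign, rate in sorted(submit_rate_by_campaign().items()):
        print(f"{campaign}: submit rate {rate:.0%}")
    v, nv = victim_training_breakdown()
    print(f"untrained share: victims {v:.0%}, non-victims {nv:.0%}")
    print("escalate to supervisor:", escalation_list())
    print("most missed:", most_missed())
```

With the constructed data the required-group compliance comes out at 60%, the submit rate falls from 3/7 to 2/7 between campaigns, every victim is untrained while no non-victim is, and two users meet the repeat-offender-plus-no-training rule. On real exports the same functions apply once the three tuples are filled from the vendor's per-user, campaign and question reports.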
Remaining challenges
- Keeping users vigilant and avoiding complacency; training needs to stay relevant and fresh.
- Reducing training costs
  - Reducing per-user costs to include more users.
  - Creating in-house (or in-SUNY?) training.
- Including students in training, including active training methods.
- Secure programming/coding training.
- Effectiveness against more sophisticated methods (spear phishing, other social engineering methods) is still an issue.
Resources
- Psychology & Information Security course at Albany (Dr. Kevin Williams)
- Bruce Schneier - Psychology of Security
- protect.iu.edu (Indiana University)
- Stop, Think, Connect (stopthinkconnect.org)
- Internet2 Cyber Security Awareness Resource Library (https://wiki.internet2.edu/confluence/display/itsg2/cybersecurity+awareness+resource+library)
Questions? Comments?
Evaluation site: http://www.cvent.com/d/p4qxwg?dvce=2