Developing a Full-Spectrum Security Training Program. Wayne State University Computing & Information. Kevin Hayes, CISSP, CISM, Information Security Officer; Geoff Nathan, Faculty Liaison.
Agenda: Background; Our First Pilot; Program Implementation; Program Results; Feedback from You.
Why We Didn't Already Have IT Security Awareness Education: Taking the training required effort people either would not or could not perform. Nobody in authority wanted to take on both the technical and political challenges. We had an old Blackboard course, but it was annoying to access and never updated.
So what changed? Threats are growing, creating a technology arms race that is difficult to keep up with. People have been asking for training and guidance more frequently. We wanted to ensure a cohesive program was developed, not just deliver static and stale content in a one-size-fits-all approach.
Setting the Table for Change: We get about 10 calls a day from vendors promising us the perfect technical solution that will solve all our security woes, but funding and staff are difficult to come by. The academic environment makes it a challenge to put restrictive controls in place. But with a new administration came a new opportunity.
First Steps: Large push by the Information Security Office and Quality, Communications & Compliance. Drafted a Program Charter. Audience will be all managers, IT staff, and individuals with enterprise system (Banner, in our case) access: about 2,500 people. Charter approved by the IT Risk/Oversight Group. Started with a Pilot Implementation directed at internal IT staff only.
Beginning the Pilot: We were new at this and still evaluating various goals. Decided to purchase online videos. Evaluated SANS STH and TeachPrivacy. Required our own department to take TeachPrivacy. Trickled content (2-3 videos per month) over a few months. Content loaded in the Accelerate HR CMS.
What happened in the Pilot? 250 people watched the videos. Solicited and measured feedback. One response: "These videos are a joke at best. The content is passable, but the quality of the software and presentation is deplorable. I would not pay anyone for this service, but I might show it to my less technically literate employees if it were free and there were no better free alternatives."
The Pilot showed deficiencies: Half the people liked the trickle, half liked all at once. Content did not use WSU terminology or policies. Issues with clarity and wording of quiz questions. Videos had poor production: monotone narration, use of clip art, low audio quality.
Pilot conclusions: Content was good; delivery, not so much. People still wanted to learn things, kind of. Resistance to taking the training: "I already know this." "I don't have time." "The system is frustrating to use." "There's no point to this." We knew we had to make significant changes.
A light turns on: Our primary job is to teach things. Why are we limiting ourselves? News flash: people learn differently. Why can't we do different things to address the underlying reasons people won't take the training?
A star is born: We decided to offer different training methods. Use the same learning objectives for all training. Taking any one training method will certify you. Learn to be flexible via three options: Online Videos; In-Person Seminar; Advanced Placement Exam. Created a new project plan for implementation.
A few more goals: Did not want to exclude any employees. Wanted content to change frequently and be dynamic. Must not require substantial resources to maintain. Getting the program started took several people many months to identify and iron out many wrinkles.
Different training; same education. No matter how you learn, the content is the same: 1. Need for IT Security; 2. Properly Securing Data; 3. Credential Management; 4. Phishing & Email Attacks; 5. Dealing with Malware; 6. Reporting IT Security Incidents. The goal is to make people aware of security.
Option One: Updated Online Videos. Online videos are great for self-starters who want to knock out bits and pieces here and there. Purchased a selection of training videos from Inspired eLearning. Addressed production quality. 3 modules for staff, 4 for managers. Installed in the Accelerate HR LMS; Blackboard had issues with >1000 registrations and large gradebooks.
Option Two: Created In-Person Seminar. Created a 90-minute presentation. Held across campus several times a month. Have AM and PM sessions on a Friday. Sessions held in different campus buildings. Allows for more interactivity and traditional learning. Sign up using the existing training registration system.
Option Two: Sign-up facility (screenshot of the registration system).
Option Three: Created Test-Out Option. For those that already know security (or at least claim to). Created an online 24-question Advanced Placement Exam in Qualtrics based on the learning objectives and program content. Only one try permitted per 12 months. No easy questions. High passing percentage required (85%).
Keeping the training simple: Have an answer for every "yes, but". Created a portal landing page: https://computing.wayne.edu/securityawareness. Try for minimal-click solutions where possible. Created a Program FAQ and Knowledge Base with tips and actionable advice on security topics. Made an easy quick-reference sheet.
Comes with a handy hand-out (the quick-reference sheet).
Tracking Program Completion: Our web developers created a web application to consolidate completion data from all three sources: a weekly CSV import for the Online Videos; an attendance sheet for the In-Person Seminars; a Qualtrics HTTP POST call for the AP Test. It permits managers to see the progress of their employees and of the department as a whole. An awesome spreadsheet was developed during web application development.
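The consolidation described above, as an added example in Python; this is not Wayne State's web application and none of its code is from the deck. The three feed shapes (the CSV column names, the attendance-sheet rows, the fields of the Qualtrics POST body) and the sample people are constructed assumptions; the 85% pass mark, the 3-module staff track and the two-year certification life are taken from the deck. It merges the three sources into one record per person, keeps only the most recent completion, rolls certified head-count up by department for the manager view, and exposes the "is this person currently certified?" check that an identity-management hook would ask before granting enterprise access:

```python
import csv
import io
import json
from collections import Counter
from datetime import date, timedelta

PASS_MARK = 85.0            # AP exam passing percentage (deck: 85%)
CERT_VALID_DAYS = 2 * 365   # deck: certification currently lasts two years
VIDEO_MODULES_REQUIRED = 3  # deck: 3 modules for staff (managers take 4)

# Constructed sample feeds (not real WSU data); column and field names are assumptions.
VIDEO_CSV = """accessid,name,department,module,completed
ab1234,Alice Adams,Registrar,1,2015-02-03
ab1234,Alice Adams,Registrar,2,2015-02-05
ab1234,Alice Adams,Registrar,3,2015-02-10
cd5678,Bob Brown,Registrar,1,2015-02-04
"""
SEMINAR_ATTENDANCE = [
    {"accessid": "ef9012", "name": "Carol Clark", "department": "Provost", "date": "2015-01-16"},
]
QUALTRICS_POSTS = [  # one body per exam submission, as an HTTP POST handler would receive it
    json.dumps({"accessid": "gh3456", "name": "Dan Diaz", "department": "Provost",
                "score": 21, "questions": 24, "finished": "2015-02-20"}),
    json.dumps({"accessid": "cd5678", "name": "Bob Brown", "department": "Registrar",
                "score": 19, "questions": 24, "finished": "2015-02-11"}),
]


def _record(name, dept, when, method):
    return {"name": name, "dept": dept, "date": when, "method": method}


def completions_from_videos(csv_text, modules_required=VIDEO_MODULES_REQUIRED):
    """Weekly LMS export: a person is certified only once every required module is done."""
    people = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        p = people.setdefault(row["accessid"],
                              {"name": row["name"], "dept": row["department"], "modules": {}})
        p["modules"][int(row["module"])] = date.fromisoformat(row["completed"])
    out = {}
    for aid, p in people.items():
        if all(m in p["modules"] for m in range(1, modules_required + 1)):
            # Certification date is the day the last module was finished.
            out[aid] = _record(p["name"], p["dept"], max(p["modules"].values()), "Videos")
    return out


def completions_from_seminar(rows):
    """Attendance sheet: being on the sheet is the completion."""
    return {r["accessid"]: _record(r["name"], r["department"],
                                   date.fromisoformat(r["date"]), "Seminar") for r in rows}


def completion_from_ap_post(body):
    """One Qualtrics POST body; a failed attempt records nothing (retry after 12 months)."""
    p = json.loads(body)
    pct = 100.0 * p["score"] / p["questions"]
    if pct < PASS_MARK:
        return {}
    return {p["accessid"]: _record(p["name"], p["department"],
                                   date.fromisoformat(p["finished"]), "AP Test")}


def consolidate(*sources):
    """Merge per-source dicts into one record per person, keeping the latest completion."""
    merged = {}
    for src in sources:
        for aid, rec in src.items():
            if aid not in merged or rec["date"] > merged[aid]["date"]:
                merged[aid] = rec
    return merged


def is_certified(merged, accessid, today_iso):
    """The check an identity-management hook would make before granting enterprise access."""
    rec = merged.get(accessid)
    if rec is None:
        return False
    return date.fromisoformat(today_iso) < rec["date"] + timedelta(days=CERT_VALID_DAYS)


def department_rollup(merged):
    """Manager view: certified head-count per department, broken out by training method."""
    rollup = {}
    for rec in merged.values():
        rollup.setdefault(rec["dept"], Counter())[rec["method"]] += 1
    return {d: dict(c) for d, c in rollup.items()}


def build_report():
    merged = consolidate(completions_from_videos(VIDEO_CSV),
                         completions_from_seminar(SEMINAR_ATTENDANCE),
                         *[completion_from_ap_post(b) for b in QUALTRICS_POSTS])
    return merged, department_rollup(merged)


if __name__ == "__main__":
    merged, rollup = build_report()
    for aid, rec in sorted(merged.items()):
        print(aid, rec["name"], rec["dept"], rec["method"], rec["date"].isoformat())
    print(rollup)
```

Two points worth noting in the design: a partial video track (Bob has only module 1) and a failed AP attempt (Bob again, 19/24 = 79%) both produce no record at all, so the merge can never be fooled into certifying someone from a source that did not actually certify them, and the expiry check is computed from the completion date rather than stored as a flag, so shortening the validity period later (the deck's stated goal of moving from two years to one) is a one-constant change.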
Testing the new approach: Performed beta testing and solicited feedback for all three methods of training: gave a demo of the seminar to C&IT staff; AP Test to select Provost staff (AVPs and Deans Council); online videos to HR staff. Very positive feedback on all approaches. Feedback used to fine-tune each offering.
Making it rewarding: Training should not be a one-way effort. Give something tangible back to those who toiled. Certificate on fancy paper, JPEG-signed by the CIO, ISO, & Faculty Liaison. Congratulations letter physically signed by the ISO. People have been requesting and proudly displaying their certificates.
Fancy certificate paper: 10 cents each. Employees voluntarily showcasing their certificates: priceless.
Making the Push: The Provost's office was critical to getting off the ground, especially after the Pilot phase. Provost kept in the loop during all beta testing phases. Provost insisted their office, as well as all the deans and senior staff, be trained first. Email message from our president sent to the identified population of 2,500 people.
Midflight Changes: Executive management needed a shorter seminar. Really difficult to cut the presentation by one-third: less background information and content review; directly focus on key points. Broke up the regular seminar to include breaks. Wording changes in the AP exam. Reduced the AP exam passing grade from 90% to 85%.
Final & Current Product: Comprehensive, multi-modal training options. Not time intensive: less than two hours. Simple to access. Support from executive management. Leverages the good reputation of IT and the ISO. Not a lot of ongoing InfoSec time investment: 4-6 hours per month for seminars; 30 minutes per week for certificates.
Analyzing Program Results: Continue to measure and evaluate all training options. All topics by far rated as Very Useful by attendees, scoring at least 6.5 out of 7. Giving personal anecdotes and stories is the most effective way of getting information across.
Security Training teaches. [Chart: "How much do you feel you personally learned?" Response counts (0-12) for Nothing, Few Things, Fair Amount, A Whole Lot.]
Security Training is valuable: 95% of respondents rated the amount of content delivered as Just Right. All respondents felt this training met their expectations, with 42% of them having their expectations exceeded. Respondents rate the training as valuable and applicable, and recommend it to their coworkers.
Security Training is accepted. [Chart: response counts (0-16) for Applicable, Valuable, Recommended on a 1 (Worst) to 5 (Best) scale.]
Security Training is working: Spearheaded by the Provost, all Deans & Senior Staff. Over 500 individuals have been certified. All three training options are proving successful. [Chart: certifications by training option (AP Test, Videos, Seminar); slice labels as extracted: 134, 110, 221 and 12%, 27%, 61%.]
Security Training is working: Official Program Rollout March 1st. Steady certification progress: about 50 per week after the initial surge. Managers mandating training for their staff. [Chart: Certifications over Time, 0-400, 12/10/2014 through 3/10/2015.]
Feedback on Security Training: "I thought the training program was well-conceived and informative. It was appropriate for WSU employees at a wide range of positions within the university. The speakers had solid expertise and experience with the topic and made the presentations interesting and engaging." "Your examples of incidents were good and relevant to me."
Feedback on Security Training: "I thought it was an excellent training session; Geoff and Kevin are knowledgeable, articulate, and they made the session entertaining." "The training was very informative and I think that all staff should attend one of the sessions if possible. Thanks!"
Feedback on Security Training, from a faculty member (!): "The committee was one of the first to receive an exceptional presentation on internet security. I have sat on the FSST committee for about seven years and to the best of my recollection have never before seen a presenter receive a round of applause. I encourage you and your chairs to invite them to present at their departmental meetings."
Security Training is ongoing: Content continually updated based on participant feedback and new threats: updated information in training materials; new Knowledge Base articles and actionable tips. Send courtesy emails to certified employees every few months with applicable content. We come to users and hold dedicated seminars for staff around their schedule.
Future Goals: Security Awareness certification will be needed for enterprise system access. Waiting for a critical mass of certifications. Mandated by the University IT Governance Council. Identity Management will be used to enforce it. Certification currently lasts two years; eventually move down to one. Make it part of the HR onboarding process.
Your Feedback & Discussion