5 Reasons Why Your Security Education Program isn t Working (and how to fix it)

Similar documents
5 Reasons Why Your Security Education Program isn t Working (and how to fix it)

TEN COMMANDMENTS OF EFFECTIVE SECURITY AWARENESS TRAINING

Training Employees to Recognise & Avoid Advanced Threats

SIMULATED ATTACKS. Evaluate Susceptibility Using PhishGuru, SmishGuru, and USBGuru MEASURE ASSESS

Anti-Phishing Training Modules Teach employees to recognize and avoid phishing and spear phishing attacks

Developing a Successful Security Awareness Training Program. Shea Garber, Sr. Account Executive Wombat Security Technologies, Inc.

Deploying Continuous and Measurable Security Education for Employees. Security awareness and training methodology and best practices

Deploying Continuous and Measurable Security Education for Employees. Security awareness and training methodology and best practices

Activities for Protecting Your Identity and Computer for Middle and High School Students

How to Deploy the Survey Below are some ideas and elements to consider when deploying this survey.

THE THREE Es OF MODERN SECURITY FOR PHISHING

Security Intelligence Services. Cybersecurity training.

McAfee Phishing Quiz. Partner Enablement Guide

White Paper. What the ideal cloud-based web security service should provide. the tools and services to look for

Shield Your Business - Combat Phishing Attacks. A Phishnix White Paper

SBA Cybersecurity for Small Businesses. 1.1 Introduction. 1.2 Course Objectives. 1.3 Course Topics

KASPERSKY PRIVATE SECURITY NETWORK: REAL-TIME THREAT INTELLIGENCE INSIDE THE CORPORATE INFRASTRUCTURE

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

Is security awareness a waste of time?

Social Engineering & How to Counteract Advanced Attacks. Ralph Massaro, VP of Sales Wombat Security Technologies, Inc.

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

What Do You Mean My Cloud Data Isn t Secure?

Reduce Your Network's Attack Surface

WHITE PAPER. The Cost of Phishing: Understanding the True Cost Dynamics Behind Phishing Attacks

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

BE SAFE ONLINE: Lesson Plan

Best value security report

QRadar SIEM and FireEye MPS Integration

ERP. Key Initiative Overview

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Netsweeper Whitepaper

2011 Forrester Research, Inc. Reproduction Prohibited

The webinar will begin shortly

RSA ARCHER OPERATIONAL RISK MANAGEMENT

Things To Do After You ve Been Hacked

Virtual Classroom Designer Competency Resources

Information Security Awareness: How to Get Users Asking for More

How to Use Windows Firewall With User Account Control (UAC)

INTERNET & COMPUTER SECURITY March 20, Scoville Library. ccayne@biblio.org

Internet basics 2.3 Protecting your computer

Defense Media Activity Guide To Keeping Your Social Media Accounts Secure

WEB PROTECTION. Features SECURITY OF INFORMATION TECHNOLOGIES

Evaluating DMARC Effectiveness for the Financial Services Industry

Protecting against cyber threats and security breaches

Integrating MSS, SEP and NGFW to catch targeted APTs

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

INTRODUCING isheriff CLOUD SECURITY

TO AN EFFECTIVE BUSINESS CONTINUITY PLAN

It s easy to protect our files our school work, our music, our photos, our games everything that we save on our computers from loss by malware.

Why you need an Automated Asset Management Solution

Bitrix Software Security. Powerful content management with advanced security features

Introducing IBM s Advanced Threat Protection Platform

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Click to edit Master title style

ReadySpace Limited Unit J, 16/F Reason Group Tower, Castle PeakRoad, Kwai Chung, N.T.

Phishing Attacks Methodology and Response GridSecCon 2012

End-user Security Analytics Strengthens Protection with ArcSight

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

Cloud Computing. Key Initiative Overview

NATIONAL CYBER SECURITY AWARENESS MONTH

Top 10 Tips to Keep Your Small Business Safe

Global IT Security Risks

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Elearning: Building an Effective and Engaging Solution Online

WhatWorks: Blocking Complex Malware Threats at Boston Financial

Convergence of Desktop Security and Management: System Center 2012 Endpoint Protection and System Center 2012 Configuration Manager

CSUF Tech Day Security Awareness Overview Dale Coddington, Information Security Office

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

The Cyber Threat Profiler

OUR MISSION IS TO PROTECT EVERYONE FROM CYBERCRIME

STOP. THINK. CONNECT. Online Safety Quiz

CaaS Think as a bad guy Petr Hněvkovský, CISA, CISSP HP Enterprise Security

Transcription:

5 Reasons Why Your Security Education Program isn t Working (and how to fix it) February 2015

Presentation Agenda Importance of Secure End User Behavior 5 Reasons Your Program isn t Working 10 Learning Science Principles Continuous Training Methodology Significant Risk Reduction Case Studies

95% of security incidents investigated in 2013 were attributed to Human Error IBM Security Services, 2014 Cyber Security Intelligence Index

Why Invest in Security Education? *Aberdeen Group October 2014. The Last Mile in IT Security: Changing User Behaviors 60% Investments in Improving User Behavior Reduce Risks by about 60% * 70% Leading Performer Companies are 70% more likely than Laggards to have Invested in User Awareness and Education

Effectiveness Security Education Maturity Short Focused Topics Continuous Education & Improvement Just-in-Time & In-Context Training Annual Presentations 2004 2009 2014 Now

5 Reasons Security Awareness Doesn t Work 1. Happens once per year 2. Relies on video or slides 3. Tells the end user what to do but not why 4. Training sessions are longer than 15 minutes 5. Focuses on awareness of threats but not behavior change

Keys to Effective Security Training Program

Conceptual and Procedural Knowledge Conceptual knowledge provides the big picture Procedural knowledge focuses on specific actions to solve the problem How to apply this principle: Training should always describe why something is a threat before telling the trainee what to do Give actionable information. Specific steps they should take to protect themselves.

Serve Small Bites People learn better when they can focus on small pieces of information. How to apply this principle: Limit the time a lesson takes to 10 minutes or less Keep the lesson concepts very simple Don t train on all cyber threats at once

Reinforce Lessons Without frequent feedback and practice, even well-learned abilities go away. Security training should be ongoing, not a one-off. How to apply this principle: Have the users practice concepts immediately after learning them Repeat the same lessons throughout the year Repetition increases retention

Train in Context Present lessons in the context which the person is most likely to be attacked. How to apply this principle: Create a situation that users can relate to - You re sitting at your desk and an email comes in - You receive an SMS from a number you don t recognize Simulate the user interface when possible

Give Immediate Feedback Calling it at the point of foul creates teachable moments and increases impact. How to apply this principle: After each practice exercise explain why an answer is correct or incorrect to reinforce the lesson. This is best done on an individual basis but can be done in a group setting

Let Them Set the Pace Different baseline knowledge requires a different learning pace How to apply this principle: Web-based training enables trainees to go at their own pace Allow users to take the training over and over again

Tell a Story People remember stories much better than facts and data How to apply this principle: Keep one set of characters in a particular scenario throughout training Might want to have trainees provide a story and apply that throughout classroom training

Involve Your Students Being actively involved in learning helps students remember things better. How to apply this principle: Immediately after each lesson give trainees opportunity to practice what they ve learned multiple times. Use multiple realistic scenarios Use classroom discussion

Make Them Think People need to evaluate their performance before they improve. How to apply this principle: Providing scenarios where people practice and make decisions based upon new knowledge helps them change performance. Have people relay a story about a threat they received and what they did or could have done differently.

Measure Results Collecting baseline data, and new data after each training campaign, provides positive reinforcement to trainees How to apply this principle: Ensure that your training program supports more than just collection of completion data Perform annual, or more regular, assessments to measure knowledge, not to train

Continuous Training Methodology Detailed reports show progress Knowledge assessments Mock attacks Analyze and Repeat Posters, articles, newsletters, gifts Interactive training modules & games

Assessments & Mock Attacks Assess knowledge and vulnerability Gather baseline results Intelligence for planning Motivate users

Leveraging Teachable Moments Intervention training 30-60 seconds Immediate feedback Provides context

In-Depth Education Bite-sized education Learn by doing Stories & scenarios Provide immediate feedback Collect valuable data

Reinforce & Repeat Reinforce educational messages & imagery Review results Repeat and refine

Revealing Organizational Risk Reduction

What is Risk? Risk is the likelihood something bad will happen Business Impact is the result of something bad happening when it does

How was this calculated?

Summarizing the Results The results of Aberdeen s Monte Carlo model shows that for every 1000 Users and $200M in revenue: If your company is willing to accept a $5M business impact per year then investing in security education reduces the risk of this cost from 50% to less than 6%. 50% to < 6%

500,000 1,000,000 1,500,000 2,000,000 2,500,000 3,000,000 3,500,000 4,000,000 4,500,000 5,000,000 5,500,000 6,000,000 6,500,000 7,000,000 7,500,000 8,000,000 8,500,000 9,000,000 9,500,000 10,000,000 10,500,000 11,000,000 11,500,000 12,000,000 12,500,000 13,000,000 13,500,000 14,000,000 14,500,000 15,000,000 15,500,000 16,000,000 16,500,000 17,000,000 17,500,000 18,000,000 18,500,000 19,000,000 19,500,000 20,000,000 More Cumulative Probability (Likelihood that Annual Business Impact will be Greater than the Corresponding Point on the Curve) Business Impact Resulting from Improved Behavior 100% Results: How User Awareness and Training Changes User Behaviors and Reduces Your Security Risk 80% 60% Risk is reduced Risk Threshold (illustrative) STATUS QUO (NO TRAINING) AFTER TRAINING ~50% likelihood that the annual busines impact will be greater than this appetite for risk 40% 20% 0% < 6% likelihood Risk is reduced For every 1K users and $200M in annual revenue, net of the cost of user awareness and training Annual Business Impact from Infections Related to User Behaviors

Results that Prove out the Model 28

Case Study: A College in the Northeast Public college in the Northeastern US with thousands of faculty and staff and a significant phishing problem Baseline Data 5-6 successful malicious phishing attacks every month Phishing emails weren t getting caught by filters

A College in the Northeast Goals Objective Reduce the number of successful phishing attacks by teaching employees how to recognize and avoid attacks Realistic timeline 6 months Realistic goal 50% reduction The scale and sophistication of phishing attacks was increasing, and the administration started realizing how much security as a whole was important.

A College in the Northeast Education Program Email to faculty and staff about training program Anti-phishing training began Mock phishing attacks every few weeks to assess learning gain and continued vulnerability When we phish our users and they fall for it, it breaks that part of their psyche that says, I am not going to fall for these things and I am not being targeted. It makes them more receptive to training.

A College in the Northeast Methodology Detailed reports show progress Mock Phishing attacks every few weeks Analyze and Repeat Positive response to forwarded phish Email Security and URL Training Modules

A College in the Northeast Case Results 90% reduction in successful phishing attacks Less spyware, fewer infections Rise in proactive reporting and recognized accountability Recent sophisticated attack was not successful The interactive nature of the Wombat training, as opposed to a simple quiz at the end, made everything else we looked at seem poor in comparison.

Case Study: Manufacturing Company International manufacturer had phishing emails infecting machines despite strict email authentication program Baseline Data More than 70 malware infections/day worldwide Average of 32 calls a month related to spyware, virus, and malware concerns

Manufacturing Company Goals Increase awareness of phishing attacks Reduce the number of malware infections Prove to the board that security awareness and training could achieve these results Any company that is not taking awareness seriously is hedging its bets. In my opinion, the single most important thing an organization can do is create a security awareness program.

Manufacturing Company Education Program 5000 employees in countries around the world Voluntary training -- Safer Web Browsing, Email Security, and URL Training Mock phishing attacks using Random Scheduling I think the reason we re getting such great support from our Board is because we re able to show results on the things we re doing, but the potential for cost reductions isn t really the driver here. To me, it s rooted in awareness. I feel this kind of work is essential to a secure work environment, and the Board concurs with that.

Manufacturing Company Methodology Reports show results for Board level discussions Mock Phishing attacks Analyze and Repeat Positive response Safer Web Browsing Email Security URL Training

Manufacturing Company Results 46% reduction in malware infections from 72 per day to 39 per day (Europe 69% reduction) 40% reduction in help desk calls from 32 to 20 per month More than 700% return on investment based on cost to remediate infections Positive user feedback on the interactive nature of the training modules

Future Program Enhancement Move to mandatory training 4-6 additional training modules Targeted phishing to particular departments Broad knowledge assessments We ve developed a healthy sense of paranoia throughout the organization. I think that s the best result that can come out of the awareness training we re doing.

Conclusions Using the right approach end users can learn secure behaviors Continuous training methodology yields significant results to your bottom line There s more than one way to achieve positive results if you have the right ingredients Increase awareness of security issues with employees, executives and your Board Education can reduce overall organization risk

Wombat Security is a Leader in the NEW Gartner Magic Quadrant for Security Awareness Computer-Based Training (CBT) Vendors. Access the full Magic Quadrant report here: http://info.wombatsecurity.com/wombat-named-a-leader

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information