Study of Security Awareness Training




Steve Kruse, Security Principal @ RSA
Bill Pankey, Consultant @ Tunitas Group
Innovation Norway, Feb 04, 2010

Outline: Paradox, Explanations, Conclusions

CSI / FBI Computer Crime Survey (http://www.gocsi.com)
- Annual study of infosec events & security practice in the US
  - Estimates losses from computer crime
  - Type and frequency of exploits
  - Survey of security practice / response to threats
- Commonly used baseline for:
  - Risk assessments
  - Security budget justification

2007 CSI Finding: Minimal UAT* Budgets
(http://i.cmpnet.com/v2.gocsi.com/pdf/csisurvey2007.pdf)
- Chart: % of security budget spent on UAT (values shown on the slide: 22%, 48%, 6%)
- 2007 security budgets average between 3-5% of total IT budget
* UAT: Security Awareness Training

Counter Indications
- Conventional wisdom among US security practitioners is that end users are the greatest security threat:
  - 85% of security breaches involve end users ~ Forrester
  - End user web surfing is the primary source of network infection ~ Symantec
  - Email-borne compromise of end user accounts has been the initial entry vector for 100% of advanced persistent threats (APT) ~ Mandiant
  - Any basic handbook of computer security

The Paradox
"You can't service pack the end user" - Mike Nash, Microsoft
- Is there an inverse Pareto principle at work: spend the least on the biggest problem?
  - High recognition of end user involvement with security breaches
  - Relatively low spending on user security awareness training
- Is the security industry guilty of risk management malpractice?
- Study resolved to understand / explain this apparent paradox

2009 Survey of Security Awareness & Training (http://tinyurl.com/uatsurvey)
- 57 questions
  - UAT budgeting & rationale
  - UAT metrics & accountability
  - UAT practices
- Respondents recruited from:
  - UseNet / Yahoo UAT interest groups
  - Metricon audience
- Disclaimer: No sampling control
  - Suspect bias in self-report survey results:
    - More, rather than less, interest in UAT than among typical security practitioners
    - Natural tendency to over-estimate the quality of their security program

Sample Validates CSI Finding
- Survey sample places only slightly greater emphasis on UAT than the CSI study
  - 55%: less than 2% of security budget
  - 13%: greater than 8% of security budget
- Differences are either not significant or indicate a very slight increased emphasis on UAT

Security UAT Budget in Context
- True cost of UAT typically masked:
  - Security budgets typically are not burdened with the cost of the users' time spent on UAT
  - Only 1 respondent reported that UAT training time is charged against the security budget
  - Total cost of user training time is likely to be the most costly component of UAT
- 93% of respondent companies require UAT for all employees at hire; 75% annual refresher training
- 53% of respondents require at least 1 hr per employee

Security UAT Budget in Context (2)
- Security program's UAT expenditure is either very efficient or very wasteful of company (human) resources
  - UAT budget includes preparation, delivery and management costs for a significant expenditure of corporate resources
- Normalized UAT management cost metric: security program UAT budget / total # of user training hours * loaded labor rate
  - Measure of efficiency? Or inattention?

Questions About the Rationale for UAT
- Is there formal documentation of anticipated UAT benefits? If so, where?
  - Security plan: 65%
  - Security policy: 42% (pro-forma?)
  - UAT business case: 35%
  - Individual campaign proposal: 5%
- But often there is no accountability for benefit statements: 60% of respondents report no management review or approval of the above

UAT Rationale
- What is used to justify the commitment of users' time to UAT?
  - Regulatory requirement: 73%
  - "Unspecified security benefit": 65%
  - External auditor report: 45%
  - Expected increase in user accountability: 15%
- Basis for rejection of requests for increase in mandated UAT (100% of respondents)?
  - Unspecified management priorities: 70%
  - Weak business case: 16%

Lack of UAT Effectiveness Performance Measurement
- Few companies tracked meaningful measures of UAT performance
  - Training completion / compliance rate: 100%
  - (User) behavioral / attitude measures: 13%
  - Correlation w/ security incident metrics: 7%
- Management satisfaction determined by:
  - CSO / CISO: 67%
  - CIO: 25%
  - Compliance: 13%
  - HR: 13%

Illusory UAT Management
"You can't manage what you don't measure" - Drucker
- 60% claim success of UAT to:
  - Reduce security incidents
  - Address root causes of security breaches
  - Increase compliance with security policy
- While focusing on cost (rate of training completion)
- But avoiding collection of UAT performance / effectiveness metrics

Few Meaningful UAT Metrics
- Focus on activity rather than benefit realization
- Security Metrics, Jaquith
  - % of staff completing security awareness training? (6)
  - Correlation of tailgating rates w/ training latency
- Metrics for IT Service Management, ITSM
  - % of staff not at optimal training level? (10)
  - Poll of callers to service desk
- SP800-55 Performance Measurement Guide for Information Security, NIST
  - % of employees in security roles receiving specialized security training (1)

Do UAT Metrics Obscure the Security Objective?
- Common UAT metrics available to establish industry baselines may miss the point
  - Implicitly assume the effectiveness of training, i.e., the results of management
  - Without the relevance, credibility & appropriateness of the training, the completion rate indicates nothing about the security value of the UAT program
- Currently these measures are primarily cost metrics reflecting the scale of resource (end user time) consumption

Meaningful UAT Metrics Imply Strategy
- The security role of the end user is specific to the company and its security strategy. Is the user:
  - A threat to be engineered around?
  - An actor whose behavior needs the constraint of policy?
  - A source of detective or corrective control?
  - All of the above? Some of the above?
- The view of the user determines the objectives of UAT (improve user performance in security role)
  - What and how much risk awareness will vary with industry and company culture
- These UAT objectives will determine metrics
- Missing industry benchmarks

Standardization of Security Awareness
- Effectiveness of UAT has to be measured against expectations of security strategy
  - Some user roles are expected to have more, rather than less, general security / risk awareness
  - Some user roles are expected to take specific action in response to events
- Standardization of user expectations facilitates development of appropriate metrics and establishing meaningful industry baselines

Maturity Model for User Security Awareness
- Blissfully unaware
  - Little recognition or acceptance of most information security threats
  - At this level, the prevalent view is that information security is a property of IT systems and largely a matter of architecture and configuration. Security is largely independent of user behavior.
- Consciously incompetent
  - Some recognition that there is an information security threat, but:
    - Poor risk assessment skill and intuition
    - Uncertain of action needed to protect company information assets
    - Will do nothing rather than create further harm
- Compliant
  - Aware of risks identified in company policy
  - Will take action identified in company security policy
- Risk aware
  - Considers information security risk in performance of company duties, but unsure of appropriate action; sometimes will report incidents
- Competent & practiced
  - Takes appropriate action within scope of role; otherwise reports incidents

UAT Goals re Targeted Maturity Level
- Blissfully unaware
  - User: heads-down routine data processing roles
  - No UAT?
- Compliant
  - User: industry w/ little discretionary access control (e.g. banking). Users locked down by restrictive policy.
  - UAT: policy training
  - Metric: correlate policy violations with training latency
- Risk aware
  - User: industry w/ significant discretionary access (e.g. health)
  - UAT: policy training + threat identification
  - Metric: # of anomalies reported by users

Example Scenario
End user sees what could be a company-owned laptop in an unlocked car in the facility parking lot. What is the end user expected to do?
- Blissfully unaware: where company security tolerates the unaware user, e.g. where whole disk encryption has been implemented for all company laptops ~ nothing
- Compliant: where company policy prescribes all security obligations ~ only what is described in policy
- Risk aware: where the company security model depends upon actions of end users ~ alert company facility manager; security officer
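The contrast the deck draws between a completion rate (an activity metric) and the correlation of policy violations with training latency (a benefit metric), computed side by side over the same records. This is an added Python example, not code from the deck or its authors; the user records, the observation date and the 365-day refresher window are constructed assumptions.

```python
from datetime import date
from math import sqrt

# Constructed sample records (not survey data from the deck): last UAT
# completion date per user and policy violations logged against that user.
OBSERVED_ON = date(2010, 2, 4)
USERS = [
    {"id": "u1", "trained_on": date(2010, 1, 5),   "violations": 0},
    {"id": "u2", "trained_on": date(2009, 12, 6),  "violations": 0},
    {"id": "u3", "trained_on": date(2009, 11, 6),  "violations": 1},
    {"id": "u4", "trained_on": date(2009, 7, 19),  "violations": 1},
    {"id": "u5", "trained_on": date(2008, 12, 31), "violations": 3},
    {"id": "u6", "trained_on": None,               "violations": 2},  # never trained
]


def training_latency_days(user, observed_on=OBSERVED_ON):
    """Days since the user's last UAT completion; None if never trained."""
    if user["trained_on"] is None:
        return None
    return (observed_on - user["trained_on"]).days


def completion_rate(users, window_days=365, observed_on=OBSERVED_ON):
    """Activity metric: share of users whose training is no older than the
    window. Says nothing about whether the training changed behaviour."""
    current = []
    for u in users:
        lat = training_latency_days(u, observed_on)
        if lat is not None and lat <= window_days:
            current.append(u)
    return len(current) / len(users)


def latency_violation_correlation(users, observed_on=OBSERVED_ON):
    """Benefit metric: Pearson r between training latency and violations over
    trained users only. A clearly positive r is evidence that stale training
    goes with more violations; r near 0 suggests training is not the lever."""
    pairs = [(training_latency_days(u, observed_on), u["violations"])
             for u in users if u["trained_on"] is not None]
    n = len(pairs)
    mx = sum(x for x, _ in pairs) / n
    my = sum(y for _, y in pairs) / n
    sxy = sum((x - mx) * (y - my) for x, y in pairs)
    sxx = sum((x - mx) ** 2 for x, _ in pairs)
    syy = sum((y - my) ** 2 for _, y in pairs)
    return sxy / sqrt(sxx * syy)
```

On the constructed records the completion rate is 4/6 while the latency/violation correlation is about 0.96; only the second number speaks to the security value of the program.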

Conclusions
- Little accountability for UAT beyond compliance with regulatory mandates
  - Few, if any, performance metrics
  - Focus on cost
- Where there is no accountability, the optimal strategy is to reduce the absolute UAT expenditure
- UAT management requires new UAT performance metrics
  - Correlate UAT with specific security benefits
  - Lack of industry UAT performance benchmarks
  - Meaningful metrics determined by targeted maturity levels