Information Security Awareness Training - 25 years of STC!
Various Methods and their effectiveness at New Paltz
SUNY Technology Conference, Lake Placid - June 2014
Paul Chauvet
Why the focus on training?
“Only amateurs attack machines; professionals target people” - Bruce Schneier
“There is only one way to keep your product plans safe and that is by having a trained, aware, and
conscientious workforce. This involves training on the policies and procedures, but also - and probably even more important - an ongoing
awareness program” - Kevin Mitnick
Why the focus on training?
Targeting individuals instead of systems can bypass some or all of your technical protection measures.
Dollar for dollar, training has a huge benefit for security.
Who needs security training?
➢ Ideally, everyone - students, faculty, staff, and contractors.
➢ Realistically?
➢ Review laws, contracts, etc. for who is required to receive training (specifically PCI, GLBA, HIPAA).
What are the goals of the training?
➢ Getting users to understand and recognize the risks.
➢ Training users to change their instinctual responses.
➢ Making users recognize that they are at risk.
➢ Educate users as to impact to the college of a successful scam.
What topics should be covered?
➢ Password safety
➢ Malware
➢ Social Engineering
➢ Physical Security
➢ Security Policy
➢ Electronic & Physical security
Psychological Issues
➢ Fast and Slow Thinking
  ➢ Fast: quick judgements, relies on heuristics
  ➢ Slow: thoughtful, lazy
➢ Availability Heuristic
  ➢ Representativeness
  ➢ Availability
➢ Evaluation of risk
  ➢ Users exaggerate risks that are rare, sudden, out of their control, or affect them personally.
  ➢ Users downplay risks that are common, affect others, or are under their control.
Compliance motivation
➢ One method is via Expectancy Theory
  ➢ Expectancy
  ➢ Instrumentality
  ➢ Valence
➢ Make sure employees know the consequences to the college of security lapses.
Training methods
➢ Email communications
  ➢ Can be newsletters or specific advisories.
  ➢ Can easily be overwhelming when too frequent.
  ➢ Will be ignored by a large number of people.
  ➢ If they are too long or contain too much technical jargon, they will be ignored by even more people.
➢ Posters and flyers
  ➢ Should be ‘catchy’ while still being informative
  ➢ Should change frequently
Newsletter
➢ Periodic communication about security issues.
➢ Meant to communicate specific issues or to keep security issues on people’s minds.
In-person training
➢ Initially conducted by an external security consulting firm.
➢ Transitioned to internal training the following year.
➢ Conducted annually - employees with sensitive data access such as Banner are required to attend. All other employees are strongly encouraged to attend.
Don’t just rely on IT
➢ Take advantage of “Security Evangelists” outside of IT.
➢ Use their power and status to extend the reach of security messaging.
➢ Get administration support & buy-in.
Online Training
➢ Conducted via an external firm (Wombat Security).
➢ Training is interactive. Users cannot just click ‘next, next, next’.
➢ Users are scored on training.
➢ Topics include Email Security, URL Training, and Safer Web Browsing.
Online Training
➢ Required & Recommended groups.
➢ Compliance rate ~60%.
➢ A passing score is required to be compliant.
Online Training
➢ Per-user reports
  ➢ Can be used to review users who have fallen for (or are suspected of falling for) phishing scams.
  ➢ Users who fall for phishing scams (and malware) are much more likely to have not taken the training.
  ➢ Not taking the training changes our response post-malware/phishing.
➢ Most-missed report
  ➢ Shows questions users have problems with.
  ➢ Helps adjust messaging to emphasize certain issues for all users (not just those included in the training).
Phishing Simulations
➢ We phish our own users.
  ➢ Done through an external service.
  ➢ Can use actual scam emails (with modified links to a site we control).
  ➢ Can also use custom emails/spear phishing.
  ➢ “Victims” who submit data are brought to a training page.
➢ When users fall for it, it breaks them out of the “immunity fallacy”.
  ➢ Works by altering the Availability Heuristic.
  ➢ Some users will be confused.
Phishing responses
➢ Try to be patient with the users. Security is not their job.
➢ Don’t allow the training to be ignored completely, though.
  ➢ When someone ignores the training and is a repeat offender, their supervisor is notified.
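Mechanically, the simulation in the last two slides needs three pieces: a per-recipient link that the landing page can attribute to a person but that nobody can forge, a landing page that records a click or a credential submission (without keeping the password) and sends the “victim” on to the training page, and a report that joins those events with the online-training results to find repeat offenders and untrained victims. The block below is an added example written for this page; it is not the talk's code nor the external service's. The secret, the example.edu URLs, the user ids and both campaigns are constructed.

```python
"""Phishing-simulation link tracking and post-campaign reporting.

Added example, not code from the talk or from the vendor it mentions.
All names, URLs and data are constructed for illustration.
"""
import hashlib
import hmac
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

# Assumptions: a secret held only by the team running the simulation, and two
# hypothetical pages on a site the security team controls.
SECRET = b"constructed-example-secret-rotate-per-campaign"
LANDING_URL = "https://phishtest.example.edu/login"
TRAINING_URL = "https://phishtest.example.edu/you-have-been-phished"


def make_token(campaign: str, user_id: str) -> str:
    """HMAC tag binding an opaque recipient id to a campaign.

    The landing page can attribute a click to a person without putting an
    e-mail address in the URL, and nobody can forge or guess a colleague's
    link to get them counted as a victim."""
    msg = f"{campaign}:{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:24]


def tracking_link(campaign: str, user_id: str) -> str:
    """The 'modified link' placed into the simulated scam e-mail."""
    return LANDING_URL + "?" + urlencode(
        {"c": campaign, "u": user_id, "t": make_token(campaign, user_id)})


def verify_link(url: str):
    """Return (campaign, user_id) for a genuine link, None for a tampered one."""
    params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    campaign, user_id, tag = params.get("c"), params.get("u"), params.get("t")
    if not (campaign and user_id and tag):
        return None
    if not hmac.compare_digest(make_token(campaign, user_id), tag):
        return None
    return campaign, user_id


def handle_landing(url: str, events: list, submitted_form=None):
    """Simulated landing-page handler.

    A plain visit records a 'click' and would show the fake login form; a form
    post records a 'submit' and redirects to the training page. Whatever was
    typed into the form is discarded on purpose: the report needs to know that
    a user submitted, never the password itself."""
    ident = verify_link(url)
    if ident is None:
        return None            # unknown or forged link: count nothing
    campaign, user_id = ident
    if submitted_form is None:
        events.append((campaign, user_id, "click"))
        return "fake-login-form"
    events.append((campaign, user_id, "submit"))
    return TRAINING_URL


def report(events, recipients, training_passed):
    """recipients: {campaign: set of user ids mailed}; training_passed: set of
    user ids with a passing score in the online training.

    Produces the per-campaign submit rate, the training compliance rate, repeat
    offenders (submitted in two or more campaigns, so their supervisor is told)
    and victims who never completed the training."""
    submitted = defaultdict(set)
    for campaign, user_id, action in events:
        if action == "submit":
            submitted[campaign].add(user_id)
    everyone = set().union(*recipients.values())
    per_user = Counter(u for users in submitted.values() for u in users)
    return {
        "submit_rate": {c: len(submitted[c]) / len(recipients[c]) for c in recipients},
        "compliance_rate": len(training_passed & everyone) / len(everyone),
        "repeat_offenders": sorted(u for u, n in per_user.items() if n >= 2),
        "victims_without_training": sorted(set(per_user) - training_passed),
    }


def run_demo():
    """Two constructed campaigns against five constructed recipients."""
    recipients = {"2014-03": {"u1", "u2", "u3", "u4", "u5"},
                  "2014-05": {"u1", "u2", "u3", "u4", "u5"}}
    training_passed = {"u2", "u3", "u4"}          # constructed training results
    events = []
    # u1 submits credentials to both campaigns, u2 only to the first, u3 only clicks.
    handle_landing(tracking_link("2014-03", "u1"), events, {"password": "x"})
    handle_landing(tracking_link("2014-05", "u1"), events, {"password": "x"})
    handle_landing(tracking_link("2014-03", "u2"), events, {"password": "x"})
    handle_landing(tracking_link("2014-03", "u3"), events)
    # A forged link (u4's token reused with u5's id) must not be counted.
    forged = tracking_link("2014-03", "u4").replace("u=u4", "u=u5")
    assert handle_landing(forged, events, {"password": "x"}) is None
    return report(events, recipients, training_passed)


if __name__ == "__main__":
    print(run_demo())
```

Two design points matter in practice: the submitted password is never written anywhere, so the simulation cannot turn into a credential store that a real attacker would love to find, and the signed token means a disgruntled user cannot get a colleague flagged as a repeat offender by pasting an altered link.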
Training results
➢ Significant drop in number of phishing victims
  ➢ Average phishing victims per month was 4-5.
  ➢ Number of victims year-to-date (2014) is now 4.
➢ Large increase in users reporting suspicious emails.
➢ Significant decrease in submit rate for our phishing simulations.
➢ Generally positive reactions from faculty and staff.
  ➢ Some negative/apathetic reactions.
  ➢ Compliance rate is higher among non-teaching faculty & staff.
Remaining challenges
➢ Keeping users vigilant and avoiding complacency
➢ Training needs to stay relevant and fresh
➢ Reducing training costs
  ➢ Reducing per-user costs to include more users
  ➢ Creating in-house (or in-SUNY?) training
➢ Including students in training, including active training methods
➢ Secure programming/coding training
➢ Effectiveness against more sophisticated methods (spear phishing, other social engineering methods) is still an issue
Resources
➢ Psychology & Information Security course at Albany (Dr. Kevin Williams)
➢ Bruce Schneier - Psychology of Security
➢ protect.iu.edu (Indiana University)
➢ Stop, Think, Connect (stopthinkconnect.org)
➢ Internet2 Cyber Security Awareness Resource Library (https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library)