
Information Security Awareness Training

Various Methods and their effectiveness at New Paltz

SUNY Technology Conference, Lake Placid - June 2014

Paul Chauvet

Why the focus on training?

“Only amateurs attack machines; professionals target people” - Bruce Schneier

“There is only one way to keep your product plans safe and that is by having a trained, aware, and conscientious workforce. This involves training on the policies and procedures, but also - and probably even more important - an ongoing awareness program” - Kevin Mitnick

Why the focus on training?

Targeting individuals instead of systems can bypass some or all of your protection measures.

Dollar for dollar, training will have a huge benefit for security.

Who needs security training?

➢ Ideally, everyone - students, faculty, staff, and contractors.

➢ Realistically?
➢ Review laws, contracts, etc. for who is required to receive training (specifically PCI, GLBA, HIPAA)

What are the goals of the training?

➢ Getting users to understand and recognize the risks.

➢ Training users to change their instinctual responses.

➢ Making users recognize that they are at risk.

➢ Educating users about the impact to the college of a successful scam.

What topics should be covered?

➢ Password safety
➢ Malware
➢ Social Engineering
➢ Physical Security
➢ Security Policy
➢ Electronic & Physical security

Psychological Issues

➢ Fast and Slow Thinking
  ➢ Fast: quick judgements, relies on heuristics
  ➢ Slow: thoughtful, lazy

➢ Availability Heuristic
  ➢ Representativeness
  ➢ Availability

➢ Evaluation of risk
  ➢ Users exaggerate risks that are rare, sudden, are out of their control, or affect them personally.
  ➢ Users downplay risks that are common, affect others, or that are under their control.

Compliance motivation

➢ One method is via Expectancy Theory
  ➢ Expectancy
  ➢ Instrumentality
  ➢ Valence

➢ Make sure employees know the consequences to the college of security lapses.

Training methods

➢ Email communications
  ➢ Can be newsletters or specific advisories.
  ➢ Can easily be overwhelming when too frequent.
  ➢ Will be ignored by a large number of people.
  ➢ If they are too long or contain too much technical jargon, they will be ignored by a larger number of people.

➢ Posters and flyers
  ➢ Should be ‘catchy’ while still being informative
  ➢ Should change frequently

Flyers


Newsletter

➢ Periodic communication about security issues.

➢ Meant to communicate specific issues or to keep security issues on people’s minds.

In-person training

➢ Initially conducted by an external security consulting firm.

➢ Transitioned to internal training the following year.

➢ Conducted annually - employees with sensitive data access such as Banner are required to attend. All other employees are strongly encouraged to attend.

Don’t just rely on IT

➢ Take advantage of “Security Evangelists” outside of IT.

➢ Use their power and status to extend the reach of security messaging.

➢ Get administration support & buy-in.

Online Training

➢ Conducted via an external firm (Wombat Security).

➢ Training is interactive. Users cannot just click ‘next, next, next’.

➢ Users are scored on training.
➢ Topics include Email Security, URL Training, and Safer Web Browsing.

Online Training

➢ Required & Recommended groups.
➢ Compliance rates ~ 60%
➢ Passing score required to be compliant.

Online Training

➢ Per-user reports
  ➢ Can be used to review users who have fallen for (or are suspected of falling for) phishing scams.
  ➢ Users who fall for phishing scams (and malware) are much more likely to have not taken the training.
  ➢ Not taking the training changes our response post-malware/phishing.

➢ Most missed report
  ➢ Shows questions users have problems with.
  ➢ Helps adjust messaging to emphasize certain issues for all users (not just those included in the training).

Phishing Simulations

➢ We phish our own users.
  ➢ Done through an external service.
  ➢ Can use actual scam emails (with modified links to a site we control).
  ➢ Can also use custom emails/spear phishing.
  ➢ “Victims” who submit data are brought to a training page.

➢ When users fall for it, it breaks them out of the “immunity fallacy”.
  ➢ Works through altering the Availability Heuristic.
  ➢ Some users will be confused.


Phishing responses

➢ Try to be patient with the users. Security is not their job.

➢ Don’t allow the training to be ignored completely though.
  ➢ When someone ignores the training and is a repeat offender, their supervisor is notified.
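Added example (not from the presentation or the training vendor) of the cross-referencing described under the per-user reports and the repeat-offender escalation in this section: it joins a constructed training roster with a constructed help-desk incident log and produces the compliance rate, the victims who had not completed the training, and the per-victim response. The roster and incident fields, the usernames, and the 70% passing score are assumptions.

```python
from collections import Counter

# Constructed sample data (assumed export formats, not the vendor's real reports):
# per-user training status keyed by username, plus help-desk phishing/malware incidents.
TRAINING = {
    "alice": {"required": True, "score": 92},
    "bob": {"required": True, "score": None},    # assigned but never completed
    "carol": {"required": True, "score": 55},    # completed but failed
    "dave": {"required": False, "score": 88},    # recommended group, completed
    "erin": {"required": False, "score": None},  # recommended group, not taken
}
INCIDENTS = [
    {"user": "bob", "kind": "phishing"},
    {"user": "bob", "kind": "phishing"},
    {"user": "erin", "kind": "malware"},
    {"user": "alice", "kind": "phishing"},
]
PASSING_SCORE = 70  # assumed threshold; the slides only say a passing score is required

def is_compliant(record):
    """Compliant means the training was completed with a passing score."""
    return record["score"] is not None and record["score"] >= PASSING_SCORE

def compliance_rate(training, required_only=True):
    """Fraction of the required group (or of everyone) that is compliant."""
    pool = [r for r in training.values() if r["required"] or not required_only]
    return sum(is_compliant(r) for r in pool) / len(pool)

def untrained_victims(training, incidents):
    """Victims who were not compliant: the group the slides found over-represented."""
    return sorted({i["user"] for i in incidents if not is_compliant(training[i["user"]])})

def repeat_offenders(incidents, threshold=2):
    """Users with at least `threshold` incidents; policy is to notify their supervisor."""
    counts = Counter(i["user"] for i in incidents)
    return sorted(u for u, n in counts.items() if n >= threshold)

def triage(training, incidents):
    """Per-victim response: retrain the untrained, escalate repeat offenders, else remind."""
    repeats = set(repeat_offenders(incidents))
    actions = {}
    for user in sorted({i["user"] for i in incidents}):
        todo = []
        if not is_compliant(training[user]):
            todo.append("assign-training")
        if user in repeats:
            todo.append("notify-supervisor")
        actions[user] = todo or ["reminder"]
    return actions
```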

Training results

➢ Significant drop in number of phishing victims
  ➢ Average phishing victims per month was 4-5.
  ➢ Number of victims year-to-date (2014) is now 4.

➢ Large increase in users reporting suspicious emails.

➢ Significant decrease in submit rate for our phishing simulations.

➢ Generally positive reactions from faculty and staff.
  ➢ Some negative/apathetic reactions.
  ➢ Compliance rate is higher among non-teaching faculty & staff.

Remaining challenges

➢ Keeping users vigilant and avoiding complacency

➢ Training needs to stay relevant and fresh
➢ Reducing training costs
  ➢ Reducing per-user costs to include more users
  ➢ Creating in-house (or in-SUNY?) training
  ➢ Including students in active training methods

➢ Including students in training
➢ Secure programming/coding training
➢ Effectiveness of more sophisticated methods (spear phishing, other social engineering methods) is still an issue

Resources

➢ Psychology & Information Security course at Albany (Dr. Kevin Williams)

➢ Bruce Schneier - Psychology of Security
➢ protect.iu.edu (Indiana University)
➢ Stop, Think, Connect (stopthinkconnect.org)
➢ Internet 2 Cyber Security Awareness Resource Library (https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library)

➢ Questions?
➢ Comments?

➢ Evaluation site: http://www.cvent.com/d/p4qxwg?dvce=2