Upload: zdravko-stoychev

Post on 20-Jun-2015

Page 1: Training People and Raising Awareness

14/5/2013 ISACA – Sofia Chapter 1

Training people and raising awareness

The never-ending story

Page 2

Agenda

Define the facts

Avoid the pitfalls

Best practices

To be successful

Takeaways

Rocket-science

Page 3

Define the facts

Page 4

Define the facts

• Training is a critical part of any initiative, introducing users to policy guidelines and allowing management to set expectations.

Source: www.assero.co.uk

Page 5

Define the facts

• You won't get far in your training if you don't tune your message to the audience, whether you're presenting your case to the executive board, the IT group or the staff.

Source: articles.elitefts.com

Page 6

Define the facts

• Habits drive organizational culture, and there are no technologies that will ever make up for poor culture.

Source: www.eaglesflight.com

Page 7

Define the facts

• Ensure that any awareness training program is a continuous process: heightened user awareness loses value if you don't reinforce learned concepts over time. "As it shows in the report we have seen susceptibility reductions of over 80% when comparing an initial mock attack to subsequent attacks when in-depth training is completed in between the attacks."

-- Joe Ferrara, President and CEO of Wombat Security Technologies

Source: http://www.wombatsecurity.com/phishing_attack_report

Page 8

Define the facts

• There is a clear tendency not to engage with external awareness providers. Wisegate found that less than 1% of companies use only third-party training companies, 50% develop their awareness regime fully in-house, 42% use a combination of third-party and in-house training, and amazingly, as many as 7% do no awareness training at all.

[Chart: Awareness training, share of companies: develop fully in-house 50%; use a combination 42%; no awareness training 7%; use third-party only under 1%]

Source: http://www.wisegateit.com/resources/downloads-security-awareness-report

Page 9

Avoid the pitfalls

• ‘Do as I say, not as I do’ resonates in the executive corridor of far too many organizations today.

– When asked “Do you believe directors think the policies don’t apply to them?”, 56% agreed.

– Not so many senior managers actually “ignore or flout security policies and procedures,” but at 42% it is still surprisingly high.

– 52% agreed “The board of directors have access to the most sensitive information but have the least understanding of security issues.”

-- Cryptzone queried 300 IT professionals

Source: http://www.infosecurity-magazine.com/view/25971/security-do-as-i-say-not-as-i-do/

Page 10

Avoid the pitfalls

• Recognize that the user is ‘the most commonly exploited security vulnerability’ in your company, but be warned that there is no single one-size-fits-all solution to awareness training.

Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/

Page 11

Avoid the pitfalls

• Don’t do it alone. Turn to the marketing and training departments and use their expertise in both developing an awareness program, and then selling it to the user.

Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/

Page 12

Best Practices

• Maximize the strengths and avoid the pitfalls in what can be a controversial, but is a very effective, method of training users: learning by experience. Its effectiveness can be measured and monitored to allow the most cost-efficient training for the highest risk people and topics.

Page 13

Best Practices

• Make education easy and accessible. Don’t make security training a burden, make it part of their everyday activities.

• Refresh the policy training routinely and test their knowledge often to ensure they have the ability to execute the policy in day-to-day scenarios.

• Try to make the information relevant to their personal use. This creates a feeling of empowerment and responsibility to practice good security day and night.

• Work to make the information factual and provide real-world examples of where things went wrong. Sharing what good practice looks like, and how bad practice impacts the brand and reputation of a company, helps your employees understand why compliance with policies is so critical.

• Programs that rely on 90-day plans are the most effective: every 90 days the program and its goals are re-evaluated to determine which topics need to be addressed moving forward.

Page 14

How to be successful

• Awareness programs that obtain C-level support are more successful. This support inevitably leads to more freedom, larger budgets and support from other departments.

• Creativity is a must. While a large budget helps, companies with a small security awareness budget have still been able to establish successful programs. Creativity and enthusiasm can make up for a small budget.

• One of the key factors in having a successful effort is being able to prove that your effort is successful. The only way to do this is to collect metrics before initiating new awareness efforts.

• Awareness efforts that focus on how to accomplish actions are more successful than those that focus on telling people that they should not be doing things.

• The most successful programs are not only creative; they rely on many forms of awareness materials. The most participative efforts appear to have the most success.

Page 15

Takeaways

• Start measuring by creating a baseline, defining a clear goal, and tracking progress. If you aren’t moving in the right direction, adjust the course.

• Awareness programs, when properly executed, provide knowledge that instills behavior, which changes habits, which in turn drives a better culture.

• An approach that concentrates not on raising awareness but on changing employee behavior, habits and actions to create a culture, by using “prescriptions”:

– Using a password vault within Twitter ended up reaching over 75% of users;

– Twitter mastered the training approach via constant feedback and evaluation.

• There is no technology that will prevent human misbehavior, e.g. mishandling of paper information and computer media.

• Awareness mitigates non-technical issues that technology can't. By measuring return on investment you will find that awareness is one of the most reliable measures available.
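The deck repeatedly asks for the same loop: collect metrics before the program starts, set a goal, track progress, and spend the training budget on the highest-risk people and topics. The script below is an added example of that loop and is not from the ISACA deck or its author; it scores the results of a "mock attack, train, re-test" sequence of the kind the Wombat quote describes. The wave names, user ids and click sets are constructed sample data, and the 50% reduction goal is an assumed program target.

```python
"""Baseline-and-progress tracking for an awareness program (added example).

Given per-wave results of simulated phishing tests, compute susceptibility
per wave, the reduction against the pre-training baseline, whether the
program goal is met, and which users clicked repeatedly (the highest-risk
people, where targeted follow-up training is most cost-efficient).
"""
from collections import defaultdict

# Constructed sample data, not real measurements. Wave 0 is the baseline,
# run before any training; later waves follow training delivered in between.
WAVES = [
    {"name": "baseline", "targeted": 20,
     "clicked": {"u01", "u02", "u03", "u04", "u05", "u06", "u07", "u08"}},
    {"name": "wave-1 (after training)", "targeted": 20,
     "clicked": {"u01", "u02", "u03", "u09"}},
    {"name": "wave-2 (after refresher)", "targeted": 20,
     "clicked": {"u01", "u02"}},
]
GOAL_REDUCTION = 0.5  # assumed program goal: halve susceptibility vs. baseline


def susceptibility(wave):
    """Fraction of targeted users who clicked the test link in this wave."""
    return len(wave["clicked"]) / wave["targeted"]


def reduction_vs_baseline(baseline, wave):
    """Relative drop in susceptibility compared with the baseline wave.
    Returns 0.0 when the baseline rate is 0 (there is nothing to reduce)."""
    base = susceptibility(baseline)
    if base == 0:
        return 0.0
    return (base - susceptibility(wave)) / base


def repeat_clickers(waves, min_clicks=2):
    """Users who clicked in at least `min_clicks` waves, sorted by id."""
    counts = defaultdict(int)
    for wave in waves:
        for user in wave["clicked"]:
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def progress_report(waves, goal=GOAL_REDUCTION):
    """Per-wave metrics, goal status for the latest wave, whether the
    reduction is monotonically improving, and the repeat clickers."""
    baseline = waves[0]
    rows = [
        {
            "wave": wave["name"],
            "susceptibility": round(susceptibility(wave), 3),
            "reduction": round(reduction_vs_baseline(baseline, wave), 3),
        }
        for wave in waves
    ]
    on_track = all(rows[i]["reduction"] <= rows[i + 1]["reduction"]
                   for i in range(len(rows) - 1))
    return {
        "rows": rows,
        "goal_met": rows[-1]["reduction"] >= goal,
        "on_track": on_track,
        "repeat_clickers": repeat_clickers(waves),
    }


if __name__ == "__main__":
    report = progress_report(WAVES)
    for row in report["rows"]:
        print(f"{row['wave']:28s} susceptibility={row['susceptibility']:.1%}"
              f"  reduction={row['reduction']:.1%}")
    print("goal met:", report["goal_met"], "| on track:", report["on_track"])
    print("repeat clickers for targeted training:", report["repeat_clickers"])
```

With the sample data the baseline is 40% susceptibility, the first post-training wave halves it (50% reduction, exactly the assumed goal) and the refresher wave brings the reduction to 75%; u01, u02 and u03 are flagged as repeat clickers. If a later wave shows the reduction slipping, `on_track` turns false, which is the "adjust the course" signal the takeaway asks for.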

Page 16

Takeaways

• Focus on security culture, not training, and constantly measure the effect of the training so that it can be repeatedly reshaped to be more effective; this is where the feedback comes in handy.

• Never give up on users: "It's never a lost cause until you believe it is."

• “For” and “against” awareness training: an easy victory for the “for” side, simply because it is not possible to provide clear and consistent evidence that training is not working. There is plenty of evidence of the opposite.

• Education and training are not perfect. The challenge is that even if you do it right, it can be hard to document the effect and to show clear causation between your training efforts and the behavior change.

• The biggest issue is perhaps that awareness efforts are frequently not optional. Telling people not to do something because we believe it is a bad idea is just not an option.

• Address and utilize interpersonal skills, personality traits, motivational theory; do not rely only on technical skills, risk management models and policy making.

Page 17

Go rocket-science

Two different sides of the brain control two different “modes” of thinking.

(Theory of the structure and functions of the mind)

• People think and learn in different ways with evidence of different learning characteristics, but different cultural groups may emphasize one cognitive style over another: the verbal vs. the nonverbal, represented rather separately in left and right hemispheres respectively.

• Our education system, as well as science in general, tends to neglect the nonverbal form of intellect. Modern society discriminates against the right hemisphere, i.e. nonverbal thinking.

• Most children rank as highly creative (right brain) before entering school. Because our educational systems place a higher value on left-brain skills such as mathematics, logic and language than on drawing or using our imagination:

– Only 10% of these same children will rank as highly creative by the age of 7.

– By the time we are adults, high creativity remains in only 2% of the population.

Page 18

Right Brain vs. Left Brain

LEFT BRAIN FUNCTIONS            RIGHT BRAIN FUNCTIONS
uses logic                      uses feeling
detail oriented                 "big picture" oriented
facts rule                      imagination rules
words and language              symbols and images
present and past                present and future
math and science                philosophy & religion
can comprehend                  can "get it" (i.e. meaning)
knowing                         believes
acknowledges                    appreciates
order/pattern perception        spatial perception
knows object name               knows object function
reality based                   fantasy based
forms strategies                presents possibilities
practical                       impetuous
safe                            risk taking

• Left-brain scholastic subjects focus on logical thinking, analysis, and accuracy.

• Right-brain subjects focus on aesthetics, feeling, and creativity.

Page 19

Right Brain vs. Left Brain

• Our conscious mind can only focus on data from one brain at a time. Eventually, ultimate authority to enter consciousness is delegated to one brain or the other. In our modern world, this battle is almost always won by the left brain.

• Sometimes skills which the right brain can perform better are routinely handled, with less skill, by the left brain.

Too bad, and now what?

• Methods have been devised to "shut off" the left brain, allowing the right side to have its say, even temporarily.

• The logical left side is easily bored by lack of input and tends to "doze off" during such activities as meditation (repeating a mantra or word over and over) or in sensory deprivation environments.

Page 20

Why should I care?

How is all this related to people training?

• To foster a more whole-brained scholastic experience, teachers should use instruction techniques that connect with both sides of the brain.

• Increase right-brain learning activities by incorporating more patterning, metaphors, analogies, role playing, visuals, and movement into reading, calculation, and analytical activities.

• For a more accurate whole-brained evaluation of student learning, educators must develop new forms of assessment that honor right-brained talents and skills.

Ideally, both brains work together in people with optimum mental ability. This coordinating ability may be the key to superior intellectual abilities.

Such employees will form better habits, develop a great organizational culture and be more productive and creative; and so it goes, the never-ending story.

Page 21

Thank you!

Zdravko Stoychev, CISM, CRISC

http://twitter.com/zdravkos