Wayne State Security Training Overview · 2015/10/07 · Computing & Information Technology

Computing & Information Technology

Wayne State Security Training Overview

Kevin Hayes, CISSP, CISM, Information Security Officer

Geoff Nathan, Faculty Liaison

Wayne State University Computing & Information Technology


Post on 08-Sep-2020



Breaches are not going away


Sadly, Simple Attacks Work

• Attacks via email are the primary source of breaches, hacks & compromised accounts.
• Attacks are free, simple, and easy.
• Used by nation states and mature cybercrime organizations.
• 9% to 18% success rate if email makes it to your Inbox
• People click on ridiculous things.


“Invoice.zip” Outbreak

• Email message was simple:
  – “invoice123.zip” was a ZIP file attachment
  – On opening ZIP file, a virus appearing to be an Adobe PDF file was made available.
  – Only by double-clicking the virus could you become infected.
• 150 Computers Infected
• 111 Computers Propagating Virus
• Less than one hour for viral explosion.


WSU Direct Deposit Scam

– In September, an email went to a number of high-salaried faculty in a college to be nameless
  • A significant number of your colleagues ‘clicked here’ to verify their ‘raise’.
  • An authentic-looking Wayne State web page asked for their credentials.
  • Attackers used these credentials to redirect their next paycheck to a pop-up bank in Africa.
– WSU made good, but other nearby universities were not so nice.


Why training now?

• Threats are growing, creating a technology arms race that’s difficult to keep up with.
• People have been asking for training and guidance more frequently.
• We wanted to ensure a cohesive program was developed – not just deliver static and stale content in a “one size fits all” approach.


Piloting some training

• 250 people watched purchased videos.
  – Content did not use WSU terminology or policies.
  – Issues with clarity and wording of quiz questions.
  – Videos had poor production: monotone narration, use of clip art, low audio quality.
  – “These videos are a joke at best.”
• Resulted in resistance for taking the training


A light turns on

• Our primary job is to teach things. Why are we limiting ourselves?
• News Flash: People learn differently.
• Why can’t we do different things to address the underlying reasons people won’t take the training?


A star is born

• We decided to offer different training methods.
• Use same learning objectives for all training.
• Taking any one training method will certify you.
• Wanted content to change frequently and be dynamic.
• Learn to be flexible via three options:
  – Online Videos
  – In-Person Seminar
  – Advanced Placement Exam


Option One: Updated Online Videos

• Online videos are great for self-starters who want to knock out bits and pieces here and there.
• Purchased selection of training videos from Inspired eLearning
• Addressed production quality.
• 3 modules for staff, 4 for managers.
• Installed in Accelerate HR LMS – Blackboard had issues with >1000 registration and large gradebooks.



Option Two: Created In-Person Seminar

• Created 90 minute presentation.
• Held across campus several times a month.
  – Have AM sessions on Fridays.
• Allows for more interactivity and “traditional learning”.
• Sign up using existing training registration system.


Option Two: Sign-up facility


Option Three: Created Test-Out Option

• For those that already know security (or at least claim to).
• Created online 24 Question “Advanced Placement Exam” in Qualtrics based on learning objectives and program content.
• Only one try permitted per 12 months.
• No easy questions.
• High Passing percentage required (85%).



Keeping the training simple

• “Have an answer for every yes, but”
• Created portal landing page:
  – https://computing.wayne.edu/securityawareness
• Try for minimal-click solutions where possible.
• Created Program FAQ and Knowledge Base with tips and actionable advice on security topics.
• Made easy quick reference sheet.


Comes with a handy hand-out


Fancy certificate paper: 10 cents each. Employees voluntarily showcasing their certificates: PRICELESS.


Analyzing Program Results

• Continue to measure and evaluate all training options.
• All topics by far rated as “Very Useful” by attendees, scoring at least 6.4 out of 7.
• Giving personal anecdotes and stories the most effective in getting information across.


Security Training teaches

[Chart: responses to “How much do you feel you personally learned?” Categories: Nothing, Few Things, Fair Amount, A Whole Lot. Axis scale: 0 to 30.]


Security Training is valuable

• 90% of respondents rated the amount of content delivered as “Just Right”.
• All respondents felt this training met their expectations, with 60% of them having their expectation exceeded.
• Respondents are rating the training as valuable, applicable, and recommend it to their coworkers.


Feedback on Security Training

“I thought it was an excellent training session; Geoff and Kevin are knowledgeable, articulate, and they made the session entertaining.”

“The training was very informative and I think that all staff should attend one of the sessions if possible. Thanks!”


Feedback on Security Training from a faculty member (!)

“The committee was one of the first to receive an exceptional presentation on internet security. I have sat on the FSST committee for about seven years and to the best of my recollection have never before seen a presenter receive a round of applause. I encourage you and your chairs to invite them to present at their departmental meetings.”
