waynestate technology securitytrainingoverview...2015/10/07 · computing & information...
Computing & Information Technology
Wayne State Security Training Overview
Kevin Hayes, CISSP, CISM, Information Security Officer
Geoff Nathan, Faculty Liaison
Wayne State University Computing & Information Technology
Breaches are not going away
Sadly, Simple Attacks Work
• Attacks via email are the primary source of breaches, hacks & compromised accounts.
• Attacks are free, simple, and easy.
• Used by nation states and mature cybercrime organizations.
• 9% to 18% success rate if email makes it to your Inbox
• People click on ridiculous things.
“Invoice.zip” Outbreak
• Email message was simple:
  – “invoice123.zip” was a ZIP file attachment
  – On opening ZIP file, a virus appearing to be an Adobe PDF file was made available.
  – Only by double-clicking the virus could you become infected.
• 150 Computers Infected
• 111 Computers Propagating Virus
• Less than one hour for viral explosion.
WSU Direct Deposit Scam
– In September, an email went to a number of high-salaried faculty in a college to be nameless
  • A significant number of your colleagues ‘clicked here’ to verify their ‘raise’.
  • An authentic-looking Wayne State web page asked for their credentials.
  • Attackers used these credentials to redirect their next paycheck to a pop-up bank in Africa.
– WSU made good, but other nearby universities were not so nice.
Why training now?
• Threats are growing, creating a technology arms race that’s difficult to keep up with.
• People have been asking for training and guidance more frequently.
• We wanted to ensure a cohesive program was developed – not just deliver static and stale content in a “one size fits all” approach.
Piloting some training
• 250 people watched purchased videos.
  – Content did not use WSU terminology or policies.
  – Issues with clarity and wording of quiz questions.
  – Videos had poor production: monotone narration, use of clip art, low audio quality.
  – “These videos are a joke at best.”
• Resulted in resistance to taking the training
A light turns on
• Our primary job is to teach things. Why are we limiting ourselves?
• News Flash: People learn differently.
• Why can’t we do different things to address the underlying reasons people won’t take the training?
A star is born
• We decided to offer different training methods.
• Use same learning objectives for all training.
• Taking any one training method will certify you.
• Wanted content to change frequently and be dynamic.
• Learn to be flexible via three options:
  – Online Videos
  – In-Person Seminar
  – Advanced Placement Exam
Option One: Updated Online Videos
• Online videos are great for self-starters who want to knock out bits and pieces here and there.
• Purchased selection of training videos from Inspired eLearning
• Addressed production quality.
• 3 modules for staff, 4 for managers.
• Installed in Accelerate HR LMS
  – Blackboard had issues with >1000 registration and large gradebooks.
Option Two: Created In-Person Seminar
• Created 90 minute presentation.
• Held across campus several times a month.
  – Have AM sessions on Fridays.
• Allows for more interactivity and “traditional learning”.
• Sign up using existing training registration system.
Option Two: Sign-up facility
Option Three: Created Test-Out Option
• For those that already know security (or at least claim to).
• Created online 24 Question “Advanced Placement Exam” in Qualtrics based on learning objectives and program content.
• Only one try permitted per 12 months.
• No easy questions.
• High Passing percentage required (85%).
Keeping the training simple
• “Have an answer for every yes, but”
• Created portal landing page:
  – https://computing.wayne.edu/securityawareness
• Try for minimal-click solutions where possible.
• Created Program FAQ and Knowledge Base with tips and actionable advice on security topics.
• Made easy quick reference sheet.
Comes with a handy hand-out
Fancy certificate paper: 10 cents each. Employees voluntarily showcasing their certificates: PRICELESS.
Analyzing Program Results
• Continue to measure and evaluate all training options.
• All topics by far rated as “Very Useful” by attendees, scoring at least 6.4 out of 7.
• Giving personal anecdotes and stories is the most effective in getting information across.
Security Training teaches
[Bar chart: responses to “How much do you feel you personally learned?” Categories: Nothing, Few Things, Fair Amount, A Whole Lot.]
Security Training is valuable
• 90% of respondents rated the amount of content delivered as “Just Right”.
• All respondents felt this training met their expectations, with 60% of them having their expectation exceeded.
• Respondents are rating the training as valuable, applicable, and recommend it to their coworkers.
Feedback on Security Training
“I thought it was an excellent training session; Geoff and Kevin are knowledgeable, articulate, and they made the session entertaining.”
“The training was very informative and I think that all staff should attend one of the sessions if possible. Thanks!”
Feedback on Security Training from a faculty member (!)
“The committee was one of the first to receive an exceptional presentation on internet security. I have sat on the FSST committee for about seven years and to the best of my recollection have never before seen a presenter receive a round of applause. I encourage you and your chairs to invite them to present at their departmental meetings.”