Effective user training

Too often user training gets a bad rep in the information security industry. Too often this is because training is done extremely poorly. In this presentation I show that training works, can be effective, and give suggestions for putting together a good training program.

    Presentation Transcript

    • Slide 1: Users: Your First Line of Defense. Ari Elias-Bachrach, Defensium llc, May 2014. http://bit.ly/effective_training
    • Slide 2: About Me. Ari Elias-Bachrach
      ● Application security nerd, training instructor
      ● Former pen tester
      ● Former infosec engineer
      ● Wanted to increase my impact on security
      ● Make CBTs
      ● Trainer
      ● Develop e-learning classes
    • Slide 3: This Talk Will Cover: Effective Training for Non-Security Personnel
      ● Why We Do Training
      ● How To Give Advice
      ● Make Training Relevant
      ● Use Social Psychology
    • Slide 4: Why We Do Training
    • Slide 5: Attackers Are Targeting End Users More. Source: 2014 Verizon Data Breach Investigations Report
    • Slide 6: Technical problems have technical solutions. Non-technical problems have non-technical solutions.
    • Slide 7: Training Works. Source: ThreatSim, 2013 State of the Phish
    • Slide 8: Training Works. Source: 2013 Verizon Data Breach Investigations Report
    • Slide 9: How To Give Advice
    • Slide 10: Give Positive Advice. Instead of telling people what NOT to do, tell them what to do. "No running in the house!" becomes "In the house we walk."
    • Slide 11: The Security Industry Gives Advice Mostly in the Negative Form. "Don't click the link": 1,500,000 results. "Report a phishing email": 54,400 results.
    • Slide 12: The Security Industry Gives Advice Mostly in the Negative Form. "Cross Site Scripting": 2,710,000 results. "Output Encoding": 110,000 results.
    • Slide 13: Give Positive Advice. Common security advice:
      - Don't click the link
      - Don't use "product"
      - Don't use easily guessable passwords
      - Don't have any of these vulnerabilities
    • Slide 14: Give Positive Advice. Good security advice:
      - When you get a phishing email....
      - Use "other product"
      - To make a good password...
      - Code in the following way....
    • Slide 15: Training Needs to be Relevant
    • Slide 16: Pick Your Topics Based on Real Needs. What causes our IT incidents here?
      ➢ Phishing attacks?
      ➢ SQL injection?
      ➢ Viruses coming in through sneakernet?
      ➢ Loss/theft of laptops and smartphones?
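    Slide 16 says to pick training topics from what actually causes incidents locally rather than from a generic syllabus. As an added example (not from the presentation), the Python script below does that from a constructed incident-ticket export: it weights each ticket by severity, sums the weight per root cause, maps each cause to the training topic that addresses it, and splits the result by audience, so a cause only developers can fix (SQL injection) does not end up in the all-hands session. The column names, root-cause categories, severity weights and topic mapping are all assumptions made for the example.

```python
"""Rank user-training topics by the incidents they would have prevented.

Added example; the ticket export below is constructed, and the column
names, category names, severity weights and topic mapping are assumptions.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export of an incident tracker (assumed columns).
SAMPLE_TICKETS = """\
id,root_cause,severity
1001,phishing,high
1002,phishing,medium
1003,lost_device,high
1004,sql_injection,high
1005,phishing,low
1006,usb_malware,medium
1007,phishing,medium
1008,lost_device,medium
1009,tailgating,low
1010,phishing,high
"""

# Assumed weights: one high-severity incident counts as three low ones.
SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3}

# Assumed mapping from root cause to (audience, topic). Phrased as positive
# advice, per slides 10-14: what to do, not what not to do.
TOPIC_FOR_CAUSE = {
    "phishing": ("all-hands", "What to do when you get a phishing email"),
    "lost_device": ("all-hands", "Keeping laptops and phones safe off-site"),
    "usb_malware": ("all-hands", "Handling files that arrive on USB media"),
    "tailgating": ("all-hands", "Checking badges when holding the door"),
    "sql_injection": ("developers", "Writing queries with prepared statements"),
}


def load_tickets(csv_text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def score_causes(tickets, weights=SEVERITY_WEIGHT):
    """Sum severity-weighted ticket counts per root cause.

    An unrecognised severity string defaults to weight 1 so that a dirty
    export still produces a ranking instead of raising.
    """
    scores = defaultdict(int)
    for ticket in tickets:
        scores[ticket["root_cause"]] += weights.get(ticket["severity"].lower(), 1)
    return dict(scores)


def rank_topics(tickets, audience=None):
    """Return (topic, score) pairs, highest score first.

    If audience is given, only topics for that audience are returned.
    A cause with no mapped topic is reported as 'unmapped: <cause>' so it
    is visible in the plan rather than silently dropped.
    """
    ranked = []
    for cause, score in score_causes(tickets).items():
        track, topic = TOPIC_FOR_CAUSE.get(cause, ("unmapped", f"unmapped: {cause}"))
        if audience is None or track == audience:
            ranked.append((topic, score))
    ranked.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranked


if __name__ == "__main__":
    tickets = load_tickets(SAMPLE_TICKETS)
    for track in ("all-hands", "developers"):
        print(f"== {track} ==")
        for topic, score in rank_topics(tickets, audience=track):
            print(f"{score:3d}  {topic}")
```

    On the constructed data phishing dominates the all-hands track with a weighted score of 11, well ahead of lost devices at 5, which is the kind of evidence that justifies spending most of a session on one topic. Swap in a real export and a mapping that matches your own incident taxonomy; the unmapped bucket tells you which causes the training plan has no answer for yet.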
    • Slides 17 and 18: Training Needs to be Relevant. Don't rely on gimmicks; focus on concrete things people see.
    • Slide 19: Training Needs to be Relevant. Don't rely on gimmicks; focus on concrete things people see. A typical day:
      8:00  Get to work and hold the door open for a "coworker"
      10:30 Write some code for a new web application
      12:00 Get an email from the helpdesk with instructions to fill out a form
      2:00  Discuss work over lunch in a restaurant
      5:00  Go home. Leave desk unlocked
    • Slide 20: Do Not Teach Them the Language of Security; We Need to Speak Their Language. 256 pages
    • Slide 21: Do Not Teach Them the Language of Security; We Need to Speak Their Language. Security terms: Vulnerability, SQL Injection, Confidentiality, AES Encrypted. Their terms: Bug, Prepared Statement, Eavesdrop, Protected.
    • Slide 22: Use Social Psychology. There are six factors of influence: 1) Reciprocity 2) Commitment 3) Social Proof 4) Liking 5) Authority 6) Scarcity
    • Slide 23: Reciprocity. A person feels like they're repaying a favor.
    • Slide 24: Commitment. Once committed to a position, people stick to it. Source: Yes! 50 Scientifically Proven Ways to Be Persuasive, Noah J. Goldstein
    • Slide 25: Commitment. Click-through doesn't do much. If you can get people to read and sign a physical document, especially in a group, they're publicly supporting the position.
    • Slide 26: Commitment. "Do you think that the security of our data is important? Why?"
    • Slide 27: Commitment. Asking questions can force a person to commit to a position. Compare these three options:
      1) If you get a phishing email, please call the help desk.
      2) The next time you get a phishing email, will you call the service desk?
      3) The next time you get a phishing email, what will you do?
    • Slide 28: Liking. People are more likely to be influenced by people they like. People like people who:
      ● Look like them
      ● Are attractive
      ● Make them feel good (compliments, etc.)
      Not really possible for infosec to use this, right? :-)
    • Slide 29: One way to make a department more likeable is to humanize it. Source: petrelocation.com
    • Slide 30: One way to make a department more likeable is to humanize it. Who should this email be sent from? 1) The IT Security department 2) A person
    • Slide 31: Social Proof. People do what they perceive everyone else to be doing.
    • Slide 32: Social Proof. "Last year our company had 237 incidents caused by people using weak passwords." "Last year our company had 37 incidents caused by people clicking on links in phishing emails." These statements are actually detrimental: they tell the audience that weak passwords and clicking links are what everyone else does.
    • Slide 33: Social Proof. "In a company audit, we found that 95% of our employees are using strong passwords." "Last year we received 25,000 phishing emails, of which 99% were caught by the spam filter or ignored by the recipients." These are much better.
    • Slide 34: Authority. Some people's positions are influential. Source: Rusch, Jonathan. The "Social Engineering" of Internet Fraud. Nurses were told, via an order over the phone from a doctor they'd never heard of, to administer an unauthorized drug above the maximum dosage. 95% did as they were told.
    • Slide 35: Authority. Who is an authority where you work?
      ● Manager
      ● VP
      ● CEO
      ● IT Department
    • Slide 36: Scarcity. People are more likely to want something perceived as scarce. "While supplies last!" "Act now!" "This offer ends soon!" "Sale ends..."
    • Slide 37: Conclusion: Why We Do Training; How To Give Advice; Make Training Relevant; Use Social Psychology
    • Slide 38: Further Reading: To Sell is Human (Dan Pink); Predictably Irrational (Dan Ariely); Influence (Robert Cialdini)
    • Slide 39: CSRF: Not All Defenses Are Created Equal. Ari Elias-Bachrach, ari@defensium.com, @angelofsecurity, Defensium llc, http://www.defensium.com