14/5/2013 ISACA – Sofia Chapter 1
Training people and raising awareness
The never-ending story
Agenda
Define the facts
Avoid the pitfalls
Best practices
To be successful
Takeaways
Rocket-science
Define the facts
• Training is a critical part of any initiative, introducing users to policy
guidelines and allowing management to set expectations.
Source: www.assero.co.uk
• You won't get far in your training if you don't tune your message to the
audience, whether you're presenting your case to the executive
board, the IT group or the staff.
Source: articles.elitefts.com
• Habits drive organizational culture, and there are no technologies that
will ever make up for poor culture.
Source: www.eaglesflight.com
• Ensure that any awareness training program is a continuous process:
heightened user awareness loses value if you don't reinforce learned
concepts over time.
"As it shows in the report we have seen susceptibility reductions of over 80% when comparing an initial
mock attack to subsequent attacks when in-depth training is completed in between the attacks."
-- Joe Ferrara, President and CEO of Wombat Security Technologies
Source: http://www.wombatsecurity.com/phishing_attack_report
• There is a clear tendency not to engage with external awareness providers.
Wisegate found that less than 1% of companies use only third-party training
companies, 50% develop their awareness regime fully in-house, 42% use a combination of
third-party and in-house training and, amazingly, as many as 7% do no awareness training
at all.
[Chart: share of companies by awareness-training approach, in %]
Develop fully in-house    50
Use a combination         42
No awareness training      7
Use third-party only      <1
Source: http://www.wisegateit.com/resources/downloads-security-awareness-report
Avoid the pitfalls
• ‘Do as I say, not as I do’ resonates in the executive corridor of far too
many organizations today.
– When asked “Do you believe directors think the policies don’t apply to them?”, 56% agreed.
– Not so many senior managers actually “ignore or flout security policies and procedures,” but at 42%
it is still surprisingly high.
– 52% agreed “The board of directors have access to the most sensitive information but have the least
understanding of security issues.”
-- Cryptzone queried 300 IT professionals
Source: http://www.infosecurity-magazine.com/view/25971/security-do-as-i-say-not-as-i-do/
• Recognize that the user is ‘the most commonly exploited security
vulnerability’ in your company, but be warned that there is no single
one-size-fits-all solution to awareness training.
Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/
• Don’t do it alone. Turn to the marketing and training departments and
use their expertise in both developing an awareness program, and then
selling it to the user.
Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/
Best Practices
• Learning by experience (for example, mock attacks followed by training) can be
controversial, but it is a very effective method of training users: make the most
of its strengths and avoid its pitfalls. Its effectiveness can be measured and
monitored, which allows training to be targeted cost-efficiently at the
highest-risk people and topics.
• Make education easy and accessible. Don’t make security training a
burden; make it part of people’s everyday activities.
• Refresh the policy training routinely and test knowledge often, to
ensure people can apply the policy in day-to-day scenarios.
• Make the information relevant to people’s personal lives. This creates a
feeling of empowerment and responsibility to practise good security day
and night.
• Keep the information factual and provide real-world examples of
where things went wrong. Showing what good looks like, and how bad
practice damages a company’s brand and reputation, helps your
employees understand why compliance with policy is so critical.
• Programs built on 90-day plans are the most effective: every 90 days the
program and its goals are re-evaluated to decide which topics need to be
addressed next.
How to be successful
• Awareness programs that obtain C-level support are more successful. That
support inevitably leads to more freedom, larger budgets and support
from other departments.
• Creativity is a must. While a large budget helps, companies with a small
security awareness budget have still established successful
programs; creativity and enthusiasm can make up for a small budget.
• One of the key factors in a successful effort is being able to prove
that it is successful. The only way to do this is to collect metrics
before initiating new awareness efforts, so that there is a baseline to
compare against.
• Awareness efforts that focus on how to accomplish actions are more
successful than those that focus on telling people what they should not
be doing.
• The most successful programs are not only creative; they rely on many
forms of awareness materials. The most participative efforts appear to
have the most success.
Takeaways
• Start measuring: create a baseline, define a clear goal and track
progress. If you aren’t moving in the right direction, adjust course.
• Awareness programs, when properly executed, provide knowledge that
shapes behaviour, which changes habits, which in turn drives a better culture.
• Concentrate not on raising awareness as such, but on changing
employee behaviour, habits and actions to create a culture, by using
“prescriptions”:
– Introducing a password vault at Twitter ended up reaching over 75% of users;
– Twitter refined its training approach through constant feedback and evaluation.
• No technology will prevent human misbehaviour such as the
mishandling of paper records and computer media.
• Awareness mitigates non-technical issues that technology can’t. If you
measure return on investment, you will find that awareness is one of the
most reliable measures available.
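The measurement the deck keeps returning to (the mock-attack-then-train cycle on the Best Practices slide, and "create a baseline, define a goal, track progress" above) is straightforward to automate. The following Python script is an added example, not code from the deck or from any vendor tool: it reads per-round simulated-phishing results from a constructed CSV (the column names, user names and departments are assumptions, not real campaign data), computes click and report rates per round, the reduction in click rate against the baseline round, whether a chosen goal was met, which departments are currently the riskiest, and which users clicked in every round. Those last two outputs are what let the next 90-day plan target "the highest risk people and topics" rather than everyone equally.

```python
import csv
import io
from collections import defaultdict

# Constructed sample data (an assumption, not real campaign results): one row
# per recipient per mock-phishing round, as a campaign tool might export it.
SAMPLE_RESULTS = """\
round,user,department,clicked,reported
1,alice,finance,1,0
1,bob,finance,1,0
1,carol,finance,0,1
1,dave,it,0,1
1,erin,it,1,0
1,frank,sales,1,0
1,grace,sales,1,0
1,heidi,sales,0,0
2,alice,finance,0,1
2,bob,finance,1,0
2,carol,finance,0,1
2,dave,it,0,1
2,erin,it,0,1
2,frank,sales,1,0
2,grace,sales,0,0
2,heidi,sales,0,1
"""


def parse_results(text):
    """Parse CSV campaign results into typed dicts (round as int, flags as bool)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "round": int(r["round"]),
            "user": r["user"],
            "department": r["department"],
            "clicked": r["clicked"] == "1",
            "reported": r["reported"] == "1",
        })
    return rows


def rates(rows):
    """(click rate, report rate) for a group of rows; (0.0, 0.0) if the group is empty."""
    n = len(rows)
    if n == 0:
        return 0.0, 0.0
    clicked = sum(1 for r in rows if r["clicked"])
    reported = sum(1 for r in rows if r["reported"])
    return clicked / n, reported / n


def rates_by_round(rows):
    """Map round number -> (click rate, report rate), in round order."""
    by_round = defaultdict(list)
    for r in rows:
        by_round[r["round"]].append(r)
    return {k: rates(v) for k, v in sorted(by_round.items())}


def reduction(baseline_rate, later_rate):
    """Relative drop in click rate versus the baseline round.
    A baseline of 0 gives no meaningful ratio, so report 0.0 rather than divide."""
    if baseline_rate == 0:
        return 0.0
    return (baseline_rate - later_rate) / baseline_rate


def riskiest_departments(rows, round_no):
    """Departments in one round, highest click rate first (ties broken by name)."""
    by_dept = defaultdict(list)
    for r in rows:
        if r["round"] == round_no:
            by_dept[r["department"]].append(r)
    ranked = [(dept, rates(group)[0]) for dept, group in by_dept.items()]
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def repeat_clickers(rows):
    """Users who clicked in every round they were sent (at least two rounds)."""
    seen, clicked = defaultdict(set), defaultdict(set)
    for r in rows:
        seen[r["user"]].add(r["round"])
        if r["clicked"]:
            clicked[r["user"]].add(r["round"])
    return sorted(u for u in seen if len(seen[u]) > 1 and clicked[u] == seen[u])


def programme_report(text, goal=0.5):
    """Baseline is the first round; progress is the reduction seen in the latest round."""
    rows = parse_results(text)
    per_round = rates_by_round(rows)
    if not per_round:
        raise ValueError("no campaign results to measure")
    first, last = min(per_round), max(per_round)
    red = reduction(per_round[first][0], per_round[last][0])
    return {
        "rounds": per_round,
        "reduction": red,
        "goal_met": red >= goal,
        "riskiest": riskiest_departments(rows, last),
        "repeat_clickers": repeat_clickers(rows),
    }


if __name__ == "__main__":
    report = programme_report(SAMPLE_RESULTS)
    for rnd, (click, rep) in report["rounds"].items():
        print(f"round {rnd}: click rate {click:.0%}, report rate {rep:.0%}")
    print(f"reduction vs baseline: {report['reduction']:.0%} "
          f"(goal {'met' if report['goal_met'] else 'not met'})")
    print("focus next:", report["riskiest"][0][0], report["repeat_clickers"])
```

The report rate matters as much as the click rate: a falling click rate with a flat report rate means people have learned to ignore the mails, not to escalate them, which is the behaviour the deck says the program should actually instil. Run the script against each quarter's export and the 90-day re-evaluation has its numbers.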
• Focus on security culture rather than training, and constantly measure the
effect of the training so that it can be repeatedly reshaped to be
more effective; this is where feedback comes in handy.
• Never give up on users: "It's never a lost cause until you believe it is."
• “For” versus “against” awareness training: an easy win for the “for” side,
simply because it is not possible to provide clear and consistent evidence that
training is not working, while there is plenty of evidence of the opposite.
• Education and training are not perfect. The challenge is that even when you do
it right, it can be hard to document the effect and to show a clear causal link
between your training efforts and the change in behaviour.
• Perhaps the biggest issue is that awareness efforts are frequently not
optional. Telling people not to do something just because we believe it is a
bad idea is simply not an option.
• Address and make use of interpersonal skills, personality traits and motivational
theory; do not rely only on technical skills, risk management models and
policy making.
Go rocket-science
Two different sides of the brain control two different “modes” of thinking
(a popular theory of the structure and functions of the mind).
• People think and learn in different ways, with evidence of different
learning characteristics, and different cultural groups may emphasize one
cognitive style over another: the verbal and the nonverbal, represented
rather separately in the left and right hemispheres respectively.
• Our education system, as well as science in general, tends to neglect the
nonverbal form of intellect. Modern society discriminates against the
right hemisphere, i.e. nonverbal thinking.
• Most children rank as highly creative (right brain) before entering school.
Because our educational systems place a higher value on left-brain skills
such as mathematics, logic and language than on drawing or using the
imagination:
– only 10% of these same children still rank as highly creative by the age of 7;
– by adulthood, high creativity remains in only 2% of the population.
Right Brain vs. Left Brain
LEFT BRAIN FUNCTIONS         RIGHT BRAIN FUNCTIONS
uses logic                   uses feeling
detail oriented              "big picture" oriented
facts rule                   imagination rules
words and language           symbols and images
present and past             present and future
math and science             philosophy & religion
can comprehend               can "get it" (i.e. meaning)
knowing                      believes
acknowledges                 appreciates
order/pattern perception     spatial perception
knows object name            knows object function
reality based                fantasy based
forms strategies             presents possibilities
practical                    impetuous
safe                         risk taking
• Left-brain scholastic subjects focus on logical thinking, analysis and
accuracy, while right-brain subjects focus on aesthetics, feeling and creativity.
• Our conscious mind can only focus on data from one hemisphere at a time.
Ultimate authority to enter consciousness is eventually delegated to one
side or the other, and in our modern world this battle is almost always won
by the left brain.
• As a result, skills that the right brain can perform better are sometimes
routinely handled, with less skill, by the left brain.
Too bad, and now what?
• Methods have been devised to "shut off" the left brain, at least
temporarily, allowing the right side to have its say.
• The logical left side is easily bored by a lack of input and tends to "doze off"
during activities such as meditation (repeating a mantra or word over and
over) or in sensory-deprivation environments.
Why should I care?
How is all this related to people training?
• To foster a more whole-brained learning experience, teachers should
use instruction techniques that connect with both sides of the brain.
• Increase right-brain learning activities by incorporating more
patterning, metaphors, analogies, role playing, visuals and movement
into reading, calculation and analytical activities.
• For a more accurate whole-brained evaluation of learning, educators
must develop new forms of assessment that honour right-brained talents
and skills.
Ideally, both sides work together in people with optimum mental ability; this
coordinating ability may be the key to superior intellectual performance.
Such employees will form better habits, develop a great organizational
culture and be more productive and creative, and so it goes: the never-ending story.
Thank you!
Zdravko Stoychev, CISM CRISC
http://twitter.com/zdravkos

More Related Content

Similar to Training People and Rising Awareness

On the horizon for learning analytics
On the horizon for learning analyticsOn the horizon for learning analytics
On the horizon for learning analyticsRebecca Ferguson
 
More than a jukebox - how to design world-class learning interventions
More than a jukebox - how to design world-class learning interventionsMore than a jukebox - how to design world-class learning interventions
More than a jukebox - how to design world-class learning interventionsMore Than Blended Learning
 
The 4 Pillars of Learning
The 4 Pillars of LearningThe 4 Pillars of Learning
The 4 Pillars of LearningOlivier Serrat
 
Security Industry Conference 2016 - Keynote -Paul Lim
Security Industry Conference 2016 - Keynote -Paul LimSecurity Industry Conference 2016 - Keynote -Paul Lim
Security Industry Conference 2016 - Keynote -Paul LimPaul Lim
 
Organizing to Get Analytics Right
Organizing to Get Analytics RightOrganizing to Get Analytics Right
Organizing to Get Analytics RightVince Kellen, Ph.D.
 
Online Learning Excellence (our manifesto)
Online Learning Excellence (our manifesto)Online Learning Excellence (our manifesto)
Online Learning Excellence (our manifesto)Norris Krueger
 
Ideas for Creating and Delivering Impactful IT Education Programs - itS…
Ideas for Creating and Delivering Impactful IT Education Programs  - itS…Ideas for Creating and Delivering Impactful IT Education Programs  - itS…
Ideas for Creating and Delivering Impactful IT Education Programs - itS…John Kleist III
 
Business Agility and Organisational Learning
Business Agility and Organisational LearningBusiness Agility and Organisational Learning
Business Agility and Organisational LearningShoaib Shaukat
 
Exploring the Edges
Exploring the EdgesExploring the Edges
Exploring the EdgesCheryl Doig
 
Exploring the Edges
Exploring the EdgesExploring the Edges
Exploring the EdgesCheryl Doig
 
DevLearn Notes - Ashley's four days at the DevLearn Conference!
DevLearn Notes - Ashley's four days at the DevLearn Conference! DevLearn Notes - Ashley's four days at the DevLearn Conference!
DevLearn Notes - Ashley's four days at the DevLearn Conference! Ashley Porter
 
School strategies-handout
School strategies-handoutSchool strategies-handout
School strategies-handoutMarta Montoro
 
12 Career Readiness Practices and Technology part 1
12 Career Readiness Practices and Technology part 112 Career Readiness Practices and Technology part 1
12 Career Readiness Practices and Technology part 1Nell Eckersley
 
Campaign Planning by WILPF
Campaign Planning by WILPFCampaign Planning by WILPF
Campaign Planning by WILPFC.J. Minster
 
1©McGraw-Hill Education. All rights reserved. Authorized o
1©McGraw-Hill Education. All rights reserved. Authorized o1©McGraw-Hill Education. All rights reserved. Authorized o
1©McGraw-Hill Education. All rights reserved. Authorized oTatianaMajor22
 
Read 290 Critical Reading as Critical ThinkingOnlineWeek .docx
Read 290 Critical Reading as Critical ThinkingOnlineWeek .docxRead 290 Critical Reading as Critical ThinkingOnlineWeek .docx
Read 290 Critical Reading as Critical ThinkingOnlineWeek .docxcatheryncouper
 
meMap App Design Project
meMap App Design ProjectmeMap App Design Project
meMap App Design ProjectSusanna Willis
 

Similar to Training People and Rising Awareness (20)

On the horizon for learning analytics
On the horizon for learning analyticsOn the horizon for learning analytics
On the horizon for learning analytics
 
More than a jukebox - how to design world-class learning interventions
More than a jukebox - how to design world-class learning interventionsMore than a jukebox - how to design world-class learning interventions
More than a jukebox - how to design world-class learning interventions
 
The 4 Pillars of Learning
The 4 Pillars of LearningThe 4 Pillars of Learning
The 4 Pillars of Learning
 
Security Industry Conference 2016 - Keynote -Paul Lim
Security Industry Conference 2016 - Keynote -Paul LimSecurity Industry Conference 2016 - Keynote -Paul Lim
Security Industry Conference 2016 - Keynote -Paul Lim
 
CDE16 WHITE PAPER Superintendent_V
CDE16 WHITE PAPER Superintendent_VCDE16 WHITE PAPER Superintendent_V
CDE16 WHITE PAPER Superintendent_V
 
Learning at the speed of need
Learning at the speed of needLearning at the speed of need
Learning at the speed of need
 
Organizing to Get Analytics Right
Organizing to Get Analytics RightOrganizing to Get Analytics Right
Organizing to Get Analytics Right
 
Urgency for success
Urgency for successUrgency for success
Urgency for success
 
Online Learning Excellence (our manifesto)
Online Learning Excellence (our manifesto)Online Learning Excellence (our manifesto)
Online Learning Excellence (our manifesto)
 
Ideas for Creating and Delivering Impactful IT Education Programs - itS…
Ideas for Creating and Delivering Impactful IT Education Programs  - itS…Ideas for Creating and Delivering Impactful IT Education Programs  - itS…
Ideas for Creating and Delivering Impactful IT Education Programs - itS…
 
Business Agility and Organisational Learning
Business Agility and Organisational LearningBusiness Agility and Organisational Learning
Business Agility and Organisational Learning
 
Exploring the Edges
Exploring the EdgesExploring the Edges
Exploring the Edges
 
Exploring the Edges
Exploring the EdgesExploring the Edges
Exploring the Edges
 
DevLearn Notes - Ashley's four days at the DevLearn Conference!
DevLearn Notes - Ashley's four days at the DevLearn Conference! DevLearn Notes - Ashley's four days at the DevLearn Conference!
DevLearn Notes - Ashley's four days at the DevLearn Conference!
 
School strategies-handout
School strategies-handoutSchool strategies-handout
School strategies-handout
 
12 Career Readiness Practices and Technology part 1
12 Career Readiness Practices and Technology part 112 Career Readiness Practices and Technology part 1
12 Career Readiness Practices and Technology part 1
 
Campaign Planning by WILPF
Campaign Planning by WILPFCampaign Planning by WILPF
Campaign Planning by WILPF
 
1©McGraw-Hill Education. All rights reserved. Authorized o
1©McGraw-Hill Education. All rights reserved. Authorized o1©McGraw-Hill Education. All rights reserved. Authorized o
1©McGraw-Hill Education. All rights reserved. Authorized o
 
Read 290 Critical Reading as Critical ThinkingOnlineWeek .docx
Read 290 Critical Reading as Critical ThinkingOnlineWeek .docxRead 290 Critical Reading as Critical ThinkingOnlineWeek .docx
Read 290 Critical Reading as Critical ThinkingOnlineWeek .docx
 
meMap App Design Project
meMap App Design ProjectmeMap App Design Project
meMap App Design Project
 

More from Zdravko Stoychev, CISM, CRISC

(You better) change focus, 2015 finance ict & isaca v2
(You better) change focus, 2015 finance ict & isaca v2(You better) change focus, 2015 finance ict & isaca v2
(You better) change focus, 2015 finance ict & isaca v2Zdravko Stoychev, CISM, CRISC
 
New Challenges in Data Privacy - Cybercrime and Cybersecurity Forum 2013, Sof...
New Challenges in Data Privacy - Cybercrime and Cybersecurity Forum 2013, Sof...New Challenges in Data Privacy - Cybercrime and Cybersecurity Forum 2013, Sof...
New Challenges in Data Privacy - Cybercrime and Cybersecurity Forum 2013, Sof...Zdravko Stoychev, CISM, CRISC
 
Въведение в международния стандарт ISO 27001
Въведение в международния стандарт ISO 27001Въведение в международния стандарт ISO 27001
Въведение в международния стандарт ISO 27001Zdravko Stoychev, CISM, CRISC
 
Управление и сигурност на информацията с McAfee
Управление и сигурност на информацията с McAfeeУправление и сигурност на информацията с McAfee
Управление и сигурност на информацията с McAfeeZdravko Stoychev, CISM, CRISC
 

More from Zdravko Stoychev, CISM, CRISC (6)

(You better) change focus, 2015 finance ict & isaca v2
(You better) change focus, 2015 finance ict & isaca v2(You better) change focus, 2015 finance ict & isaca v2
(You better) change focus, 2015 finance ict & isaca v2
 
New Challenges in Data Privacy - Cybercrime and Cybersecurity Forum 2013, Sof...
New Challenges in Data Privacy - Cybercrime and Cybersecurity Forum 2013, Sof...New Challenges in Data Privacy - Cybercrime and Cybersecurity Forum 2013, Sof...
New Challenges in Data Privacy - Cybercrime and Cybersecurity Forum 2013, Sof...
 
Data leakage prevention EN Final
Data leakage prevention EN FinalData leakage prevention EN Final
Data leakage prevention EN Final
 
ISACA certification programme 2010
ISACA certification programme 2010ISACA certification programme 2010
ISACA certification programme 2010
 
Въведение в международния стандарт ISO 27001
Въведение в международния стандарт ISO 27001Въведение в международния стандарт ISO 27001
Въведение в международния стандарт ISO 27001
 
Управление и сигурност на информацията с McAfee
Управление и сигурност на информацията с McAfeeУправление и сигурност на информацията с McAfee
Управление и сигурност на информацията с McAfee
 

Recently uploaded

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...AliaaTarek5
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 

Recently uploaded (20)

What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
(How to Program) Paul Deitel, Harvey Deitel-Java How to Program, Early Object...
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 

Training People and Rising Awareness

  • 1. 14/5/2013 ISACA – Sofia Chapter 1 Training people and rising awareness The never-ending story
  • 2. 14/5/2013 ISACA – Sofia Chapter 2 Agenda Define the facts Avoid the pitfalls Best practices To be successful Takeaways Rocket-science
  • 3. 14/5/2013 ISACA – Sofia Chapter 3 Define the facts
  • 4. 14/5/2013 ISACA – Sofia Chapter 4 Define the facts • Training is a critical part of any initiative, introducing users to policy guidelines and allowing management to set expectations. Source: www.assero.co.uk
  • 5. 14/5/2013 ISACA – Sofia Chapter 5 Define the facts • You won't get far in your training if you don't tune your message to the audience, whether you're presenting your case to the executive board, the IT group or the staff. Source: articles.elitefts.com
  • 6. 14/5/2013 ISACA – Sofia Chapter 6 Define the facts • Habits drive organizational culture, and there are no technologies that will ever make up for poor culture. Source: www.eaglesflight.com
  • 7. 14/5/2013 ISACA – Sofia Chapter 7 Define the facts • Ensure that any awareness training program is a continuous process: heightened user awareness loses value if you don't reinforce learned concepts over time. "As it shows in the report we have seen susceptibility reductions of over 80% when comparing an initial mock attack to subsequent attacks when in-depth training is completed in between the attacks.“ -- Joe Ferrara, President and CEO of Wombat Security Technologies Source: http://www.wombatsecurity.com/phishing_attack_report
  • 8. 14/5/2013 ISACA – Sofia Chapter 8 Define the facts • There is clear tendency not to engage with external awareness providers. Wisegate found that less than 1% of companies use only third-party training companies, 50% develop their awareness regime fully in-house, 42% use a combination of third-party and in-house training, and amazingly, as many as 7% do no awareness training at all. 0 10 20 30 40 50 Awareness training Develop fully in-house No awareness training Use third-party only Use a combination Source: http://www.wisegateit.com/resources/downloads-security-awareness-report
Avoid the pitfalls
• ‘Do as I say, not as I do’ resonates in the executive corridor of far too many organizations today.
– When asked “Do you believe directors think the policies don’t apply to them?”, 56% agreed.
– Not so many senior managers actually “ignore or flout security policies and procedures,” but at 42% it is still surprisingly high.
– 52% agreed “The board of directors have access to the most sensitive information but have the least understanding of security issues.”
-- Cryptzone queried 300 IT professionals
Source: http://www.infosecurity-magazine.com/view/25971/security-do-as-i-say-not-as-i-do/
Avoid the pitfalls
• Recognize that the user is ‘the most commonly exploited security vulnerability’ in your company, but be warned that there is no single one-size-fits-all solution to awareness training.
Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/
Avoid the pitfalls
• Don’t do it alone. Turn to the marketing and training departments and use their expertise both in developing an awareness program and then in selling it to the user.
Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/
Best Practices
• Maximize the strengths and avoid the pitfalls in what can be a controversial, but is a very effective, method of training users: learning by experience. Its effectiveness can be measured and monitored to allow the most cost-efficient training for the highest-risk people and topics.
Best Practices
• Make education easy and accessible. Don’t make security training a burden; make it part of their everyday activities.
• Refresh the policy training routinely and test their knowledge often to ensure they have the ability to execute the policy in day-to-day scenarios.
• Try to make the information relevant to their personal use. This creates a feeling of empowerment and responsibility to practice good security day and night.
• Work to make the information factual and provide real-world examples of where things went wrong. By sharing information on what good practice looks like and on how bad practice damages the brand and reputation of a company, you help your employees understand why compliance with policies is so critical.
• Programs that relied on 90-day plans, and reevaluated the program and its goals every 90 days, are the most effective. Every 90 days, the program is reevaluated to determine what topics need to be addressed moving forward.
How to be successful
• Awareness programs that obtain C-level support are more successful. This support inevitably leads to more freedom, larger budgets and support from other departments.
• Creativity is a must. While a large budget helps, companies with a small security awareness budget have still been able to establish successful programs. Creativity and enthusiasm can make up for a small budget.
• One of the key factors in having a successful effort is being able to prove that your effort is successful. The only way to do this is to collect metrics prior to initiating new awareness efforts.
• Awareness efforts that focus on how to accomplish actions are more successful than those that focus on telling people what they should not be doing.
• The most successful programs are not only creative; they rely on many forms of awareness materials. The most participative efforts appear to have the most success.
Takeaways
• Start measuring by creating a baseline, defining a clear goal, and tracking progress. If you aren’t moving in the right direction, adjust the course.
• Awareness programs, when properly executed, provide knowledge that instills behavior, i.e. changes habits, i.e. drives a better culture.
• An approach that concentrates not on raising awareness but on changing employee behavior, habits and actions to create a culture, by using “prescriptions”:
– Using a password vault within Twitter ended up reaching over 75% of users;
– Twitter mastered its training approach via constant feedback and evaluation.
• There is no technology that will prevent human misbehavior, e.g. mishandling of paper information and computer media.
• Awareness mitigates non-technical issues that technology can't. By measuring return on investment you will find that awareness is one of the most reliable measures available.
Takeaways
• Focus on security culture, not training, and constantly measure the effect of the training so that it can be repeatedly reshaped in order to be more effective - and here is where the feedback comes in handy.
• Never give up on users: "It's never a lost cause until you believe it is.“
• “For” and “against” awareness training: an easy “victory” for the “for” side, simply because it is not possible to provide clear and consistent evidence that training is not working. There is plenty of evidence of the opposite.
• Education and training are not perfect. The challenge is that even if you do it right, it can be hard to document the effect and to show a clear causation between your training efforts and the behavior change.
• The biggest issue is perhaps that awareness efforts are frequently not optional. Telling people not to do something because we believe it is a bad idea is just not an option.
• Address and utilize interpersonal skills, personality traits and motivational theory; do not rely only on technical skills, risk management models and policy making.
Go rocket-science
Two different sides of the brain control two different “modes” of thinking. (Theory of the structure and functions of the mind)
• People think and learn in different ways, with evidence of different learning characteristics, but different cultural groups may emphasize one cognitive style over another: the verbal vs. the nonverbal, represented rather separately in the left and right hemispheres respectively.
• Our education system, as well as science in general, tends to neglect the nonverbal form of intellect. Modern society discriminates against the right hemisphere, i.e. nonverbal thinking.
• Most children rank highly creative (right brain) before entering school. Because our educational systems place a higher value on left-brain skills such as mathematics, logic and language than on drawing or using our imagination:
– Only 10% of these same children will rank highly creative by the age of 7.
– By the time we are adults, high creativity remains in only 2% of the population.
Right Brain vs. Left Brain
LEFT BRAIN FUNCTIONS              RIGHT BRAIN FUNCTIONS
uses logic                        uses feeling
detail oriented                   "big picture" oriented
facts rule                        imagination rules
words and language                symbols and images
present and past                  present and future
math and science                  philosophy & religion
can comprehend                    can "get it" (i.e. meaning)
knowing                           believes
acknowledges                      appreciates
order/pattern perception          spatial perception
knows object name                 knows object function
reality based                     fantasy based
forms strategies                  presents possibilities
practical                         impetuous
safe                              risk taking
• Left-brain scholastic subjects focus on logical thinking, analysis, and accuracy.
• Right-brain subjects focus on aesthetics, feeling, and creativity.
Right Brain vs. Left Brain
• Our conscious mind can only focus on data from one brain at a time. Eventually ultimate authority to enter consciousness is delegated to one brain or the other. In our modern world, this battle is almost always won by the left brain.
• Sometimes skills which the right brain can perform better are routinely handled, with less skill, by the left brain. Too bad, and now what?
• Methods have been devised to "shut off" the left brain, allowing the right side to have its say, even temporarily.
• The logical left side is easily bored by lack of input and tends to "doze off" during such activities as meditation (repeating a mantra or word over and over) or in sensory deprivation environments.
Why should I care? How is all this related to people training?
• To foster a more whole-brained scholastic experience, teachers should use instruction techniques that connect with both sides of the brain.
• Increase right-brain learning activities by incorporating more patterning, metaphors, analogies, role playing, visuals, and movement into reading, calculation, and analytical activities.
• For a more accurate whole-brained evaluation of student learning, educators must develop new forms of assessment that honor right-brained talents and skills.
Ideally, both brains work together in people with optimum mental ability. This coordinating ability may be the key to superior intellectual abilities.
Such employees shall form better habits, shall develop great organizational culture, shall be more productive/creative, and so it goes, the never-ending story.
Thank you!
Zdravko Stoychev, CISM CRISC
http://twitter.com/zdravkos