The key to securing your employees behaviors is an effective strategic plan that is both realistic and supported by your leadership. Learn how other organizations are doing this and how you can apply their lessons learned to build your own strategic plan when you get back to your organization. (Source: RSA Conference USA 2017)

1. SESSION ID:SESSION ID:
#RSAC
Lance Spitzner
Building a Strategic Plan for Your
Security Awareness Program
HUM-T09
Director
SANS Securing The Human
@lspitzner

2. 2002 20122004 2006 2008 2010
SecurityControls
Trustworthy Computing
Software Restriction Policies
Automatic Updating
Microsoft Secure Development Lifecycle
Firewall Enabled by Default
Baseline Security Analyzer
Data Execution Protection (DEP)
Malicious Software Removal Tool
Windows Defender
ASDL
User Account Control
Bitlocker
Windows Service Hardening
Mandatory Integrity Control
AppLocker
Encrypted File System
Microsoft Security Essentials
EMET
2014
HumanOS
WindowsOS

3. Security Awareness Maturity Model
Nonexistent
Compliance-
Focused
Promoting
Awareness and
Behavioral
Change
Long-Term
Sustainment and
Cultural Change
Metrics
Framework
Security Awareness Maturity Model
Security Awareness
Maturity Model
Compliance
Focused
Promoting
Awareness &
Behavior Change
Long-Term
Sustainment &
Culture Change
Metrics
Framework
Non-existent

4. 4

5. #RSAC
Your Strategic Plan
WHO
WHAT
HOW

6. #RSAC
WHO Are You Targeting?
• Different targets require different / additional content and
communication methods:
o Employees
o Contractors / Vendors
o IT Staff / Developers
o Senior Management
o Accounts Payable / HR
• Many organizations start with just all employees, but as their
programs mature, they identify unique sub-groups

7. #RSAC
Defining Who

8. #RSAC
WHAT Do You Teach?
• Focus on topics that have the greatest ROI:
o People can remember only so much—cognitive overload
o You have limited time and resources to teach
o Fewer topics are easier to reinforce
o Avoid “training fatigue”
• Identify the greatest human risks to your organization,
and then develop training modules to address each of
those risks

9. #RSAC
Verizon DBIR

10. #RSAC
Qualitative Analysis
Topic % Impact Risk
Score
VH / 5
H / 4
L / 2
M / 3
VL / 1
VH / 5H / 4M / 3L / 2VL / 1
Impact
Probability
X
X
4 4 16
5 1 5
Phishing
Tracking Cookies

11. #RSAC
Learning Objectives - Bad
• A common security awareness topic is passwords:
o Minimum of 12 characters
o 1 symbol
o 1 number
o 1 capital letter
o No two repeated letters
o Change every 90 days
• Costs associated with this

12. #RSAC
Learning Objectives - Good
• Do not get infected
• Do not share your passwords
• Do not log in using untrusted systems
• Personal questions are just another password
• Passphrases—Where is my Coffee?
• Password Managers
• Use two-step verification whenever possible

13. #RSAC
HOW to Change Behavior
Security teams have to think like marketing, communications or
sales people. Awareness is a product we are attempting to ‘sell’
Connect people at an emotional, creative level.
Why does cyber security matter?

14. #RSAC
Curse of Knowledge

15. #RSAC
Why Cyber Security Matters

16. #RSAC
Engagement
• Centers for Disease Control (CDC) has
long-term awareness campaign on
preparing for disasters; no one was
listening
• May 16, 2011 posted blog on preparing for
"Zombie Apocalypse"
• Three hours later, the network collapsed; 2
days later, they made an official public
announcement

17. #RSAC
Push Versus Pull
• Push: Sending information to people
• Pull: People get information on their own
• Pull method is becoming more common and popular:
• Online / Computer Based Training
• Podcasts / blogs
• Newsletters / Posters
• Booth events
• Ambassador programs

18. #RSAC
Primary vs. Reinforcement
Primary: Typical annual training.
Mandatory / compliance
Lays foundation for people
Instructor Led / Computer Based
Reinforcement: Rest of the year
Not mandatory / engaging
One topic at a time
Numerous ways to communicate

19. #RSAC
Turkcell
I like it here, there is a lot of information to
satisfy my stomach!
Don’t feed the monster.

20. Annual Program

21. #RSAC
Two Types of Metrics
• Compliance Metrics: Measure the deployment of your
awareness program. Are you compliant?
• Impact Metrics: Measure the impact of your
awareness program. Are you changing behavior?

22. #RSAC
Impact Metrics
Every metric should tie to a specific behavior that helps
manage a human risk you care about
—Phishing
—ID Badges / Drafting
—Dumpster diving
—Phone calls
—Data Loss Prevention (DLP)
—Screenlock use
—Mobile device loss

23. #RSAC
Metrics – Key Points
• Biggest difference between technical and human metrics is that
humans have feelings
• Announce your metrics program ahead of time, and then start slow
and simple
• Do not embarrass people (no Viagra e-mails). Do not release names
of those who fail. Only notify management of repeat offenders
• Focus on real-world risks, do not “trick” people
• Always make sure there are at least two ways to detect an
assessment

24. #RSAC
When You Return to Work
24
Identify your key high risk groups (accounts payable, HR, etc) and take
them out to lunch or host a specialized webcast for them. Build bridges
Do a human risk analysis and prioritize the risks / behaviors you teach
Partner with your communications team, have a person assigned to your
security team
Read Leading Change and Made to Stick
Partner with a senior champion, have that person help you communicate
with leadership