4. How does learning work?
Bad news and warnings aren’t as effective as we’d like to think.
Source: TEDx talk by Tali Sharot
https://www.youtube.com/watch?v=xp0O2vi8DX4
5. From the Internet Crime Complaint Center (IC3) – 2018
Source: https://pdf.ic3.gov/2018_IC3Report.pdf
7. So, What Works?
• Social incentives and healthy peer pressure – competitions, broader recognition for good behavior, subtly calling out “bad” behavior as anomalous
• Invoke emotions – make it personal with eSafety, using memorable content including humor and disgust. Basically, DON’T BE BORING!
13. What works…
• Making advice actionable – the audience should have clarity of expectation AND capability of execution
• Harnessing the power of allies
• Tone at the top
• Targeted messaging and progress monitoring
• Clarity on what good looks like
14. What are you trying to accomplish?
Types of awareness objectives:
1. To inform – basic level (acceptable use, scatter-gun content, compliance tick)
2. To influence decision making and motivate secure behavior – real value delivered
• Start with core business objectives
• Understand key cyber risks
• Identify behaviors to address those risks (try to limit to two or three at the most)
• Focus on changing them
• Use a Specific, Measurable, Actionable, Relevant, Timebound (SMART) approach
Example of a SMART objective:
After three months of awareness messaging on how to identify suspicious emails, the click-rate on malicious emails should be less than 10% across the organization.
15. What Now?
Challenge your awareness efforts:
• Are you communicating effectively?
• Are you truly addressing the behaviours that matter?
Need an opportunity to raise online safety at home to lead into security at work?
• Stay Smart Online – 7th–13th October
• Safer Internet Day – 11th February
Editor's Notes
Less than 1% of the attacks made use of system vulnerabilities. The rest relied on “the human factor”: the instincts of curiosity and trust that lead well-intentioned people to click, download, install, open, and send money or data (Proofpoint Human Factor Report 2019).
Cyber security is fundamentally a human issue, not a technology problem. The focus is how we message and what we message. How many of us have attended a cyber awareness session that started with data breaches (Target, Sony, etc.)? We all have. It seems intuitive. However, we haven’t seen improvement in cyber behaviours in spite of increasing investments and training. Something isn’t right. If cyber is a human problem, then we need to understand how humans learn.
Here are some numbers from IC3. They publish these reports every year. Through all the years one trend has generally remained constant: older people consistently lose more money. Reasons include being less familiar with technology, having more wealth, and personal circumstances.
We are using the least effective message for those who need it the most. Fear induces inaction. Humans fundamentally seek progress, and that leads to action. So does technology, which we use to make our daily lives easier.
Run some internal competitions – phishing email writing, mascots, a cyber moment on camera (password manager, reporting phishing, etc.). Reward success! Stop using fear and the tired hoodie-wearing pictures; a hoodie is not the clothing of choice for hackers in Arizona, USA or Chennai, India. Give people a sense of control. Change the conversation and the narrative.
What works – eSafety. Keeping people safe in their personal lives will translate to security at work. People are CISOs in their own homes; they need to be reminded of that. Lives have migrated online, and the physical and cyber worlds are converging. Cyber bullying is the negative side; industrial automation is the positive. There are 17 interconnected devices in each home.
Don’t glamorise hackers. Hackers, cyber creeps, paedophiles, bullies, revenge porn: real-life behaviours have now migrated online.
Toothbrush – password analogy. Humour.
Toothbrush – password analogy. Disgust.
Valuables left out in the open vs devices left open and unlocked. Data is as valuable as physical valuables. Privacy also impacts safety, e.g. with an abusive ex-partner.
One more – frosting on windows to protect your privacy is like hiding sensitive transactions behind a VPN.
“Don’t click on suspicious links” is ambiguous; “don’t click on links within emails” is specific. Legal, privacy, physical security, regulatory compliance and internal audit are the assurance crew: amplify and cascade the message through them and through security champions. Most people pay attention to awareness messages when they come from their direct line managers, within a culture of empathy and learning, not blame. People fall for phishing because they’re human, not stupid. Have senior leaders visibly walk the talk and provide executive support and funding. Use heightened messaging for executives and EAs (BEC, whaling), for people who regularly handle sensitive data (finance, HR, legal, etc.), and for system administrators or people with privileged access (spear phishing and targeted social engineering). Prefer just-in-time training over one-offs. Identify the business processes and risks that are the most material to you.
Distinguish evidence of training from effectiveness of training. For eCommerce websites, disruption or DDoS is a much bigger deal; for a health clinic’s static website, not as much, whereas the confidentiality, integrity and availability of its patient record management system is a bigger deal. With ransomware and phishing being the key cyber threats, the behaviour to address would be susceptibility to phishing messages, so target click rate and reporting rate. Poor password practices can also be a behaviour to change. For DDoS, the response could include built-in redundancy and resilience.