#RSAC
Achieving and Measuring Success with the Security Awareness Maturity Model
Session ID: LAB2-R04
Lance Spitzner, Director, SANS Securing The Human
@lspitzner
Timeline figure, 2002 to 2014: security controls added to the Windows OS (Trustworthy Computing, Software Restriction Policies, Automatic Updating, Microsoft Security Development Lifecycle, Firewall Enabled by Default, Baseline Security Analyzer, Data Execution Prevention (DEP), Malicious Software Removal Tool, Windows Defender, ASDL, User Account Control, BitLocker, Windows Service Hardening, Mandatory Integrity Control, AppLocker, Encrypting File System, Microsoft Security Essentials, EMET), contrasted with the HumanOS over the same period.
Security Awareness Maturity Model
The model has five stages, from least to most mature:
• Non-existent
• Compliance-Focused
• Promoting Awareness and Behavioral Change
• Long-Term Sustainment and Cultural Change
• Metrics Framework
BJ Fogg Model (figure slide)
Your Strategic Plan
WHO
WHAT – This is what we will focus on for today, completing two
group labs. This is also what drives your metrics.
HOW
WHAT Do You Teach?
• Focus on topics that have the greatest ROI:
o People can remember only so much—cognitive overload
o You have limited time and resources to teach
o Fewer topics are easier to reinforce
o Avoid “training fatigue”
• Identify the greatest human risks to your organization,
and then develop training modules to address each of
those risks
Start With Key Assets / Data
• For most organizations, key assets are your data
• Identify who is handling your most sensitive data and how
• This will help identify your highest risk areas and highest risk target groups
• Then identify what threats / behaviors expose that data to the
greatest risk (don’t worry about prioritizing yet)
Past Assessments / Incidents
• Any penetration tests in the past 6-12 months? If so, which
human risks were identified?
• What were the most common or damaging human-related
incidents in the past 6-12 months?
• Take your Incident Response and Help Desk teams out to lunch.
They are great sources of information.
Verizon DBIR (figure slide)
Staying Current on Human Risks
Blogs / Twitter are a great way to stay current
www.schneier.com @schneierblog
krebsonsecurity.com @briankrebs
taosecurity.blogspot.com @taosecurity
isc.sans.org @sans_isc
securingthehuman.sans.org/blog @securethehuman
nakedsecurity.sophos.com @nakedsecurity
Measuring Your Human Risk
• Every organization measures risk differently; use what works
best for your organization
• Quantitative
o A precise / accurate measurement that produces a numeric value—a complex
and time-consuming approach
• Qualitative
o An estimate or comparative measurement (high, medium, low)—a fast and
simple approach
Qualitative Analysis
Risk Score = Probability x Impact, each rated on a five-point scale:
VH / 5, H / 4, M / 3, L / 2, VL / 1

Topic              Probability   Impact   Risk Score
Phishing                4           4         16
Tracking Cookies        5           1          5
Lab – Prioritize Your Human Risks
• You have identified 18 human risks in your organization; prioritize the top
nine for your organization. These become your Core training for all employees
• You can find a description of each risk/topic in your Lab
workbook
• Be sure to take into consideration your existing technical
controls and past training
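A worked version of the Probability x Impact scoring above, applied to the prioritization lab. This is an added example, not code from the presentation or the lab workbook: the 18 topics and their ratings are constructed, and the control_effectiveness field is an assumed way of "taking into consideration" existing technical controls and past training (the slides do not say how to weight them).

```python
"""Qualitative human-risk scoring: Risk Score = Probability x Impact.

Added example, not from the presentation or the lab workbook. The 18 topics
and their ratings below are constructed; the control_effectiveness field is
an assumed way to account for existing technical controls and past training.
"""
from dataclasses import dataclass

# Five-point scale from the slide: VH / 5, H / 4, M / 3, L / 2, VL / 1.
SCALE = {"VH": 5, "H": 4, "M": 3, "L": 2, "VL": 1}


@dataclass(frozen=True)
class HumanRisk:
    topic: str
    probability: str                     # VH, H, M, L or VL
    impact: str                          # VH, H, M, L or VL
    control_effectiveness: float = 0.0   # assumption: 0 = no mitigation, 1 = fully mitigated

    def inherent_score(self) -> int:
        """The slide's Risk Score, before considering existing controls."""
        return SCALE[self.probability] * SCALE[self.impact]

    def residual_score(self) -> float:
        """Inherent score reduced by the assumed effectiveness of existing controls."""
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")
        return self.inherent_score() * (1.0 - self.control_effectiveness)


def prioritize(risks, top_n=9):
    """Rank by residual score, then impact (a high-impact tie wins), then name."""
    ranked = sorted(risks, key=lambda r: (-r.residual_score(), -SCALE[r.impact], r.topic))
    return ranked[:top_n]


# Constructed ratings for 18 common awareness topics (not the workbook's values).
RISKS = [
    HumanRisk("Phishing", "H", "H"),                       # 16, as on the slide
    HumanRisk("Tracking Cookies", "VH", "VL"),             # 5, as on the slide
    HumanRisk("Passwords", "H", "VH"),
    HumanRisk("Social Engineering (phone)", "M", "H"),
    HumanRisk("Social Networking", "H", "M"),
    HumanRisk("Mobile Devices", "M", "H", 0.5),            # MDM already enforced (assumed)
    HumanRisk("Removable Media", "M", "H", 0.75),          # USB storage blocked (assumed)
    HumanRisk("Working Remotely", "M", "M"),
    HumanRisk("Data Handling", "M", "VH"),
    HumanRisk("Physical Security", "L", "H"),
    HumanRisk("Browsing / Malware", "H", "H", 0.25),       # web filtering in place (assumed)
    HumanRisk("Encryption", "L", "VH"),
    HumanRisk("Cloud Services", "M", "H"),
    HumanRisk("Insider Threat", "L", "VH"),
    HumanRisk("Wi-Fi", "M", "M"),
    HumanRisk("Email / IM", "H", "M"),
    HumanRisk("Hacked: Indicators of Compromise", "M", "H"),
    HumanRisk("Targeted Attacks on Leadership", "L", "VH"),
]


if __name__ == "__main__":
    for rank, r in enumerate(prioritize(RISKS), start=1):
        print(f"{rank:2d}. {r.topic:<34} inherent={r.inherent_score():2d} "
              f"residual={r.residual_score():5.1f}")
```

With these constructed ratings the cut falls between Social Networking (residual 12) and Encryption (10); Removable Media drops from 12 to 3 because the assumed USB block already manages most of that risk, which is exactly the kind of adjustment the lab asks you to make before spending training time on a topic.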
Prioritization Matrix (figure slide)
Top Risks?
• Which topics do you feel are the most important and why?
• Which topics would you eliminate and why?
• What was missing?
• Which topic would you start and end with?
• Want to learn more about risk analysis? Consider SANS
MGT415.
Learning Objectives
• Your job is only half done; you now need to identify
what behaviors manage those top risks
• Create a separate learning objectives document for
each risk
• This is a living document that covers the target, goal,
and learning objective of each risk
Sample Learning Objectives (figure slide)
Example Learning Objectives (figure slide)
Typical Password Learning Objectives
• A common security awareness topic is passwords:
o Minimum of 12 characters
o 1 symbol
o 1 number
o 1 capital letter
o No two repeated letters
o Change every 90 days
• Costs associated with this
What Are We Missing?
• Do not get infected
• Do not share your passwords
• Do not log in using untrusted systems
• Personal questions are just another password
• Passphrases—Where is my Coffee?
• Password Managers
• Use two-step verification whenever possible
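To make the cost of the "typical" learning objectives concrete, here is the composition policy from the previous slide implemented as a checker beside a length-first policy that accepts passphrases. This is an added example, not a policy from the presentation: reading "no two repeated letters" as "no identical adjacent letters", the 12-character minimum in the alternative, and the tiny blocklist of common base words are all assumptions.

```python
"""Typical composition-rule password policy versus a length-first policy.

Added example, not from the presentation. Assumptions: "no two repeated
letters" is read as no identical adjacent letters; the alternative policy
keeps the slide's 12-character minimum and adds a blocklist of common base
words in place of the composition rules.
"""
import re

# Constructed stand-in for a real list of common / breached passwords.
COMMON_BASE_WORDS = frozenset({"password", "welcome", "letmein", "qwerty", "summer", "winter"})


def legacy_policy(password: str) -> list:
    """Rules from the 'Typical Password Learning Objectives' slide.
    Returns the rules the password violates; an empty list means accepted."""
    failures = []
    if len(password) < 12:
        failures.append("minimum of 12 characters")
    if not re.search(r"[^A-Za-z0-9\s]", password):
        failures.append("1 symbol")
    if not re.search(r"[0-9]", password):
        failures.append("1 number")
    if not re.search(r"[A-Z]", password):
        failures.append("1 capital letter")
    if re.search(r"([A-Za-z])\1", password):   # assumed reading of the rule
        failures.append("no two repeated letters")
    return failures


def passphrase_policy(password: str, min_length: int = 12) -> list:
    """Length-first alternative (assumed here, not stated on the slide): no
    composition rules, but predictable 'Word + digits + symbol' values are
    caught by comparing the letters-only base against a blocklist."""
    failures = []
    if len(password) < min_length:
        failures.append(f"minimum of {min_length} characters")
    base = re.sub(r"[^a-z]", "", password.lower())
    if base in COMMON_BASE_WORDS:
        failures.append("based on a common word")
    return failures


if __name__ == "__main__":
    for candidate in ("Where is my Coffee?", "Welcome2014!"):
        print(f"{candidate!r}: legacy={legacy_policy(candidate)} "
              f"passphrase={passphrase_policy(candidate)}")
```

The slide's own passphrase, "Where is my Coffee?", fails the typical policy twice (no digit, and the doubled letters in "Coffee"), while a predictable value such as "Welcome2014!" satisfies every composition rule. The length-first policy reverses both verdicts, which is the point of listing passphrases and password managers among the missing objectives.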
Lab – Learning Objectives
• Pick one of the most important topics from your top nine topic
list
• Document that topic using the Learning Objective template
• What did you pick and why?
Example Metric: Phishing
• Phishing is a useful metric for most organizations:
o Measures a key human risk organizations care about
o Simple, low cost and easy to repeat
o Quantifiable measurements that are actionable
• Of those who fall victim, 90% do so within the first hour
Key Points
• Biggest difference between technical and human metrics is that humans
have feelings
• Announce your metrics program ahead of time, and then start slow and
simple
• Do not embarrass people (no Viagra e-mails)
• Do not release names of those who fail. Only notify management of repeat
offenders
• Focus on real-world risks, do not “trick” people
• Always make sure there are at least two ways to detect an assessment (at least
two indicators a user could reasonably have spotted)
Click Results
If an end user falls victim to a phishing assessment, you have two general
options:
o No feedback
o Immediate feedback that explains this was a test, what they did wrong, and
how to protect themselves
Human Risk Survey
• Sometimes, the simplest way to measure a behavior is to simply
ask
• Survey can measure behaviors that you normally do not have
access to
• Survey can also measure attitudes and perceptions (culture)
• Think of a human risk survey as a human vulnerability scanner
Data May Already Be There
• There may not be a need to collect data because you already have the
data. Check with:
o Security Operations Center
o Incident Response Team
o Help Desk
o Human Resources
• Example: Number of infected computers per month
Summary
Key to building a mature awareness program is having a strategic plan
that answers WHO, WHAT and HOW
WHAT consists of two parts, prioritizing your top human risks and then
identifying the key behaviors that manage that risk
Those key behaviors drive your metrics
Often the hardest part about awareness is NOT deciding what to
teach, but deciding what NOT to teach.
Webcasts / Courses / Summits
securingthehuman.sans.org/events
