What you Need to Know about Building an Effective Security Awareness Program
Kimberly Hood
10-27-2016
Is an Awareness Program a Waste of Time?
Value to the Organization
PCI Data Security Standard (PCI DSS)
One of the biggest risks to an organization’s information security is the action or inaction by employees that can lead to security incidents
• through disclosure of information that could be used in a social engineering attack,
• not reporting observed unusual activity,
• accessing sensitive information unrelated to the user’s role without following the proper procedures, and so on.
PCI Best Practices for Implementing a Security Awareness Program, October 2014
Value to the Organization
2014 US State of Cybercrime Survey by PricewaterhouseCoopers
• 42% of respondents said security education and awareness for new employees played a role in deterring potential attacks
• Companies without security training for new hires reported average annual financial losses of $683,000, compared with $162,000 for companies with such training.
Compliance Requirements
• ISO/IEC 27001 & 27002
§8.2.2 - All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.
• PCI DSS
o Educate employees (for example, through posters, letters, memos, meetings and promotions).
o Require employees to acknowledge in writing that they have read and understood the company’s security policy and procedures.
Compliance Requirements
• Federal Information Security Management Act (FISMA)
§3544.(b).(4).(A),(B) - Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
• Health Insurance Portability & Accountability Act (HIPAA)
§164.308.(a).(5).(i) - Implement a security awareness and training program for all members of its workforce (including management).
Compliance Requirements
• Red Flags Rule
§16 CFR 681.1(d)-(e). Employees should be trained about the various red flags to look out for, and/or any other relevant aspect of the organization’s Identity Theft Prevention Program.
• Control Objectives for Information and Related Technologies (CobiT)
§PO7.4 Personnel Training - Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organizational goals.
Compliance Requirements
• NERC CIP-003-6
§CIP-003-6(A2)…documentation that the reinforcement of cyber security practices occurred at least once every 15 calendar months. The evidence could be documentation through one or more of the following methods:
o Direct communications (for example, e-mails, memos, or computer-based training);
o Indirect communications (for example, posters, intranet, or brochures); or
o Management support and reinforcement (for example, presentations or meetings).
Compliance Requirements
• 201 CMR 17.00
§17.03(2) 1. ongoing employee (including temporary and contract employee) training; 2. employee compliance with policies and procedures; and 3. means for detecting and preventing security system failures.
Imposing disciplinary measures for violations of the comprehensive information security program rules.
§17.04(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.
Building a Security Culture
Building a Security Culture
• George Kelling
• Minor policy violations lead to bigger ones – eroding the security culture
• Building a security culture requires regular reinforcement, creating and sustaining habits.
The Tipping Point - Malcolm Gladwell
Building a Security Culture
• Obtain buy-in at All Levels
1. Executive Team
2. IT Department
3. Employees
Building a Security Culture
• Write a Plan
• Build a Security Awareness Team
• Be Creative and Enthusiastic
• Have an Expert
• Select metrics
What is Effective Training?
What is Effective Training?
The first goal of any security awareness and training program should be improved knowledge and behavior, not just awareness.
• Security awareness alone is not enough to improve end-user security
• Users must understand and know how to respond to potential security risks
What is Effective Training?
Real-life examples and immediate feedback enhance learning and retention, allowing users to understand and correct their behavior
What is Effective Training?
• When users can understand the context of their behaviors, practice through simulated situations, and receive immediate feedback, they can make better decisions and reduce risks
What is Effective Training?
• Establish baseline training for the organization
• Present individualized training to specialized groups with higher risk profiles – IT, Dispatch, Customer Service, HR, Procurement
• Keep current - Ukrainian Grid, WikiLeaks, Dyn. What have you seen in the organization?
• Don’t be about NO, be about HOW
What is Effective Training?
• Use mixed media – videos, posters, games, interactive lessons
• Free content and forums available
• www.clickclickphish.com
How can we Enforce Compliance?
Why enforce the policy?
If employees in a company witness other people breaking security policies and not being punished
• they are tempted to do the same
• it becomes socially acceptable and normal
This is the root cause of poor security culture
Enforcement
• Write a Security Policy with Teeth
• Train to the Policy
• Graduated Enforcement
• Lead by Example
• Follow-up
Enforcement
PCI Security Standards Council recommendations
• Make employees aware of potential harm to the organization and detail how that would affect the employee – penalties, reputational harm, impact on employee’s job
Enforcement
Measuring Effectiveness
Measuring Effectiveness
You can’t improve if you don’t measure.
The Ponemon Institute’s Security Effectiveness Score recommends these metrics:
• Uptime
• Compliance
• Threat containment
• Cost efficiency
• Data breach prevention
• Policy enforcement
http://www.csoonline.com/article/2134334/metrics-budgets/measuring-the-effectiveness-of-your-security-awareness-program.html
Social Pen-Testing
• Social engineering has long been the preferred route for hackers, whether through the front door or using social media and email – Target, Natanz, Ukrainian Grid, RSA
• Shock complacent staff into realizing how vulnerable to social engineering they really are, and through that keep them on their toes and improve overall security
• Opens a valuable communications channel between users and security staff
Phishing
• Be open and up-front about the program goals and objectives
– Allows a dialog to occur and concerns to be addressed before any simulated phishing training takes place
• Steer the debrief conversation in the direction of remediation and education, rather than blame and sanctions
• Make reporting part of the message
Phishing
• Phish using both inside and outside addresses
• Not everyone will be vulnerable to every phish
• Immediate feedback is a teaching opportunity
Phishing
Click the Link
Open the Attachment
Fill out this Form
Phishing - Examples (three slides of sample phishing e-mails; images not reproduced)
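The phishing slides above make three measurable claims: rotate inside and outside sender addresses, expect that not everyone falls for every lure, and give immediate feedback to those who do. The script below is an added example, not code from the deck or its author, showing how a program owner might tally simulated-campaign results to act on those points. The event format, the campaign names and every result in it are constructed for illustration; real tooling will export something different.

```python
"""Tally simulated-phishing results: click and report rates per campaign,
per sender origin and per lure type, the cross-campaign share of people who
fell for at least one lure, and the list of recipients who need immediate
feedback after a given campaign.

Hypothetical record layout (constructed for this example):
    (campaign, sender_origin, lure, recipient, department, action)
action is one of: 'clicked' (fell for the lure), 'reported' (sent it to
security without clicking), 'clicked+reported', 'ignored'.
"""
from collections import defaultdict

# Constructed sample data: three campaigns, one from an outside address and
# two from inside addresses, each using a different lure from the deck.
EVENTS = [
    ("c1", "outside", "link", "alice", "HR", "clicked"),
    ("c1", "outside", "link", "bob", "IT", "reported"),
    ("c1", "outside", "link", "carol", "Dispatch", "ignored"),
    ("c1", "outside", "link", "dave", "Procurement", "clicked+reported"),
    ("c1", "outside", "link", "erin", "Customer Service", "reported"),
    ("c2", "inside", "attachment", "alice", "HR", "reported"),
    ("c2", "inside", "attachment", "bob", "IT", "ignored"),
    ("c2", "inside", "attachment", "carol", "Dispatch", "clicked"),
    ("c2", "inside", "attachment", "dave", "Procurement", "ignored"),
    ("c2", "inside", "attachment", "erin", "Customer Service", "reported"),
    ("c3", "inside", "form", "alice", "HR", "ignored"),
    ("c3", "inside", "form", "bob", "IT", "clicked"),
    ("c3", "inside", "form", "carol", "Dispatch", "reported"),
    ("c3", "inside", "form", "dave", "Procurement", "reported"),
    ("c3", "inside", "form", "erin", "Customer Service", "ignored"),
]

CAMPAIGN, ORIGIN, LURE, RECIPIENT, DEPARTMENT, ACTION = range(6)


def clicked(action):
    """True when the recipient fell for the lure, whether or not they reported it."""
    return action.startswith("clicked")


def reported(action):
    """True when the recipient reported the message to security."""
    return "reported" in action


def rates(events, group_of):
    """Click and report rate per group; group_of(event) names the group.

    Returns {group: {"n": recipients, "click": rate, "report": rate}}.
    Pass lambda e: e[CAMPAIGN], e[ORIGIN] or e[LURE] to slice the data
    the way the deck suggests (per campaign, inside vs outside, lure type).
    """
    counts = defaultdict(lambda: [0, 0, 0])  # recipients, clicks, reports
    for ev in events:
        g = group_of(ev)
        counts[g][0] += 1
        counts[g][1] += clicked(ev[ACTION])
        counts[g][2] += reported(ev[ACTION])
    return {g: {"n": n, "click": round(c / n, 3), "report": round(r / n, 3)}
            for g, (n, c, r) in counts.items()}


def susceptible_share(events):
    """(share of recipients who clicked in at least one campaign,
        highest single-campaign click rate).

    The first number is the figure that matters for risk; the second is what
    a single campaign reports. Because not everyone is vulnerable to every
    phish, the first is usually well above the second.
    """
    everyone = {ev[RECIPIENT] for ev in events}
    ever_clicked = {ev[RECIPIENT] for ev in events if clicked(ev[ACTION])}
    per_campaign = rates(events, lambda e: e[CAMPAIGN])
    worst = max(v["click"] for v in per_campaign.values())
    return round(len(ever_clicked) / len(everyone), 3), worst


def feedback_queue(events, campaign):
    """Recipients of one campaign who clicked and did not report.

    These are the people to reach first with the immediate, non-punitive
    feedback the deck recommends; those who clicked and then reported have
    already done the right thing and only need a thank-you.
    """
    return sorted((ev[RECIPIENT], ev[DEPARTMENT]) for ev in events
                  if ev[CAMPAIGN] == campaign
                  and clicked(ev[ACTION]) and not reported(ev[ACTION]))


if __name__ == "__main__":
    for label, idx in (("campaign", CAMPAIGN), ("origin", ORIGIN), ("lure", LURE)):
        print(label, rates(EVENTS, lambda e, i=idx: e[i]))
    print("susceptible overall vs worst campaign:", susceptible_share(EVENTS))
    print("needs feedback after c1:", feedback_queue(EVENTS, "c1"))
```

In the constructed data the worst campaign shows a 40% click rate while 80% of recipients clicked on at least one of the three lures, which is the practical reason to vary sender origin and lure type across campaigns rather than judging the program on one mailing.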
Security Fatigue
Security Fatigue
• 2016 study by the National Institute of Standards and Technology (NIST)
• When asked to make more computer security decisions than they are able to manage, they experience decision fatigue, which leads to security fatigue.
– “I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.”
– “It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.”
Three ways to ease security fatigue and help users maintain secure online habits and behavior.
Security Fatigue
1. Limit the number of security decisions users need to make
2. Make it simple for users to choose the right security action
3. Design for consistent decision making whenever possible.
Questions?
Best Practices for Security Awareness and Training