1) Employee training and awareness is a critical element for cybersecurity resilience. Successful programs focus on changing employee behavior and aligning security practices both inside and outside of work. 2) Traditional awareness programs often fail because they are not engaging for employees and do not lead to real behavior change. Effective programs treat security messaging like marketing and use multiple channels, contexts, and reminders to reinforce the message. 3) Measuring outcomes is important for security awareness programs. Objectives should be clearly defined and focused on discrete, measurable goals rather than vague concepts like "increasing awareness."

1. Employee Training & Awareness
A Critical Element in Cybersecurity Resilience
@Ben_Smith
Ben Smith, CISSP
Field CTO (East), Security Portfolio

2. 2© Copyright 2015 EMC Corporation. All rights reserved.
Agenda
1 2
Looking in the mirror
Failures of awareness,
failures of behavior
4
Additional
resources
SAMPLE REFERENCE – “Hunting for Sharks’ Teeth (and Other IOCs)” https://blogs.rsa.com/hunting-sharks-teeth-iocs/
3
What does success look like?

3. 3© Copyright 2015 EMC Corporation. All rights reserved.
• “It’s not about if you get breached; it's when you get
breached.”
• “Even large enterprises that have millions of dollars to
spend on security got breached, so everyone is at
risk.”
• “The breaches we have seen so far are just the
beginning – bigger breaches are coming.”
• “Legacy security technologies are of limited value in
the face of advanced persistent threats.”
• “Security incidents can put you out of business.”
What you will NOT hear from me today…
Gartner, “The Future of Security Sales Revolves Around Digital Risk” (May 2015) [G00278090]

4. 4© Copyright 2015 EMC Corporation. All rights reserved.
• “We’re not very visible.”
• “But we’ve never had a breach.”
• “The probability of this happening is so low that I’ll take my chances.”
Beware These Cop-Out Statements!
Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563]
It doesn’t matter if your company has a
widely known public brand or not
Don’t confuse luck with competence
It’s unlikely that anyone in the organization knows the
probability of certain security incidents happening

5. 5© Copyright 2015 EMC Corporation. All rights reserved.
• “We’re a small organization.”
• “We have insurance.”
Beware These Cop-Out Statements!
Forrester, “Understand The Business Impact And Cost Of A Breach” (Jan 2015) [60563]
A much bigger factor today than the size
of your organization is whether you have
information that is valuable to attackers now, or
will be valuable in the future
Read the fine print to ensure you know exactly what will
be covered by your insurance policy, and remember…
cyberinsurance is not a get out of jail free card

6. 6© Copyright 2015 EMC Corporation. All rights reserved.
• Education
• Training
• Awareness
What is “Security Awareness”?
Mark Wilson, “A Crash Course in Awareness versus Training versus Education versus Certification (An Off-Kilter Look)” (Feb 2014)
http://csrc.nist.gov/organizations/fissea/2014-conference/presentations/fissea_2014_mwilson.pdf
…study a topic in depth
…produce relevant skills & competencies
…focus attention, recognize & respond,
change behavior

7. 7© Copyright 2015 EMC Corporation. All rights reserved.
• The good news (from the management front)
– “Security awareness” as a priority has risen
– 56% ► 71% (from 2010 to 2014)
• The bad news (from the employee front)
– 53% are aware of their employer’s current security policies
– 38% say they have received training on staying secure at work
– 22% of information workers are concerned about security
Security Awareness, by the Numbers
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

8. 8© Copyright 2015 EMC Corporation. All rights reserved.
• Staff are not emotionally involved
• Objectives are not aligned with the ultimate goal
• Bland and generic content fails to help the audience
• Employers settling for one-time, compliance-driven approach
Why Do Security Awareness Programs Fail?
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

9. 9© Copyright 2015 EMC Corporation. All rights reserved.
• Behavior change is an ambitious (and necessary) goal!
– Learning in the correct context
– Repeating actions to embed knowledge
– Rewarding staff to encourage new habits
Awareness =? Behavior Change
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

10. 10© Copyright 2015 EMC Corporation. All rights reserved.
1. Speak a common language (business) to align incentives
– Shift security and risk to a shared business issue from an IT-
specific responsibility
2. Redefine data ownership to spread security and privacy
mindfulness
– Accountability = the business units, not IT
3. Cultivate “right choice” decision-making
– Produce targeted security awareness training that is relevant for
employees beyond the work environment
3 Key Processes to Change Culture & Behavior
Forrester, “Instill A Culture Of Data Security And Privacy: Equip Your Workforce To Augment The Security Team” (Mar 2015) [101761]

11. 11© Copyright 2015 EMC Corporation. All rights reserved.
• “Crossover areas” of importance
– Password reuse across accounts
– Connecting to public Wi-Fi access points
– Presence on social media sites
– Social engineering
– Phishing
Beyond the work environment

12. 12© Copyright 2015 EMC Corporation. All rights reserved.
• Focus on discrete, clearly phrased, measurable outcomes in all
objectives for security awareness
• Avoid poorly-defined outcomes
– “Increase the awareness of employees…”
– “Ensure that all employees understand…”
– “Effectively communicate corporate goals and principles regarding
security risks”
Define Measurable Outcomes
Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]

13. 13© Copyright 2015 EMC Corporation. All rights reserved.
Define Measurable Outcomes
Gartner, “Effective Security Awareness Starts With Defined Objectives” (Dec 2013) [G00258624]

14. 14© Copyright 2015 EMC Corporation. All rights reserved.
One Size Fits All?
Gartner, “Segment Your Audience for Effective Security Awareness Communications” (Feb 2015) [G00271825]
Office
Bound
Mobile
Digital Immigrant
Digital Native
Coffee Machine
Communicator
Road Warrior
Tablet TravelerFacebook Friend
Group behavior Individual behavior
Watch your mouth
Watch your typing
• Lock up before you leave
• Keep your desk clean
• Avoid loose talk in public
• Be aware of the dangers of
multichannel multitasking
• Be aware of the risks of
mixing work and pleasure
• Protect your devices
• Be aware of shoulder surfing
• Avoid loose talk in public
• Don’t share devices
• Don’t share credentials
• Be aware of media dangers
• Humanize data

15. 15© Copyright 2015 EMC Corporation. All rights reserved.
• Management buy-in & sponsorship
• Cross-functional “campaign” approach
• Marketing, branding
– One-line tagline used with all communications
• Identification of “awareness vehicles”
Case Study: Large Company
Allen Smith & Nancy Toppel, “Case Study: Using Security Awareness to Combat the Advanced Persistent Threat” (Jun 2009)
http://cisse.info/resources/archives/category/12-papers?download=131:s03p02-2009
 Intranet
 One-page, once monthly
 Audio vignette
 Audio message from Executive
 Management briefings
 Awareness giveaways
 Contest
 Events
 Email Q&A list

16. 16© Copyright 2015 EMC Corporation. All rights reserved.
• Make it personal for employees
– Security best practices inside and outside the workplace
• Treat communication like a Hollywood movie
– Clips, tasters, and teasers ahead of deployment can build tension
and interest
• Embed elements of novelty & use unexpected delivery channels
– Draw attention to a message by making it appear outside of its
normal, or expected, context
Some Content Ideas
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

17. 17© Copyright 2015 EMC Corporation. All rights reserved.
• Reinforce the message at teachable moments
– Near-misses (your organization, or others in the news)
– One-on-one guidance following (failed) phishing tests
• Test gamification tactics
– Set up friendly competition among staff
– Create scenarios where employees compete with each other,
or for personal “best scores”
Some Content Ideas
Forrester, “Reinvent Security Awareness To Engage The Human Firewall” (Dec 2014) [79821]

18. 18© Copyright 2015 EMC Corporation. All rights reserved.
Gamification
Ira Winkler & Samantha Manke, “Gamifying Security Awareness” (Feb 2014)
http://www.rsaconference.com/writable/presentations/file_upload/hum-t07a-gamifying-security-awareness.pdf

19. 19© Copyright 2015 EMC Corporation. All rights reserved.
• SANS “OUCH!” newsletter
– https://www.securingthehuman.org/resources/newsletters/ouch/2015
Additional (Free!) Resources
∙ Shopping Online Securely (Nov)
∙ Password Managers (Oct)
∙ Two-Step Verification (Sep)
∙ Backup & Recovery (Aug)
∙ Social Media (Jul)
∙ Educating Kids on Cyber Safety (Jun)
∙ Securing the Cyber Generation Gap (May)
∙ Passphrases (Apr)
∙ Gaming Online Safely & Securely (Mar)
∙ Staying Secure on the Road (Feb)

20. 20© Copyright 2015 EMC Corporation. All rights reserved.
• SANS “Securing the Human” blog
– https://www.securingthehuman.org/blog/
• National Cyber Security Alliance: Business Safe Online Resources
– https://www.staysafeonline.org/business-safe-online/resources/
• NIST SP 800-50, “Building An Information Technology Security
Awareness and Training Program” (Oct 2003)
– http://csrc.nist.gov/publications/nistpubs/800-50/NIST-SP800-50.pdf
– < Section 4. Developing Awareness and Training Material >
Additional (Free!) Resources

21. 21© Copyright 2015 EMC Corporation. All rights reserved.
• DHS US-CERT: National Cyber Awareness System - Tips
– https://www.us-cert.gov/ncas/tips
• DHS “Stop.Think.Connect.” Campaign
– http://www.dhs.gov/stopthinkconnect
– http://www.dhs.gov/publication/stopthinkconnect-small-business-resources
• RSAC CyberSafety: Kids initiative
– http://www.rsaconference.com/about/rsac-cyber-safety
Additional (Free!) Resources

22. 22© Copyright 2015 EMC Corporation. All rights reserved.
• Pro
– “The ABC’s of Security Behavioral Influence” (Geordie Stewart, 2015) http://www.risk-intelligence.co.uk/7-habits-of-highly-successful-security-policies/
– “The 7 elements of a successful security awareness program” (Ira Winkler & Samantha Manke, 2014)
http://www.csoonline.com/article/2133408/network-security/the-7-elements-of-a-successful-security-awareness-program.html
– “Information Security Awareness - Down, But Not Out” (Salvatore Paladino, 2013) http://www.csoonline.com/article/2136488/security-
awareness/information-security-awareness---down--but-not-out---by-salvatore-c--paladino.html
– “Security Awareness Education” (“Ben Ten” @Ben0xA, 2013) http://ben0xa.com/security-awareness-education/
– “Arguments Against Security Awareness Are Shortsighted” (Ira Winkler, 2013) http://www.darkreading.com/risk/arguments-against-security-awareness-
are-shortsighted/d/d-id/1139417?print=yes
– “Schneier, Winkler and the Great Security Awareness Training Debate” (Stephen Cobb, 2013) http://www.welivesecurity.com/2013/03/27/schneier-
winkler-and-the-great-security-awareness-training-debate/
– “Ten commandments for effective security training” (Joe Ferrara, 2012) http://www.csoonline.com/article/2131688/security-awareness/ten-
commandments-for-effective-security-training.html
– “Security awareness can be the most cost-effective security measure” (Ira Winkler, 2012) http://www.csoonline.com/article/2131999/metrics-
budgets/security-awareness-can-be-the-most-cost-effective-security-measure.html
– “Security Awareness Programs: Now Hear This!” (Lew McCreary, 2006) http://www.csoonline.com/article/2120826/strategic-planning-erm/security-
awareness-programs--now-hear-this-.html
• Con
– “Security Awareness Training” (Bruce Schneier, 2013) https://www.schneier.com/blog/archives/2013/03/security_awaren_1.html
– “Why you shouldn't train employees for security awareness” (Dave Aitel, 2012) http://www.csoonline.com/article/2131941/security-awareness/why-
you-shouldn-t-train-employees-for-security-awareness.html
Other Thoughts from Industry

23. 23© Copyright 2015 EMC Corporation. All rights reserved.
http://BenSmith.SE/twitter
http://BenSmith.SE/linkedin