3. IS Awareness Strategy
• Why will you do that?
• What is your goal?
• Who are you targeting in your program?
• What will you teach them?
• How will you engage and communicate with people?
4. IS Awareness Domains:
• Intro (terms, policy, requirements, risks, objectives, incidents, roles and responsibilities…)
• Processes (information classification and labeling, change management, information transfer, incident notification, business continuity, backup and recovery…)
• Acceptable use policy (BYOD, laptops, IT services, shared folders, Internet…)
• Physical Security (badges, access control, secure areas, key management, visitors, document disposal, clear desk policy…)
• IT Security (antimalware, VPN, password policy, notification about monitoring (DLP, SIEM, web)…)
• Remote work and business trips
• Public Information (social media, presentations, PR…)
• Data protection (GDPR+)
• Special cases
https://www.patreon.com/posts/is-awareness-30631920
7. My IS awareness programme: Chronology
2017:
• Document study
• e-Learning platform testing – Failure
• Video recording – Failure
• Posters – Failure
2018:
• Document study
• The corporate portal and Shared Folders (Z)
• Security Presents
• Presentations: Introduction (1.0), 60%; Site security (1.0), 100%
• Phishing and e-Learning platform testing – Failure
2019:
• Document study
• The corporate portal and Shared Folders (Z)
• Security Presents
• E-mailing (not regular)
• Presentations: Introduction (2.9), 80%; Site security (2.0), 100%; Phishing (1.2), 50%
• Phishing platform testing – Failure
2020:
• Document study
• The corporate portal and Shared Folders (Z)
• Security Presents
• E-mailing
• Posters
• Presentations: Introduction (3.x); Site security; Phishing; Classification and Handling
• Phishing platform (?Gophish)
• e-Learning platform (?SCORM format)
8. A few words about metrics
Basic metric - % of employees trained. We'll complicate it later…
In case of incidents (including tests) - one more training…
Observations:
• The number of incident notifications has increased
• The number of incidents has decreased (by category)
• The number (and topics) of requests have changed
Input for continuous improvement (CI)
9. Content
• AIDA: Attention, Interest, Desire, Action
• Actual / Useful: real cases; company / industry; region; corporate culture; business context; personal context
• Good Looking: we need a designer!; buy the pictures; use the photos
• Smart Tests: T/F questions are better than multiple choice questions; answers in the text; explanations
• Plain language: native language; no slang; humor
• Easy to update: no video / audio
• e-Learning: SCORM
12. Usually we don't have time (and motivation) for IS awareness and training...
• IS team
• Management
• Employees
13. Five “S”s to Success
• Support
• Staff
• Soft skills
• Simplicity
• Smart
By SANS
14. Thanks!
Andrey Prozorov, CISM
My blog
My Patreon
My Linkedin
80na20.blogspot.com
www.patreon.com/AndreyProzorov
www.linkedin.com/in/andrey-prozorov-cism-90018530