Maximizing Security Training ROI
       Kartik Trivedi, Symosis
Who am I?
• VP / Co-Founder of Symosis, 10+ years in
  information security consulting & Training,
  USC, Foundstone, McAfee, Accuvant, C-Level
  security, etc

• Invited speaker, author and educator

• MBA, MS Comp Sc, CISM, CISA, CISSP


                     Symosis Confidential       2
Table of Contents
•   Business case for security
•   Emerging threats
•   How to build an effective training program?
    – Step 1: Define Objectives
    – Step 2: Assess Needs
    – Step 3: Key Success Factors (Build vs. Buy, Classroom vs. Web Based, Generic vs. Customized, Hosting)
    – Step 4: Metrics
•   Case Studies
The Business Case for Security

Proper security enables a company to meet its business objectives by providing a safe and secure environment.
Impact of Security Breach
• Loss of revenue
• Damage to reputation
• Damage to investor confidence
• Loss or compromise of data
• Damage to customer confidence
• Interruption of business processes
• Legal consequences
Dollar Amount Of Loss

(Chart not reproduced in this extract.)

* CSI 2006
Cost of Security Breach

"The cost of security is not trivial; however, it is a fraction of the cost of mitigating security compromises."

* Aberdeen Group, August 2010
Security Breach Example Costs
Cost of Recent Customer Records Breach
• $6.5 Million: DSW Warehouse Costs from Data Theft
• $5.7 Million: BJ’s Wholesale Club from Data Breach

Additional impact/cost due to lost customers
• 20% of customers have ended a relationship with a
  company after being notified of a breach (Ponemon
  Institute)
• 58% said the breach decreased their sense of trust and
  confidence in the organization reporting the incident

Emerging Threats

Rapidly escalating threat to businesses: each generation widens the target and scope of damage (individual computer → individual networks → multiple networks → regional networks → global infrastructure) while the time between release and impact shrinks from weeks to seconds.

Generation   Era      Examples                                             Time to impact
First Gen    1980s    Boot viruses                                         Weeks
Second Gen   1990s    Macro viruses, Denial of Service                     Days
Third Gen    Today    Distributed Denial of Service, application threats,  Minutes
                      malware
Next Gen     Future   Flash threats, massive "bot"-driven DDoS,            Seconds
                      damaging-payload worms
Emerging Threats Drivers

Threats are becoming increasingly difficult to detect and mitigate, because attacker motivation and threat severity have escalated over time:
• 1990–1995: Testing the waters – basic intrusions and viruses
• 2000: Fame – viruses and malware
• 2005: Financial – theft and damage
• What's next?
Emerging Attack Methods

(Chart not reproduced in this extract.)

* SANS 2010
Emerging Application Weaknesses

(Chart not reproduced in this extract.)

* SANS 2010
Why Security Training – Security Guy view
• Build in-depth knowledge to design, implement or operate security programs
• Develop the skills users need to perform their jobs while using IT systems more securely
• Increase security awareness
Why Security Training – CEO view
• Demonstrating care and due diligence helps defend the institution against negligence claims and lawsuits
• Dissemination and enforcement of policy become easier when training and awareness programs are in place
• Fewer accidental security breaches
Step 1: Define Objectives
• Compliance, Regulations
  and Governance
• Client & Partner
  requirements
• Increase the general level
  of security awareness
• Design, develop and
  maintain secure IT
  infrastructure and
  applications

How is Information Security (Training) Justified in Corporations Today?

(Chart not reproduced in this extract.)

* PwC security survey 2010
Payment Card Industry (PCI)
PCI DSS mandates a formal security awareness program:
• 12.6.1: Educate employees upon hire and at least annually
• 12.6.2: Require employees to acknowledge in writing, at least annually, that they have read and understood the company's security policy and procedures
Health Insurance Portability and Accountability Act (HIPAA)
• Mandates annual privacy and security training for management, agents and contractors
• Security "marketing" efforts (awareness campaigns and security reminders)
• Annual system-specific training
Gramm–Leach–Bliley Act (GLBA)
• Mandates IT security awareness training for all employees of financial service providers (FSPs), including insurance agencies, tax preparers, finance companies, collections agencies, leasing agencies, travel agencies and financial advisors
Federal Information Security Management Act (FISMA)
• FISMA requires federal agencies to develop, document and implement a security training program that educates personnel, including contractors and other users, about their responsibilities for maintaining information security, complying with organizational policies and procedures, and reducing the risks associated with their activities
ISO 27002
• ISO 27002 recommends designing and implementing an adequate level of security education and training for the organization's employees, contractors and third-party users
Step 2: Assess Needs
• Identify a training administrator
• Primary responsibility lies with the Chief Information Security Officer, top management and the security team
Assess Needs

Using the wrong training methods can:
• Hinder transfer of knowledge
• Lead to unnecessary expense and frustrated, poorly trained employees
Assess Needs
• Who needs to be trained and on what?
  – All stakeholders: Security Awareness Training,
    Compliance
  – Program Managers – Security principles & Design
  – Developers – Threats, coding mistakes, secure
    software development
  – Testers / QA – Security Test Cases



Step 3: Key Success Factors
•   Build in-house
•   Buy ready made
•   Classroom Training
•   Web Based Training
•   Generic vs. Customized
•   Hosting


Build in-house
• Business needs are
  unique
• Internal capability,
  time, resources
• Proprietary
  information or data
  needs to be protected
• Complexity of
  interface with
  company's LMS

Buy ready made
• Reduce and control
  operating costs
• Free internal
  resources
• Gain access to
  external expertise
• Share risks


Classroom Training
• Time set aside dedicated to learning
• Costs include course fees, travel,
  accommodation and opportunity costs
• Face to face access to a trainer
• Network with other students




Web Based Training
• Individuals can study at
  their own time and pace
• Cost effective
• Easily Customizable
• Easier to measure
  student progress and
  justify costs


Generic vs. Customized
• Generic training is cost
  effective and focuses on
  core security issues like
  OWASP Top 10, etc

• Customization provides
  training that matches
  specific needs for content,
  completion requirements,
  quiz, policies, and even
  employee responsibility
  acknowledgment.

Hosting
• Internal hosting provides greater control but can be resource- and cost-intensive
• A SaaS service is often turnkey but may limit scalability and usage
Step 4: Metrics
• Quiz and survey results
• Content
• People




Metrics - Quiz and survey results

• Score Results: How did people score?
• Answer Breakdown: How did people answer?
• Attempt Detail: How did a user answer?




Metrics - Content
•   Activity: What was the activity for a content item?
•   Traffic: How often was an item viewed?
•   Progress: How many slides did people view?
•   Popular Content: Which content was viewed the most?




Metrics - People
• Group Activity: What content did a group view?
• User Activity: What content did a user view?
• Active Groups: Who were my most active
  groups?
• Active Users: Who were my most active users?




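The three metric families above (quiz and survey results, content, people) are what an LMS report exports. As an added example that is not part of the Symosis deck, the Python below computes those reports from a handful of constructed quiz-attempt and content-view records, and adds the check that an "at least annually" requirement such as PCI DSS 12.6.1 needs: which roster members have no passing attempt in the last 365 days. The record layout, answer key, pass mark, roster, content lengths and dates are all assumptions made for the example.

```python
"""Added example (not from the Symosis deck): LMS-style training metrics.

Computes the Quiz, Content and People reports listed on the slides from
constructed attempt and view records, and adds the check an "at least
annually" requirement (PCI DSS 12.6.1 style) needs: who has no passing
attempt in the last 365 days. All data, names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed answer key and quiz attempts (user, group, date, chosen options).
KEY = {"q1": "b", "q2": "a", "q3": "d", "q4": "c"}
ATTEMPTS = [
    {"user": "alice", "group": "dev", "date": date(2010, 9, 1), "answers": {"q1": "b", "q2": "a", "q3": "d", "q4": "c"}},
    {"user": "bob", "group": "dev", "date": date(2010, 9, 2), "answers": {"q1": "b", "q2": "c", "q3": "a", "q4": "c"}},
    {"user": "bob", "group": "dev", "date": date(2010, 9, 3), "answers": {"q1": "b", "q2": "a", "q3": "a", "q4": "c"}},
    {"user": "carol", "group": "qa", "date": date(2009, 6, 15), "answers": {"q1": "a", "q2": "a", "q3": "a", "q4": "c"}},
    {"user": "dave", "group": "qa", "date": date(2010, 8, 20), "answers": {"q1": "b", "q2": "a", "q3": "d", "q4": "b"}},
]
# Constructed content views: (user, content item, slides viewed) and item lengths.
VIEWS = [("alice", "secure-coding-java", 12), ("bob", "secure-coding-java", 7),
         ("carol", "owasp-top10", 3), ("dave", "owasp-top10", 10)]
TOTAL_SLIDES = {"secure-coding-java": 12, "owasp-top10": 10}
PASS_MARK = 0.75  # assumed pass threshold


def score(attempt, key=KEY):
    """Fraction of questions answered correctly; an unanswered question counts as wrong."""
    return sum(1 for q, a in key.items() if attempt["answers"].get(q) == a) / len(key)


def score_results(attempts=ATTEMPTS, key=KEY, pass_mark=PASS_MARK):
    """Score Results: best score per user and the overall pass rate."""
    best = {}
    for a in attempts:
        best[a["user"]] = max(best.get(a["user"], 0.0), score(a, key))
    return best, sum(1 for s in best.values() if s >= pass_mark) / len(best)


def answer_breakdown(attempts=ATTEMPTS, key=KEY):
    """Answer Breakdown: option counts and miss rate per question.
    A high miss rate points at content that is not landing."""
    chosen = defaultdict(lambda: defaultdict(int))
    missed = defaultdict(int)
    for a in attempts:
        for q, correct in key.items():
            option = a["answers"].get(q)
            chosen[q][option] += 1
            missed[q] += option != correct
    return {q: {"options": dict(chosen[q]), "miss_rate": missed[q] / len(attempts)} for q in key}


def attempt_detail(user, attempts=ATTEMPTS, key=KEY):
    """Attempt Detail: one user's attempts in date order with the questions missed."""
    mine = sorted((a for a in attempts if a["user"] == user), key=lambda a: a["date"])
    return [{"date": a["date"], "score": score(a, key),
             "missed": sorted(q for q, c in key.items() if a["answers"].get(q) != c)} for a in mine]


def content_traffic(views=VIEWS, total=TOTAL_SLIDES):
    """Traffic / Progress / Popular Content: views and mean fraction of slides seen per item."""
    stats = defaultdict(list)
    for _user, item, seen in views:
        stats[item].append(seen / total[item])
    return {item: {"views": len(p), "avg_progress": sum(p) / len(p)} for item, p in stats.items()}


def group_activity(attempts=ATTEMPTS):
    """Group Activity / Active Groups: attempts and distinct users per group."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for a in attempts:
        stats[a["group"]]["attempts"] += 1
        stats[a["group"]]["users"].add(a["user"])
    return {g: {"attempts": s["attempts"], "users": len(s["users"])} for g, s in stats.items()}


def overdue(roster, attempts=ATTEMPTS, key=KEY, pass_mark=PASS_MARK,
            today=date(2010, 10, 1), max_age_days=365):
    """Roster members with no passing attempt inside the window (assumed roster and date)."""
    cutoff = today - timedelta(days=max_age_days)
    current = {a["user"] for a in attempts if a["date"] >= cutoff and score(a, key) >= pass_mark}
    return sorted(u for u in roster if u not in current)


if __name__ == "__main__":
    best, rate = score_results()
    print(f"pass rate {rate:.0%}", best)
    print(answer_breakdown())
    print(attempt_detail("bob"))
    print(content_traffic(), group_activity())
    print("overdue for annual training:", overdue(["alice", "bob", "carol", "dave", "erin"]))
```

The overdue list is the number a PCI assessor or auditor actually asks for; note that it keys on a passing attempt, not on a launch or a view, so a user who opened the course but never passed still shows as overdue. The miss rate per question is the cheapest signal for which module to rework before the next cycle.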
Case Study 1: … management and custom software company
• Challenge:
  – Ensure secure coding elements have been taught
  – Teach prevention of the top 10 threats and their mitigation techniques
  – Meet a time-sensitive requirement under a DoD contract
Case Study 1: … management and custom software company
• Solution:
  – Implement best-practice software security training for Java
  – Provide access to training on demand from a SaaS model
• Framework applied: Define Objectives; Assess Needs; Key Success Factors (Build vs. Buy, Classroom vs. Web Based, Generic vs. Customized, Hosting); Metrics
Case Study 2: Large financial & Tax
           Software Company
• Challenge
  – Improve software
    quality by eliminating
    common mistakes
  – Provide foundation
    for everyone to ‘own’
    security




Case Study 2: Large financial & Tax
                Software Company
• Solution
  – Create a custom course based on previously identified risks and mitigations
  – Integrate security test cases into the QA lifecycle
  – Measure year-over-year decline in security-related CRs
Case Study 3: Large Fitness Center Chain

• Challenge:
  – Meet PCI compliance for
    integrating secure coding
    practices
  – Short timeline, small
    budget, looking for
    turnkey solution




Case Study 3: Large Fitness Center Chain
• Solution
  – Implement Java/.NET secure coding practices
  – Address PCI cardholder data requirements within application development
Thanks for listening…

                 Questions?



To try or evaluate Symosis security training for
 FREE, please email me at kartik@symosis.com



Symosis Training Offerings
•   Introductory Tracks
     – Security Awareness Training
     – Introduction to Application Security (covering OWASP, WASC and MS SDL)
•   Advanced Tracks
     –   Security Training for Managers / Architects
     –   Security Training for Developers - .NET
     –   Security Training for Developers – JAVA / J2EE
     –   Security Training for Developers – C/C++
     –   Security Training for Developers – Flash / FLEX
     –   Security QA / Testing for Applications
•   Regulations & Compliance
     –    PCI DSS Awareness Training
     –    PCI DSS Training for Developer
     –    Security Training for HIPAA




Security & Compliance for Startups
 
InfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and AndroidInfoSec World 2014 Security Imperatives for IOS and Android
InfoSec World 2014 Security Imperatives for IOS and Android
 
Security Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android AppsSecurity Imeprative for iOS and Android Apps
Security Imeprative for iOS and Android Apps
 
Developing Secure Mobile Applications
Developing Secure Mobile ApplicationsDeveloping Secure Mobile Applications
Developing Secure Mobile Applications
 
Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012Enterprise Security in Hybrid Cloud ISACA-SV 2012
Enterprise Security in Hybrid Cloud ISACA-SV 2012
 
Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012Mobile application securitry risks ISACA Silicon Valley 2012
Mobile application securitry risks ISACA Silicon Valley 2012
 

Maximizing Security Training ROI

  • 1. Maximizing Security Training ROI Kartik Trivedi, Symosis
  • 2. Who am I? • VP / Co-Founder of Symosis, 10+ years in information security consulting & training: USC, Foundstone, McAfee, Accuvant, C-Level Security, etc. • Invited speaker, author and educator • MBA, MS Comp Sc, CISM, CISA, CISSP Symosis Confidential 2
  • 3. Table of Contents • Business case for security • Emerging threats • How to build an effective training program? • Case Studies
  • 4. The Business Case for Security Proper security enables a company to meet its business objectives by providing a safe and secure environment
  • 5. Impact of Security Breach • Loss of Revenue • Damage to Reputation • Damage to Investor Confidence • Loss or Compromise of Data • Damage to Customer Confidence • Interruption of Business Processes • Legal Consequences
  • 6. Dollar Amount of Loss (chart not reproduced in the transcript) * CSI 2006
  • 7. Cost of Security Breach The cost of security is not trivial; however, it is a fraction of the cost of mitigating security compromises * Aberdeen Group August 2010
  • 8. Security Breach Example Costs Cost of recent customer records breaches: • $6.5 Million: DSW Warehouse costs from data theft • $5.7 Million: BJ’s Wholesale Club costs from data breach Additional impact/cost due to lost customers: • 20% of customers have ended a relationship with a company after being notified of a breach (Ponemon Institute) • 58% said the breach decreased their sense of trust and confidence in the organization reporting the incident
  • 9. Table of Contents • Business case for security • Emerging threats • How to build an effective training program? • Case Studies
  • 10. Emerging Threats (figure: threat generations, 1980s to future, plotted against target and scope of damage) Rapidly escalating threat to businesses: scope of damage grows from an individual computer to individual networks, multiple networks, regional networks and finally global infrastructure, while time to impact shrinks from weeks to days, minutes and seconds. Generations shown: First Gen, Second Gen, Third Gen and Next Gen; threat types listed include boot viruses, macro viruses, denial of service, application worms and malware; Next Gen threats are flash threats, massive “bot”-driven networks, distributed DDoS and damaging payloads.
  • 11. Emerging Threats Drivers (figure: threat severity over time, 1990–2005, and “What’s next?”) Threats are becoming increasingly difficult to detect and mitigate. Motivation has moved from testing the waters (basic intrusions and viruses) to fame (viruses and malware) to financial gain (theft & damage).
  • 12. Emerging Attack Methods (chart not reproduced in the transcript) * SANS 2010
  • 13. Emerging Application Weaknesses (chart not reproduced in the transcript) * SANS 2010
  • 14. Table of Contents • Business case for security • Evolving threats • How to build an effective training program? • Case Studies
  • 15. Why Security Training – Security Guy View • Build in-depth knowledge to design, implement, or operate security programs • Develop skills so users can perform their jobs while using IT systems more securely • Increase security awareness
  • 16. Why Security Training – CEO View • Demonstrating care & due diligence can help indemnify the institution against lawsuits • Dissemination & enforcement of policy become easier when training & awareness programs are in place • Reduce accidental security breaches
  • 17. Step 1: Define Objectives • Compliance, Regulations and Governance • Client & Partner requirements • Increase the general level of security awareness • Design, develop and maintain secure IT infrastructure and applications
  • 18. How is Information Security (Training) Justified in Corporations Today? (chart not reproduced in the transcript) * PWC security survey 2010
  • 19. Payment Card Industry (PCI) PCI DSS mandates a security awareness program that: 12.6.1: Educates employees upon hire and at least annually 12.6.2: Requires employees to annually acknowledge in writing that they have read and understood the company's security policy and procedures
  • 20. Health Insurance Portability and Accountability Act (HIPAA) • Mandated annual privacy and security training for management, agents & contractors • Security “marketing” efforts • Annual system-specific training
  • 21. Gramm–Leach–Bliley Act (GLBA) • Mandates IT security awareness training for all employees of financial service providers (FSPs), including: – insurance agencies, tax preparers, finance companies, collections agencies – leasing agencies, travel agencies and financial advisors
  • 22. Federal Information Security Management Act (FISMA) • FISMA requires federal agencies to develop, document, and implement a security training program that educates personnel, including contractors and other users, about their responsibilities in maintaining information security, complying with organizational policies and procedures, and reducing the risks associated with their activities
  • 23. ISO 27002 • ISO 27002 recommends designing and implementing an adequate level of security education and training for your organization’s employees, contractors and third-party users
  • 24. Table of Contents • Business case for security • Evolving threats • How to build an effective training program? – Step 1: Define Objectives – Step 2: Assess Needs – Step 3: Key Success Factors – Step 4: Metrics • Case Studies
  • 25. Step 2: Assess Needs • Identify a training administrator • Primary responsibility lies with the Chief Information Security Officer, top management and the security team
  • 26. Assess Needs Using the wrong training methods can: – Hinder transfer of knowledge – Lead to unnecessary expense and frustrated, poorly trained employees
  • 27. Assess Needs • Who needs to be trained, and on what? – All stakeholders: Security Awareness Training, Compliance – Program Managers: Security principles & design – Developers: Threats, coding mistakes, secure software development – Testers / QA: Security test cases
  • 28. Table of Contents • Business case for security • Evolving threats • How to build an effective training program? – Step 1: Define Objectives – Step 2: Assess Needs – Step 3: Key Success Factors – Step 4: Metrics • Case Studies
  • 29. Step 3: Key Success Factors • Build in-house • Buy ready-made • Classroom Training • Web Based Training • Generic vs. Customized • Hosting
  • 30. Build in-house • Business needs are unique • Internal capability, time, resources • Proprietary information or data needs to be protected • Complexity of interface with the company's LMS
  • 31. Buy ready-made • Reduce and control operating costs • Free internal resources • Gain access to external expertise • Share risks
  • 32. Classroom Training • Time set aside dedicated to learning • Costs include course fees, travel, accommodation and opportunity costs • Face-to-face access to a trainer • Network with other students
  • 33. Web Based Training • Individuals can study at their own time and pace • Cost effective • Easily customizable • Easier to measure student progress and justify costs
  • 34. Generic vs. Customized • Generic training is cost effective and focuses on core security issues like the OWASP Top 10 • Customization provides training that matches specific needs for content, completion requirements, quizzes, policies, and even employee responsibility acknowledgment
  • 35. Hosting • Internal hosting provides greater control but can be resource and cost intensive • A SaaS service is often turnkey but may limit scalability and usage
  • 36. Table of Contents • Business case for security • Evolving threats • How to build an effective training program? – Define Objectives – Assess Needs – Key Success Factors • Build vs. Buy • Classroom vs. Web Based • Generic vs. Customized • Hosting – Metrics • Case Studies
  • 37. Step 4: Metrics • Quiz and survey results • Content • People
  • 38. Metrics - Quiz and survey results • Score Results: How did people score? • Answer Breakdown: How did people answer? • Attempt Detail: How did a user answer?
  • 39. Metrics - Content • Activity: What was the activity for a content item? • Traffic: How often was an item viewed? • Progress: How many slides did people view? • Popular Content: Which content was viewed the most?
  • 40. Metrics - People • Group Activity: What content did a group view? • User Activity: What content did a user view? • Active Groups: Who were my most active groups? • Active Users: Who were my most active users?
  • 41. Table of Contents • Business case for security • Evolving threats • How to build an effective training program? • Case Studies
  • 42. management and custom software company • Challenge: – Ensure secure coding elements have been taught – Prevent top 10 threats and teach mitigation techniques – Meet a time-sensitive requirement under a DoD contract
  • 43. management and custom software company • Solution: – Implement best-practices software security training for Java – Provide access to training on demand from a SaaS model • Framework: – Define Objectives – Assess Needs – Key Success Factors (Build vs. Buy, Classroom vs. Web Based, Generic vs. Customized, Hosting) – Metrics
  • 44. Case Study 2: Large Financial & Tax Software Company • Challenge: – Improve software quality by eliminating common mistakes – Provide a foundation for everyone to ‘own’ security
  • 45. Case Study 2: Large Financial & Tax Software Company • Solution: – Create a custom course based on previously identified risks and mitigations – Integrate security cases into the QA lifecycle – Measure year-over-year declines in security-related CRs • Framework: – Define Objectives – Assess Needs – Key Success Factors (Build vs. Buy, Classroom vs. Web Based, Generic vs. Customized, Hosting) – Metrics
  • 46. Case Study 3: Large Fitness Center Chain • Challenge: – Meet PCI compliance for integrating secure coding practices – Short timeline, small budget, looking for a turnkey solution
  • 47. Case Study 3: Large Fitness Center Chain • Solution: – Implement Java/.NET secure coding practices – Address PCI cardholder data requirements within application development • Framework: – Define Objectives – Assess Needs – Key Success Factors (Build vs. Buy, Classroom vs. Web Based, Generic vs. Customized, Hosting) – Metrics
  • 48. Thanks for listening… Questions? To try or evaluate Symosis security training for FREE, please email me at kartik@symosis.com
  • 49. Symosis Training Offerings • Introductory Tracks – Security Awareness Training – Introduction to Application Security (covering OWASP, WASC and MS SDL) • Advanced Tracks – Security Training for Managers / Architects – Security Training for Developers – .NET – Security Training for Developers – Java / J2EE – Security Training for Developers – C/C++ – Security Training for Developers – Flash / FLEX – Security QA / Testing for Applications • Regulations & Compliance – PCI DSS Awareness Training – PCI DSS Training for Developers – Security Training for HIPAA

Editor's Notes

  1. According to DSW, in addition to credit card numbers, the thieves obtained driver's license numbers and checking account numbers from 96,000 transactions involving checks, but customer addresses and Social Security numbers were not stolen. The FTC charges that a total of approximately 1.4 million credit and debit cards and 96,000 checking accounts were compromised at DSW, and that there have been fraudulent charges on some of these accounts. Further, some customers whose checking account information was compromised have incurred out-of-pocket expenses in connection with closing their accounts and ordering new checks. Some checking account customers have contacted DSW to request reimbursement for their expenses, and DSW has provided some amount of reimbursement to these customers. According to DSW’s SEC filings, as of July 2005, the company’s exposure for losses related to the breach ranges from $6.5 million to $9.5 million. In 2004, DSW generated $961 million in net sales and 14.8 million in profits. While IT executives don't seem to be losing their jobs over the rising number of publicly reported breaches, their companies are experiencing severe losses, starting with an exodus of customers and customer loyalty. According to a September survey of 10,000 adults conducted by the Ponemon Institute, a privacy research organization, 19% of respondents ended their relationships with companies reporting breaches, and 58% say they have lost trust.
  2. Just a few years ago, system administrators had days or weeks to respond to new threats. Today, threat levels are escalating at ever-increasing speed and magnitude, and can cause major damage to business processes and services. Now, response time has been cut to minutes or even seconds. This requires some revolutionary new methods to address these evolving threats. Behavioral blocking technologies seem to be the answer, both at the endpoint and in the network traffic stream. A couple of examples emphasize this point: the Sapphire worm in January 2003 spread worldwide in 11 minutes; at peak it was infecting 55 million hosts/second and doubled every 8.5 seconds. PCs and servers are the most common point of new attacks, infected by worms, viruses and Trojan horses; sophisticated “blended threats” combine multiple threats. The cost of viruses to businesses this year is $13 billion (Computer Economics, Inc. estimate). CIOs rank security as the number one problem companies face today. According to Richard Clarke, Former Special Advisor to the President for Cyberspace Security, “The average amount of money, as a % of revenue, that companies spend on IT security is .0025 % or slightly less than they spend on coffee.”
  3. https://blogs.sans.org/appsecstreetfighter/2010/10/06/wasc-web-hacking-incident-database-semiannual-report/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SansApplicationSecurityBlog+%28SANS+Application+Security+Blog%29 (WASC)
  4. The Payment Card Industry (PCI) Data Security Standard mandates a security awareness program that: 12.6.1: Educates employees upon hire and at least annually. Role-based training that is customized to include information specific to the importance of cardholder data security and how your employees can maintain and enhance your internal security controls. 12.6.2: Requires employees to annually acknowledge in writing that they have read and understood the company's security policy and procedures. Training includes an integrated "policy acceptance form" that displays your policy and procedures documentation. Employees acknowledge annually that they have read, understood and will abide by your (changing) policies and procedures.
  5. management, agents and contractors
  6. http://www.inspiredelearning.com/sat/standards.htm
  7. Hybrid