14/5/2013 ISACA – Sofia Chapter 1Training people and risingawarenessThe never-ending story
14/5/2013 ISACA – Sofia Chapter 2AgendaDefine the factsAvoid the pitfallsBest practicesTo be successfulTakeawaysRocket-science
14/5/2013 ISACA – Sofia Chapter 3Define the facts
14/5/2013 ISACA – Sofia Chapter 4Define the facts• Training is a critical part of any initiative, introducing users to policyguidelines and allowing management to set expectations.Source: www.assero.co.uk
14/5/2013 ISACA – Sofia Chapter 5Define the facts• You wont get far in your training if you dont tune your message to theaudience, whether youre presenting your case to the executiveboard, the IT group or the staff.Source: articles.elitefts.com
14/5/2013 ISACA – Sofia Chapter 6Define the facts• Habits drive organizational culture, and there are no technologies thatwill ever make up for poor culture.Source: www.eaglesflight.com
14/5/2013 ISACA – Sofia Chapter 7Define the facts• Ensure that any awareness training program is a continuous process:heightened user awareness loses value if you dont reinforce learnedconcepts over time."As it shows in the report we have seen susceptibility reductions of over 80% when comparing an initialmock attack to subsequent attacks when in-depth training is completed in between the attacks.“-- Joe Ferrara, President and CEO of Wombat Security TechnologiesSource: http://www.wombatsecurity.com/phishing_attack_report
14/5/2013 ISACA – Sofia Chapter 8Define the facts• There is clear tendency not to engage with external awareness providers.Wisegate found that less than 1% of companies use only third-party trainingcompanies, 50% develop their awareness regime fully in-house, 42% use a combination ofthird-party and in-house training, and amazingly, as many as 7% do no awareness trainingat all.01020304050Awareness trainingDevelop fully in-houseNo awareness trainingUse third-party onlyUse a combinationSource: http://www.wisegateit.com/resources/downloads-security-awareness-report
14/5/2013 ISACA – Sofia Chapter 9Avoid the pitfalls• ‘Do as I say, not as I do’ resonates in the executive corridor of far toomany organizations today.– When asked “Do you believe directors think the policies don’t apply to them?”, 56% agreed.– Not so many senior managers actually “ignore or flout security policies and procedures,” but at 42%it is still surprisingly high.– 52% agreed “The board of directors have access to the most sensitive information but have the leastunderstanding of security issues.”-- Cryptzone queried 300 IT professionalsSource: http://www.infosecurity-magazine.com/view/25971/security-do-as-i-say-not-as-i-do/
14/5/2013 ISACA – Sofia Chapter 10Avoid the pitfalls• Recognize that the user is ‘the most commonly exploited securityvulnerability’ in your company, but be warned that there is no single one-size-fits-all solution to awareness training.Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/
14/5/2013 ISACA – Sofia Chapter 11Avoid the pitfalls• Don’t do it alone. Turn to the marketing and training departments anduse their expertise in both developing an awareness program, and thenselling it to the user.Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/
14/5/2013 ISACA – Sofia Chapter 12Best Practices• Maximize the strengths and avoid the pitfalls in what can be acontroversial, but is a very effective, method of training users: learning byexperience. Its effectiveness can be measured and monitored to allow themost cost-efficient training for the highest risk people and topics.
14/5/2013 ISACA – Sofia Chapter 13Best Practices• Make education easy and accessible. Don’t make security training aburden, make it part of their everyday activities.• Refresh the policy training routinely and test their knowledge often toensure they have the ability to execute the policy in day-to-day scenarios.• Try to make the information relevant to their personal use. This creates afeeling of empowerment and responsibility to practice good security dayand night.• Work to make the information factual and provide real world examples ofwhere things went wrong. By sharing information on what is good andhow bad impacts the brand and reputation of a company help youremployees understand why compliance of policies is so critical.• Programs that relied on 90 Day plans, and reevaluated the program andits goals every 90 Days, are the most effective. Every 90 days, the programis reevaluated to determine what topics need to be addressed movingforward.
14/5/2013 ISACA – Sofia Chapter 14How to be successful• Awareness programs that obtain C-level support are more successful. Thissupport inevitably leads to more freedom, larger budgets and supportfrom other departments.• Creativity is a must. While a large budget helps, companies with a smallsecurity awareness budget have still been able to establish successfulprograms. Creativity and enthusiasm can make up for a small budget.• One of the key factors in having a successful effort is being able to provethat your effort is successful. The only way to do this is to collect metricsprior to initiated new awareness efforts.• Awareness efforts that focus on how to accomplish actions are moresuccessful than those that focus on telling people that they should not bedoing things.• The most successful programs are not only creative; they rely on manyforms of awareness materials. The most participative efforts appear tohave the most success.
14/5/2013 ISACA – Sofia Chapter 15Takeaways• Start measuring by creating a baseline, defining a clear goal, and trackingprogress. If you aren’t moving in the right direction, adjust the course.• Awareness programs, when properly executed, provide knowledge thatinstills behavior, i.e. changes habits, i.e. drives for a better culture.• Approach of not concentrating on raising awareness, but changingemployee behavior, habits and actions to create a culture, by using“prescriptions.”– Using password vault within Twitter ended up reaching over 75% of users;– Twitter mastered training approach via constant feedback and evaluation.• There is no technology that will prevent the human misbehavior, e.g.mishandling of paper information and computer media.• Awareness mitigates non-technical issues that technology cant. Bymeasuring return on investment you will find that awareness is one of themost reliable measures available.
14/5/2013 ISACA – Sofia Chapter 16Takeaways• Focus on security culture, not training, and to constantly measure theeffect of the training so that it can be repeatedly reshaped in order to bemore effective - and here is where the feedback comes in handy.• Never to give up on users: "Its never a lost cause until you believe it is.“• “For” and “against” awareness training: an easy for-“victory”, simplybecause it is not possible to provide clear and consistent evidence thattraining is not working. There is plenty of evidence of the opposite.• Education and training is not perfect. The challenge is that even if you doit right, it can be hard to document effect, and to show a clear causationbetween your training efforts and the behavior change.• The biggest issue is perhaps that awareness efforts are frequently notoptional. Telling people not to do something, because we believe it is abad idea is just not an option.• Address and utilize interpersonal skills, personality traits, motivationaltheory; do not rely only on technical skills, risk management models andpolicy making.
14/5/2013 ISACA – Sofia Chapter 17Go rocket-scienceTwo different sides of the brain control,two different “modes” of thinking.(Theory of the structure and functions of the mind)• People think and learn in different ways with evidence of differentlearning characteristics, but different cultural groups may emphasize onecognitive style over another: the verbal vs. the nonverbal, representedrather separately in left and right hemispheres respectively.• Our education system, as well as science in general, tends to neglect thenonverbal form of intellect. Modern society discriminates against theright hemisphere, i.e. nonverbal thinking.• Most children rank highly creative (right brain) before entering school.Because our educational systems place a higher value on left brain skillssuch as mathematics, logic and language than it does on drawing or usingour imagination:– Only 10% of these same children will rank highly creative by age of 7.– By the time we are adults, high creativity remains in only 2% of the population.
14/5/2013 ISACA – Sofia Chapter 18Right Brain vs. Left BrainLEFT BRAIN FUNCTIONSuses logicdetail orientedfacts rulewords and languagepresent and pastmath and sciencecan comprehendknowingacknowledgesorder/pattern perceptionknows object namereality basedforms strategiespracticalsafeRIGHT BRAIN FUNCTIONSuses feeling"big picture" orientedimagination rulessymbols and imagespresent and futurephilosophy & religioncan "get it" (i.e. meaning)believesappreciatesspatial perceptionknows object functionfantasy basedpresents possibilitiesimpetuousrisk taking• Left-brain scholastic subjects focus on logical thinking, analysis, andaccuracy.• While Right-brained subjects focus on aesthetics, feeling, and creativity.
14/5/2013 ISACA – Sofia Chapter 19Right Brain vs. Left Brain• Our conscious mind can only focus on data from one brain at a time.Eventually ultimate authority to enter consciousness is delegated to onebrain or the other. In our modern world, this battle is almost always wonby the left brain.• Sometimes skills which the right brain can perform better are routinelyhandled, with less skill, by the left brain.Too bad, and now what?• Methods have been devised to "shut off" the left brain, allowing the rightside to have its say, even temporarily.• The logical left side is easily bored by lack of input and tends to "doze off"during such activities as meditation (repeating a mantra or word over andover) or in sensory deprivation environments.
14/5/2013 ISACA – Sofia Chapter 20Why should I care?How is all this related to people training?• To foster a more whole-brained scholastic experience, teachers shoulduse instruction techniques that connect with both sides of the brain.• Increase right-brain learning activities by incorporating morepatterning, metaphors, analogies, role playing, visuals, and movementinto reading, calculation, and analytical activities.• For a more accurate whole-brained evaluation of studentlearning, educators must develop new forms of assessment that honorright-brained talents and skills.Ideally, both brains work together in people with optimum mental ability. Thiscoordinating ability may be the key to superior intellectual abilities.Such employees shall form better habits, shall develop great organizationalculture, shall be more productive/creative, so it goes, the never-ending story.