Lance Spitzner - sans.org (PDF transcript)

Post on 08-Mar-2018


Lance Spitzner
securingthehuman.sans.org
lspitzner@sans.org
@securethehuman

WindowsOS vs. HumanOS

[Timeline figure, 2002 to 2014: Windows OS security controls introduced over the period]
– Trustworthy Computing, Software Restriction Policies
– Automatic Updating, Microsoft Secure Development Lifecycle, Firewall Enabled by Default, Baseline Security Analyzer, Data Execution Protection (DEP)
– Malicious Software Removal Tool
– Windows Defender
– ASLR, User Account Control, BitLocker, Windows Service Hardening, Mandatory Integrity Control
– AppLocker, Encrypted File System
– Microsoft Security Essentials, EMET

[Timeline figure: HumanOS maturity over the same period, compared with WindowsOS]
– Non-existent
– Compliance Focused
– Promoting Awareness & Behavior Change
– Long-Term Sustainment & Culture Change
– Metrics Framework
– Security Awareness Maturity Model

Fogg Behavior Model

Communication

• Most organizations have teams of security experts and know what the human risks are.

• Where we fail is communicating the solution – curse of knowledge.

• Security Communications Officer

2016 Sec Awareness Report

Start with WHY
• Why does cyber security matter?
• Communicate at an emotional level, do not rationalize
• Condense message to core, something people can easily understand.
– Kotter [Leading Change] calls this the Vision
– Heath [Made to Stick] calls this the Commander’s Intent.

How Organization Benefits
Instead of changing your culture, play on your organization’s existing culture

– Industrial Control System (ICS) industries have a very strong safety culture, cyber security contributes to safety

– Healthcare has a strong culture of patient care, cyber security contributes to the wellbeing of patients

– Where does your employees’ pride come from?

How Individual Benefits
• Keep message positive, focus on how security enables (addresses blocker issue)
• Your awareness topics are the same for both home and work, focus on personal benefit
– Far more likely to listen
– Security becomes part of their DNA, same behaviors at home and work

Organizational Culture
• How do we communicate this new vision?
• Start with defining your culture
– Conservative vs. outgoing
– Different definitions of offensive
– Generational differences
– Localization

• You may have multiple cultures

Outgoing
• Examples include marketing firms, technology companies, universities, and hospitality
• Outgoing cultures prefer
– Using the latest technology such as social media or mobile devices
– Watching content as opposed to reading content
– Fun / entertaining material

Conservative
• Examples include financials, insurance, defense industry or law firms
• Conservative cultures prefer
– Content that is subdued and professional
– Reading content as opposed to watching content
– May prefer to work directly with people

• A conservative culture can be an advantage, easier to stand out

Push vs. Pull
• Push: Sending information to people
• Pull: People get information on their own
– People too busy for scheduled events
– People’s e-mail boxes are overwhelmed
– Communications departments are limiting what you can push out
– Competing with other training communications

Computer Based Training

Newsletters
• Monthly or quarterly newsletter
• Keep it short, non-technical, and easy to read, include contact information
• Track downloads
• Be prepared for it to go home / go viral

Security Blog

• Simple, interactive way to reach people on their own schedule

• Update your blog 1-3 times a week with engaging content

• Titles are everything
• Engaging content that is not too long or too short

Promotional Items

[Image: promotional item printed with “Do Not Write Your Password On This”]

Mascots / Tag Lines

[Image: two mascots, captioned “I don’t like it here! There is nothing to eat!” and “I like it here! There is lots of information to satisfy my stomach!”]

Self-Education (Pull Method)
Create a central security portal for employees
– Links to trusted tools
– Downloads for materials and presentations
– Security Blog or news updates
– Online form for submitting questions or incidents
– Scan my computer
– Glossary of terms or FAQ
– Examples / results of phishing assessments
– Training or internally created videos
– Update site regularly so people want to return

Ambassador Program
• Instead of training coming from the top down, the training comes from peers
• Security team trains volunteers to become ambassadors, provides ambassadors with resources, then ‘embeds’ them throughout the organization

• Have ambassadors help create your materials

Ambassador Keys to Success
• Motivation
– Recognize ambassadors for their work (e-mail their boss / HR, letter from CEO, team shirts)
– Chance to build their network throughout org
– Chance to develop new skills / make a difference
• Ability
– Train ambassadors
– Provide resources such as a portal, dedicated maillist, premade FAQs, and presentations
– Budget

Gamification
• The concept of turning learning into a game
– www.khanacademy.org
– www.codeacademy.org

• Recognize people for secure behaviors through levels, badges or progression maps so people can visualize their progress

• Not for everyone

Salesforce

Leveraging Leadership
• Ensure your leaders understand the important role they play
• Often leaders believe in your security mission, but do not know how to demonstrate that. Give them examples of key behaviors to show or things to say to employees

• Reach them through their assistants

Summary
Communication is where most awareness programs fail. The key to making it stick is to focus on how people benefit and hit them with multiple methods.

securingthehuman.sans.org/events
