The 7 Habits of Highly Successful Security Awareness Programs

Uploaded by vankhanh, posted 09-Feb-2018

Page 1

Session ID: STAR-301

Session Classification: Intermediate

Samantha Manke and Ira Winkler

Internet Security Advisors Group

The 7 Habits of Highly Successful Security Awareness Programs

Page 2

Why Security Awareness?

Page 3

Captain Kirk

Who wouldn't guess a password of "Captain" on an account with the user ID "Kirk"?

This happened at NSA

Page 4

Whose Fault Is it?

She sounds like an idiot

She is an Ivy League graduate

Why was she not previously told that she shouldn't have that as a password?

Why was the password allowed in the first place?

Page 5

This Is Not Unique

Security professionals make assumptions about the base level of knowledge of end users

Also extends to knowledge assumptions about other technical professionals

As per Felix Unger, when you assume you make an ass/u/me

Page 6

Common Sense

The problem is that security professionals assume that users should exercise common sense

There is no such thing as common sense without a base of common knowledge

Security programs fail because they assume that common knowledge already exists

Page 7

It’s Not Stupid Users

It's incompetent security professionals

While there are some stupid activities on the part of the users, I always ask what the security staff could have done better

Does your staff stop and ask how the incident could have been prevented?

Is there a discussion of both modifying user activity and preventing user activity?

Page 8

Security Awareness is Implementing Security Culture

Not exactly, but close enough

Security awareness is to get people to implement secure practices into their daily activities

Security awareness is to strengthen security culture

Must instill common knowledge of concerns and base actions

Page 9

Why Security Awareness?

The human factor

Technology can only help so much

• Security Awareness programs are an integral part of a mature security program

Cost-Effective Solution

• Required by standards and regulations

Page 10

The Problem with Security Awareness Programs

• Varying degrees of quality in awareness programs

• The 3-year cycle

• Poor security cultures

Page 11

The Study: Opportunity Statement and Methodology

Page 12

Opportunity Statement

My work experience gave me the unique opportunity to build a program from scratch

The local ISSA chapter's Security Awareness user group (a.k.a. "Support Group") meets bi-monthly, and its delegates were willing participants

Security Awareness material is seen as non-proprietary

Page 13

Approach/Methodology

Qualitative

Face-to-face interviews with Security Awareness Specialists

Quantitative

2 Surveys

– 1 for Security employees

– 1 for Non-Security employees

Limitations

Page 14

Study: Analysis

Page 15

Analysis: General Trends

In the end a total of 7 companies participated

2 from the Health Sector

2 from the Manufacturing Sector

1 from the Food Sector

1 from the Financial Sector

1 from the Retail Sector

Companies were often surprisingly honest about the success of their programs

No participating company had any metrics to assess their effectiveness

Page 16

Analysis: General Trends

Most companies struggle to gain support:

From upper management

From key departments

From their user population

Compliance:

PCI helps with support and budget

HIPAA does not

Page 17

Analysis: General Trends

Variety of approaches

Some Security Awareness Specialists had a security background while others had a marketing or communications background

Companies had 1-26 employees contributing to efforts

Page 18

Analysis: Security Respondents

• 87% of Security Respondents (“SRs”) reported their programs are successful

• Roughly half reported having difficulty encouraging their employees to take security seriously

• Only 19% reported a lack of support from management

Page 19

Analysis: Security Respondents

• 26% reported a lack of enthusiasm for their efforts

• 50% reported having difficulty receiving funding for their initiatives

Page 20

Analysis: Non-Security Respondents

• 100% of Non-Security employees reported having learned something from their company's Security Awareness program

• 100% reported being "security-minded individuals"

• 100% reported thinking their company's Security Awareness programs are successful

Page 21

Analysis: Non-Security Respondents

• Only 60% reported changing their behavior as a result of Security Awareness

• 92% reported viewing their Security team positively

• 12% reported having conflicts with their Security team

Page 22

Results

• Security is difficult to administer at most companies

• PCI compliance helps with enforcement and awareness

• Creativity and/or mandatory training are the key(s) to success

• Companies with more top-level support are more successful

Page 23

The Habits

Page 24

Habit 1: Create a Strong Foundation

• This is the main source of failure

• Make a 3-month plan

• Topics may change

Page 25

Assess Approach

• Softball

• Hard push

• Avoid fear-mongering

Page 26

Deciding Which Components the Program Should Have

• Which mediums of communication will be most effective at your company?

• Which mediums are already saturated?

• What are employees most receptive to?

Page 27

Recommended Components

• Website

• Posters

• Newsletters/Blog

• Monthly tips

• Lunch and Learns

• Roadshows

• Speakers

• Security Week

Page 28

Keep the Program Fresh

• Easy to fall behind

• Pay attention to the news

• Create new material for every month

Page 29

Habit 2: Organizational Buy-In

• Appeal to the highest level you are able to engage

• Market some materials to the C-level

• Stress benefits of Security Awareness

Page 30

Habit 3: Participative Learning

Learning modules

Interactive components

Make user feel involved

Additional tools: Phishing

Page 31

Habit 4: More Creative Endeavors

• Guerrilla marketing campaign

• Security Cube

• Demonstrations and movie showings

Page 32

Habit 5: Gather Metrics

No participating company gathered metrics

Compare rate of reported incidents pre and post

Collect metrics ahead of time so you can measure success after the fact

Should you do a pen test/assessment?

Page 33

Assessing Success

Assess which components have been successful

Administer a survey

Try to keep it anonymous

Offer a drawing that employees can enter for a prize

Understand limitations

Page 34

Habit 6: Partner with Key Departments

Reinforces company message vs. security message

Consider departments such as:

Legal

Compliance

Human Resources

Marketing

Privacy

Physical Security

Page 35

Habit 7: Be the Department of How

Department of “How” vs. Department of “No”

Teach instead of dictate

Establish positive security culture

Page 36

Conclusions

Page 37

Next Steps

ISSA's "Great Security Awareness Experiment" series

Many opportunities for additional research

Non-security employees should be re-surveyed

Additional companies from different sectors could be included

A deeper dive into participating companies could be conducted to ask about discrepancies

Page 38

Apply

• Focus on building support before spending too much time on other aspects

• Do a thorough assessment of culture before starting or revamping program

• Consider partnership with other key departments

• Focus security awareness on common knowledge so users can exercise common sense

Page 39

For More Information

[email protected]

+1-651-325-5902

http://www.linkedin.com/pub/samantha-manke/21/34/779

[email protected]

+1-410-544-3435

www.facebook.com/ira.winkler

@irawinkler

www.linkedin.com/in/irawinkler
