My GRRCON 2013 talk on imparting security awareness. This is based on a highly successful and well received awareness program I created and rolled out for both blue collar and white collar users.

1. How to get them to really understand why security is important
BOHICA: YOUR USERS, YOUR PROBLEM

2. “I personally believe that training users in
security is generally a waste of time, and
that the money can be spent better
elsewhere. Moreover, I believe that our
industry's focus on training serves to
obscure greater failings in security
design.”
- Bruce Schneier, March 2013

3. JOEL CARDELLA
• Director, Information Security for a multinational manufacturing company
• 16 years IT experience, I&O focused
• In 2012 I created and delivered an awareness program to the general
population of a manufacturing company
• The program targeted general security awareness
• Based on survey responses:
• 98% of the population said the material was easy to understand
• 91% rated the program as Extremely Relevant or Very Relevant to their
jobs
• 96% said they would be able to use the material in their personal lives
• 97% said they would like to receive more IT programs in the future

4. WHAT I PROMISED
• How to create a security awareness program which can be
targeted to any level of user ability, in any user.
• Specifically show how targeting consumer behavior migrates to
the enterprise.
• Motivational ways to engage users on the topic, in terms they
understand
• Some ways to measure effectiveness
• How to prevent BOHICA

5. WHY DOES AWARENESS FAIL?
How users view IT How IT views users
For awareness to work this must change!

6. AWARENESS IS A SECURITY DISCIPLINE
• Awareness is not about creating a culture of fear & response
• Awareness is about reducing risk by shrinking the attack
surfaces
• Like any security countermeasure, awareness is not 100%
effective…
…but it is critical in maintaining a layered defense strategy

7. AWARENESS IS HARD
• Awareness benefits are often intangible, anecdotal and difficult
to measure
• Thus, programs are a difficult sell to C-levels
• However, good awareness doesn’t have to follow a formula, and
it can be done for very little cost

8. AWARENESS AND TRAINING
ARE NOT THE SAME!
“Awareness is not training. The purpose of
awareness presentations is simply to
focus attention on security.
Awareness presentations are intended to
allow individuals to recognize IT security
concerns and respond accordingly. “

9. PLANNING THE PROGRAM
What I did … YMMV

10. WHAT I DID (YMMV)
Source: SANS Securing The Human

11. COMPANY PROFILE
• Industry: Manufacturing
• IT Users: 5000
• Plants, facilities and remote trailers (blue collar, very low IT investment)
• 75% of the user base
• Corporate offices (white collar, mix of staff and management, very high IT
investment)
• 25% of the user base
• Physical Locations: 400+
• Countries: 2
• Languages: 2
• GOAL: Create a targeted awareness campaign that every IT user at every level could
benefit from

12. REFINING THE MESSAGE
• To create the program, I started with a question:
• What understanding did I want to impart?
• The company had developed an annual one page sign off of security rules, called “the 5
IT rules”
Every user every year signs
and acknowledges these rules
But had we ever taken the time
to explain them, or why they
were important?

13. FURTHER REFINEMENT
• So the program core was centered on the 5 IT rules, and all the
resulting materials built around them
• In reality, only rule 1 would have the most impact for both
awareness and for security
• So, the most time and energy spent in the sessions would be
around constructing good passwords [and locking PCs]

14. HOW DO YOU GET THEM TO CARE?
• It's incredibly difficult for users to care about security, because,
from a rational cost-benefit view, they draw a conclusion that it's
not worth it
• We require stringent, complex passwords that change with
increasing frequency – and we want them to use more than one
• They have no understanding of what they are trying to protect in
a business sense, so they have no attachment to it
• They may not have the savvy to work with the technology, so
they get frustrated

15. THE PROGRAM

16. OPENING THE MEETING
• The first thing I did was engage them on their level
• I acknowledged this was mandatory, and no one likes being forced into a
meeting
• I acknowledged that they thought security was - *GASP* - boring
• I acknowledged that they thought the next hour of their time would be a waste
• This set the stage for the information I was going to give them, and framed with a bit
of humor
• Now that the level was set, I had to speak at that level – which meant very little “tech
talk”
• I had to give them information about security and risk that they could use in context
• This is called “casting the line”

17. COMMON UNDERSTANDING
• I started with background data to get them to a point of common
understanding
• Security is concept that applies to everything you do in life:
at work, at home, with family & friends
• Security is not just technology, it’s about physical space and
documents
• Mobility has brought personal and work lives together, and
interconnected everyone (thus raising risk)
• I also had the benefit of using some failed audits as a driver and
lever - YMMV

18. NEXT, I INTRODUCED NOTEWORTHY NEWS
ITEMS
• I grabbed some news headlines of big, well known data
breaches
• Sony
• Visa
• RSA
• NASDAQ
• This gave them context for the discussion using names and
news items they had heard of

19. DATA = $$
• I explained that data breaches (aka “hacking”) was all about
the monetization of the data
• Everything is now for sale, it’s no longer about bragging
rights
• Then I showed them smaller breaches, but closer to home
• Medical records
• Financial records
• SSNs

20. AND A BIT MORE CONTEXT
• Jan 15, 2012: 24 Million customer records on Zappos.com
• Jan 20: Arizona State University: 300,000 records downloaded by an illegal party
• Jan 20: Kansas Dept Of Aging: 7,100 records resulting from theft from a vehicle of paper
files, laptop and flash drives
• Jan 24, 2012: 1,245,000 records from New York State Electric & Gas (NYSEG),
• Jan 30: University Of Miami: 1200 medical records stolen from a briefcase with flash
drive
• Feb 6, 2012: 17,000 records when an October 2011 burglary from a physician’s office
resulted in the theft of a laptop. Laptop contained names, DOBs, physicians and
diagnosis information.
• Feb 15, 2012: St Joseph Health System: 32,000 records of patients available on internet.
Hospital did not know until contacted by attorney

21. HOW IT IMPACTED THE BUSINESS
• The next part was a brief slide of the infections & breaches we
had seen at the company, and how they had impacted business
• Again, this was to impart the context of how security breaches
impact all parts of their lives
• This was an important slide for business context, but I did NOT
spend a lot of time on it
• This is where they will get lost & bored
• This is called “reeling in the line”
• Reel too fast and you lose your fish
• Reel too slow and you lost your bait

22. SETTING THE HOOK
• Now that the stage was set with context, I shifted gears to show what IT
initiatives were in place or in the works to deal with these things
• Locking down admin rights on PCs
• 2 factor authentication for IT System Admins
• Training IT Staff on current threats/trends
• Vulnerability Tests
• Segregation of Duties – NOTE: this was a big bone of contention
because of the impact to users in the business, so it helped to
explain why it was necessary
• What this did was show that IT was doing what it could to help prevent,
detect and respond to threats
• But we needed them to come to the table as well
• This is what we call “setting the hook”

23. ENGAGING THEM
• This is where you are asking for help, creating empathy
• This is where humor is your ally!
• This is IT outreach, and it’s sorely needed in all organizations

24. FOCUS ON PASSWORDS

25. RECAP: WHAT HAS HAPPENED SO FAR
• I have created empathy
• I have given them context for security at home and at work
• I have given them an expectation of what we need from them
• I’ve set the hook and begun to reel them in
• WHAT HAS REALLY HAPPENED
• The concept of risk has been illustrated
• We’ve shown why risk needs to be reduced
• They have had a few laughs
• They are seriously worried about having to make 30 character
passwords

26. NOW WE FOCUS ON WHAT WE WANT THEM TO
LEARN
• So, if we need passwords to be strong we have to explain why
• So, I discuss “What is the value of your password?”
• Put a monetary value on a user password, so if it is compromised the
value can be used to determine the impact
• I used the company annual report of profit ($500M)
• We have 5 main business processes, so even division means that each
process contributes $100M to profit
• If a user contributes only 1% to their business process, then their
password is worth $100,000
• These are really simple expressions that are not 100% accurate but they
help send the message

27. APPLY THE SAME CONCEPT TO THEIR
PERSONAL LIVES
• Add up the total of all your personal assets or use an arbitrary number to
represent data value
• Every password in your personal life then has this value associated with it
• Email
• Bank/finance
• Crazy web sites
• So the concept of password strength is universal, and this is what the user
must understand – this is awareness; that passwords at home and at work
represent identity, and that identity must be protected regardless of context
(business or personal)
• This is the real hook – getting them aware that this concept of security
applies to any context of using IT systems

28. NOW THE MEAT
• I told them here that this was the important stuff
• If they walked away retaining anything it was this

29. I USED THE STRATFOR BREACH
• I showed the actual list of breached passwords, so they could see what were considered bad
passwords & why
I explained that password
crackers use dictionary
word lists to guess
passwords, and that’s why
we say don’t use real
words
I also asked if anyone saw
their own password on the
list

30. I EXPLAINED PASSPHRASES
• I showed how
to construct
strong
passwords from
pass phrases
• I asked them
not to hum
when typing
them

31. AND NOW THE QUIZ
• To test the concept of whether or not what I was saying was getting through, I did
a quick quiz
• The quiz showed a password and I asked
• Is this a good, strong password?
• Why or why not?
• The final question in the quiz showed a 16 character password
• I asked them if it was:
• Compliant with corporate policy
• Strong
• Easy to remember
• They said NO
• Then I sang the passphrase it was attached to – and I saw the light bulbs light

32. PASSWORD QUIZ!
• Are these strong passwords? Why or why not?
• Cindy2012
• No! This complies with corporate security policy but is easily guessed
• Fisherman
• NO! Real word in the dictionary
• GoWings!
• Hey I’m from Detroit.
• No, this password is too easily guessed
• P@ssw0rd#1
• No. These substitution tricks are too common – looks too much like a real world,
easily guessed
• H,dyhtstmbgitw?1
• Yes! It doesn’t look like any words and it has enough complexity
• Themostbeautifulgirlintheworld1.
• Yes! This very complex and long (32 characters!) and can’t be easily guessed, even
though it has real words in it

33. GIVE THEM A GOAL
• I set a goal for them to have one distinct long & complex
password for one login: their personal finances

34. AT THIS POINT: AWARENESS
• This is when awareness kicks in
• This is the point that they realize they can make strong
passwords that they can easily remember
• They also realize they can use different passwords across
applications, and also remember them
• And then I offered a bonus class session on managing complex
passwords using password management software (KeePass)
• Imagine what would happen to your enterprise if you had a 20%
to 30% shift in users using strong passwords
• Imagine what would happen to the world if this shift occurred?

35. I QUICKLY ADDRESSED THE OTHER 4 RULES
• I linked it back to personal behavior
• Locking your PC is like locking the door to your house – you are trying to
keep your valuables safe
Many users did not know
that you could lock a PC
using Windows+L
They also did not know how
easy it was to unlock
Don’t assume your users
know these things!

36. LET’S TALK
• When you have achieved this point, stop talking about the
company/business and keep the talk focused on their personal
lives
• This is awareness, which is behavioral focused, and if we get
them to behave securely in their personal lives, this will migrate
to the enterprise

37. CONSUMERIZATION

38. CONSUMER BEHAVIOR APPLIES TO THE
ENTERPRISE
• Now I discussed consumerization and the risks
• Social Media
• Mobility
• Public Wifi/Public access terminals
• For the older generation, I acknowledged that while they might
not use these things in any large capacity, they knew someone
who did: their kids, nieces/nephews, friends, neighbors

39. TALKING THE TALK
• I addressed “bad” behaviors
• Avoid using the same usernames and passwords among multiple
applications/websites
• I talked about “good” behaviors
• 2nd factor authentication for email/Facebook/Twitter (protecting identity)
• I gave personal anecdotes
• My wife’s Facebook post from Foursquare showed we were at the
movies, the show times, and a map
• This is important as it illustrates that anyone can be in a compromised
position

40. WALKING THE TALK
• Social networking:
• I showed them how to use Facebook privacy settings, and what the important
ones were
• Explained social interconnection, and how posts from others can impute
information about themselves (esp kids)
• How it can be used for identity fraud
• Mobility
• I discussed the importance of PIN locking a smartphone
• I discussed apps accessing more data than they might want
• Public access
• I discussed use of public terminals (library computers) and to log out/close
browser sessions
• I discussed that SMS on a data network can be captured in the clear

41. I SHOWED THEM HOW TO BE SECURE AT HOME
• An important item is to engage them at home – personal behavior migrates
to the enterprise
• I talked about how to secure their home PCs by using antivirus, and
accepting regular software and OS updates
• I talked about physical security and different lock types
• I also gave them takeaways for home which included a list of free AV apps
and other open source programs which can be helpful
• I opened the floor for a Q&A about home PC use

42. 2 OPTIONAL CLASSES
• I also gave 2 optional classes at each site
• Managing passwords using password management
software (KeePass)
• Creating backups for home and for work using open
source tools (Fbackup)
• The feedback here was 100% positive from those who
attended, and I have been asked to continue giving
these classes

43. GAUGING SUCCESS

44. SUBJECTIVE MEASURES
• “Success” with awareness is more subjective that objective
• So I gathered subjective observations and included them in an executive
report
• I was doing a two day session at a plant. A terminal operator from day
one came to me and said “Last night my wife and I sat down and
changed all our passwords. Thanks!”
• At one location, the plant employees asked if their wives come come
hear the talk about Facebook and social media protection – so I gave it
again for them as well
• At one corporate location, after giving the class on managing passwords
with KeePass, a Finance controller came to me and said “This has
changed my life for the better”

45. OBJECTIVE MEASURES
• I created a quick, 10 question survey and distributed it via SurveyMonkey
• Was the material presented in a way that was easy to understand?
• Yes/No/Partial
• 98% Yes
• How relevant is the material to your job?
• Exteremely/Very/Somewhat/Slightly/Not at all
• 91% Extremely or Very
• Will you be able to use the material in your home life as well as work life?
• Yes/No/Partially
• 96% Yes
• Do you think this material is important to you and the company?
• Yes/No/Partial
• 97% Yes
• Then some questions about me as a presenter and a couple of optional questions & comments

46. IMPACT ON METRICS
• The impact on metrics was minimal, but noticable
• The rate of infection didn’t change
• The amount of malicious activity like side-scanning didn’t change
• The number of tickets reporting fake/phishing email went up 2400%
• From 2-3/month to 50+/month
• The number of contacts by users into Security about general questions went
up 300%
• Rough 2-3 per year to 30+

47. WHY WAS IT SUCCESSFUL?

48. ENGAGEMENT AND PARTNERSHIP
• Partnering with HR was key
• HR managed the meeting organizations
• HR tracked them as training sessions (all employees have
mandatory training hours)
• I talked to users in their language
• I didn’t use acronyms, or explained the ones I did
• Did not see them as Juggalos

49. IT’S ALL ABOUT CONNECTING AND OUTREACH
• Awareness doesn’t have to be a program, you can use other
ways
• Offer optional training classes on IT tools
• Backup management
• Password management
• How to protect a home PC
• How to effectively use search engines
• Publish a security newsletter, with personal information that can
be used at home
• Especially target information for families

50. NEWSLETTER EXAMPLES

51. NEWSLETTER EXAMPLES

52. NEWSLETTER EXAMPLES

53. TOOLBOX

54. ONLINE TOOLS
• Privacyrights.org
• Lists reported data breaches
• Verizon Data Breach Investigation Report
• http://www.verizonenterprise.com/DBIR/2013/
• Microsoft Threat Intelligence Report
• http://www.microsoft.com/security/sir/default.aspx
• Ponemon Threat Intelligence Report
• http://www.ponemon.org/
• Popular news stories about security

55. CONTACT INFO
• Joel Cardella
• Email: dronf@pobox.com
• Twitter: @JoelConverses
• Freenode IRC: #MiSEC