Practical Advantages of a Security Educated Workforce


  1. Adventures in Security Awareness: Practical Advantages of an Educated Workforce
  2. Speaker Biography
     • 15+ years fighting the InfoSec leadership battle
     • Knows a few things about information security governance and what it takes to build a successful security program
     • Helps other security leaders build successful governance, risk management, and compliance (GRC) programs
     • Also helps start-ups, small businesses, non-profits, and university enterprises produce big business success
     Keyaan Williams, www.linkedin.com/in/keyaan, @KeyaanWilliams
     Adventures in Security Awareness: Practical Advantages of an Educated Workforce 2
  3. Forcing users to complete annual security training to check boxes is rubbish! There are better ways to use education, training, and awareness to improve security.
  4. Outline
     • Definitions
     • The Compliance-Driven Approach
     • The Compliance-Driven Problem
     • A Culture-Driven Alternative
     • Every Security Person Can Contribute
     • Summary and Q&A
  5. Definitions: Understanding the words we are using will help drive the point home.
  6. Practical (adjective): of or concerned with the actual doing or use of something rather than with theory and ideas.
  7. Education: focuses on transferring knowledge or information via communication tools that produce long-term retention.
  8. Training: focuses on activities, coaching, and feedback that develop new skills or new knowledge that students can apply to their work.
  9. Awareness: focuses on the increased perception of facts or information.
  10. The Compliance-Driven Approach to “Security Awareness Training”: The regulators made me do it!
  11. What normally happens
     • Compliance defines the approach rather than tailoring something unique for the organization.
     • Education, training, and awareness are consolidated into one big blob that is a single objective/activity.
     • Education, training, and awareness are not distinct activities with specific, individual purposes.
  12. The Compliance Perspective: “The organization will be more secure because you gave users security training and you confirmed that everyone participated at least annually.”
  13. ISO 27001 and 27002: “All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function.”
  14. NIST 800-53, AT-2: “The organization provides basic security awareness training to information system users.”
  15. PCI-DSS: “Implement a formal security awareness program to make all personnel aware of the cardholder data security policy.”
  16. PCI DSS v3.2 Testing procedures (12.6.1 and 12.6.2)
     • Verify people attend training when hired and at least annually.
     • Obtain acknowledgement that people have read and understand the security policy.
  17. The Compliance-Driven Problem: Compliance provides a budget, but it doesn’t tell me how to be effective.
  18. The compliance problem: Compliance incentivizes a generic approach that rarely changes behavior or has a meaningful impact.
  19. The compliance problem: Compliance requires no validation that users can apply what they learned to their work.
  20. The compliance problem: Compliance measures how many, but not how effective. Does theory produce practical results?
  21. The Worst Case
     • Content has nothing to do with the organization or its current threats
     • It is optional or some people are forgotten
     • It only focuses on phishing and makes people afraid to check their e-mail
     • It produces no change in user-generated security events
  22. A Culture-Driven Alternative: What can we do to make this work for everyone?
  23. What does culture have to do with anything? Sociology 101: Culture is the sum of attitudes, customs, and beliefs that distinguishes one group of people from another. This should drive the content of education, training, and awareness at an organization.
  24. Security Theory and Culture Collide: Incorporating security theory from education, training, and awareness into the culture of the organization can practically make the organization more secure.
  25. This is about changing (or strengthening) security culture
     • Emphasize what is important.
     • Reward behaviors that reflect what is important.
     • Discourage behaviors that do not reflect what is important.
     • Model the behaviors that you want to see in the workplace.
     C. McNamara, "Organizational Culture," Authenticity Consulting, LLC, 2000. [Online]. Available: http://managementhelp.org/organizations/culture.htm#influence. [Accessed June 2016]
  26. What is important?
     • Assets and how we protect them.
     • Data and how we protect it.
     • People and how we protect them.
     • Stakeholders and how we protect their interests.
  27. What is good behavior?
     • Follow policies, procedures, and standards.
     • Report anomalies and strange events: “see something; say something.”
     • Conduct activities ethically.
  28. How do we discourage bad behavior?
     • Frown at nonconformists; peer pressure is effective.
     • Formalize recourse in policies and standards (e.g., HR and performance reviews).
  29. How do we reward good behavior?
     • Money
     • Recognition
  30. A Simple Culture Case Study: The simplicity of cause, effect, and human behavior.
  31. Rewarding good behavior influences the workforce. Most people want the reward.
     I want recognition that produces a reward → I inform security operations about suspicious e-mail → They recognize me or give me money
  32. Every Security Person Can Contribute: I am not part of the security awareness team. What does it have to do with me?
  33. Every Security Person Can Contribute: You don’t have to be a CISO, Director, or Security Leader to contribute to the practical security education of your organization.
  34. Every Security Person Can Contribute: Practitioners have a great opportunity to communicate relevant information and influence behavior as part of their interactions with people.
  35. Every Security Person Can Contribute: You are a professional; you know a lot! Share that information with everyone you encounter.
  36. Every Security Person Can Contribute: Tailor content based on the audience. Tell executives, managers, IT personnel, and non-IT end users the same story, but package the story differently based on the risk each group faces.
  37. Every Security Person Can Contribute: Discreetly retrain compromised users. You don’t have to embarrass people to get them to change.
  38. Every Security Person Can Contribute: Bedside manner is important! Don’t be a donkey about it.
  39. Case Study 2: Combining incident response and user re-education to improve security.
  40. Combining security awareness and incident response to improve security
     User causes event → CSIRT activated → Root cause analysis → Results shared with user → Anonymized results shared with workforce → # similar events decreases
     This actually happened!
  41. User causes event: “Oh my! I downloaded a malicious file from a suspicious e-mail.”
  42. CSIRT activated: Enterprise controls detect the IOC and the Computer Security Incident Response Team (CSIRT) is activated to provide remediation.
  43. Root cause analysis: The CSIRT conducts root cause analysis to identify the malicious software’s impact and method of installation.
  44. Results shared with user: Findings from the root cause analysis are shared with the user.
     • The user understands his or her part in the activity.
     • This understanding prevents a repeat offense.
  45. Anonymized results shared with workforce: Results are anonymized to protect the image of the affected user and shared with the workforce.
     • The affected user is not embarrassed.
  46. # similar events decreases
     • Everyone learns from a single mistake.
     • Other users are less likely to repeat the actions.
     • A culture of respect increases the likelihood that users will report anomalous events.
  47. Summary: What should I remember from this conversation?
  48. Summary
     1. Compliance requires security awareness training, but a compliance-driven approach is the wrong approach.
     2. Effective education, training, and awareness can reduce the risk introduced by users.
     3. Effective training is tailored, interactive, and meaningful.
     4. Awareness is important to reinforce ideas.
     5. All security personnel can contribute to education, training, and awareness in an organization.

Editor's Notes

  • Awareness and Training (AT) family has 5 controls
    NIST SP 800-50 provides supplemental guidance for Building an IT Security Awareness Training Program