
Building a Culture of Digital Self Defense


NYSERNET Conference presentation on building a cyber security culture in higher education: thinking strategically, building a communications plan, best practices in security awareness.

Published in: Education


  1. Building a Culture of Digital Self Defense. Ben Woelk, CISSP, CPTC, Program Manager, Rochester Institute of Technology, 4 October 2018
  2. Why Build a Culture of Digital Self Defense? OR
  3. Who Am I?
     • Member, EDUCAUSE HEISC Awareness and Training Working Group
     • Vice President, Society for Technical Communication, Associate Fellow (2018)
     • Adjunct professor teaching Intro to Computing Security and technical communication classes at the Rochester Institute of Technology
     • Practice areas in security awareness, policies and procedures, introverted leadership development, mentoring
     © Ben Woelk 2018
  4. Key Points
     • The Problem
     • Changing the Culture
     • Awareness Plan Basics
     • Measuring Your Success
  5. THE PROBLEM
  6. Security Awareness isn’t Working – Why not?
     – “The fact is that people know the answer to awareness questions but they do not act accordingly to their real life (ISF, 2014, NIST, 2003).” (Bada and Sasse, 2014)
  7. Why Not?
     1. Not understanding what security awareness really is
     2. Reliance on checking the box
     3. Failing to acknowledge that awareness is a unique discipline
     4. Lack of engaging and appropriate materials
     5. Not collecting metrics
     6. Unreasonable expectations
     7. Relying upon a single training exercise
     Winkler, Ira, and Samantha Manke (2013). 7 Reasons for Security Awareness Failure. CSO Magazine, July 10. Retrieved from http://www.csoonline.com/article/2133697/metrics-budgets/7-reasons-for-security-awareness-failure.html
  8. Wrong Behaviors?
     • What are we saying our users should do?
     • Google Research: http://googleonlinesecurity.blogspot.com/2015/07/new-research-comparing-how-security.html
  9. THE SOLUTION
  10. Culture Change
     • Culture: the set of shared attitudes, values, goals, and practices that characterizes an institution or organization (Merriam-Webster)
     • What would culture change look like?
  11. Success Factors
     1. Security awareness has to be professionally prepared and organised in order to work.
     2. Invoking fear in people is not an effective tactic, since it could scare people who can least afford to take risks.
     3. Security education has to be more than providing information to users – it needs to be targeted, actionable, doable and provide feedback.
     4. Once people are willing to change, training and continuous feedback is needed to sustain them through the change period.
     5. Emphasis is necessary on different cultural contexts and characteristics when creating cyber security-awareness campaigns.
     Bada, Maria; Sasse, Angela; Nurse, Jason R. C. Cyber Security Awareness Campaigns: Why do they fail to change behavior? Conference paper, January 2015.
  12. Making Good Security Habitual
     • Contextualization
     • Repetition and Branding
     • Reward
  13. (slide contains no text)
  14. An impossible dream?
  15. AWARENESS PLANS
  16. Building the Plan
     • Determine Goal
     • Identify and Profile Audience
     • Develop Messages
     • Select Communication Channels
     • Choose Activities and Materials
     • Establish Partnerships
     • Implement the Plan
     • Evaluate and Make Mid-Course Corrections
     Woelk and Schaufler, It Doesn’t Take Magic: Tricks of the Trade to Create an Effective Security Awareness Program
  17. Implementing the Plan: Topics and Activities (Monthly or Quarterly)
     – Topics (top three cyber security issues)
     – Specific audiences and deliverables
     – Calendar of Deliverables
  18. METRICS
  19. Measuring Your Success
     • What can and should we measure?
       – Number of incidents?
       – Engagement?
       – Specific areas
         • Phishing
         • Compliance issues
         • BYOD or mobile device management
         • Data loss/leakage prevention
     McElroy, Lori, and Eric Weakland. “Measuring the Effectiveness of Security Awareness Programs” (Research Bulletin). Louisville, CO: EDUCAUSE Center for Analysis and Research, December 16, 2013.
  20. Discuss. Ben Woelk, Ben.woelk@rit.edu, ben@benwoelk.com
  21. Resources
     • Woelk, Ben. “Building a Culture of Digital Self Defense,” EDUCAUSE Review Security Matters blog, September 20, 2016.
     • Woelk, Ben. The Successful Security Awareness Professional: Foundational Skills and Continuing Education Strategies. Research bulletin. Louisville, CO: ECAR, August 10, 2016.
     • W.K. Kellogg Foundation, Strategic Communication Plan, https://www.wkkf.org/resource-directory/resource/2006/01/template-for-strategic-communications-plan
     • Various, EDUCAUSE Security Awareness, https://library.educause.edu/topics/cybersecurity/security-awareness
     • Templates, Presentation, Resources list, https://drive.google.com/drive/folders/0B45bhFW7CueDbkVGQ1JXMzdFYXM?usp=sharing
  22. Thank You