Building on the observation that the significant majority of cyber-attacks succeed because of human error, this presentation explains how organisations can build, embed & sustain the resilient behaviours required across the whole workforce, regardless of their role or responsibility, to better protect their most valuable & commercially sensitive information.
Strategies for cyber resilience - Everyone has a Role
1. Everyone has a Role
National & Organisational
Strategies for Resilience to
Cyber Attack
www.CyberRescue.co.uk
2. agenda
www.CyberRescue.co.uk
1. UK National Cyber Security Strategy to 2021
2. Building Resilience – everyone has a role
Nick Wilding, General Manager, Cyber Resilience, Axelos
3. Recovery – what should CEOs do?
These presentations were given at a meeting organised by Cyber Rescue on 29/6/16.
Participants included senior representatives from the Cabinet Office (UK Government),
Capita, E.ON, Institute of Directors, Microsoft, Saga plc, Zurich Insurance, and others.
For similar material, follow Cyber Rescue on LinkedIn here.
3. Strategies for Resilience to Cyber Attack
BUILDING RESILIENCE:
EVERYBODY HAS A ROLE TO PLAY
29 June 2016
AXELOS.COM
4. It’s not just about bits and bytes... ...it’s about behaviours
We all have a role to play
90%... ...NEED TO INFLUENCE AND ENABLE POSITIVE CHANGE IN USER BEHAVIOURS
5. Stats and facts
“253 days is the median number of days it takes an organisation to realise that they have been successfully attacked.”
(Verizon 2015 Data Breach Investigations Report)
“Only 29% of companies rate their cyber resilience as high. Nearly 33% said collaboration was poor/non-existent.”
(Ponemon Institute research with 450 IT and security professionals)
(PWC UK Data breach report, Feb 2015)
“90% of all successful cyber-attacks rely on human vulnerability to succeed.”
(Verizon 2015 Data Breach Investigations Report)
“65% of large firms detected a cyber security breach or attack in the last year.”
(UK Cyber security breaches survey May 2016)
“17% of UK businesses have had their staff attend some form of cyber training in the last 12 months”
(UK Cyber security breaches survey May 2016)
1 person can enable an attacker to compromise your systems and access your most valuable information.
7. Cyber Resilience best practice
Cyber Resilience is the ability for an organisation to resist, respond and recover from attacks that will impact the critical information they require to do business.
8. Why do security awareness programmes typically fail?
• Reliance on checking the box
• Lack of engaging and appropriate materials
• Reliance on a single training exercise
• Metrics are not collected
• Unreasonable expectations
• Failure to acknowledge that awareness is a unique discipline
9. Attitudes to awareness training
“How important is information security awareness training to minimising the risk of cyber security breaches at your organisation?”
99% Fairly or very important
“How important is minimising human error in managing the risk of cyber security breaches at your organisation?”
98% Fairly or very important
And yet when asked how many people within their organisation completed awareness training, only 52% said it was between 75%-100% of staff.
10. How effective is awareness learning?
When asked “How effective is your InfoSec awareness programme?”
42% Very effective
49% Fairly effective
7% Not at all effective
When asked “How effective is your InfoSec Awareness programme in changing behaviours?”
28% Very effective
55% Fairly effective
13% Not at all effective
11. Is your learning relevant?
When asked: “Overall, how confident are you that the information security awareness training your organisation provided to all staff is relevant to their day to day work?”
32% Very confident
62% Fairly confident
6% Not at all confident
When asked: “How effective is your awareness learning in ensuring compliance with required regulatory requirements only?”
37% said it was very effective
12. Awareness learning – delivery methods
14% Games
61% Face to face
80% E-learning
43% Posters
26% Animations
• Clear that the majority of respondents still rely on traditional E-learning.
• Is this an engaging, fun way to learn?
• ...Face to face and posters
• An effective and efficient control?
• Face to face in small organisations may be, but in both cases it can be challenging to measure ongoing progress of the learner
• Animations & Games
• 79% of respondents to a TalentLMS survey said that they would be more productive and motivated if their learning involved gamification.
• “Games have the power to teach, train and educate and are effective means for learning skills and attitudes that are not so easy to learn by rote memorization” (Michael & Chen, 2006)
13. …in summary - some principles
Principle: On-going, regular learning
• Regular learning
• Short and concise
• Supporting updates and refreshers
Principle: Adaptive & personalised
• Suit individual learning preferences
• Content tailored to different skill levels
• Focus on the priority security issues
Principle: Measurable benefit
• Tracking changing behaviours over time
• Qualitative and quantitative metrics
• Demonstrate value of investment
Principle: Engaging, competitive and fun
• Different learning styles and formats
• Ability to learn inside and outside work
• Play to the competitive element of games
16. www.CyberRescue.co.uk
Who should own the human element of cyber defence?
Vote: Board / CEO / CFO / CIO / COO / HR Director
There was a strong consensus at the meeting that the CEO must own the human element of cyber defence, including prevention & response. All roles listed above share some responsibility, but the CEO has to define the “Command & Control” as well as the Culture that is key to Cyber Resilience.
17. thank you
National & Organisational Strategies for Resilience to Cyber Attack
www.CyberRescue.co.uk
Kevin Duffey, Managing Director
29th June 2016
For similar material, follow Cyber Rescue on LinkedIn here.