4. 14/5/2013 ISACA – Sofia Chapter 4
Define the facts
• Training is a critical part of any initiative, introducing users to policy
guidelines and allowing management to set expectations.
Source: www.assero.co.uk
5. Define the facts
• You won't get far in your training if you don't tune your message to the
audience, whether you're presenting your case to the executive
board, the IT group or the staff.
Source: articles.elitefts.com
6. Define the facts
• Habits drive organizational culture, and there are no technologies that
will ever make up for poor culture.
Source: www.eaglesflight.com
7. Define the facts
• Ensure that any awareness training program is a continuous process:
heightened user awareness loses value if you don't reinforce learned
concepts over time.
“As it shows in the report we have seen susceptibility reductions of over 80% when comparing an initial mock attack to subsequent attacks when in-depth training is completed in between the attacks.”
-- Joe Ferrara, President and CEO of Wombat Security Technologies
Source: http://www.wombatsecurity.com/phishing_attack_report
8. Define the facts
• There is a clear tendency not to engage with external awareness providers.
Wisegate found that less than 1% of companies use only third-party training
companies, 50% develop their awareness regime fully in-house, 42% use a combination of
third-party and in-house training, and amazingly, as many as 7% do no awareness training
at all.
[Chart: Awareness training (percentage of companies, 0 to 50 scale); categories: Develop fully in-house, No awareness training, Use third-party only, Use a combination]
Source: http://www.wisegateit.com/resources/downloads-security-awareness-report
9. Avoid the pitfalls
• ‘Do as I say, not as I do’ resonates in the executive corridor of far too
many organizations today.
– When asked “Do you believe directors think the policies don’t apply to them?”, 56% agreed.
– Not so many senior managers actually “ignore or flout security policies and procedures,” but at 42%
it is still surprisingly high.
– 52% agreed “The board of directors have access to the most sensitive information but have the least
understanding of security issues.”
-- Cryptzone queried 300 IT professionals
Source: http://www.infosecurity-magazine.com/view/25971/security-do-as-i-say-not-as-i-do/
10. Avoid the pitfalls
• Recognize that the user is ‘the most commonly exploited security
vulnerability’ in your company, but be warned that there is no single
one-size-fits-all solution to awareness training.
Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/
11. Avoid the pitfalls
• Don’t do it alone. Turn to the marketing and training departments and
use their expertise in both developing an awareness program, and then
selling it to the user.
Source: http://www.infosecurity-magazine.com/view/30404/security-awareness-the-ciso-view-from-the-coalface/
12. Best Practices
• Maximize the strengths and avoid the pitfalls of what can be a
controversial but very effective method of training users: learning by
experience. Its effectiveness can be measured and monitored, allowing the
most cost-efficient training for the highest-risk people and topics.
13. Best Practices
• Make education easy and accessible. Don’t make security training a
burden; make it part of employees’ everyday activities.
• Refresh the policy training routinely and test their knowledge often to
ensure they have the ability to execute the policy in day-to-day scenarios.
• Try to make the information relevant to their personal use. This creates a
feeling of empowerment and responsibility to practice good security day
and night.
• Work to make the information factual and provide real-world examples of
where things went wrong. Sharing information on what works well, and on
how failures damage a company’s brand and reputation, helps your
employees understand why compliance with policies is so critical.
• Programs that rely on 90-day plans are the most effective: every 90 days
the program and its goals are reevaluated to determine which topics need
to be addressed going forward.
14. How to be successful
• Awareness programs that obtain C-level support are more successful. This
support inevitably leads to more freedom, larger budgets and support
from other departments.
• Creativity is a must. While a large budget helps, companies with a small
security awareness budget have still been able to establish successful
programs. Creativity and enthusiasm can make up for a small budget.
• One of the key factors in having a successful effort is being able to prove
that your effort is successful. The only way to do this is to collect metrics
prior to initiating new awareness efforts.
• Awareness efforts that focus on how to accomplish actions are more
successful than those that focus on telling people that they should not be
doing things.
• The most successful programs are not only creative; they rely on many
forms of awareness materials. The most participative efforts appear to
have the most success.
15. Takeaways
• Start measuring by creating a baseline, defining a clear goal, and tracking
progress. If you aren’t moving in the right direction, adjust the course.
• Awareness programs, when properly executed, provide knowledge that
instills behavior, which changes habits, which in turn drives a better culture.
• An approach that concentrates not on raising awareness but on changing
employee behavior, habits and actions to create a culture, by using
“prescriptions”:
– Using a password vault at Twitter ended up reaching over 75% of users;
– Twitter mastered its training approach via constant feedback and evaluation.
• There is no technology that will prevent human misbehavior, e.g.
mishandling of paper information and computer media.
• Awareness mitigates non-technical issues that technology can't. By
measuring return on investment you will find that awareness is one of the
most reliable measures available.
16. Takeaways
• Focus on security culture, not training, and constantly measure the
effect of the training so that it can be repeatedly reshaped to be
more effective; this is where the feedback comes in handy.
• Never give up on users: “It's never a lost cause until you believe it is.”
• “For” versus “against” awareness training: an easy “victory” for the
“for” side, simply because it is not possible to provide clear and consistent
evidence that training is not working. There is plenty of evidence of the opposite.
• Education and training are not perfect. The challenge is that even if you do
it right, it can be hard to document the effect, and to show clear causation
between your training efforts and the behavior change.
• The biggest issue is perhaps that awareness efforts are frequently not
optional. Telling people not to do something because we believe it is a
bad idea is just not an option.
• Address and utilize interpersonal skills, personality traits, motivational
theory; do not rely only on technical skills, risk management models and
policy making.
17. Go rocket-science
Two different sides of the brain control two different “modes” of thinking.
(Theory of the structure and functions of the mind)
• People think and learn in different ways with evidence of different
learning characteristics, but different cultural groups may emphasize one
cognitive style over another: the verbal vs. the nonverbal, represented
rather separately in left and right hemispheres respectively.
• Our education system, as well as science in general, tends to neglect the
nonverbal form of intellect. Modern society discriminates against the
right hemisphere, i.e. nonverbal thinking.
• Most children rank as highly creative (right brain) before entering school.
Because our educational systems place a higher value on left-brain skills
such as mathematics, logic and language than on drawing or using
our imagination:
– Only 10% of these same children will rank as highly creative by the age of 7.
– By the time we are adults, high creativity remains in only 2% of the population.
18. Right Brain vs. Left Brain
LEFT BRAIN FUNCTIONS          RIGHT BRAIN FUNCTIONS
uses logic                    uses feeling
detail oriented               "big picture" oriented
facts rule                    imagination rules
words and language            symbols and images
present and past              present and future
math and science              philosophy & religion
can comprehend                can "get it" (i.e. meaning)
knowing                       believes
acknowledges                  appreciates
order/pattern perception      spatial perception
knows object name             knows object function
reality based                 fantasy based
forms strategies              presents possibilities
practical                     impetuous
safe                          risk taking
• Left-brain scholastic subjects focus on logical thinking, analysis, and
accuracy.
• Right-brain subjects, by contrast, focus on aesthetics, feeling, and creativity.
19. Right Brain vs. Left Brain
• Our conscious mind can only focus on data from one brain at a time.
Eventually ultimate authority to enter consciousness is delegated to one
brain or the other. In our modern world, this battle is almost always won
by the left brain.
• Sometimes skills which the right brain can perform better are routinely
handled, with less skill, by the left brain.
Too bad, and now what?
• Methods have been devised to "shut off" the left brain, allowing the right
side to have its say, even temporarily.
• The logical left side is easily bored by lack of input and tends to "doze off"
during such activities as meditation (repeating a mantra or word over and
over) or in sensory deprivation environments.
20. Why should I care?
How is all this related to people training?
• To foster a more whole-brained scholastic experience, teachers should
use instruction techniques that connect with both sides of the brain.
• Increase right-brain learning activities by incorporating more
patterning, metaphors, analogies, role playing, visuals, and movement
into reading, calculation, and analytical activities.
• For a more accurate whole-brained evaluation of student
learning, educators must develop new forms of assessment that honor
right-brained talents and skills.
Ideally, both brains work together in people with optimum mental ability. This
coordinating ability may be the key to superior intellectual abilities.
Such employees will form better habits, develop a great organizational
culture and be more productive and creative, and so it goes: the never-ending story.