Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Habits of Highly Successful Security Awareness Programs Samantha Manke Chief Knowledge Officer.

Published byTyree Dunning Modified over 9 years ago

Similar presentations

Presentation on theme: "The Habits of Highly Successful Security Awareness Programs Samantha Manke Chief Knowledge Officer."— Presentation transcript:

1 The Habits of Highly Successful Security Awareness Programs Samantha Manke Chief Knowledge Officer

2 SECURITY AWARENESS LESSONS LEARNED AS A TEENAGE GIRL

3 My father is an IT/Security guy His intentions were good But the draw of Neopets and Harry Potter was too great Taught me the basic maneuvers to thwart his security attempts His attempts continued until I turned 18 MY FATHER IS AN IT/SECURITY GUY

4 The problem is that security professionals assume that the users should exercise common sense They likewise consider their approach as an afterthought There is no such thing as common sense without a base common knowledge Security programs fail, because they assume there is the common knowledge COMMON SENSE

5 It’s incompetent security professionals While there are some stupid activities on the part of the users, I always ask what could the security staff have done better? Does your staff stop and ask how could the incident have been prevented Is there a discussion of both modifying user activity and preventing user activity IT’S NOT STUPID USERS

6 Security awareness strives to get people to implement secure practices into their daily activities Must instill common knowledge of concerns and base actions Training is different from Awareness SECURITY AWARENESS IS CONNECTED TO SECURITY CULTURE

7 The human factor Technology can only help so much Cost-effective solution Required by standards and regulations WHY SECURITY AWARENESS?

8 THE STUDY: METHODOLOGY

9 Work experience allowed me to build and improve many security awareness programs The local ISSA chapter’s Security Awareness user group (a.k.a. “Support Group”) meets bi- monthly and delegates were willing participants Security Awareness material is seen as non- proprietary OPPORTUNITY STATEMENT

10 Varying degrees of quality in awareness programs The 3-year cycle Poor security cultures THE PROBLEM WITH SECURITY AWARENESS

11 Qualitative – Face-to-face interviews with Security Awareness Specialists Quantitative 2 Surveys – 1 for Security employees – 1 for Non-Security employees Limitations APPROACH/METHODOLOGY

12 STUDY: ANALYSIS

13 Participating companies from the following sectors: Health Sector Manufacturing Sector Food Sector Financial Sector Retail Sector Companies were often surprisingly honest about the success of their programs No participating company had any metrics to assess their effectiveness ANALYSIS: GENERAL TRENDS

14 Most companies struggle to gain support: – From upper management – From key departments – From their user population Compliance: – PCI helps with support and budget – HIPAA does not ANALYSIS: GENERAL TRENDS

15 Variety of approaches – Some Security Awareness Specialists had a security background while others had a marketing or communications background – Companies had 1-26 employees contributing to efforts ANALYSIS: GENERAL TRENDS

16 ANALYSIS: SECURITY RESPONDENTS

17

18

19

20

21 ANALYSIS: NON-SECURITY RESPONDENTS

22

23 ANALYSIS: NON-SECURITY RESPONDENT

24 ANALYSIS: NON-SECURITY RESPONDENTS

25 Security is difficult to administer at most companies PCI compliance helps with enforcement and awareness Creativity and/or participatory training are the key(s) to success Companies with more top-level support are more successful RESULTS

26 THE HABITS

27 This is the main source of failure Make a 3-month plan Topics may change Assess Approach – Softball – Hard push – Avoid fear-mongering HABIT 1-CREATE A STRONG FOUNDATION

28 Which mediums of communication will be most effective at your company? Which mediums are already saturated? What are employees most receptive to? CHOOSING COMPONENTS

29 Website Posters Newsletters/Blog Monthly tips Lunch and Learns Roadshows Speakers Security Week RECOMMENDED COMPONENTS

30 Easy to fall behind Pay attention to the news Create new material for every month KEEP THE PROGRAM FRESH

31 Appeal to the highest level you are able to engage Market some materials to the C-level Stress benefits of Security Awareness HABIT 2-ORGANIZATIONAL BUY-IN

32 Learning modules Interactive components/Gamification – Make user feel involved Additional tools--Phishing HABIT 3-PARTICIPATIVE LEARNING

33 Guerilla marketing campaign Security Cube Policy distribution Demonstrations and movie showings HABIT 4-MORE CREATIVE ENDEAVORS

34 No participating company gathered metrics Compare rate of reported incidents pre and post – Collecting metrics ahead of time so you can potentially measure success after the fact HABIT 5-GATHER METRICS

35 Assess which components have been successful Administer a survey – Try to keep it anonymous – Offer a drawing that employees can enter for a prize Understand limitations ASSESSING SUCCESS

36 Reinforces company message vs. security message Consider departments such as: – Legal – Compliance – Human Resources – Marketing – Privacy – Physical Security HABIT 6-PARTNER WITH KEY DEPARTMENTS

37 Department of “How” vs. Department of “No” Teach instead of dictate Establish positive security culture HABIT 7-BE THE DEPARTMENT OF HOW

38 CONCLUSIONS

39 Focus on building support before spending too much time on other aspects Do a thorough assessment of culture before starting or revamping program Consider partnership with other key departments Focus security awareness on common knowledge so users can exercise common sense APPLY

40 Samantha@securementem.com +1-651-325-5902 @samanthamanke http://www.linkedin.com/pub/samantha- manke/21/34/779 Ira@securementem.com +1-410-544-3435 www.facebook.com/ira.winkler @irawinkler www.linkedin.com/in/irawinkler FOR MORE INFORMATION

Download ppt "The Habits of Highly Successful Security Awareness Programs Samantha Manke Chief Knowledge Officer."

Similar presentations

An Introduction to professional services. The professional services The professional services support businesses of all sizes across the economy, providing.

An Introduction to professional services. The professional services The professional services support businesses of all sizes across the economy, providing.
Final Report Presentation By Mohammad Saber Sakhizada March,26 – 2009.

Final Report Presentation By Mohammad Saber Sakhizada March,26 – 2009.
Promoting Rational Drug Use in the Community Monitoring and evaluation.

Promoting Rational Drug Use in the Community Monitoring and evaluation.
Housing and care options for older people in Wigan Angela Durkin, Senior Housing Policy Officer, Wigan Council John McArdle, Chief Officer, Age UK Wigan.

Housing and care options for older people in Wigan Angela Durkin, Senior Housing Policy Officer, Wigan Council John McArdle, Chief Officer, Age UK Wigan.
John A. Bers John A. Bers Associate Professor of the Practice Management of Technology Program Nov. 5, 2003 Vanderbilt University School of Engineering.

John A. Bers John A. Bers Associate Professor of the Practice Management of Technology Program Nov. 5, 2003 Vanderbilt University School of Engineering.
Identifying enablers & disablers to change

Identifying enablers & disablers to change
You ! as a newly Graduate Students You ! as a newly Graduate Students from campus life to professional life… Kampus Biru UGM Fakultas Pertanian Yogyakarta,

You ! as a newly Graduate Students You ! as a newly Graduate Students from campus life to professional life… Kampus Biru UGM Fakultas Pertanian Yogyakarta,
The importance of a Compliance program is to ensure that our agency meets the highest possible standards for all relevant federal, state and local regulations,

The importance of a Compliance program is to ensure that our agency meets the highest possible standards for all relevant federal, state and local regulations,
STAND OUT: Communications and Messaging Strategies for CCR&R agencies.

STAND OUT: Communications and Messaging Strategies for CCR&R agencies.
Brandon Ho, CIPP HIPAA Compliance Specialist Pacific Regional Medical Command, Tripler Army Medical Center Aloha from the 50 th State.

Brandon Ho, CIPP HIPAA Compliance Specialist Pacific Regional Medical Command, Tripler Army Medical Center Aloha from the 50 th State.
Security Awareness in the Enterprise Jacob D. Furst Jean-Philippe Labruyere 22 March 2006.

Security Awareness in the Enterprise Jacob D. Furst Jean-Philippe Labruyere 22 March 2006.
Eaten: UNC - Chapel Hill An investigative look at the eating habits of freshmen on the University of North Carolina at Chapel Hill campus.

Eaten: UNC - Chapel Hill An investigative look at the eating habits of freshmen on the University of North Carolina at Chapel Hill campus.
Performance Indicators Exam QuestionsPromotionMerchandisingGeneral 1111 1111 1111 1111 1111 2222 2222 2222 2222 2222 3333 3333 3333 3333 3333 4444 4444.

Performance Indicators Exam QuestionsPromotionMerchandisingGeneral
EHealth business cases: Laastari Clinics. Laastari Lähiklinikka (FIN), Minutkliniken (SWE) A chain of drop-in retail clinics for acute common illnesses.

EHealth business cases: Laastari Clinics. Laastari Lähiklinikka (FIN), Minutkliniken (SWE) A chain of drop-in retail clinics for acute common illnesses.
Evaluation is a professional and ethical responsibility and is a core part of PHN professional practice Commitment to evaluation helps build the PHN intelligence.

Evaluation is a professional and ethical responsibility and is a core part of PHN professional practice Commitment to evaluation helps build the PHN intelligence.
SECURITY CONSIDERATIONS FOR COMPUTER PERSONNEL Tom Richards, Steve Guynes and Wayne Spence April 12, 2010.

SECURITY CONSIDERATIONS FOR COMPUTER PERSONNEL Tom Richards, Steve Guynes and Wayne Spence April 12, 2010.
Are you Using Technology to Assess Learning or Assessing Learning to Improve Technology? Marilee J. Bresciani, Ph.D. Associate Professor, Postsecondary.

Are you Using Technology to Assess Learning or Assessing Learning to Improve Technology? Marilee J. Bresciani, Ph.D. Associate Professor, Postsecondary.
Equality and Diversity: Resource for Level 4 students

Equality and Diversity: Resource for Level 4 students
Business research methods: data sources

Business research methods: data sources
Problem Analysis Intelligence Step 2 - Problem Analysis Developing solutions to complex population nutrition problems (such as obesity or food insecurity)

Problem Analysis Intelligence Step 2 - Problem Analysis Developing solutions to complex population nutrition problems (such as obesity or food insecurity)

Similar presentations

Ads by Google