Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.

Similar presentations


Presentation on theme: "The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014."— Presentation transcript:

1 The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014

2 AGENDA FOR THIS SESSION  Why technical defenses are not enough  Formal policy vs. training and awareness  What does an effective security awareness program look like?

3 LESSONS FROM DATA BREACHES Epsilon – spear phishing attack AOL – not understanding data classification Google, Yahoo and 18 others: users needed to update browsers Gawker Media –used weak passwords for multiple applications Target – began with phishing attack on 3 rd party

4 FORMAL POLICY Provides management guidance and intention Protects company liability Must be “translated” into key concepts and messages Requires partnership with Human Resources

5 What does an effective security awareness program look like?

6 KNOW YOUR AUDIENCE Language Work environment Types of computing devices Job roles

7 KEEP IT SIMPLE

8 REPEAT…REPEAT…REPEAT Screensavers Newsletters Posters Online training Webinars

9 EXPLAIN WHY

10 MAKE IT FUN!

11 ASK FOR FEEDBACK

12 TRACK AND MEASURE

13 RECOGNITION AND REWARDS

14 AWARENESS TOPICS How to spot Key logging devices Is Spam Harmful? Watering hole attacks Storing paper records Visitors who may be imposters Are cookies bad for you? All about malware

15 MORE AWARENESS TOPICS Create and remember strong passwords Get Going with Mobile Security What is a mobile botnet? Found any free USB drives? What did you capture on camera? Erase those whiteboards! We love to share chain letters

16 AND MORE AWARENESS TOPICS Dialing for Dollars: Phone Scams Cell phone ringtone scams Dangers of Counterfeit Software Wi-Fi Security Tips at Home Etiquette for Your Career Has your Facebook account been hacked?

17 STANDARDS NIST Special Publication “Building an Information Technology Security Awareness and Training Program” ISO 27002:2013 Section Deliver Information Security Awareness Programs Australian Government: Protective Security Governance Guidelines – Security Awareness Training

18 COST OF SECURITY AWARENESS Budgetary Planning: $5 - $10 per person per year Online courses Posters, Screen savers Newsletters Pens, Buttons, Etc.

19 WRAP UP AND QUESTIONS Is an annual awareness session adequate? Are acknowledgments of policy enough? Are there better ways to audit that will help to drive improvement?


Download ppt "The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014."

Similar presentations


Ads by Google