Information Security Awareness Training

29  Download (0)

Full text


Information Security

Awareness Training

Various Methods and their

effectiveness at New Paltz

SUNY Technology Conference

Lake Placid - June 2014


Why the focus on training?

“Only amateurs attack machines; professionals

target people”

- Bruce Schneier

“There is only one way to keep your product plans

safe and that is by having a trained, aware, and

conscientious workforce. This involves training on

the policies and procedures, but also - and

probably even more important - an ongoing


Why the focus on training?

Targeting individuals instead of systems, can

bypass some or all of your protection measures.

Dollar for dollar, will have a huge benefit for



Who needs security training?

Ideally, everyone - students, faculty, staff, and



Review laws, contracts, etc. for who is required

to receive training (specifically PCI, GLBA,



What are the goals of the training?

Getting users to

understand and


the risks.

Training users to

change their



Making users recognize that they

are at



Educate users as to impact to the

college of a successful scam.


What topics should be covered?

Password safety


Social Engineering

Physical Security

Security Policy


Psychological Issues

Fast and Slow Thinking

Fast, quick judgements, relies on heuristics ➢ Slow, thoughtful, lazy

Availability Heuristic

➢ Representativeness

➢ Availability

Evaluation of risk

➢ Users exaggerate risks that are rare, sudden, are out of their control, or affect them personally.

Users downplay risks that are common, affect others, or


Compliance motivation

One method is via Expectancy Theory

Expectancy ➢ Instrumentality

➢ Valence

Make sure employees know the

consequences to the college of security



Training methods

Email communications

Can be newsletters or specific advisories.

➢ Can easily be overwhelming when too frequent.

➢ Will be ignored by a large amount of people.

If they are too long or contain too much technical jargon,

they will be ignored by a larger amount of people.

Posters and flyers

Should be ‘catchy’ while still being informative ➢ Should change frequently



Periodic communication about security


Meant to communicate specific issues

or to

keep security issues on people’

s minds.


In-person training

Initially conducted by an external

security consulting firm.

Transitioned to internal training the

following year.

Conducted annually - employees with

sensitive data access such as Banner

are required to attend. All other

employees are strongly encouraged to



Don’t just rely on IT

Take advantage of “Security

Evangelists” outside of IT.

Use their power and status to extend

the reach of security messaging.

Get administration support & buy-in.


Online Training

Conducted via an external firm

(Wombat Security).

Training is


. Users cannot

just click ‘next, next, next’.

Users are scored on training.

Topics include Email Security, URL

Training, and Safer Web Browsing.


Online Training

Required & Recommended groups.

Compliance Rates ~ 60%


Online Training

Per-user reports

Can be used to review users who have fallen for (or are

suspected of falling for) phishing scams.

➢ Users who fall for phishing scams (and malware) are much more likely to have not taken the training.

Not taking the training changes our response


Most missed report

➢ Shows questions users have problems with.

➢ Helps adjust messaging to emphasize certain issues for all users (not just those included in the training).


Phishing Simulations

We phish our own users.

Done through an external service.

➢ Can use actual scam emails (with modified links to a site we control).

Can also use custom emails/spear phishing.

“Victims” who submit data are brought to a training


When users fall for it, it breaks them out of the

“immunity fallacy”


Works through altering the Availability Heuristic. ➢ Some users will be confused.


Phishing responses

Try to be patient with the users. Security is not

their job.

Don’t allow the training to be ignored

completely though.

When someone ignores the training and is a


Training results


drop in number of phishing victims

Average phishing victims per month was 4-5. ➢ Number of victims year-to-date (2014) is now 4.

Large increase in users reporting suspicious


Significant decrease in submit rate for our

phishing simulations.

Generally positive reactions from faculty and


➢ Some negative/apathetic reactions.


Remaining challenges

Keeping users vigilant and avoiding


Training needs to stay relevant and fresh

Reducing training costs

➢ Reducing per-user costs to include more users

➢ Creating in-house (or in-SUNY?) training

➢ Including students in active training methods

Including students in training

Secure programming/coding training

Effectiveness of more sophisticated methods

still is an issue (spear phishing, other social

engineering methods)



Psychology & Information Security course at

Albany (Dr. Kevin Williams)

Bruce Schneier - Psychology of Security (Indiana University)

Stop, Think, Connect (

Internet 2 Cyber Security Awareness Resource



edu/confluence/display/itsg2/Cybersecurity+Awareness+Re source+Library)




Evaluation site: