Information Security Awareness Training
Various Methods and their Effectiveness at New Paltz
SUNY Technology Conference
Lake Placid - June 2014
Why the focus on training?
“Only amateurs attack machines; professionals target people”
- Bruce Schneier
“There is only one way to keep your product plans safe and that is by having a trained, aware, and conscientious workforce. This involves training on the policies and procedures, but also - and probably even more important - an ongoing
Why the focus on training?
➢ Targeting individuals instead of systems can bypass some or all of your protection measures.
➢ Dollar for dollar, training will have a huge benefit for security.
Who needs security training?
➢ Ideally, everyone - students, faculty, staff, and contractors.
➢ Realistically?
➢ Review laws, contracts, etc. for who is required to receive training (specifically PCI, GLBA, HIPAA).
What are the goals of the training?
➢ Getting users to understand and recognize the risks.
➢ Training users to change their instinctual responses.
➢ Making users recognize that they are at risk.
➢ Educate users as to the impact to the college of a successful scam.
What topics should be covered?
➢ Password safety
➢ Malware
➢ Social Engineering
➢ Physical Security
➢ Security Policy
Psychological Issues
➢ Fast and Slow Thinking
  ➢ Fast: quick judgements, relies on heuristics
  ➢ Slow: thoughtful, lazy
➢ Availability Heuristic
  ➢ Representativeness
  ➢ Availability
➢ Evaluation of risk
  ➢ Users exaggerate risks that are rare, sudden, are out of their control, or affect them personally.
  ➢ Users downplay risks that are common, affect others, or
Compliance motivation
➢ One method is via Expectancy Theory
  ➢ Expectancy
  ➢ Instrumentality
  ➢ Valence
➢ Make sure employees know the consequences to the college of security lapses.
Training methods
➢ Email communications
  ➢ Can be newsletters or specific advisories.
  ➢ Can easily be overwhelming when too frequent.
  ➢ Will be ignored by a large number of people.
  ➢ If they are too long or contain too much technical jargon, they will be ignored by a larger number of people.
➢ Posters and flyers
  ➢ Should be ‘catchy’ while still being informative
  ➢ Should change frequently
Newsletter
➢ Periodic communication about security issues.
➢ Meant to communicate specific issues or to keep security issues on people’s minds.
In-person training
➢ Initially conducted by an external security consulting firm.
➢ Transitioned to internal training the following year.
➢ Conducted annually - employees with sensitive data access such as Banner are required to attend. All other employees are strongly encouraged to attend.
Don’t just rely on IT
➢ Take advantage of “Security Evangelists” outside of IT.
➢ Use their power and status to extend the reach of security messaging.
➢ Get administration support & buy-in.
Online Training
➢ Conducted via an external firm (Wombat Security).
➢ Training is interactive. Users cannot just click ‘next, next, next’.
➢ Users are scored on training.
➢ Topics include Email Security, URL Training, and Safer Web Browsing.
Online Training
➢ Required & Recommended groups.
➢ Compliance Rates ~ 60%
Online Training
➢ Per-user reports
  ➢ Can be used to review users who have fallen for (or are suspected of falling for) phishing scams.
  ➢ Users who fall for phishing scams (and malware) are much more likely to have not taken the training.
  ➢ Not taking the training changes our response post-malware/phishing.
➢ Most missed report
  ➢ Shows questions users have problems with.
  ➢ Helps adjust messaging to emphasize certain issues for all users (not just those included in the training).
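The two reports above (per-user training status cross-referenced with phishing incidents, and the most-missed question list) are straightforward to build from exported records. The following is an added example, not code from the presentation or from the training vendor: all user ids, incident records and quiz answers are constructed sample data, and the field names are assumptions about what an export might contain.

```python
"""Added example (not from the New Paltz presentation): turning per-user
training records and phishing incident records into the reports the slides
describe.  All data below is constructed for illustration; the field names
and the grouping logic are assumptions, not the vendor's export format.
"""
from collections import Counter

# Constructed sample data -------------------------------------------------
# Users in the "required" group (e.g. Banner access) and the "recommended"
# group.  The group names mirror the slides; the user ids are made up.
REQUIRED_USERS = {"u01", "u02", "u03", "u04", "u05"}
RECOMMENDED_USERS = {"u06", "u07", "u08", "u09", "u10"}

# Users who completed the online training module (constructed).
COMPLETED_TRAINING = {"u01", "u02", "u03", "u06", "u07", "u08"}

# Phishing incidents: real scams handled by the help desk and "submits"
# from the phishing simulation service.  submitted=False means the user
# reported the message without entering data.  Constructed records.
INCIDENTS = [
    {"user": "u04", "kind": "real",       "submitted": True},
    {"user": "u05", "kind": "simulation", "submitted": True},
    {"user": "u09", "kind": "simulation", "submitted": False},
    {"user": "u02", "kind": "simulation", "submitted": True},
    {"user": "u01", "kind": "simulation", "submitted": False},
    {"user": "u10", "kind": "real",       "submitted": True},
]

# Per-question answers from the training quiz: (user, question_id, correct).
QUIZ_RESPONSES = [
    ("u01", "q1", True),  ("u01", "q2", False), ("u01", "q3", True),
    ("u02", "q1", True),  ("u02", "q2", False), ("u02", "q3", True),
    ("u03", "q1", False), ("u03", "q2", False), ("u03", "q3", True),
    ("u06", "q1", True),  ("u06", "q2", True),  ("u06", "q3", True),
]


def compliance_rate(group, completed=COMPLETED_TRAINING):
    """Fraction of a group that finished the training (the ~60% on the slides)."""
    if not group:
        return 0.0
    return len(group & completed) / len(group)


def victim_rate_by_training_status(incidents=INCIDENTS, completed=COMPLETED_TRAINING,
                                   population=REQUIRED_USERS | RECOMMENDED_USERS):
    """Share of trained vs. untrained users who submitted data to a phish.

    A user counts once regardless of how many incidents they appear in, so
    the result is a per-user rate, not a per-incident count.
    """
    victims = {i["user"] for i in incidents if i["submitted"]}
    trained = population & completed
    untrained = population - completed
    return {
        "trained": len(victims & trained) / len(trained) if trained else 0.0,
        "untrained": len(victims & untrained) / len(untrained) if untrained else 0.0,
    }


def follow_up_list(incidents=INCIDENTS, completed=COMPLETED_TRAINING):
    """Victims who have not taken the training.  The slides note that this
    changes the post-incident response, so surface them explicitly."""
    victims = {i["user"] for i in incidents if i["submitted"]}
    return sorted(victims - completed)


def most_missed(responses=QUIZ_RESPONSES):
    """Questions ordered by miss rate, highest first: the 'most missed'
    report used to adjust messaging for everyone, not only trained users."""
    asked, missed = Counter(), Counter()
    for _user, qid, correct in responses:
        asked[qid] += 1
        if not correct:
            missed[qid] += 1
    return sorted(((qid, missed[qid] / asked[qid]) for qid in asked),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    print("required compliance:", compliance_rate(REQUIRED_USERS))
    print("recommended compliance:", compliance_rate(RECOMMENDED_USERS))
    print("victim rate by status:", victim_rate_by_training_status())
    print("victims without training:", follow_up_list())
    print("most missed questions:", most_missed())
```

The victim rate is computed per user rather than per incident so that one user who submits to several simulations does not inflate the untrained group's figure; the follow-up list is the set a help desk would check before deciding how to respond to a compromised account.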
Phishing Simulations
➢ We phish our own users.
  ➢ Done through an external service.
  ➢ Can use actual scam emails (with modified links to a site we control).
  ➢ Can also use custom emails/spear phishing.
  ➢ “Victims” who submit data are brought to a training page.
➢ When users fall for it, it breaks them out of the “immunity fallacy”.
  ➢ Works through altering the Availability Heuristic.
  ➢ Some users will be confused.
Phishing responses
➢ Try to be patient with the users. Security is not their job.
➢ Don’t allow the training to be ignored completely though.
➢ When someone ignores the training and is a
Training results
➢ Significant drop in number of phishing victims
  ➢ Average phishing victims per month was 4-5.
  ➢ Number of victims year-to-date (2014) is now 4.
➢ Large increase in users reporting suspicious emails.
➢ Significant decrease in submit rate for our phishing simulations.
➢ Generally positive reactions from faculty and staff.
  ➢ Some negative/apathetic reactions.
Remaining challenges
➢ Keeping users vigilant and avoiding complacency
➢ Training needs to stay relevant and fresh
➢ Reducing training costs
  ➢ Reducing per-user costs to include more users
  ➢ Creating in-house (or in-SUNY?) training
  ➢ Including students in active training methods
➢ Including students in training
➢ Secure programming/coding training
➢ Effectiveness of more sophisticated methods still is an issue (spear phishing, other social engineering methods)
Resources
➢ Psychology & Information Security course at Albany (Dr. Kevin Williams)
➢ Bruce Schneier - Psychology of Security
➢ protect.iu.edu (Indiana University)
➢ Stop, Think, Connect (stopthinkconnect.org)
➢ Internet 2 Cyber Security Awareness Resource Library (https://wiki.internet2.edu/confluence/display/itsg2/Cybersecurity+Awareness+Resource+Library)
Questions?
➢ Evaluation site: