
Slide 1: Build a Security Awareness and Training Program
Your weakest link is between the keyboard and the chair.
Info-Tech Research Group, Inc. is a global leader in providing IT research and advice. Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2015 Info-Tech Research Group Inc.

Slide 2: Our understanding of the problem
This research is designed for:
- CISOs and security managers looking to educate their employees on security best practices and improve their security posture.
- CIOs and IT directors looking to raise the level of security awareness within their organization.
This research will help you:
- Determine what content should be covered in your security training program.
- Leverage training best practices to deliver the material appropriately.
- Measure the level of success of your security awareness and training.
This research will also assist:
- Business executives who are looking to decrease the level of risk that end users can pose to the company.
- HR personnel looking to enhance their training programs for all employees.
This research will help them:
- Assess how to tackle security awareness and training for the general end user.
- Improve the overall risk profile of the organization by protecting the human link.

Slide 3: Executive summary
Situation: Security threats and exploits continue to rise, in the form of advanced persistent threats (APTs) and other attack types. Attackers go after the weakest link within your organization: the people. Whether through a lack of knowledge or a disregard for security, your end users are either the intentional or the unintentional cause of security incidents in your organization.
Complication: Organizations often make large investments in technology-based security controls. Even with these highly advanced (and costly) tools, end users will continue to be one of the weakest links.
Resolution: Increase the knowledge of your end users by creating a comprehensive and engaging security awareness and training program for your organization. Focus on increasing their knowledge within the training, but go beyond it to change their behaviour so that they become security aware. Go beyond the standard classroom-style learning that is expected of training; use new teaching methods and positive reinforcement to ensure that your end users become more security aware. Use Info-Tech's blueprint and methodology to craft a program that will engage your audiences and employees while reviewing important security-related topics with them.
Info-Tech Insight:
1. Security policies are your foundation. For any security awareness and training to be effective, it must be rooted in organizational security policies.
2. Develop an agile program. Applying the agile software development approach to security education is the most effective solution.
3. Test your end users. Any sort of mock or simulated testing of end users' susceptibility to exploitation can be highly informative to your program.
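The third insight, simulated testing of end users, is most often run as a phishing simulation, and it only informs the program if the results are scored the same way every time. The script below is an added example, not part of Info-Tech's blueprint or tools. It assumes a hypothetical campaign event log with one row per user action (SENT, OPENED, CLICKED, SUBMITTED, REPORTED); the sample rows are constructed for illustration. It produces per-department click, credential-submission and report rates over the users who received the lure, the minutes from the first send to the first user report, and the users who clicked in more than one campaign.

```python
"""Phishing-simulation scorecard (added example, not Info-Tech's tooling).

Assumes a hypothetical campaign event log: one row per user action, with the
kinds SENT, OPENED, CLICKED, SUBMITTED (credentials typed into the landing
page) and REPORTED (mail forwarded to security). Sample rows are constructed.
"""
from collections import defaultdict
from datetime import datetime

STAGES = ("SENT", "OPENED", "CLICKED", "SUBMITTED", "REPORTED")

# Constructed sample data: (user, department, event kind, ISO-8601 timestamp).
CAMPAIGN_1 = [
    ("alice", "finance", "SENT", "2015-06-01T09:00:00"),
    ("bob", "finance", "SENT", "2015-06-01T09:00:00"),
    ("carol", "finance", "SENT", "2015-06-01T09:00:00"),
    ("dave", "finance", "SENT", "2015-06-01T09:00:00"),
    ("erin", "engineering", "SENT", "2015-06-01T09:00:01"),
    ("frank", "engineering", "SENT", "2015-06-01T09:00:01"),
    ("grace", "engineering", "SENT", "2015-06-01T09:00:01"),
    ("alice", "finance", "OPENED", "2015-06-01T09:03:10"),
    ("alice", "finance", "CLICKED", "2015-06-01T09:03:40"),
    ("alice", "finance", "SUBMITTED", "2015-06-01T09:04:05"),
    ("bob", "finance", "OPENED", "2015-06-01T09:05:00"),
    ("bob", "finance", "REPORTED", "2015-06-01T09:07:30"),
    ("frank", "engineering", "OPENED", "2015-06-01T09:09:00"),
    ("frank", "engineering", "CLICKED", "2015-06-01T09:09:20"),
    ("erin", "engineering", "REPORTED", "2015-06-01T09:12:00"),
    ("dave", "finance", "CLICKED", "2015-06-01T09:15:00"),
    ("dave", "finance", "REPORTED", "2015-06-01T09:20:00"),  # clicked, then reported
    ("grace", "engineering", "OPENED", "2015-06-01T10:30:00"),
]
CAMPAIGN_2 = [
    ("alice", "finance", "SENT", "2015-09-01T09:00:00"),
    ("dave", "finance", "SENT", "2015-09-01T09:00:00"),
    ("frank", "engineering", "SENT", "2015-09-01T09:00:00"),
    ("alice", "finance", "CLICKED", "2015-09-01T09:02:00"),
    ("dave", "finance", "REPORTED", "2015-09-01T09:04:00"),
    ("frank", "engineering", "OPENED", "2015-09-01T09:10:00"),
]


def parse_events(rows):
    """Turn raw rows into dicts, rejecting unknown event kinds early."""
    events = []
    for user, dept, kind, ts in rows:
        if kind not in STAGES:
            raise ValueError(f"unknown event kind {kind!r} for {user}")
        events.append({"user": user, "dept": dept, "kind": kind,
                       "time": datetime.fromisoformat(ts)})
    return events


def scorecard(events):
    """Per-department rates over users who were SENT the lure. A user counts
    once per stage however many times they clicked, and an unopened mail still
    counts as 'not fooled', so rates stay comparable across campaigns."""
    by_dept = defaultdict(lambda: {s: set() for s in STAGES})
    for e in events:
        by_dept[e["dept"]][e["kind"]].add(e["user"])
    card = {}
    for dept, users in by_dept.items():
        sent = len(users["SENT"])
        if sent == 0:  # activity with no SENT record is bad data: skip it
            continue
        card[dept] = {
            "sent": sent,
            "click_rate": len(users["CLICKED"]) / sent,
            "submit_rate": len(users["SUBMITTED"]) / sent,
            "report_rate": len(users["REPORTED"]) / sent,
            # Clicked and never reported: the users who most need follow-up.
            "clicked_not_reported": sorted(users["CLICKED"] - users["REPORTED"]),
        }
    return card


def minutes_to_first_report(events):
    """Minutes from the first lure going out to the first user report.
    None if nobody reported, which is itself a finding."""
    sent = [e["time"] for e in events if e["kind"] == "SENT"]
    reported = [e["time"] for e in events if e["kind"] == "REPORTED"]
    if not sent or not reported:
        return None
    return (min(reported) - min(sent)).total_seconds() / 60


def repeat_clickers(campaigns, min_campaigns=2):
    """Users who clicked in at least min_campaigns separate campaigns."""
    counts = defaultdict(int)
    for events in campaigns:
        for user in {e["user"] for e in events if e["kind"] == "CLICKED"}:
            counts[user] += 1
    return sorted(u for u, n in counts.items() if n >= min_campaigns)


if __name__ == "__main__":
    c1, c2 = parse_events(CAMPAIGN_1), parse_events(CAMPAIGN_2)
    for dept, row in sorted(scorecard(c1).items()):
        print(dept, row)
    print("minutes to first report:", minutes_to_first_report(c1))
    print("repeat clickers:", repeat_clickers([c1, c2]))
```

Two design choices matter for the program rather than the code. Rates are computed over users who were sent the lure, not over those who opened it, so a department that ignores mail is not penalised and campaigns remain comparable. The report rate is tracked as a positive outcome alongside the click rate, and a user who clicks and then reports still counts as a reporter: that is the behaviour change the slide asks for, and the users to follow up with (ideally with coaching rather than blame, in keeping with the positive reinforcement the resolution calls for) are the ones who clicked in several campaigns without ever reporting.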

Slide 4: Build a security awareness and training program: project overview
Phase 1: Determine the appropriateness. Phase 2: Identify the content. Phase 3: Determine how to execute the plan. Phase 4: Implement the program.
Phase 1: Determine the appropriateness
- Best-practice toolkit: 1. Assess your program appropriateness. 2. Document your need for a program. 3. Define your benefits and objectives for a program. 4. Gain an executive champion. 5. Measure the business satisfaction with security.
- Guided implementations: Determine your program appropriateness. Measure the business satisfaction with security.
- Onsite workshop: Module 1: Determine your appropriateness.
- Phase 1 results: Determined program appropriateness. Identified security alignment.
Phase 2: Identify the content
- Best-practice toolkit: 1. Identify existing security topics and policies. 2. Identify missing security policies. 3. Identify unique security topics. 4. Prioritize your security topics.
- Guided implementations: Identify any missing security policies and topics. Understand the threat intelligence market space and prioritize your content.
- Onsite workshop: Module 2: Identify your content.
- Phase 2 results: Identified the content you will be training your end users on.
Phase 3: Determine how to execute the plan
- Best-practice toolkit: 1. Develop program governance. 2. Perform a current state assessment of your end users. 3. Determine your target state. 4. Develop your communication methods.
- Guided implementations: Create a project charter. Review your program governance and target state. Evaluate communication method options.
- Onsite workshop: Module 3: Determine how to execute your plan.
- Phase 3 results: Developed program governance. Identified target state. Determined communication methods.
Phase 4: Implement the program
- Best-practice toolkit: 1. Create an implementation timeline. 2. Run a pilot program. 3. Develop a review and update process.
- Guided implementations: Create an implementation timeline. Run a pilot program. Develop a review and update process.
- Onsite workshop: Module 4: Implement your awareness and training.
- Phase 4 results: Implementation timeline. Pilot program. Completed planning.

Slide 5: Workshop overview
Day 1 (Preparation): Workshop preparation. Document your current security policy suite and identify any missing security policies that will be needed for your program development. Complete Info-Tech's Security Business Satisfaction and Alignment Report.
Day 2 (Workshop day): Morning: Determine your program appropriateness. Measure the business satisfaction with security and identify your security alignment needs. Afternoon: Identify any missing and unique security topics to be covered in the program. Prioritize your security topics.
Day 3 (Workshop day): Morning: Develop your program governance. Perform a current state assessment. Afternoon: Define your target state. Determine your organizational constraints. Determine communication methods for each audience group.
Day 4 (Workshop day): Morning: Continue to determine communication methods for each audience group. Develop continuous training and development methodologies. Determine end-user testing methods. Afternoon: Create a project timeline. Outline your pilot program.
Day 5 (Working session): Workshop debrief. Develop a program communication plan. Next steps: start development of your agile security awareness and training program.
This workshop can be deployed as either a four- or five-day engagement, depending on the level of preparation completed by the client before the facilitator arrives onsite. The light blue slides at the end of each section highlight the key activities and exercises that will be completed during the engagement with our analyst team. Contact your account representative or email Workshops@InfoTech.com for more information.

Slide 6: Phase 1: Determine the appropriateness (section divider)
Phase 1: Determine the appropriateness. Phase 2: Identify the content. Phase 3: Determine how to execute the plan. Phase 4: Implement the program.

Slide 7: Phase 1 outline
Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.
Guided Implementation 1: Determine your security awareness and training program appropriateness. Proposed time to completion: less than 1 week.
Step 1.1: Determine your program appropriateness
- Complete these activities: Fill out the Information Security Awareness and Training Appropriateness Tool. Document your program appropriateness and benefits in the Information Security Awareness and Training Program Workbook.
- Then speak with an analyst: Review and discuss your results from the tool. Understand how appropriate a program is for your organization compared to others. Determine the main factors contributing to your organization's need for a program.
- Continue your documentation with this template: Information Security Awareness and Training Program Workbook.
Step 1.7: Measure the business satisfaction with security
- Complete these activities: Complete the Security Business Satisfaction and Alignment Report.
- Then speak with an analyst: Have a dedicated results call with an analyst to discuss your results from the diagnostic survey, and understand the implications and how to leverage the results. Discuss your overall program appropriateness.
- With these tools and templates: Security Business Satisfaction and Alignment Report.
Phase 1 results and insights: Determined initial program benefits and rationale for overall appropriateness. Identified current security alignment by end users and IT.
Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

Slide 8: Securing the end user is a major aspect of information security
There are three main areas that security needs to focus on: people, process, and technology.
Most organizations are aware of these three areas; however, many focus purely on the technology and process aspects. This includes investing in security technologies such as SIEM, IDPS, NGFWs, and many more. Technology-focused security controls need to be applied across a breadth of operating systems, mobile devices, and networks, with accompanying processes in place for them to be properly enacted. Beyond that, many full-time employees (FTEs) are often needed to keep these technologies maintained and running smoothly.
The resources and budget spent on the people aspect of security pale in comparison to process and technology. Often, very little resourcing is focused on securing the employees of an organization, with new-hire orientation often being the sole opportunity for users to learn about cybersecurity. Cyber criminals target employees because they know it is possible to get around an organization's defenses through its people.
93% of respondents to an insider threat survey were looking to increase or maintain their existing spend on information security in the upcoming year. Source: 2015 Vormetric Insider Threat Report.
For any organization to succeed with its technology and process related controls, its people need to be security aware and trained. If you don't educate your employees on their responsibility for security, the money spent on technology and processes goes to waste, because you have not secured your weakest link: the people.

Slide 9: Most security breaches are a result of end-user error
End users are often seen as the weakest link in the information security chain. Human error can put an organization largely at risk despite any security technologies or software it may already have in place. Adversaries will attempt to take advantage of users through social engineering and other exploit-based threats. For example, advanced persistent threats (APTs) are often focused on the end user, with social engineering tactics used to gain information.
A separate 2014 study from the Ponemon Institute indicated that the average cost of a data breach due to human error was approximately $160 per record compromised.* 19% of organizations found that the cost of a social engineering incident was more than $100,000; for organizations with more than 5,000 employees, this increased to 30%.* According to a survey about insider threats, only 11% of respondents believed that their organization is not vulnerable to insider risks.** 34% of respondents to that survey felt either very or extremely vulnerable to an insider attack, with 89% finding themselves more at risk now than ever.** Over 95% of all security incidents investigated recognized human error as a contributing factor.***
Insider threats are caused by employees who either actively or accidentally perform actions that put an organization and its information at risk. This has slowly become more complex because it is not just IT staff, but employees, partners, suppliers, and third-party services that have access to company networks and thereby can have access to critical data. Securing against the active and the accidental insider threat takes very different tactics. The active insider threat is willingly malicious; these individuals are detected in similar ways to most external threats. The accidental threat is not necessarily more difficult to detect, but it is almost always more frustrating to organizations. This research focuses on the accidental insider threat.
Sources: * Ponemon Institute, 2014 Cost of a Data Breach. ** 2015 Vormetric Insider Threat Report. *** IBM Security Services 2014 Cyber Security Intelligence Index.

Slide 10: End users today need to be educated and aware of security more than ever
An adversary knows the user is always on, always connected, and increasingly mobile; the opportunity to exploit has exploded.
Once you accept that your preventive security controls won't succeed 100% of the time, you recognize the need for end-user security awareness and training. Most technologies and security processes have long-established best practices and standard operating procedures. This is not true for the end user, who operates in a world of near-complete freedom that keeps expanding. In the end, it is simply not possible to build foolproof security that your end users can't break. Engineering your security controls around your end users is not a winnable strategy. They play a critical role in your organization's security and need to be accounted for when preparing controls and techniques for your technology and processes.

Slide 11: Security culture is the lowest-scoring information security governance and management area
Based on results from 145 unique organizations, Info-Tech Research Group determined that, on average, security culture was the lowest-scoring governance and management area, with a score of 40.5%. In fact, 46% of organizations had security culture as their lowest-scoring governance and management area.
[Chart: lowest-scoring governance and management area, breakdown by % of organizations]

Slide 12: Info-Tech Research Group helps IT professionals to:
- Quickly get up to speed with new technologies.
- Make the right technology purchasing decisions, fast.
- Deliver critical IT projects on time and within budget.
- Manage business expectations.
- Justify IT spending and prove the value of IT.
- Train IT staff and effectively manage an IT department.
Sign up for a free trial membership to get practical solutions for your IT challenges: www.infotech.com
"Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment." - ARCS Commercial Mortgage Co., LP
Toll Free: 1-888-670-8889

