Published by Lennart Hermann. Modified over 5 years ago.

LAB2-R04: Achieving and Measuring Success with the Security Awareness Maturity Model
Lance Spitzner, Director, SANS Securing The Human, @lspitzner
Security Controls: Windows OS vs. Human OS, 2002 to 2014 (figure: timeline)
Windows OS controls introduced over the period: Trustworthy Computing, Microsoft Secure Development Lifecycle, Software Restriction Policies, Baseline Security Analyzer, Automatic Updating, Malicious Software Removal Tool, Firewall Enabled by Default, Data Execution Prevention (DEP), Encrypted File System, Windows Defender, User Account Control, Mandatory Integrity Control, Windows Service Hardening, BitLocker, ASDL, AppLocker, Microsoft Security Essentials, EMET.
Human OS: shown on the same 2002 to 2014 timeline for comparison.
Security Awareness Maturity Model
Stages, from least to most mature:
- Non-existent
- Compliance Focused
- Promoting Awareness & Behavior Change
- Long-Term Sustainment & Culture Change
- Metrics Framework
BJ Fogg Model
Your Strategic Plan: WHO, WHAT, HOW
WHAT is what we will focus on today, completing two group labs. WHAT is also what drives your metrics.
WHAT Do You Teach?
Focus on topics that have the greatest ROI:
- People can remember only so much (cognitive overload)
- You have limited time and resources to teach
- Fewer topics are easier to reinforce
- Avoid "training fatigue"
Identify the greatest human risks to your organization, and then develop training modules to address each of those risks.
Start With Key Assets / Data
- For most organizations, key assets are your data
- Identify who is handling your most sensitive data and how
- This will help identify your highest-risk areas / highest-risk target groups
- Then identify what threats / behaviors expose that data to the greatest risk (don't worry about prioritizing yet)
Past Assessments / Incidents
- Any penetration tests in the past 6-12 months? If so, which human risks were identified?
- What were the most common or damaging human-related incidents in the past 6-12 months?
- Take your Incident Response and Help Desk teams out to lunch. They are great sources of information.
Verizon DBIR
Staying Current on Human Risks
Blogs / Twitter are a great way to stay current:
- @schneierblog
- krebsonsecurity.com, @briankrebs
- taosecurity.blogspot.com, @taosecurity
- isc.sans.org, @sans_isc
- nakedsecurity.sophos.com, @nakedsecurity
Measuring Your Human Risk
Every organization measures risk differently; use what works best for your organization.
- Quantitative: a precise / accurate measurement that produces a numeric value; a complex and time-consuming approach
- Qualitative: an estimate or comparative measurement (high, medium, low); a fast and simple approach
Qualitative Analysis
Probability and Impact are each rated on a five-step scale: VH / 5, H / 4, M / 3, L / 2, VL / 1. Risk Score = Probability x Impact. Each topic is plotted as an X on the Probability-vs-Impact matrix.

Topic            | Probability | Impact | Risk Score
Phishing         | 4           | 4      | 16
Tracking Cookies | 5           | 1      | 5
Lab: Prioritize Your Human Risks
- You have identified 18 human risks in your organization; prioritize the top nine for your organization. This is your Core training for all employees.
- You can find a description of each risk/topic in your Lab workbook.
- Be sure to take into consideration your existing technical controls and past training.
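The qualitative scoring from the previous slide, carried through the lab's "18 risks, keep nine" exercise, as an added example that is not part of the deck. It maps the VH/H/M/L/VL labels to 1-5, computes Risk Score = Probability x Impact, breaks ties toward higher impact, and returns the top nine. The 18 topic names and their ratings are constructed for illustration; only Phishing (4, 4) and Tracking Cookies (5, 1) carry the ratings shown on the slide.

```python
"""Qualitative human-risk prioritization (added example, not from the slides)."""
from dataclasses import dataclass

# The five-step scale used on the Qualitative Analysis slide.
SCALE = {"VH": 5, "H": 4, "M": 3, "L": 2, "VL": 1}


@dataclass(frozen=True)
class RiskTopic:
    name: str
    probability: str  # one of VH / H / M / L / VL
    impact: str       # one of VH / H / M / L / VL

    @property
    def score(self) -> int:
        # Risk Score = Probability x Impact, exactly as on the slide's table.
        return SCALE[self.probability] * SCALE[self.impact]


def rate(name: str, probability: str, impact: str) -> RiskTopic:
    """Build a topic, rejecting unknown labels up front instead of failing later."""
    for label in (probability, impact):
        if label not in SCALE:
            raise ValueError(f"{name}: unknown rating {label!r}; use one of {sorted(SCALE)}")
    return RiskTopic(name, probability, impact)


def prioritize(topics, top_n: int = 9):
    """Topics sorted by risk score, highest first.

    Ties go to the higher impact, then higher probability, then name, so the
    result is deterministic and a high-impact risk is not dropped on a coin flip.
    """
    ordered = sorted(
        topics,
        key=lambda t: (-t.score, -SCALE[t.impact], -SCALE[t.probability], t.name),
    )
    return ordered[:top_n]


def risk_matrix(topics):
    """The 'X' marks on the slide's matrix: (probability, impact) -> topic names."""
    grid = {}
    for t in topics:
        grid.setdefault((SCALE[t.probability], SCALE[t.impact]), []).append(t.name)
    return grid


# Constructed sample of 18 topics, as in the lab. Ratings are illustrative
# except Phishing (H, H) and Tracking Cookies (VH, VL), which come from the slide.
SAMPLE_TOPICS = [
    rate("Phishing", "H", "H"),
    rate("Tracking Cookies", "VH", "VL"),
    rate("Passwords", "H", "VH"),
    rate("Social Engineering (phone)", "M", "H"),
    rate("Mobile Device Loss", "M", "H"),
    rate("Removable Media", "L", "H"),
    rate("Data Handling", "M", "VH"),
    rate("Working Remotely", "M", "M"),
    rate("Social Networking", "H", "L"),
    rate("Physical Security", "L", "M"),
    rate("Browser Security", "H", "M"),
    rate("Email Attachments", "H", "H"),
    rate("Wireless Networks", "M", "L"),
    rate("Encryption", "L", "M"),
    rate("Insider Threat", "VL", "VH"),
    rate("Cloud Services", "M", "M"),
    rate("Software Updates", "M", "H"),
    rate("Hoaxes", "M", "VL"),
]

if __name__ == "__main__":
    print(f"{'Topic':28} Prob Impact Score")
    for t in prioritize(SAMPLE_TOPICS):
        print(f"{t.name:28} {SCALE[t.probability]:>4} {SCALE[t.impact]:>6} {t.score:>5}")
```

Running the block prints the nine-topic Core list; `risk_matrix` gives the cell-by-cell view for the Prioritization Matrix slide, which is useful for spotting the low-probability / very-high-impact topics (Insider Threat in the sample) that a pure score ranking pushes below the cut line.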
Prioritization Matrix
Top Risks?
- Which topics do you feel are the most important and why?
- Which topics would you eliminate and why?
- What was missing?
- Which topic would you start and end with?
Want to learn more about risk analysis? Consider SANS MGT415.
Learning Objectives
- Your job is only half done; you now need to identify what behaviors manage those top risks
- Create a separate learning objectives document for each risk
- This is a living document that covers the target, goal, and learning objective of each risk
Sample Learning Objectives
Example Learning Objectives
Typical Password Learning Objectives
A common security awareness topic is passwords:
- Minimum of 12 characters
- 1 symbol
- 1 number
- 1 capital letter
- No two repeated letters
- Change every 90 days
Costs associated with this
What Are We Missing?
- Do not get infected
- Do not share your passwords
- Do not log in using untrusted systems
- Personal questions are just another password
- Passphrases: Where is my Coffee?
- Password Managers
- Use two-step verification whenever possible
Lab: Learning Objectives
- Pick one of the most important topics from your top nine topic list
- Document that topic using the Learning Objective template
- What did you pick and why?
Example Metric: Phishing
Phishing is a useful metric for most organizations:
- Measures a key human risk organizations care about
- Simple, low cost and easy to repeat
- Quantifiable measurements that are actionable
- 90% fall victim in the first hour
Key Points
- Biggest difference between technical and human metrics is that humans have feelings
- Announce your metrics program ahead of time, and then start slow and simple
- Do not embarrass people (no Viagra emails)
- Do not release names of those who fail. Only notify management of repeat offenders
- Focus on real-world risks, do not "trick" people
- Always make sure there are at least two ways to detect an assessment
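The phishing metric from the Example Metric slide and the "repeat offenders only" rule from the Key Points above, worked as an added example that is not from the deck. It reduces a constructed event log for a simulated phishing assessment to the numbers a program would track: click rate, report rate, the share of clicks that land in the first hour of sending (the slide's 90% figure is the kind of value this produces), how many people reported before clicking, and which recipients clicked in two or more campaigns. The recipient IDs and timings are constructed; the event names and the one-hour window are assumptions of this example.

```python
"""Phishing assessment metrics (added example, not from the slides)."""
from collections import defaultdict

# Event kinds assumed by this example; each record is (recipient_id, kind, minutes_after_send).
EVENT_KINDS = {"sent", "clicked", "reported"}
FIRST_HOUR_MINUTES = 60


def campaign_metrics(events):
    """Aggregate one campaign's events into per-campaign rates.

    Only the first click / first report per recipient counts, so a user who
    clicks twice is still one failure and not an inflated click rate.
    """
    sent, first_click, first_report = set(), {}, {}
    for rid, kind, minute in events:
        if kind not in EVENT_KINDS:
            raise ValueError(f"unknown event kind {kind!r} for {rid}")
        if kind == "sent":
            sent.add(rid)
        elif kind == "clicked":
            first_click[rid] = min(minute, first_click.get(rid, minute))
        else:
            first_report[rid] = min(minute, first_report.get(rid, minute))

    # Ignore events for IDs that never received the email (bad data, not behavior).
    clicked = {r for r in first_click if r in sent}
    reported = {r for r in first_report if r in sent}
    n = len(sent)
    within_hour = sum(1 for r in clicked if first_click[r] <= FIRST_HOUR_MINUTES)
    reported_before_click = sum(
        1 for r in reported if r not in clicked or first_report[r] < first_click[r]
    )
    return {
        "recipients": n,
        "click_rate": len(clicked) / n if n else 0.0,
        "report_rate": len(reported) / n if n else 0.0,
        # Share of all clicks that happened in the first hour: tells you how
        # little time detection and response actually have.
        "clicks_in_first_hour_share": within_hour / len(clicked) if clicked else 0.0,
        "reported_before_clicking": reported_before_click,
    }


def repeat_clickers(campaigns, threshold=2):
    """Recipients who clicked in at least `threshold` campaigns.

    This is the only per-person list the deck says should leave the team, and
    it goes to management, not to peers.
    """
    counts = defaultdict(int)
    for events in campaigns:
        for rid in {r for r, kind, _ in events if kind == "clicked"}:
            counts[rid] += 1
    return sorted(r for r, c in counts.items() if c >= threshold)


# Constructed sample: ten recipients, two campaigns. Minutes are relative to send time.
CAMPAIGN_1 = [(f"u{i:02d}", "sent", 0) for i in range(1, 11)] + [
    ("u01", "clicked", 5),
    ("u02", "clicked", 12),
    ("u02", "reported", 30),   # reported, but only after clicking
    ("u03", "clicked", 40),
    ("u04", "clicked", 130),   # outside the first hour
    ("u05", "reported", 20),
    ("u06", "reported", 90),
]
CAMPAIGN_2 = [(f"u{i:02d}", "sent", 0) for i in range(1, 11)] + [
    ("u01", "clicked", 3),     # second campaign, same user: repeat clicker
    ("u07", "clicked", 50),
    ("u08", "reported", 15),
]

if __name__ == "__main__":
    for label, events in (("campaign 1", CAMPAIGN_1), ("campaign 2", CAMPAIGN_2)):
        print(label, campaign_metrics(events))
    print("repeat clickers (management only):", repeat_clickers([CAMPAIGN_1, CAMPAIGN_2]))
```

The report rate and the reported-before-clicking count are the numbers that grow as a program matures; the click rate alone measures the campaign, not the change in behavior. Keeping the per-person detail inside `repeat_clickers` (rather than printing every clicker) mirrors the slide's rule that names of those who fail are not released.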
Click Results
If an end user falls victim to a phishing assessment, you have two general options:
- No feedback
- Immediate feedback that explains this was a test, what they did wrong, and how to protect themselves
Human Risk Survey
- Sometimes, the simplest way to measure a behavior is to simply ask
- Survey can measure behaviors that you normally do not have access to
- Survey can also measure attitudes and perceptions (culture)
- Think of a human risk survey as a human vulnerability scanner
Data May Already Be There
There may not be a need to collect data because you already have the data. Check with:
- Security Operations Center
- Incident Response Team
- Help Desk
- Human Resources
Example: Number of infected computers per month
Summary
- Key to building a mature awareness program is having a strategic plan that answers WHO, WHAT and HOW
- WHAT consists of two parts, prioritizing your top human risks and then identifying the key behaviors that manage that risk
- Those key behaviors drive your metrics
- Often the hardest part about awareness is NOT deciding what to teach, but deciding what NOT to teach.
Webcasts / Courses / Summits
securingthehuman.sans.org/events