Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lance Spitzner

Published byJacob Hicks Modified over 9 years ago

Similar presentations

Presentation on theme: "Lance Spitzner"— Presentation transcript:

1 Lance Spitzner www.securingthehuman.org/blog lspitzner@sans.org @securethehuman

2 Non-Existent Compliance Focused Promoting Awareness & Change Long Term Sustainment Metrics Security Awareness Maturity Model

3 Useful Metrics Focus on just a few, high-value metrics. –A metric that measures a human risk or behavior that you care about –A metric that is actionable –A metric that is low cost/automated –A metric that repeatable

4 2 Types of Awareness Metrics Metrics that measure the deployment of your awareness program. Are you compliant? Metrics that measure the impact of your awareness program. Are you changing behavior?

5

6 Key Points Computers do not have feelings, but people do. Announce and explain your metrics program ahead of time, then start slow & simple Do not embarrass people nor release names of those who fail to management. Only notify management of repeat offenders. Focus on real-world risks, do not ‘trick’ people.

7 Example Metric - Phishing Recreate the very same attacks that the bad guys are launching. Excellent way to measure change in behavior. –Measures a top human risk –Simple, low-cost and easy to automate –Repeatable and quantifiable measurements –Actionable

8 Get Approval Before conducting any type of assessment, make sure you have appropriate approvals. If you can’t get approval, try a test run against the blockers (HR, Legal). Make sure security team knows ahead of time. Let them know each time you do it and whom to contact when things go wrong.

9 Example

10 Click Results If an end user falls victim to an email assessment, you have two general options –Error message/no feedback –Immediate feedback that explains this was a test, what they did wrong and how to protect themselves

11

12 Follow-up Send results of test to all employees 24 hours later. Explain the results, how they could have detected phishing email and what to look for in the future. Include an image of phishing email. Include your monthly security awareness newsletter.

13 Violations First violation: Employee is notified and given additional or follow-up training. Second violation: Employee is notified and manager is copied. Third violation: Manager is required to have meeting with employee and report results to security. Fourth violation: Employee reported to HR.

14 The Impact First phish: 30-60% fall victim. 6-12 months later: As low as 5%. The more often the assessments, the more effective the impact. –Quarterly: 19% –Every other month: 12% –Monthly:05% Over time, you will most likely have to increase the difficulty of the tests.

15 Human Sensors Another valuable metric is how many reported the attack. At some point, you may need to develop a policy on what to report. For example: –Do not report when you know you have a phish. Simply delete. –Report if you don’t know (think APT). –Report if you fell victim.

16 How To Phish URL Shorteners Email Marketing Solutions Cloud Phishing Services Pen Testing Software

17

18 The Attack

19

20 Are People Updating Devices?

21 Physical Security Behaviors See if an unauthorized person can enter or walk around facilities without an ID badge. Check desktops to make sure computer screens are locked and there is no sensitive information left on desks. Check parked cars for mobile devices left in the open.

22 Number of Infected Computers Track the number of infected computers on monthly a basis. As most infections are the result of human behavior, the number should go down over time. One Defense Industry organization had such a dramatic drop in infections they could free up half a FTE (Full-Time Employee).

23 Visualizing Your Measurements

24 Next Generation Awareness 3 rd Generation STH will be about understanding and measuring User Risk – security and compliance TOGETHER. Measurable metrics to understand whether you’re winning or losing. SANS Security Awareness Summit will have a focus around this initiative – 10 September 2014 in Dallas. Interested in being involved in the development of this new approach? - John Fitzgerald (jfitzgerald@sans.org).

25 Summary Metrics are a powerful way to both measure and reinforce your awareness program. securingthehuman.org/resources/metrics sans.org/mgt433

Download ppt "Lance Spitzner"

Similar presentations

NIMAC 2.0: The Accessible Media Producer Portal NIMAC 2.0 for AMPs.

NIMAC 2.0: The Accessible Media Producer Portal NIMAC 2.0 for AMPs.
INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.

INADEQUATE SECURITY POLICIES Each covered entity and business associate must have written polices that cover all the Required and Addressable HIPAA standards.
A note for you We have created this presentation for you, the outstanding employee who has IT security on the brain. We want to help you spread the word.

A note for you We have created this presentation for you, the outstanding employee who has IT security on the brain. We want to help you spread the word.
HR Time Collection System. Time Collection System Overview Types of Time Collection Devices (TCD) Kaba web clockKaba wall clock.

HR Time Collection System. Time Collection System Overview Types of Time Collection Devices (TCD) Kaba web clockKaba wall clock.
Supervisor Training - Student Job Workflow Presentation by Kathy Johnson Select Applicant Choose Action Move in Workflow 1.

Supervisor Training - Student Job Workflow Presentation by Kathy Johnson Select Applicant Choose Action Move in Workflow 1.
Everything you want to know about managing mobile devices in the enterprise Ivan Hemmans hemmans.com From A to Z.

Everything you want to know about managing mobile devices in the enterprise Ivan Hemmans hemmans.com From A to Z.
The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.

The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.
Module 6 Reinforcement Activity Risk Management

Module 6 Reinforcement Activity Risk Management
Www.audiblemagic.com Audible Magic Corporation 985 University Avenue #35 Los Gatos, CA 95032 USA 408.399.6405 x145 www.audiblemagic.com Tools to Help Universities.

Audible Magic Corporation 985 University Avenue #35 Los Gatos, CA USA x145 Tools to Help Universities.
CVM EMPLOYEE KABA GUIDE. WHAT IS Kaba? Beginning Saturday, September 27th, temp employees who have been submitting bi-weekly timesheets will now enter.

CVM EMPLOYEE KABA GUIDE. WHAT IS Kaba? Beginning Saturday, September 27th, temp employees who have been submitting bi-weekly timesheets will now enter.
Internet Security PA Turnpike Commission. Internet Security Practices, rule #1: Be distrustful when using the Internet!

Internet Security PA Turnpike Commission. Internet Security Practices, rule #1: Be distrustful when using the Internet!
Network security policy: best practices

Network security policy: best practices
Turn ordinary workers into unstoppable teams.. Validate skills using the 2007 Microsoft ® Office system. Microsoft Business Certification represents an.

Turn ordinary workers into unstoppable teams.. Validate skills using the 2007 Microsoft ® Office system. Microsoft Business Certification represents an.
Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer

Citadel Security Software Presents Are you Vulnerable? Bill Diamond Senior Security Engineer
Turn ordinary workers into unstoppable teams.. Validate skills using the 2007 Microsoft ® Office system. Microsoft Business Certification represents an.

Turn ordinary workers into unstoppable teams.. Validate skills using the 2007 Microsoft ® Office system. Microsoft Business Certification represents an.
Turn ordinary workers into unstoppable teams.. Validate skills using the 2007 Microsoft ® Office system. Microsoft Business Certification represents an.

Turn ordinary workers into unstoppable teams.. Validate skills using the 2007 Microsoft ® Office system. Microsoft Business Certification represents an.
St. Mark’s Community Service 2012-2013 New Website and x2VOL Sophomores, Juniors, and Seniors August 27, 2012.

St. Mark’s Community Service New Website and x2VOL Sophomores, Juniors, and Seniors August 27, 2012.
Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.

Lean and (Prepared for) Mean: Application Security Program Essentials Philip J. Beyer - Texas Education Agency John B. Dickson.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Comprehensive Training for Distributor on Help Desk Application

Comprehensive Training for Distributor on Help Desk Application

Similar presentations

Ads by Google