Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014.

Published byElfrieda Todd Modified over 9 years ago

Similar presentations

Presentation on theme: "The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014."— Presentation transcript:

1 The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014

2 AGENDA FOR THIS SESSION  Why technical defenses are not enough  Formal policy vs. training and awareness  What does an effective security awareness program look like?

3 LESSONS FROM DATA BREACHES Epsilon – spear phishing attack AOL – not understanding data classification Google, Yahoo and 18 others: users needed to update browsers Gawker Media –used weak passwords for multiple applications Target – began with phishing attack on 3 rd party

4 FORMAL POLICY Provides management guidance and intention Protects company liability Must be “translated” into key concepts and messages Requires partnership with Human Resources

5 What does an effective security awareness program look like?

6 KNOW YOUR AUDIENCE Language Work environment Types of computing devices Job roles

7 KEEP IT SIMPLE

8 REPEAT…REPEAT…REPEAT Screensavers Newsletters Posters Online training Webinars

9 EXPLAIN WHY

10 MAKE IT FUN!

11 ASK FOR FEEDBACK

12 TRACK AND MEASURE

13 RECOGNITION AND REWARDS

14 AWARENESS TOPICS How to spot Key logging devices Is Email Spam Harmful? Watering hole attacks Storing paper records Visitors who may be imposters Are cookies bad for you? All about malware

15 MORE AWARENESS TOPICS Create and remember strong passwords Get Going with Mobile Security What is a mobile botnet? Found any free USB drives? What did you capture on camera? Erase those whiteboards! We love to share email chain letters

16 AND MORE AWARENESS TOPICS Dialing for Dollars: Phone Scams Cell phone ringtone scams Dangers of Counterfeit Software Wi-Fi Security Tips at Home Email Etiquette for Your Career Has your Facebook account been hacked?

17 STANDARDS NIST Special Publication 800-50 “Building an Information Technology Security Awareness and Training Program” ISO 27002:2013 Section 7.2.2 Deliver Information Security Awareness Programs Australian Government: Protective Security Governance Guidelines – Security Awareness Training

18 COST OF SECURITY AWARENESS Budgetary Planning: $5 - $10 per person per year Online courses Posters, Screen savers Newsletters Pens, Buttons, Etc.

19 WRAP UP AND QUESTIONS Is an annual awareness session adequate? Are acknowledgments of policy enough? Are there better ways to audit that will help to drive improvement?

Download ppt "The Most Critical Risk Control: Human Behavior Lynn Goodendorf Director, Information Security Atlanta ISACA Chapter Meeting June 20, 2014."

Similar presentations

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.

ANNUAL SECURITY AWARENESS TRAINING – 2011 UMW Information Technology Security Program Annual Security Awareness Training for UMW Faculty and Staff.
MOBILE DEVICES & THEIR IMPACT IN THE ENTERPRISE Michael Balik Assistant Director of Technology Perkiomen Valley School District.

MOBILE DEVICES & THEIR IMPACT IN THE ENTERPRISE Michael Balik Assistant Director of Technology Perkiomen Valley School District.
SECURITY AND INFORMATION SYSTEMS THE EVOLUTION OF SECURITY SYSTEMS Created By: Jamere Hill Instructor: Kyhia Bostic Section 19653 University of Houston.

SECURITY AND INFORMATION SYSTEMS THE EVOLUTION OF SECURITY SYSTEMS Created By: Jamere Hill Instructor: Kyhia Bostic Section University of Houston.
K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.

K eep I t C onfidential Prepared by: Security Architecture Collaboration Team.
Information Security Awareness Training

Information Security Awareness Training
Security Awareness Lloyd Guyot – Steelcase Ed Jaros – Tenundra Inc. July 17, 2003.

Security Awareness Lloyd Guyot – Steelcase Ed Jaros – Tenundra Inc. July 17, 2003.
Chapter 8 Chapter 8 Digital Defense: Securing Your Data and Privacy

Chapter 8 Chapter 8 Digital Defense: Securing Your Data and Privacy
9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.

9/20/07 STLSecurity is Everyone's Responsibility 1 FHDA Technology Security Awareness.
Welcome to New Hire Orientation Information Security

Welcome to New Hire Orientation Information Security
CS691 Robin Kimzey Cell Phone Security a little computer in your pocket an easy target for malcontents.

CS691 Robin Kimzey Cell Phone Security a little computer in your pocket an easy target for malcontents.
New Faculty Orientation to Privacy and Security at UF Susan Blair, Chief Privacy Officer Kathy Bergsma, Information Security.

New Faculty Orientation to Privacy and Security at UF Susan Blair, Chief Privacy Officer Kathy Bergsma, Information Security.
INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.

INFORMATION SECURITY UPDATE Al Arboleda Chief Information Security Officer.
Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.

Threats and ways you can protect your computer. There are a number of security risks that computer users face, some include; Trojans Conficker worms Key.
Threats to I.T Internet security By Cameron Mundy.

Threats to I.T Internet security By Cameron Mundy.
Information Security Technological Security Implementation and Privacy Protection.

Information Security Technological Security Implementation and Privacy Protection.
Protecting Yourself Online (Information Assurance)

Protecting Yourself Online (Information Assurance)
Design of a cyber security awareness campaign for Internet Cafés users in rural areas WA Labuschagne, MM Eloff, N Veerasamy, L Leenen, M Mujinga CSIR /

Design of a cyber security awareness campaign for Internet Cafés users in rural areas WA Labuschagne, MM Eloff, N Veerasamy, L Leenen, M Mujinga CSIR /
TITLE : E-SAFETY NAME : ABDUL HAFIQ ISKANDAR BIN ROZLAN PROGRAM : SR221 NO.STUDENT : 2011390663.

TITLE : E-SAFETY NAME : ABDUL HAFIQ ISKANDAR BIN ROZLAN PROGRAM : SR221 NO.STUDENT :
Implementing Security Education, Training, and Awareness Programs

Implementing Security Education, Training, and Awareness Programs
ISMS for Mobile Devices Page 1 ISO/IEC 27001 Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.

ISMS for Mobile Devices Page 1 ISO/IEC Information Security Management System (ISMS) for Mobile Devices Why apply ISMS to Mobile Devices? Overview.

Similar presentations

Ads by Google