Building a Security Awareness Program that just fits.

Today I will not provide you with another chapter from my book draft but talk about a topic that fascinates me since some time.



 

Awareness trainings are the neglected pillar of cybersecurity, especially when a CISO has a strong technical background, like I have. When I think about cybersecurity I think about SECURITY people that follow SECURITY processes and policies which are implemented with SECURITY tools, because as security engineer I learnt over many years how to to solve problems with algorithms, compilers, and machines. During my career the number of people I was responsible for increased a lot and at the same time these people are less and less IT-aware.


Maybe you know this path and thinking, then I would recommend you to take a look into the event logs of a virus scanning tool or intrusion prevention system. Funny, but 99,99% of the events are caused through people! And what happens outside your infrastructure, or by "out of bound" attacks to circumvent detection systems (e-mail vs social media)?
So, there is no reason to build thicker walls to protect the people, instead help your colleagues to protect themselves.
Don't tell them what not to do, but tell them what works to protect them.

Building a security awareness program is like building a vulnerability management program for people. (little joke) It makes a lot of sense to put the majority of your effort into the planning phase to get the ground work right and not just rent a of-the-shelf information security training e-learning program that every employee has to go through once a year. For compliance reason that might make sense, but personally I always challenged myself in being faster than last time clicking through such trainings and never fully followed the content. Maybe I was not the only one.

For me the following steps worked well to define a awareness training that just fits. So far I don't have long-term data to share but will do so later.

1.) What are your goals?
What would you like to achieve with the training? Like, an improved security posture for the company. Reaching every employee at least once a year. Teaching what matters. But also fulfilling compliance requirements.
How should employees perceive the training? Like, it should fit their daily work and their tight  schedule.

2.) What is the threat landscape of your company?
While the goals are the governing framework of how to teach and how to measure, this question will lead us to the "What" - the content of the training.

Your threat landscape is build of requirements which come from 3 directions:
  • Compliance: PCI-DSS, your cyber insurance, data protection law, contractual requirements, and so on
  • Crown jewels: The critical business processes, that are essential to make money and if disrupted or stolen brings your company's income to 0 very quickly
  • Adversary interest or intent: like copying the recipe of a vaccine, causing reputational damage to get a competitive advantage, mass spreading ransomware (which makes you just a random victim), stealing company budget with BEC...
Don't limit your view to cyber, talk to your enterprise risk manager (ERM), business continuity management (BCM) team, or to the C-level managers to get a complete view.

BTW. to quantify the "How" of attack vectors and the "How" of the amount of cost the Data Breach Report from IBM is a very good source.
 
3.) Adversary personas
To further define the "What" we need to dig deeper into the adversary interest. Here you can let your creativity run (almost) free.

I would assume that most companies are not the daily target of nation-sate actors. Nevertheless if you are part of an international company think about subsidiaries close to governments known for their cyberattack capabilities and their strong cybercrime scene, like North Korea, China, Iran, Russia, and also the USA and some NATO partner states. Your subsidiary might become of interest if you transfer a lot of money world-wide, have huge Internet outlets or knots, doing research, being political engaged, or are the top vendor for a key technology (this often affects SME here in Germany).
 
But as I said, don't let your creativity fly too high and lose ground.
Talk to ERM and the legal department to better understand the history of your business risks.
 
The corporate (cyber)crime aims to get a competitive advantage not just by stealing money but also by damaging your company's reputation.

If you are responsible for the cybersecurity of a University your adversary persona might look out for details of upcoming exams or wants to change grades.
 
What is mostly ignored is the insider threat, either intentionally or accidentally. If I sum up the categories of the root causes for malicious data breaches from the IBM Data Breach Report where employees are the target or the actor, than I get 29%. 1/3 of all data breaches are caused by employees, either directly or indirectly. And this number does not count people leaving the company, starting at a competitor and taking secret business information with them! 

The term "persona" is from the UX design domain as far as I know, and we will use it that way later for the employees. For the adversary I recommend using the "diamond model" (see my blog post "Terminology, Frameworks and Standards - Part 2"). By using this model you have the ability to bring the intent and the technology used together on the "social-political axis" and the "technology axis".

4.) What topics to teach?
Now you know what your threats are, these are the topics to teach.

5.) How to measure success?
I am sure you know the quote "You can't manage what you can't measure" (the author is unknown as far as I know), anyway before you start your awareness campaign make sure you have a good way to measure your impact to the people of the company.

For example if you came to the conclusion that ransomware is a big issue for you ("What to teach") than you should be able to analyze the antivirus scanner, endpoint detection agent, IPS, web-proxy blacklist, etc etc log files to see if the number of detected malware decreases (this value needs to be normalized to the overall malware volume).
If your topic is Phishing, run a simulated phishing campaign and measure the "click rates".

I think you got it.

6.) Employee personas
To understand the people you need to protect send special questionnaires about age, gender, interest, work style and work tools etc to the line managers of your company to get a better understanding.
 
If we stick to the analogy of having a "vulnerability management program for people", then this is your asset database. :-)
 
Create personas for your leadership team, blue collar workers, marketing personal, the HR department and so on (check the org-chart). These are your "fishes" and the "bait" has to be tasty for the "fish" not for the "fisher" (you).

7.) How to teach the topics?
Think about which kind of training best fits the employee personas you just generated. Of course you still can do the yearly information security training for compliance reasons if you have to but to really reach out and change something, create content and use channels that fit your colleagues:
  1. ad-hoc e-mails for critical and hot topics
  2. 1:1 training for members of the executive board
  3. 2 to 5 minute videos for blue collar workers
  4. fancy comic style one pagers for the marketing people
  5. short checklists with easy language for Boomers, finance, purchasing
  6. games for ...
  7. and deep technical training for IT staff
Tell your colleagues always why there is a problem and not only what to do and not to do.

8.) And finally the awareness training content

With all the information you gathered in the previous steps you have the puzzle pieces to create the training material that just fits!



Popular posts from this blog

Release #3: Terminology, Frameworks and Standards - Part 1

Image
I n my previous blog posting we defined our CDC, the function it provides and introduced some basic terms. Next we will look at catalogues and models that help defenders to understand the actions of attackers. The MITRE ATT&CK catalogue categorizes typical attack techniques and tactics and provides many additional information which is often very helpful in the daily life of a CDC architect or analyst. Info Box Tactics, Techniques and Procedure (TTPs) ! TTPs are an attacker's actions, regardless of the phase in the kill chain. This refers to tactics, techniques and procedures, not the underlying strategy.   MITRE ATT&CK™ Matrix The MITRE ATT&CK™ Framework describes itself on the web page (https://attack.mitre.org/) as follows: MITRE ATT&CK™ is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for th
Read more

Facebook: Magnitude of the leaked data

Image
About 2 days ago bleepingcomputers reported about a leak of over 500.000.000 Facebook user records. Scratching the surface revealed that the data is available to nearly everyone. Here are some numbers to estimate the magnitute of the leak. 77 Gb of plaintext data from 105 countries world wide can be found on the Internet. Some indicators make clear that at least part of the data is from 2019, but only Facebook can make clear if there is also more current data included. The collections seem not to be from one web scraping session, but might be local web scraping campaigns in each country. Some file names are even in local languages. A world map with all countries (file size in MB).     Here are the top 20 based on file size in MB.   The data is of the following categories. name sex relationship status address employer email address (very seldom) year of birth (very seldom) telephone number (very seldom) some dates and IDs Note that citizens from various EU states are affected which is
Read more

Release #1: Cyber Defense in highly regulated Markets - Intro

T oday, in the middle of the 21st century terms like "Cyberwar" and "Cybercrime" are omnipresent in our society. Fortunately the Cyberwar is (yet) no real war between states; instead it is a mixture of sabotage, espionoage, psyops, manipulation of information and as well the theft of money(1)(2)(3). The relams of nation-state hackers and cyber crimnals and also tradional crimnals overlap because it is oportunistic ("Go where the money is.").(4)   Between the 80s and the 90s of the 20th century our current situation was mostly just in the heads of computer nerds and cyberpunk authors. Some of the computer freaks stepped over the border, people that were called "Hackers" pushed the technology and thinking beyond its intention and limits, found failures (bugs) in the systems and codes to get control over telephone and computer systems for fun and to learn how they work. In these days every bigger IT company had their own Unix-flavor with their own h
Read more