Building a Culture of Digital Self Defense

NYSERNET Conference presentation on building a cyber security culture in higher education: thinking strategically, building a communications plan, best practices in security awareness.

  1. Building a Culture of Digital Self Defense
     Ben Woelk, CISSP, CPTC
     Program Manager
     Rochester Institute of Technology
     4 October 2018
  2. Why Build a Culture of Digital Self Defense? OR
  3. Who Am I?
     • Member, EDUCAUSE HEISC Awareness and Training Working Group
     • Vice President, Society for Technical Communication, Associate Fellow (2018)
     • Adjunct professor teaching Intro to Computing Security and technical communication classes at the Rochester Institute of Technology
     • Practice areas in security awareness, policies and procedures, introverted leadership development, mentoring
     © Ben Woelk 2018
  4. Key Points
     • The Problem
     • Changing the Culture
     • Awareness Plan Basics
     • Measuring Your Success
  5. THE PROBLEM
  6. Security Awareness isn’t Working
     – Why not?
     – “The fact is that people know the answer to awareness questions but they do not act accordingly to their real life (ISF, 2014, NIST, 2003).” (Bada and Sasse, 2014)
  7. Why Not?
     1. Not understanding what security awareness really is
     2. Reliance on checking the box
     3. Failing to acknowledge that awareness is a unique discipline
     4. Lack of engaging and appropriate materials
     5. Not collecting metrics
     6. Unreasonable expectations
     7. Relying upon a single training exercise
     Winkler, Ira, and Manke, Samantha (2013). 7 Reasons for Security Awareness Failure, CSO Magazine, July 10. Retrieved from http://www.csoonline.com/article/2133697/metrics-budgets/7-reasons-for-security-awareness-failure.html
  8. Wrong Behaviors?
     • What are we saying our users should do?
     • Google Research http://googleonlinesecurity.blogspot.com/2015/07/new-research-comparing-how-security.html
  9. THE SOLUTION
  10. Culture Change
     • Culture: the set of shared attitudes, values, goals, and practices that characterizes an institution or organization (Merriam Webster)
     • What would culture change look like?
  11. Success Factors
     1. Security awareness has to be professionally prepared and organised in order to work.
     2. Invoking fear in people is not an effective tactic, since it could scare people who can least afford to take risks.
     3. Security education has to be more than providing information to users – it needs to be targeted, actionable, doable and provide feedback.
     4. Once people are willing to change, training and continuous feedback is needed to sustain them through the change period.
     5. Emphasis is necessary on different cultural contexts and characteristics when creating cyber security-awareness campaigns.
     Bada, Maria; Sasse, Angela; Nurse, Jason R. C. Cyber Security Awareness Campaigns: Why do they fail to change behavior? Conference paper. January 2015.
  12. Making Good Security Habitual
     • Contextualization
     • Repetition and Branding
     • Reward
  13. © Ben Woelk 2018
  14. An impossible dream?
  15. AWARENESS PLANS
  16. Building the Plan
     • Determine Goal
     • Identify and Profile Audience
     • Develop Messages
     • Select Communication Channels
     • Choose Activities and Materials
     • Establish Partnerships
     • Implement the Plan
     • Evaluate and Make Mid-Course Corrections
     Woelk and Schaufler, It Doesn’t Take Magic: Tricks of the Trade to Create an Effective Security Awareness Program
  17. Implementing the Plan
     Topics and Activities (Monthly or Quarterly)
     – Topics (top three cyber security issues)
     – Specific audiences and deliverables
     – Calendar of Deliverables
  18. METRICS
  19. Measuring Your Success
     • What can and should we measure?
       – Number of incidents?
       – Engagement?
       – Specific areas
         • Phishing
         • Compliance issues
         • BYOD or mobile device management
         • Data loss/leakage prevention
     McElroy, Lori, and Eric Weakland. “Measuring the Effectiveness of Security Awareness Programs” (Research Bulletin). Louisville, CO: EDUCAUSE Center for Analysis and Research, December 16, 2013
  20. Discuss
     Ben Woelk
     Ben.woelk@rit.edu
     ben@benwoelk.com
  21. Resources
     • Woelk, Ben. “Building a Culture of Digital Self Defense,” EDUCAUSE Review Security Matters blog, September 20, 2016
     • Woelk, Ben. The Successful Security Awareness Professional: Foundational Skills and Continuing Education Strategies. Research bulletin. Louisville, CO: ECAR, August 10, 2016
     • W.K. Kellogg Foundation, Strategic Communication Plan, https://www.wkkf.org/resource-directory/resource/2006/01/template-for-strategic-communications-plan
     • Various, EDUCAUSE Security Awareness https://library.educause.edu/topics/cybersecurity/security-awareness
     • Templates, Presentation, Resources list https://drive.google.com/drive/folders/0B45bhFW7CueDbkVGQ1JXMzdFYXM?usp=sharing
  22. Thank You
