Cybersecurity: Managing Human Risk
https://sans.org/security-awareness
The Problem
The goal here is to first explain to leadership what the problem is.
[Figure: Security Controls over time, 2002 to 2018. Series: WindowsOS, HumanOS. Labelled controls: Trustworthy Computing, Software Restriction Policies, Automatic Updating, Microsoft Secure Development Lifecycle, Firewall Enabled by Default, Baseline Security Analyzer, Data Execution Protection (DEP), Malicious Software Removal Tool, Windows Defender, ASDL, User Account Control, Bitlocker, Windows Service Hardening, Mandatory Integrity Control, AppLocker, Encrypted File System, Microsoft Security Essentials, EMET, Credential Guard, Biometrics, Edge Browser.]
Technology vs. Human Investment
[Figure labels: Human, Laptop, Resources]
CEO Fraud
• The best way to demonstrate how bad guys are bypassing technology by targeting the human is to walk through a real, targeted attack.
• Also known as a BEC (Business Email Compromise) attack.
The Solution
Explain to leadership what a security awareness program is and how it is a control to manage human risk.
NOTE: In the notes section below are case studies of how others obtained support for their awareness program.
Security Awareness Maturity Model
• Non-existent
• Compliance Focused
• Promoting Awareness & Behavior Change
• Long-Term Sustainment & Culture Change
• Metrics Framework
Common Misconceptions / Blockers
• Awareness programs never work.
• Awareness programs are a failure because someone always clicks.
• Awareness is just about human prevention.
Managing Human Risk
Mitigate human risk by changing human behavior.
BJ Fogg Behavior Model
Plan of Attack
• Who
• What
• How
Who
• Explain the value of identifying different target groups in your training.
• Then explain the different target groups you identified and why.
What
• To be successful, focus on as few topics / behaviors as possible.
• Different target groups have different risks.
• Explain what risks / behaviors you are focusing on and why.
How
• Overview of how you will engage and train your workforce.
• Focus on positive engagement
• How people benefit personally
• Active and continuous reinforcement
Metrics
• What metrics will you use to track and communicate impact?
• More strategic metrics?
• Specific behavioral metrics?
• What does your leadership care about, how can you demonstrate support of org.
Support
Detail what you need to make this happen.
Three “S”s to Success
• Support
• Staff
• Soft skills
Leadership Support is Key
Minimum Number of FTEs
Soft Skills Lacking
Summary
• To manage human risk we need to change behavior.
• To change behavior we need a mature awareness program.