Assessing the Effectiveness of Security Awareness Training


Assessing the Effectiveness of Security Awareness Training
Steve Kruse, Security Principal @ RSA, steve.kruse@rsa.com
Bill Pankey, Consultant @ Tunitas Group, bpankey@tunitas.com

State of Security Awareness Training
2010 Survey of Industry Security Awareness Training. Methods used to assess effectiveness:
- Training completion / compliance rate: 100% [cost]
- (User) behavioral / attitude measures: 13%
- Correlation with security incident metrics: 7%
- High level of CISO / CIO satisfaction
- Minimal expenditure on user awareness / training
- Unsupported by empirical data

Assessment Problem
- Prospective: forecast user error / security violations
- Useful: support corrective action beyond merely "more training required"
- Efficient & reliable: summarize a lot of behavior & context

Security Awareness Calibration
How does the human fit into the security plan?
- As a threat: then the actor must know enough and be motivated not to act in a certain fashion
- As a counter-measure: then the actor must know enough and be motivated to act in a certain fashion
What are the capabilities of users?
- Compliance while completing work assignments
- Recognizing threats / reporting
- Managing risk

Maturity Model
Provides a common scale for calibration:
- Characterize security policy / plan expectations
- Characterize user awareness / likely behavior
- Summarize to reduce complexity
Baseline user awareness: general relationship between user and systems; approach to motivation / awareness / etc.

User Awareness Maturity Model
- Competent & Practiced: expects to manage security risk (recognize and mitigate) when performing duties.
- Risk Aware: considers information security risk in performance of company duties, but is unsure of the appropriate action; sometimes will report incidents.
- Compliant (*): aware of risks identified in company policy; will take action identified in company security policy.
- Consciously Incompetent: avoids behavior believed to be risky, even if that results in some productivity loss.
- Blissfully Unaware: uses any capability provided to them; little recognition or acceptance of most information security threats. At this level the prevalent view is that information security is a property of IT systems and largely a matter of architecture and configuration; security is seen as largely independent of user behavior.
* Typical target

Underlying Maturity Factors
- Discretion: more flexibility allowed users as maturity increases
- Participation: more risk management responsibility as maturity increases

Risk Map (figure; labels: Unanticipated Risk, Accepted Risk, Policy Expectation, Opportunity, User Awareness)

Example: A Teleworker Policy
Applied to at-home and alternate work location scenarios; provisions at each maturity level:
- Blissfully Unaware: There will be no in-person client interviews or contact conducted at the telecommuter's home.
- Consciously Incompetent: Telecommuters are responsible for clarifying any questions regarding the applicability of rules, policies, practices and instructions through discussions with their supervisor.
- Compliant: Use of county equipment and supplies is limited to authorized persons for purposes relating to county business.
- Risk Aware: The employee must designate a workspace at home that is maintained in safe condition and free from hazards.
- Practiced and Competent: Telecommuters will take all precautions necessary to secure county information and equipment in their home, prevent unauthorized access to any county system or information

Example: Behavioral Scoring @ Company with the teleworker policy (chart 1; labels: Competent, Risk Aware, Blissfully Unaware, Consciously Incompetent)

Example: Behavioral Scoring @ Company with the teleworker policy (chart 2; labels: Blissfully Unaware, Risk Aware, Consciously Incompetent, Compliant)

Example: Response
- Illusory policy: assuming too much user maturity; > 10% of users making the incompetent choice when working with client confidential material at home
- Reconsidering the teleworker policy
- Increased technical safeguards to protect against the errors of the blissfully unaware:
  - VPN use of RDP (remote desktop protocol) / terminal services
  - Restriction on accessing email attachments through OWA

Questions for Empirical Research
- Does user capability at a higher maturity level indicate capability at the lower levels (i.e. do the levels form a Guttman scale)? Users making appropriate choices at one level of policy will make appropriate choices at lower levels of policy.
- Can user maturity be reliably measured with test scenarios? High whole / part test correlations.
- Does maturity modeling capture persistent aspects of user security understanding and capability? Insignificant correlation between responses after controlling for maturity level.
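As an added example (not the presenters' instrument, data or code), the following Python script shows how the Behavioral Scoring and Guttman-scale questions above can be checked on scenario data. It scores constructed responses against the five maturity levels, places each hypothetical user Guttman-style (a user who makes the appropriate choice on s of four level-ordered scenarios sits at level s, with level 0 = blissfully unaware), computes the Goodenough-Edwards coefficient of reproducibility to test whether the levels actually form a Guttman scale, and flags levels where more than 10% of users made the incompetent choice, the "illusory policy" condition from the Response slide. The user ids, response patterns, the one-scenario-per-level design, the scoring rule and the conventional 0.90 reproducibility criterion are assumptions.

```python
"""Score awareness-scenario responses against the five-level maturity model
and check whether the levels form a Guttman scale.

Constructed example: the data, the one-item-per-level design, the scoring
rule and the 0.90 criterion are assumptions, not the presenters' instrument.
"""
from typing import Dict, List, Sequence

# Maturity levels in slide order, lowest first (index = Guttman scale score).
MATURITY_LEVELS = [
    "Blissfully unaware",
    "Consciously incompetent",
    "Compliant",
    "Risk aware",
    "Competent & practiced",
]

# Assumed design: one scenario per level above the baseline. Item i asks the
# user to make the choice expected at MATURITY_LEVELS[i + 1]; True = appropriate.
ITEM_LEVELS = MATURITY_LEVELS[1:]

# Constructed responses for ten hypothetical teleworkers (not survey data).
RESPONSES: Dict[str, List[bool]] = {
    "u01": [True, True, True, True],
    "u02": [True, True, True, False],
    "u03": [True, True, False, False],
    "u04": [True, False, False, False],
    "u05": [False, False, False, False],
    "u06": [True, True, False, True],    # skips a lower level: scale error
    "u07": [True, True, True, True],
    "u08": [True, True, False, False],
    "u09": [True, False, True, False],   # skips a lower level: scale error
    "u10": [True, True, True, False],
}

CONVENTIONAL_CR_CRITERION = 0.90  # usual Guttman cutoff; assumed here


def scale_score(pattern: Sequence[bool]) -> int:
    """Number of scenarios on which the user made the appropriate choice."""
    return sum(1 for ok in pattern if ok)


def assigned_level(pattern: Sequence[bool]) -> str:
    """Guttman-style placement: s appropriate choices -> MATURITY_LEVELS[s]."""
    return MATURITY_LEVELS[scale_score(pattern)]


def guttman_errors(pattern: Sequence[bool]) -> int:
    """Goodenough-Edwards error count: mismatches between the observed pattern
    and the ideal pattern with the same score (all passes on the lowest items)."""
    s = scale_score(pattern)
    ideal = [i < s for i in range(len(pattern))]
    return sum(1 for observed, expected in zip(pattern, ideal) if observed != expected)


def coefficient_of_reproducibility(responses: Dict[str, List[bool]]) -> float:
    """CR = 1 - errors / (respondents * items); >= 0.90 is the usual criterion."""
    patterns = list(responses.values())
    cells = sum(len(p) for p in patterns)
    errors = sum(guttman_errors(p) for p in patterns)
    return 1.0 - errors / cells


def forms_guttman_scale(responses: Dict[str, List[bool]]) -> bool:
    """Do higher-level capabilities imply lower-level ones well enough?"""
    return coefficient_of_reproducibility(responses) >= CONVENTIONAL_CR_CRITERION


def level_distribution(responses: Dict[str, List[bool]]) -> Dict[str, int]:
    """Behavioral scoring chart data: how many users sit at each level."""
    counts = {level: 0 for level in MATURITY_LEVELS}
    for pattern in responses.values():
        counts[assigned_level(pattern)] += 1
    return counts


def failure_rate_by_level(responses: Dict[str, List[bool]]) -> Dict[str, float]:
    """Share of users who made the incompetent choice on each level's scenario."""
    n = len(responses)
    return {
        level: sum(1 for p in responses.values() if not p[i]) / n
        for i, level in enumerate(ITEM_LEVELS)
    }


def illusory_policy_levels(responses: Dict[str, List[bool]], threshold: float = 0.10) -> List[str]:
    """Levels whose provisions assume more maturity than the population shows:
    more than `threshold` of users failed that level's scenario (the slide's > 10%)."""
    return [lvl for lvl, rate in failure_rate_by_level(responses).items() if rate > threshold]


if __name__ == "__main__":
    for uid, pattern in RESPONSES.items():
        print(f"{uid}: {assigned_level(pattern)} (errors={guttman_errors(pattern)})")
    print("distribution:", level_distribution(RESPONSES))
    print(f"CR = {coefficient_of_reproducibility(RESPONSES):.2f}; scale ok: {forms_guttman_scale(RESPONSES)}")
    print("illusory policy at:", illusory_policy_levels(RESPONSES))
```

With the constructed data the scale is just at the 0.90 criterion (two users skip a lower level), and three of the four policy levels have failure rates above 10%, which is the signal the Response slide acts on: either restate the provision for a lower level or add a technical safeguard that does not depend on the user's choice.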