SACP EXAM
4 Realms of an Experience
1) Entertainment (passive participation + absorption); 2) Educational (active participation + absorption); 3) Esthetic (passive participation + immersion); 4) Escapist (active participation + immersion)
Pine & Gilmore's Experience Economy
4-quadrant matrix for describing experiences (TSA-186-194)
Texas Health Privacy Law
Texas's Health Privacy Law, H.B. No. 300 § 181.101, requires employees to be trained about both the state's law and HIPAA. This is one of the few state health laws that mandates training about Texas's own health privacy law. Additionally, it requires training about HIPAA. Penalties for violating the Texas law are quite high, equivalent to HIPAA.
NERC CIP
The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection Standard. §CIP-004-3(B)(R1) The Responsible Entity shall establish, document, implement, and maintain a security awareness program to ensure personnel having authorized cyber or authorized unescorted physical access to Critical Cyber Assets receive on-going reinforcement in sound security practices. The program shall include security awareness reinforcement on at least a quarterly basis using mechanisms such as: • Direct communications (e.g., emails, memos, computer based training, etc.) • Indirect communications (e.g., posters, intranet, brochures, etc.) • Management support and reinforcement (e.g., presentations, meetings, etc.).
5 Key Principles for Designing Memorable Experiences
1) Theme the experience; 2) Harmonize impressions with positive cues; 3) Eliminate negative cues; 4) Mix in memorabilia; 5) Engage all 5 senses
Adapt Communication to Target Audience
Theory of Mind: taking the time to uncover the WHY will help us "learn to see through our participant's eyes so that we can create compelling messages that will connect with them" (TSA-48). We must consider how our messaging will contextualize within the lives of our learners, making sure to give adequate weight to anything that will create relevant connections and resonate (TSA-70, 74). WHO are you speaking to? WHAT makes that audience member unique? WHEN is the best time to get the message to your audience? WHERE should your audience receive the info? WHY should the recipient care, and WHY do you need to get their attention? HOW will the info be delivered (device and format)? Your employees each have different roles and responsibilities, and those impact the systems they interact with, the schedules they have, peer groups, social expectations, and more.
Build Business Case for Security Awareness Strategy
There is a level of security expertise and organizational development savvy required to understand the critical elements that need to be included in a program, and then how to marry those different elements into bite-size chunks. Security awareness training is continuous; there is no end. Think about your awareness program outreach in three areas: Content, Experiences, and Relationships. Use current events and stories about organizations that are similar to yours in terms of industry, size, or other demographic characteristics, so long as you do it in a way that's not fearmongering or alarmist (TSA-260). ■ "How comfortable would your CEO or legal counsel be in demonstrating that they've taken reasonable and appropriate steps to raise awareness, influence behavior, and build an appropriate organizational culture around security?" (Hallas, TSA-296)
Cialdini's Principles of Persuasion
These can be leveraged to influence and connect with stakeholders to get buy-in, and in program elements and strategy for end-users: RECIPROCITY - SCARCITY - AUTHORITY - COMMITMENT & CONSISTENCY - LIKING - SOCIAL PROOF (or CONSENSUS) - UNITY
Establish Business Needs and Benefits
To build a strong security awareness program, you first need to determine your objective as it relates to overall corporate objectives. ■ Compliance: because the auditors/regulations require it ■ Info dissemination: because we need to get the word out ■ Behavior shaping: because we want to influence and manage actions ■ Culture shaping: because it helps create the collective's core values, beliefs, attitudes, actions. The goal of an awareness program is having employees act in vigilant and secure ways; although simple, if you do not know what outcomes you want to drive, you will not know how to measure and represent your results.
SEC Cybersecurity Examination Initiative
Training: Information with respect to training provided by the firm to its employees regarding information security and risks, including the training method (e.g., in person, computer based learning, or email alerts); dates, topics, and groups of participating employees; and any written guidance or materials provided. Here is a KnowBe4 / Foley & Lardner Whitepaper by Michael R. Overly, Esq., CISA, CISSP, CIPP, ISSMP, CRISC that will help you better understand why having an effective security awareness program can prevent a significant amount of fees and fines: http://info.knowbe4.com/whitepaper-overly-kb4-13-08-20
FACTA - FTC Red Flags Rule
Under the FACTA, which amends the Fair Credit Reporting Act, the FTC created the Red Flags Rule. That rule requires training as part of an Identity Theft Prevention Program. See 16 CFR 681.1(d)-(e). Employees should be trained about the various red flags to look out for, and/or any other relevant aspect of the organization's Identity Theft Prevention Program.
RITUALS (4 Pillars of Cultural Influence)
rituals engage people around the things that matter most to an org, instilling a sense of shared purpose and experience, sparking behaviors that make the org more successful ● All rituals start with setting an explicit intention and a great one will reinforce the mindset and behavior you want to "enculturate" in a way that feels authentic to the org and its people
Behaviors (Security Culture Dimensions)
the actions and activities of employees that have direct or indirect impact on the security of the organization. "A person's behavior is the visible result of culture. ... Focus only on behavior, on what you can see, and you might change it, at least until you stop looking at it. After that, people tend to go back to their old, unconscious way of doing things." (PCS-46)
Attitudes (Security Culture Dimensions)
the feelings and beliefs that employees have toward the security protocols and issues
Norms (Security Culture Dimensions)
the knowledge of and adherence to unwritten rules of conduct in the organization
Compliance (Security Culture Dimensions)
the knowledge of written security policies and the extent that employees follow them
Risk tolerance level
the measure of risk that can be lived with, or the chance of failure that is at an acceptable level (understanding that zero risk is unachievable)
Communication (Security Culture Dimensions)
the quality of communication channels to discuss security-related topics, promote a sense of belonging, and provide support for security issues and incident reporting
Prompt Fatigue
utilize multiple types/styles of encouraging prompts (rather than solely relying on one), make extrinsic prompts intrinsic when possible, and establish the desired behavior as a cultural norm (TSA-119-120)
PCI DSS
§12.6 - Make all employees aware of the importance of cardholder information security. • Educate employees (for example, through posters, letters, memos, meetings and promotions). • Require employees to acknowledge in writing that they have read and understood the company's security policy and procedures.
Health Insurance Portability & Accountability Act (HIPAA)
§164.308.(a).(5).(i) - Implement a security awareness and training program for all members of its workforce (including management)
Federal Information Security Management Act (FISMA)
§3544.(b).(4).(A),(B) - Security awareness training to inform personnel, including contractors and other users of information systems that support the operations and assets of the agency, of information security risks associated with their activities; and their responsibilities in complying with agency policies and procedures designed to reduce these risks.
Sarbanes-Oxley (SOX)
§404(a).(a).(1) - The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report which shall - state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting. If you are planning to go public in the future, start now with a security awareness training project.
Gramm-Leach Bliley Act
§6801.(b).(1)-(3) - In furtherance of the policy in subsection (a) of this section, each agency or authority described in section 6805(a) of this title shall establish appropriate standards for the financial institutions subject to their jurisdiction relating to administrative, technical and physical safeguards - • To insure the security and confidentiality of customer records and information; • To protect against any anticipated threats or hazards to the security or integrity of such records; • To protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
ISO/IEC 27001 & 27002
§ISO 27002 8.2.2 - All employees of the organization and, where relevant, contractors and third party users should receive appropriate awareness training and regular updates in organizational policies and procedures, as relevant for their job function
CobiT
§PO7.4 Personnel Training - Provide IT employees with appropriate orientation when hired and ongoing training to maintain their knowledge, skills, abilities, internal controls and security awareness at the level required to achieve organizational goals. §DS7 - Management of the process of Educate and train users that satisfies the business requirement for IT of effectively and efficiently using applications and technology solutions and ensuring user compliance with policies and procedures is: [...] 3 Defined when a training and education program is instituted and communicated, and employees and managers identify and document training needs. Training and education processes are standardized and documented. Budgets, resources, facilities and trainers are being established to support the training and education program. Formal classes are given to employees on ethical conduct and system security awareness and practices. Most training and education processes are monitored, but not all deviations are likely to be detected by management. Analysis of training and education problems is only occasionally applied.
Traits of a good computer security event (or "guaranteed-to-be" malicious hacker/malware events)
■ Can be used to detect malicious events ■ Single occurrence or unexpected change from baseline number in a given time that indicates probability of unauthorized activity ■ Low number of false positives and false negatives ■ Readily understood by receivers/viewers ■ Important enough to warrant investigative/forensic action
Determine Modality and Channel of Communication
"A good communication strategy will find ways of putting your message in front of your audience and will do so in ways that are relevant to their lives and their modes of work and play." (TSA-70) You can and should leverage cultural trends to your advantage; a key to capturing someone's attention is to understand where their attention is already captured. Potential locations for specifically and intentionally designing your awareness and behavior intervention points: parking lot, walking into building, lobby, near/inside elevator, walking through office, approaching/at workstation, logging into computer, navigating to and interacting with specific systems, breakroom, near trash/shredding bins, approaching/inside restrooms, meal areas (TSA-244)
Frames
"Each of us has our own frame that we carry around with us and use to filter and interpret the world around us. That means our frames have a direct influence on our behaviors because our behaviors and decisions are shaped by our reactions to the world and unfolding circumstances." (TSA-109-110) Frames feed System 1 thinking and are self-reinforcing (e.g. circular arguments) - "When the facts don't fit the frame, the facts get rejected, not the frame." Preestablished Frames (e.g., worldviews, peer groups, previous experiences, pressures at work or home, habits) vs Transient Frames (e.g., executive behavior, known and perceived expectations, social currency and pressure, subliminal messages, fears, ambitions)
Identify and Communicate with Stakeholders
"Keep in mind that 'key' people exist at all levels of the organization from the CEO and other C-level executives setting the tone at the top to cultural carriers—staff—that espouse the right values and do the right things day in day out."
Assess Threat Landscape
"See most computer defenses for what they are: inefficient, incorrectly ranked, and wastes of money and resources. ... No longer accept unranked items of things to do. Instead of blindly accepting dogma, ...require data to back it up. And ... only value other people's data after you measure and weigh it against your own data and experiences." - Roger Grimes ■ The primary focus should be on the most critical initial-compromise exploits that will cause the most harm ■ The possibilities for attack are endless, and you have to defend against all of them as an org. "Grasping a hacker's motivation helps you understand their ultimate objectives and what value they hope to obtain from your organization." - R.G.
Obtain Authorizations for Program (e.g., Legal, HR, Execs)
"The spirit is that there are two levels: 1 - have executive support so you don't cause political issues or while other departments are running campaigns and cause confusion. 2 - People run phishing campaigns without the mental health of the organization but running phishing campaigns that are aligned with protection and the heart of the organization in mind. For example, if there are layoffs happening, don't send phishing emails about layoffs. Get HR, legal, and marketing on board with the program to get the majority of the buy-in for the organization. Go to marketing to create the vision from the program because they are better at it than security people, and if they are involved they become advocates and defend the IT team vs go against them." - Perry Carpenter
Evaluate Organizational Security Culture to Identify Areas of Alignment or Possible Disconnect
"Whenever you have a huge, long-term structure problem that isn't being solved by traditional means, it requires a paradigm shift in thinking, often across an entire industry or larger culture. Following a data-driven defense involves impacting every part of the organization, not just the computer security or IT departments." - Roger Grimes. Having the capacity to engage your audience in a way that will drive a cultural shift to being more aware as an entire entity. Status quo can be uncovered via cultural surveys (both anonymous and non-anonymous for best view), focus groups, direct observation, behavioral metrics (e.g. data from SIEM, DLP, EPP, web proxies, monitoring systems), face-to-face interviews, and others (TSA-149)
Review Previous Threats and Incidents
"You need to get the data [and experiences] to find out what is really being successful against your organization and focus on that [rather than a lot of the stuff that you've been told to fear]." - Roger Grimes
Participate in Developing Policies Pertaining to Non-compliance
"You want to look for any disconnect that you can. Do you have policies for if you fail or click on a phish; what happens? Unless you are going to use the same policies at the CEO level it should be in a print and not selective. Following an established process you get a behavior replacement for example clicking on the PAB button or letting IT aware of the email. Let people know over and over again that this is the way we do things and set the standards." - Perry Carpenter
Determine Key Learning Objectives
"Your 'why' maps directly to the amount of impact your program will have." (TSA-32) Use risk assessment and data-driven defense to determine the threats your employees most need to learn to protect themselves against. Run a security culture assessment to create a baseline to find out where gaps exist and need to be addressed.
security leaders' top motivations for creating a strong security culture
"[In 2020] building business success (49%), business integrity (43%), and a sense of customer security (41%)"
For [Geert] Hofstede, culture is:
"'software of the mind' that allows individuals to align their thoughts, beliefs, and actions in order to solve specific problems."
10 Core Principles of Corporate Culture
(TSA-148) ■ Every organization has a culture. ■ Culture impacts performance. ■ Culture can be a significant business risk. ■ Culture works on human logic, not business logic. ■ Organizations are shadows of their leaders. ■ Cultural drift. ■ Policies drive culture (more than we realize). ■ You get the culture you ignore. ■ There is no perfect corporate culture. ■ Leaders and employees change cultures, not consultants
Draft Communications for Stakeholder Review and Approval
(blank)
Finalize Communications
(blank)
Establish Target Audience
- Audience Segmentation - Personas - Security Behavior Journey Map Brainstorming Cheatsheet
Power prompts...
...contain elements that intend to increase motivation (e.g. playing to the curiosity gap), make the desired behavior easier, or both (TSA-122)
Engagement models that do not account for global and social dynamics....
...will have the effect of alienating your security department.
Review Risk Assessment Reports
Are there any deficiencies that need to be improved? "There is a gulf of difference between the most critical potential threats and the most likely successful threats, and the difference matters more than everything else." (DDD-226) "Risk assessment tries to predict what threats an organization is most likely to be exposed to in the future. Any risk assessment assumes the risk that the predicted threats and risks might not align to the actual risks and threats that occur in the future." (DDD-226) It's almost a guarantee that any given risk assessment will never be 100% accurate.
Security Culture Dimensions
Attitudes Behaviors Cognition Communication Compliance Norms Responsibilities
Brainstorming Worksheet for Obtaining Stakeholder Support
Complete worksheet once before meeting stakeholder to present your program, and again post-meeting to both correct any inaccuracies in your assumptions and add thoughts/notes. ■ Stakeholder Name ■ Title & Department ■ Stakeholder's Primary Business Drivers & Needs. What is their core business? How is their success measured? ■ Potential Stakeholder Concerns, Questions, etc. How might elements of your program feel like they work against their core mission and values? Might elements of your program feel like they take focus from areas that they are measured against? ■ Departmental Benefits if Program is Successful. How might elements of your program make their department look good? How might elements of your program help their program perform better? How might elements of your program help their department link to a greater organizational mission or support a broader goal? ■ Benefits to Stakeholder if Program is Successful. How might elements of your program increase their social currency? How might elements of your program help their career? Can this help them feel connected with a greater cause? ■ Additional Notes & Comments ● Additional pre- or post-meeting thoughts go here
Review Organization's Mission and Goals
Conduct a series of interviews or quick surveys to understand how different divisions, divisional leaders, and other demographic groups view security, understand policy and best practices, and what they truly hold important (TSA-253). Can also help understand whether key execs are in alignment and/or political or logistical hurdles you need to work through.
Think about your awareness program outreach in three areas
Content, Experiences, and Relationships
Distribute Communications
Continually seek out new and better ways to communicate and influence. What would you do (or best step flow) for an in-person campaign?
Identify Key Content/Messaging
Craft/discover something of value to talk about, and connect with the emotion, need, and humanity of your audience (TSA-43). Training needs to be targeted to the most damaging types of social engineering that your organization specifically faces (DDD-207).
Align Communication with Brand/Company Culture
Effective communicators partner across their organization to give their messaging further reach. Celebrate top phish reporters, book clubs on security topics, go-to security gurus (outside of IT), individual team discussions on content. ○ "Your organizational culture will 'win out' over your security awareness goals every time unless you are able to weave security-based thinking and values into the fabric of your overarching organizational culture." (TSA-257) Change agents of security culture: C-suite, security awareness teams, security researchers, security practitioners (PSC-36-38)
Review Risk Management Reports
How can your security awareness program play a role in implementing risk-aligned mitigation strategies against your org's biggest threats? (DDD) Are there any deficiencies that need to be improved? (DDD-182) Are root causes being identified and acted upon? Are communications focusing on the right things and communicating them across the organization? Can all employees name the top successful threats? Are the right mitigations being applied, and how do they succeed?
Massachusetts Data Security Law
Called 201 CMR 17.03, it mandates training to maintain a comprehensive information security program. The training should focus on reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper, or other records containing personal information. Training must be "ongoing" and must be given not only to permanent employees but also to temporary and contract employees. You can find a listing of most of those state privacy laws at Morrison & Foerster's Privacy Library. Many of these privacy laws require some type of awareness training, or at a minimum that the privacy requirements are communicated to employees in that state.
Implement Improvements Based on Feedback and Previous Run Cycles
How do you use the feedback to improve the overall campaign? Continuously implement program improvements; be ready to adapt to shifting priorities and landscapes. Ongoing surveys, work with culture carriers, and behavioral indicators (incident reporting, SIEM, DLP, employee monitoring tech) help keep your finger on the pulse of your org's specific security-related sentiments and actions. "A transformational program has more in common with a conversation than it does a monologue." (TSA-269) ○ "A transformational security awareness program is adaptive and anticipatory, always seeking ways to meet your people where they are with the security-related information and interventions that they need." (TSA-269) "A proactive security awareness training program and continuous effort to improve security culture will help employees to recognize and address their blind spots." (CLTRe21-10)
Maslow's Hierarchy of Needs
"If people's basic needs aren't being met (physical and safety), then they will exist in a constant state of 'fight or flight.' They won't be able to mentally process information given, and they will struggle to think or act on anything that isn't going to potentially provide some relief from the distress that they feel." (TSA-165) How can you help people in your org feel a sense of connection to a bigger purpose? How can you make them feel like they are part of a community? How can you build their esteem and self-worth? How can you fuel their creativity and sense of purpose? People in bottom of pyramid: find ways to HELP. People in middle of pyramid: find ways to INCLUDE, ASSIMILATE, RECOGNIZE. People in top of pyramid: find ways to ENCOURAGE, SUPPORT, grant FREEDOM, RESPONSIBILITY.
Are there any deficiencies that need to be improved? (Risk Assessment)
Is threat intelligence accurate about the top current and future most likely successful threats? Is threat detection of the top threats accurate? Are there too many false negatives or false positives? Are there some top threats that you are missing altogether? Are emerging threats being seen and dealt with faster?
Determine Delivery Method
It's all about delivering the right content and behavioral interventions to the right segments of your user population
Define Content Based on Audience (e.g., Social, Environmental, Regional)
Learning objectives/tactics may need to be adjusted based on audience demographics, departments, and levels within the organization: region, technical level, age, department. ○ Evaluating the various needs across your diverse learner population will help you resist one-size-fits-all approaches so you can tailor your program with the right content to drive the outcomes you want to achieve ○ Experiential engagement - creating situations that people step into and out of can be leveraged to create learning opportunities; never take the "one and done" approach (TSA-186)
Coordinate Scheduling of Communications with Stakeholders
Leverage executive support to help cascade the messaging and reinforce importance Leverage organizational initiatives and current events to reinforce the idea that security is relevant to the bigger picture, adding a level of "importance by association"
Create and Curate Content
Leveraging engaging, fun, culturally and contextually relevant content will help gain and keep user interest. Security campaigns that actually work are powered by messages that are personal, emotional, and relevant (TSA-38).
US State Privacy Laws
Many states in the United States have their own individual privacy laws.
Document and Validate Compliance Objectives
Map your program to established industry best practices (such as the NIST Cybersecurity Framework or the National Association of Corporate Directors guidance on cybersecurity)
Identify Potential Cultural/Organizational Misalignment
Maslow's Hierarchy of Needs; *4 Pillars of Cultural Influence. Culture gaps can be uncovered by doing initial surveying/interviewing at the beginning of the program, and can be dealt with by: (TSA-257) SAFE (riskiest) ROUTE: Modifying your program expectations and goals based on the gap you've uncovered; Working with org leaders to see how you can influence the org culture as a whole ■ Utilizing a hybrid approach where some goals are modified while also trying to influence the culture. Covert processes - organizational forces and dynamics that are hidden but exert powerful effects on our communications and efforts to achieve goals (e.g. hidden agendas, unspoken rules, organizational taboos) (PCS-61)
Conduct Training
Pine & Gilmore's Experience Economy. Experiential engagement is about creating situations that people can step into and back out of, and can be leveraged to create learning opportunities (TSA-187-193). Meetings, presentations, lunch-&-learns, tabletop exercises (TTX), rituals, webinars, games, simulated phishing & social engineering, other simulations & embodied learning (AR/VR)
Determine Schedule and Cadence for Training
Opinions and behaviors aren't changed by hearing info once; we need reinforcement and an ongoing campaign (TSA-76) ○ "If there is something worth saying to your people, then you need to say it over and over... or risk getting drowned out in the noise of life." (TSA-78) ○ Information and training that are not frequently used are quickly forgotten (TSA-101-102) ■ After training, 90% of what you've learned is lost by the time you get back to your job; the remaining 10% will also be lost quickly if they're not immediately and repeatedly applied. Prompt Fatigue - utilize multiple types/styles of encouraging prompts (rather than solely relying on one), make extrinsic prompts intrinsic when possible, and establish the desired behavior as a cultural norm (TSA-119-120) ■ Power prompts contain elements that intend to increase motivation (e.g. playing to the curiosity gap), make the desired behavior easier, or both (TSA-122) ○ "Humans ... crave predictability and struggle to find patterns, even when none exist. Variability is the brain's cognitive nemesis and our minds make deduction of cause and effect a priority over other functions like self-control and moderation. [...] Recent neuroscience has revealed that our dopamine system works not to provide us with rewards for our efforts, but to keep us searching by inducing a semi-stressful response we call desire." (Nir Eyal in "Variable Rewards: Want to Hook Users?", TSA-132) ■ Evoke a feeling of success to ensure that people will want to continue to repeat the desired behavior you're teaching them about (TSA-130-131) ■ Provide rewards on an "unpredictable, variable schedule" to make sure the brain doesn't lose its dopamine release effect when the reward is provided
Measure Learning Outcomes
Reliable data means that a log is generated every time the same event occurs with an accurate timestamp, the information is useful, and is resistant to unauthorized, malicious modification or interruption (DDD-156) "By examining how employees report on specific topics, we can help their organization to improve security culture by focusing their efforts where it matters most. Specifically, we looked at how employees report their sentiments about having access to security-related information, how they think about passwords, and their access to the security team." (CLTRe21-10)
Research and Deliver Applicable Security Awareness Subject Matter (e.g., incidents, solutions, preventions, statistics, reinforcement)
Researching & measuring those results
Track Training Compliance Against Target(s)
SMARTER goal setting framework (TSA-254-256). SPECIFIC enough to focus and direct your efforts ● What exactly are you hoping to achieve in the next n weeks/months? (content delivery, behavior change, culture shaping, other refined goals) MEASURABLE so you can keep track of progress and identify gaps: # of campaigns, course completion %, average test scores by department, phishing test resiliency change over time, # of special on-site training events (e.g., TTX), # of self-reported suspected security issues, # of reported suspected phishing emails versus # of accurate reported phishing emails and known unreported phishing emails ● Potential areas: password hygiene, physical security-related issues, engagement of culture carriers, culture survey response change over time. ACTIONABLE with a clear initiating verb that prompts specific activity. Examples: Reduce our phish failure %; establish our dashboard; deliver agreed-upon metrics; increase use of shredding bins; reduce instances of tailgating ● Remember that every goal needs to be specific and timed. Frame them as OKRs -- an objective with clear key results. RISKY enough to leverage our natural tendency to rise to challenges. TIME-KEYED so you're prompted exactly when to act. EXCITING enough to inspire and harness the power of your intrinsic motivation. The "why" behind the importance can help generate excitement, especially during the inherent wax/wane of administering a long-term program. RELEVANT within the overall context of your organization and people.
*4 Pillars of Cultural Influence
STRUCTURES — a person's social environment determines how/what that person will behave, believe, and value. Data points collected in culture assessments give a picture of different structures (or groups) that already exist in your org, and can be used to segment your training. Culture carriers are a social structure that can be harnessed to influence (and infiltrate) other existing social structures throughout the org. PRESSURES — behavioral norms are naturally established by a culture; social control theory points to the fact that deviance is avoided because it's seen as such by the culture to which it belongs. Pressure Rewards: peer recognition, acceptance, inclusion ("one of us"). Pressure Sanctions: peer disapproval, exclusion ("not one of us"). 4 Social Bonds that promote conformity and dissuade deviance: a. Attachment - circle of close social connections that influence and provide feedback regarding good vs bad behavior; b. Commitment - level of commitment a person has to the overarching group, which can be strengthened or hindered; c. Involvement - ability to continue to be involved in social activities based on desired behaviors and values; d. Belief - reinforcement of shared beliefs, values, and vision across a culture, which often explain why a given social norm is best. REWARDS — feeling like one's efforts, intrinsic value, and good work are both noticed and appreciated ● Different segments react differently to types of rewards ● Rewards don't necessarily need to be material; sometimes recognition itself goes a long way: gamification, real-time stats, community competitions, community encouragement ● Remember to build in unpredictability and variability to the frequency and structure in order to increase engagement and fight against complacency. RITUALS — rituals engage people around the things that matter most to an org, instilling a sense of shared purpose and experience, sparking behaviors that make the org more successful ● All rituals start with setting an explicit intention and a great one will reinforce the mindset and behavior you want to "enculturate" in a way that feels authentic to the org and its people
SACP
Security Awareness and Culture Professional
Federal Guidelines for the Sentencing of Organizations
You might want to have a look at The Federal Guidelines for the Sentencing of Organizations. This is not regulation per se, but something that affects how your organization will be treated when there is a breach (under federal law). §8C2.5 of the Guidelines defines an organizational culpability score [for the misdeeds of employees and officers]. Culpability is inversely related to the organization implementing an 'effective compliance and ethics program'. §8B2. defines an effective compliance and ethics program to include a training program in the organization's standards and procedures. So in Federal Court, the organization is culpable in its workforce's misuse of corporate information assets to the degree that the organization does not train employees with respect to appropriate conduct. It is likely that non-federal jurisdictions will apply something very similar to the Federal Guidelines.
STRUCTURES (4 Pillars of Cultural Influence)
a person's social environment determines how/what that person will behave, believe, and value
● Data points collected in culture assessments give a picture of different structures (or groups) that already exist in your org, and can be used to segment your training
● Culture carriers are a social structure that can be harnessed to influence (and infiltrate) other existing social structures throughout the org
Culture carriers
are people who have intimate knowledge of company values and are particularly good at leading by example for their peers, holding a considerable amount of social influence and passion for those values (TSA-156-163)
■ Offer peer-level support for anyone struggling with security content
■ Serve as a communications network that links directly back to you, gathering info as they disseminate your message(s) on biggest risks, popular topics, and impact metrics
■ Making it formal (e.g., champions, ambassadors, liaisons, sentinels) and giving it intentional support will make it successful
PRESSURES (4 Pillars of Cultural Influence)
behavioral norms are naturally established by a culture; social control theory points to the fact that deviance is avoided because it's seen as such by the culture to which it belongs
● Pressure Rewards: peer recognition, acceptance, inclusion ("one of us")
● Pressure Sanctions: peer disapproval, exclusion ("not one of us")
● 4 Social Bonds that promote conformity and dissuade deviance:
a. Attachment - circle of close social connections that influence and provide feedback regarding good vs bad behavior
b. Commitment - level of commitment a person has to the overarching group, which can be strengthened or hindered
c. Involvement - ability to continue to be involved in social activities based on desired behaviors and values
d. Belief - reinforcement of shared beliefs, values, and vision across a culture, which often explain why a given social norm is best
Audience Segmentation
breaking down the entirety of your audience into different types of people (e.g., region, job type, age group, technical proficiency) (TSA-74)
Debugging behaviors across segments using the Fogg Behavior Model (TSA-117-132) for Prompts, Ability, and Motivation:
● Person has sufficient Motivation and Ability - when Prompted, person will perform the Behavior
● Person has sufficient Motivation but lacks sufficient Ability - when Prompted, person will want to perform the Behavior but will be unable to do so, causing frustration or disillusionment
● Person lacks Motivation but has sufficient Ability - when Prompted, the person has the Ability to do the Behavior but doesn't care enough to do it, and will become agitated if repeatedly Prompted
● Person lacks both Motivation and Ability - when Prompted, the person is unable to perform the Behavior and is apathetic about it
Example culture rituals
celebration rituals, eating rituals, storytelling rituals, company cheers, 360° reviews, annual office parties, blood drives, community service events
Theory of Mind
communicating from a strong Theory of Mind means taking into account that other people may view or react to the same information differently (TSA-47)
UNITY (Cialdini's Principles)
people value the input of those they share a core identity or a unique experience with (something that creates a deep, immediate sense of connection)
● Learn to speak the same lingo a stakeholder's specific area uses
● Adopt a tone in all communications that will help employees trust and confide in the security department
AUTHORITY (Cialdini's Principles)
people will follow the leader if they see them as experts or authority figures
Personas
creating an identifiable profile (or "composite sketch") of each segment that tells you about their distinct motivations, fears, priorities, challenges, common questions, relevant job duties, systems, technologies, job-specific terminology, history of security issues and successes, character traits, social influences, etc. -- and ultimately how you can tailor messaging that addresses their individual needs (their WHY) (TSA-74)
■ Get a generic idea of what a given persona's day is like; do their job duties, peer groups, or pace of work change throughout the month or within certain "peak" seasons? (TSA-242)
■ Consider emotions and motivations: How do those shape the person's day? How do they shape how the person interacts with systems, security requirements, and so on? Does their emotional state or motivation change when dealing with different technology and/or security touch points?
■ What and who influences them? What is the social component? Are there times of the day or seasons of the year that may cause a flux in behavior (e.g., busier times like holidays)? Times when the org has an influx of temporary workers? Times of mass movement within the office (e.g., lunch, morning meetings)?
■ Where do they physically go throughout the day (physical, technological, social touch points)? How does this persona make decisions at each major touch point? (Considering time pressures, social pressures, etc.)
■ Who do they see and under what circumstances? What are their goals? What traps do they fall into? What distracts or tempts them?
Trojan Horses of the Mind
emotions & feelings, branding & visuals, sound & music, words & story
"Find your 'why' for each audience type and then develop your strategy for your segments. Combine great communication techniques with behavior design principles and leverage culture carriers to reinforce your security-related messaging, values, and behaviors throughout the organization."
Curiosity Gap
Cognition (Security Culture Dimensions)
employees' understanding, knowledge, and awareness of security issues and activities
REWARDS (4 Pillars of Cultural Influence)
feeling like one's efforts, intrinsic value, and good work are both noticed and appreciated
● Different segments react differently to types of rewards
● Rewards don't necessarily need to be material; sometimes recognition itself goes a long way: gamification, real-time stats, community competitions, community encouragement
● Remember to build unpredictability and variability into the frequency and structure in order to increase engagement and fight complacency
People in top of pyramid
find ways to ENCOURAGE, SUPPORT, grant FREEDOM and RESPONSIBILITY
People in bottom of pyramid
find ways to HELP
People in middle of pyramid
find ways to INCLUDE, ASSIMILATE, RECOGNIZE
Responsibilities (Security Culture Dimensions)
how employees perceive their role as a critical factor in sustaining or endangering the security of the organization
Curiosity gap
intentionally creating a "mental itch that needs scratched" by teasing with info
Framing
is the process we can use to construct a new frame through language, visuals, context, or other cues (TSA-113)
"Framing will be a critical part of how you justify, deliver, and report on your security awareness program." (TSA-114)
RECIPROCITY (Cialdini's Principles)
people don't like to feel indebted
How can you offer help and support to your critical stakeholders? To your culture carriers? To your end-users?
SCARCITY (Cialdini's Principles)
people don't like to feel like they're going to miss out (FOMO), and feel pressure from limited time/resources
Keyword is "limited" -- limited time to give feedback on the program, limited-availability swag, membership in a limited group of exclusive people
COMMITMENT & CONSISTENCY (Cialdini's Principles)
people don't want to be seen as "fickle" or "wishy-washy" and expect words and actions to line up
How does your program align with or provide the values a stakeholder claims to hold themselves to? Can you get a promise to support your program in a way that the promiser won't want to go back on?
LIKING (Cialdini's Principles)
people like others who are similar, who pay them compliments, and who cooperate towards mutual goals
SOCIAL PROOF (or CONSENSUS) (Cialdini's Principles)
people tend to conform to what others around them are doing and saying
● Win support of more difficult stakeholders by using the support of the initial stakeholders as social proof
● Culture carriers are in themselves a form of social proof: "Their job is to advocate for (explicit social proof) and demonstrate (implicit social proof) the values, beliefs, and behaviors that you want to spread through the organization. And they create virality and sustainability by serving as a continual form of social proof."
Data-Driven Computer Defense Lifecycle
■ Collect better and localized threat intelligence. Focus on current, local, and most successful threats first, followed by the most likely successful future threats, to better define the actual top, most damaging threats
■ Rank risk appropriately. Give less emphasis to security vendors' priorities and more to the actual threat intel from your own org's experience
■ Create an effective communications plan. Clearly communicate the newly ranked top threats across the org, tailoring the message for each group depending on the level of detail and strategy that group needs. Effective communication depends on giving the right education in the right places, focused on eliminating the top threats
■ Define and collect metrics. Gut feelings and experience are either backed up or replaced by good data. "If you can't measure it, you can't do it"
■ Select and deploy defenses. Focus on root cause analysis (e.g., unpatched software, social engineering, misconfiguration, human error) to create mitigation strategies. "Stop one malware program, and you stop one malware program. Stop one root cause exploit avenue, and you stop every malware program (and hacker) that might otherwise have used that root cause to be successful."
■ Review and improve the plan as needed. At the core of this cyclical plan is the adaptability needed for a moving, constantly changing plan (much like the threats it is addressing)
Berger's STEPPS framework for enculturation
■ Social Currency - we share things that make us look good
■ Triggers - top of mind, tip of tongue
■ Emotion - when we care, we share
■ Public - built to show, built to grow
■ Practical - news you can use
■ Stories - info travels under the guise of idle chatter
Security Behavior Journey Map Brainstorming Cheatsheet
■ Who are they?
■ When is it? (time of day)
■ Where are they? (location)
■ What are they doing or about to do? (event/behavior)
■ What is their goal?
■ What are they feeling? (emotions)
■ Who else is around? (social)
■ Are there any other interesting or important aspects of the context they are in?
■ How might they make mistakes or deliberately make insecure choices?
■ Thoughts on the Fogg Behavior Model (B=MAP) elements for encouraging secure behaviors?
■ What program elements can we use to encourage and reinforce the behavior we want?
■ How can we reward people who are doing the right thing or people who accept intervention?
The 8 Ps of Marketing in an Awareness Context
■ Product (promoted security-related message or behavior)
■ Price (time, effort, or sacrifice of the end-user to participate in training)
■ Place (where the training takes place and the form it uses as its vehicle)
■ Promotion (activities, forums, or people used to support or promote the training)
■ Physical Evidence (subtle and not-so-subtle cues provided about the value and traits of your "product")
■ People (people involved in creating, advocating, and receiving your "product" and how they add to or subtract from the tone and direction of the culture)
■ Process (formal training plan and methodologies used to promote your "product" that guide its continual improvement and sustainability)
■ Partners (other methods put in place to propagate, such as advocate/champion programs)
Common information security culture traits
■ Techno-romanticism (tech front and center as both the problem and the likely solution)
■ Defeatism (the bad guys have won, you're already owned, and the only thing that can be done is contain the damage and clean up the mess)
■ Exceptionalism (security is not only the biggest problem the world faces in a world full of problems, it's also unique, and no one can understand what it's like to be responsible for infosec)
■ Paranoia (addressing risk differently from a security standpoint than risk in other aspects of life)
