Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/8/2019
06:40 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

How Behavioral Data Shaped a Security Training Makeover

A new program leveraged behavioral data of employees to determine when they excelled at security and where they needed improvement.

BLACK HAT 2019 – Las Vegas – As human error continues to top data breach causes, security leaders grapple with how to get employees to care about, and adopt, stronger security habits.

"When you think about the ways how you could lower that number, the first thing that comes to mind is training," said Aika Sengirbay, current security awareness program manager at Airbnb and former senior security engagement specialist at Autodesk, in the Black Hat briefing "It's Not What You Know, It's What You Do: How Data Can Shape Security Engagement."

"But compliance-focused trainings are not enough to change human behavior, and especially not enough when it comes to security behaviors," she added. Noticing the old way of training was "broken," Autodesk sought new ways to improve its employee security training strategy.

Companywide trainings, often done to "check the box" on security awareness, are not typically measured and don't offer a way to track improvement. All employees receive the same general training, which fails to engage and rarely drives progress. They wanted the new methodology to recognize their skill levels, respect their time, and motivate them to learn about security.

To accomplish this, the Autodesk teamed up with Elevate Security. Their first step was to create a list of desired employee behaviors: handle sensitive data, patch, increase reporting, and use multifactor authentication and VPNs, said Elevate co-founder Masha Sedova.

"If you had a magic wand, what would your employees be doing right now?" Sedova asked the audience. "These end up actually being mindsets; they're not things you can measure in a tangible way." This "master list" became a bank of open-ended behaviors they wanted to see.

Step two drilled into "vital behaviors," which required the team to create a list of questions to prioritize worker activity: "What would be the most damaging to your company?" for example. "What are your most frequent incidents?" "What do your stakeholders care most about?"

Step three was to find data to measure progress and inform future strategies, Sengirbay said. The team ran internal phishing assessments, worked with incident response teams to identify suspicious messages, and consulted with enterprise device admins to see who used password managers. They pulled from the learning management tool to see who had completed training.

An employee was considered "successful" if they had not submitted their credentials to a phishing page, sent sensitive data through appropriate channels, installed and used a password manager within the 30 days prior, and completed the required training.

This all contributed to the "Individual Security Snapshot," a program designed to present employees with prioritized security behaviors, identify strengths, provide recommendations for training, and reward behaviors. A considerable amount of effort went into creating a dynamic scoring system that was culturally relevant and ongoing, and urged people to change their actions.

"How do we communicate this in a way that actually shifts behavior?" said Sedova of employees' security feedback. The team wanted their scoring system to be on a sliding scale so people would know they could change it with ongoing good behavior, similar to a credit score. They illustrated the scale with dragons: Poor security habits earned them a "flimsy" dragon on one end of the spectrum; strong habits made them an "indestructible" dragon on the other.

To add incentive, they leveraged social proof, which uses the context of what other people are doing to influence someone's decision. For example, one alert informed employees they were "3.2 times more like to fall for a phish" than others in the department. Another said "12% of your department has installed LastPass" and mentioned Autodesk's CEO was using the tool.

"We're tapping into the things that make us all human," Sedova explained. Amazon reviews work the same way: If you know someone else is using something, you're likely to try it.

Security Snapshot reinforces good behavior by awarding employees virtual badges when they do things like detect all of their phishing email, report suspicious behavior, or complete a training. This intrinsic motivation doesn't work for everyone, Sedova said, but it's effective for many.

"As a security professional, I've seen security teams do a great job of punishing people who do the wrong thing" but rarely tell employees when they do something right, she added.

The Snapshot approach worked. Sixty percent of employees were willing to engage with Snapshot emails, Sengirbay said. Each email shifted the average security score across the organization. Autodesk was ultimately able to increase the number of people with scores of 70 or above by 170%. Researchers noticed low performers only had a 17% open rate of the emails, while those with higher scores and better security practices had a 58% open rate.

"Data can help us see what reality is and stop driving our awareness programs based on assumptions we have," Sengirbay added. With contextual information to inform their training strategy, the researchers saw opportunity for changes they didn't know they needed.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27225
PUBLISHED: 2021-03-01
In Dataiku DSS before 8.0.6, insufficient access control in the Jupyter notebooks integration allows users (who have coding permissions) to read and overwrite notebooks in projects that they are not authorized to access.
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.