Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

8/8/2019
06:40 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

How Behavioral Data Shaped a Security Training Makeover

A new program leveraged behavioral data of employees to determine when they excelled at security and where they needed improvement.

BLACK HAT 2019 – Las Vegas – As human error continues to top data breach causes, security leaders grapple with how to get employees to care about, and adopt, stronger security habits.

"When you think about the ways how you could lower that number, the first thing that comes to mind is training," said Aika Sengirbay, current security awareness program manager at Airbnb and former senior security engagement specialist at Autodesk, in the Black Hat briefing "It's Not What You Know, It's What You Do: How Data Can Shape Security Engagement."

"But compliance-focused trainings are not enough to change human behavior, and especially not enough when it comes to security behaviors," she added. Noticing the old way of training was "broken," Autodesk sought new ways to improve its employee security training strategy.

Companywide trainings, often done to "check the box" on security awareness, are not typically measured and don't offer a way to track improvement. All employees receive the same general training, which fails to engage and rarely drives progress. They wanted the new methodology to recognize their skill levels, respect their time, and motivate them to learn about security.

To accomplish this, the Autodesk teamed up with Elevate Security. Their first step was to create a list of desired employee behaviors: handle sensitive data, patch, increase reporting, and use multifactor authentication and VPNs, said Elevate co-founder Masha Sedova.

"If you had a magic wand, what would your employees be doing right now?" Sedova asked the audience. "These end up actually being mindsets; they're not things you can measure in a tangible way." This "master list" became a bank of open-ended behaviors they wanted to see.

Step two drilled into "vital behaviors," which required the team to create a list of questions to prioritize worker activity: "What would be the most damaging to your company?" for example. "What are your most frequent incidents?" "What do your stakeholders care most about?"

Step three was to find data to measure progress and inform future strategies, Sengirbay said. The team ran internal phishing assessments, worked with incident response teams to identify suspicious messages, and consulted with enterprise device admins to see who used password managers. They pulled from the learning management tool to see who had completed training.

An employee was considered "successful" if they had not submitted their credentials to a phishing page, sent sensitive data through appropriate channels, installed and used a password manager within the 30 days prior, and completed the required training.

This all contributed to the "Individual Security Snapshot," a program designed to present employees with prioritized security behaviors, identify strengths, provide recommendations for training, and reward behaviors. A considerable amount of effort went into creating a dynamic scoring system that was culturally relevant and ongoing, and urged people to change their actions.

"How do we communicate this in a way that actually shifts behavior?" said Sedova of employees' security feedback. The team wanted their scoring system to be on a sliding scale so people would know they could change it with ongoing good behavior, similar to a credit score. They illustrated the scale with dragons: Poor security habits earned them a "flimsy" dragon on one end of the spectrum; strong habits made them an "indestructible" dragon on the other.

To add incentive, they leveraged social proof, which uses the context of what other people are doing to influence someone's decision. For example, one alert informed employees they were "3.2 times more like to fall for a phish" than others in the department. Another said "12% of your department has installed LastPass" and mentioned Autodesk's CEO was using the tool.

"We're tapping into the things that make us all human," Sedova explained. Amazon reviews work the same way: If you know someone else is using something, you're likely to try it.

Security Snapshot reinforces good behavior by awarding employees virtual badges when they do things like detect all of their phishing email, report suspicious behavior, or complete a training. This intrinsic motivation doesn't work for everyone, Sedova said, but it's effective for many.

"As a security professional, I've seen security teams do a great job of punishing people who do the wrong thing" but rarely tell employees when they do something right, she added.

The Snapshot approach worked. Sixty percent of employees were willing to engage with Snapshot emails, Sengirbay said. Each email shifted the average security score across the organization. Autodesk was ultimately able to increase the number of people with scores of 70 or above by 170%. Researchers noticed low performers only had a 17% open rate of the emails, while those with higher scores and better security practices had a 58% open rate.

"Data can help us see what reality is and stop driving our awareness programs based on assumptions we have," Sengirbay added. With contextual information to inform their training strategy, the researchers saw opportunity for changes they didn't know they needed.

Related Content:

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GitHub Named in Capital One Breach Lawsuit
Dark Reading Staff 8/14/2019
The Mainframe Is Seeing a Resurgence. Is Security Keeping Pace?
Ray Overby, Co-Founder & President at Key Resources, Inc.,  8/15/2019
The Flaw in Vulnerability Management: It's Time to Get Real
Jim Souders, Chief Executive Officer at Adaptiva,  8/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-5034
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave Legacy Pairing functionality of Nest Cam IQ Indoor version 4620002. A set of specially crafted weave packets can cause an out of bounds read, resulting in information disclosure. An attacker can send packets to trigger this vuln...
CVE-2019-5035
PUBLISHED: 2019-08-20
An exploitable information disclosure vulnerability exists in the Weave PASE pairing functionality of the Nest Cam IQ Indoor, version 4620002. A set of specially crafted weave packets can brute force a pairing code, resulting in greater Weave access and potentially full device control. An attacker c...
CVE-2019-5036
PUBLISHED: 2019-08-20
An exploitable denial-of-service vulnerability exists in the Weave error reporting functionality of the Nest Cam IQ Indoor, version 4620002. A specially crafted weave packets can cause an arbitrary Weave Exchange Session to close, resulting in a denial of service. An attacker can send a specially cr...
CVE-2019-8103
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...
CVE-2019-8104
PUBLISHED: 2019-08-20
Adobe Acrobat and Reader versions, 2019.012.20035 and earlier, 2019.012.20035 and earlier, 2017.011.30142 and earlier, 2017.011.30143 and earlier, 2017.011.30142 and earlier, 2015.006.30497 and earlier, and 2015.006.30498 and earlier have an out-of-bounds read vulnerability. Successful exploitation ...