
2016CyberSecurityAwareness SPP PUBLIC Handouts · 5/11/2016 8 Training Needs Assessment 1. Schedule...

Date post: 20-Jul-2020

5/11/2016


Cybersecurity Awareness

Keeping your audience engaged and aware

Donna Maskil-Thompson, CIP Senior Manager

SPP CIP Workshop - May 2016

© 2016 BPU - Public 1

Also known as…

“How I learned to Stop Worrying and Love Cybersecurity Awareness”

- Bobby Gray – BPU NERC Compliance Officer, 2015


Agenda

• Creating a Strategy

• Instructional Design – ADDIE Model

• Adult Learner Characteristics

• Measuring Effectiveness of Program

• Addendum - Examples from the BPU Cybersecurity Awareness Program


Create a Strategy

• Topics and Themes

• Tools and Resources

• Frequency

• Re-evaluate every 90 days


Instructional Design – ADDIE Model

Analyze

Design

Develop

Implement

Evaluate


Analyze

• Who needs to be trained? (Identify Roles)

– Audience Characteristics

– Prior knowledge and skills

• What information do they need to understand?

– Goals and Objectives

• Learning Environment

– Class size, Type of instruction etc.

– Timeline


Adult Attention Span

Attention Span – 8 minutes

“Is this worth my time?”


Adult Learning Styles

• Visual – remember what they have read, seen

• Auditory – remember things through hearing or saying out loud

• Kinesthetic (Tactile) – remember through experience, feelings


Time limits

Break presentations into a series of 5-minute experiences

Try to limit your presentation to 20 minutes


Solve a Problem

• Use real examples

• Give solutions to solve real problems

• Request Feedback. Encourage Self-Reporting


Earn Respect

“Seek respect, not attention. It lasts longer.”

― Ziad K. Abdelnour


Lighten up

“No one will ever claim that they experienced Death By PowerPoint because they felt like dying due to excessive fun during a presentation”

- Leslie Belnap

Source: How-to Conquer Short Attention Spans, 2015


Adult Learning Theory - Design

• Be collaborative

• “Voluntary Participation” – it must fit their needs!

• “Mutual respect” – Know your audience

Resource: Understanding and Facilitating Adult Learning, Stephen Brookfield, 1991


Remember

Do not read your slides verbatim!

Address audience needs

Take feedback seriously and edit


Training Needs Assessment

1. Schedule a meeting with sample audience

2. Brainstorm - Determine common themes and topics.

3. Determine which areas/needs are most important

4. Determine the desired outcomes from the training to address these needs.

Outcomes = measures of success (validation)


Needs Assessment Checklist

Know what the organization is trying to accomplish.

Know the history of training within the organization.

What "needs" will be addressed by the training?

Any recent process or procedure changes? Incidents or process failures?

What resources are available for training?

Who needs to be trained?

Who can serve as subject matter experts?

Are any staff going to do the training?

Which companies provide training materials?

What are the Knowledge, Skills, and Abilities?

Review Job Descriptions and Org Charts.


Analyze - Developing a Strategy

List 3 objectives of your Cyber Security Awareness Program

Examples:

• Protect the confidentiality, integrity and availability of BES Cyber Systems and related Information.

• Minimize cost of security incidents and potential issues of non-compliance.

• The human factor – ensure every employee knows that security is their responsibility.

Attendance or completion of mandatory training should not be considered an objective!


Design

• Determine instructional methods

• Design an Assessment Plan and Course Outline

• Create “Storyboards”/Prototypes

– Narratives – Scenarios – Stories

– Abstract Concepts

– Parts and Components

– Motion and Paths

– Maps, Charts and Statistical Data

– Concrete Ideas

– Metaphors

• Think about what engages your audience


Design – for the User

• Look and Feel

• User interface

– Graphics, Animation, Sound

– Pop culture vs Employee “Actors”

• Modules by Theme or Complete Program?

• KEY – Make it memorable


Design

• Communicate Policy/Regulations

– Entertain

– Engage

– Reward


Develop

• Create the syllabus

• Develop Course (from the Storyboards)

– PowerPoint, PDF, etc.

– Use color, graphics, gamification!

• Develop Assessment items

Think of training aids and other learning materials


Expert Knowledge

• FBI, US-CERT

• Cybersecurity Product Demos/Blogs

• Professional groups

– ASIS

– ISACA

– ISC2

– IASAP


In the News


Source: www.informationisbeautiful.net


Implement

• Put the Plan into action

• Train the Trainer

• Launch Course


Evaluation

Formative Evaluation

• Monitors learning to provide feedback – point in time

• Identifies strengths and weaknesses/target areas

• Use for “test” or “sample” group before rolling program out to entire audience

Summative Evaluation

• Evaluate student learning at the end of the course

• Compares to another standard or benchmark

• Example – 100% Assessment Scores

Survey your audience – collect feedback and revise as needed!


Measuring Effectiveness

How do you measure effectiveness?

• Internal Control Testing

• Maturity Models

• Analysis of Incident reports


Internal Controls

• The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

Reference - ISACA Glossary (formerly known as Information Systems Audit and Control Association)


Writing Control Objectives

• What is the objective of this control?

– Prevent

– Detect

– Correct

• How does it effectively mitigate risk?

– SMART criteria


Source: ISACA Online, COBIT 5 https://cobitonline.isaca.org/books/framework/pdf/framework-chapter08-section02.pdf


COBIT 5 vs COBIT 4.1

COBIT 5 Maturity Model (explained) COBIT 4.1 Maturity Model


Cybersecurity Capability Maturity Model (ES-C2M2)


Analysis of Incidents - RCA

Root Cause Analysis (RCA) involves investigating the patterns of negative effects, finding hidden flaws in the system, and discovering specific actions that contributed to the problem.


In closing…

Users want to learn something they can use

You can make Cybersecurity FUN

Keep it current with the news.

MAKE IT INTERESTING.


Questions


Addendum

The following slides are examples from BPU’s Cybersecurity Awareness Program

If you wish to reuse any of the materials, please notify the BPU Compliance team via email ([email protected])


BPU Topics (Sample)

• Social Engineering – Phishing/Spearphishing

• Passwords

• Mobile Device Security

• Incident Reporting and Response

• Physical Security

• June – Phish Week (same time as Shark Week)

• September – National Emergency Preparedness Month

• October – Cybersecurity Awareness Month

© 2016 BPU - Confidential 38


Phishing


Cybersecurity Awareness Month

October 1-2 – Stop. Think. Connect. Best Practices for All Digital Citizens

This basic advice is a guiding principle so that we can navigate the Internet ‒ and our digital lives ‒ safely and more securely.

October 5-9 - Creating a Culture of Cybersecurity at Work

Provide resources that help BPU establish a culture of cybersecurity. Emphasis will focus on employee education and a risk management approach to cybersecurity.

October 13-16 - Connected Communities and Families: Staying Protected While We Are Always Connected

We will share simple ways we can protect ourselves and those around us along with what we can do if impacted by a breach, cybercrime or other issue.

October 19-23 - Your Evolving Digital Life

Highlights where we were, where we are today and how we can keep our digital lives safer and more secure with emerging technology.

October 26-30 - Building the Next Generation of Cyber Professionals

Information about cybersecurity careers as well as the need for the ongoing Internet safety and security education toward building cyber-literate digital citizens.


Physical Security – Badges

• Wear your badge

• Do not leave it in your car in plain view

• If someone asks to see your badge, show them.

• If you lose your badge, report it immediately


Visitor Access Control

• Clearly identifies visitors

• Relationship between Safety and Security
