5/11/2016
Cybersecurity Awareness: Keeping your audience engaged and aware
Donna Maskil-Thompson, CIP Senior Manager
SPP CIP Workshop - May 2016
© 2016 BPU - Public 1
Also known as…
“How I learned to Stop Worrying and Love Cybersecurity Awareness”
- Bobby Gray – BPU NERC Compliance Officer, 2015
Agenda
• Creating a Strategy
• Instructional Design – ADDIE Model
• Adult Learner Characteristics
• Measuring Effectiveness of Program
• Addendum – Examples from the BPU Cybersecurity Awareness Program
Create a Strategy
• Topics and Themes
• Tools and Resources
• Frequency
• Re-evaluate every 90 days
Instructional Design – ADDIE Model
Analyze
Design
Develop
Implement
Evaluate
Analyze
• Who needs to be trained? (Identify roles)
– Audience characteristics
– Prior knowledge and skills
• What information do they need to understand?
– Goals and objectives
• Learning environment
– Class size, type of instruction, etc.
– Timeline
Adult Attention Span
Attention Span – 8 minutes
“Is this worth my time?”
Adult Learning Styles
• Visual – remember what they have read or seen
• Auditory – remember things through hearing or saying out loud
• Kinesthetic (Tactile) – remember through experience, feelings
Time limits
Break presentations into a series of 5-minute experiences
Try to limit your presentation to 20 minutes
Solve a Problem
• Use real examples
• Give solutions to solve real problems
• Request feedback. Encourage self-reporting
Earn Respect
“Seek respect, not attention. It lasts longer.”
― Ziad K. Abdelnour
Lighten up
“No one will ever claim that they experienced Death By PowerPoint because they felt like dying due to excessive fun during a presentation”
- Leslie Belnap
Source: How-to Conquer Short Attention Spans, 2015
Adult Learning Theory – Design
• Be collaborative
• “Voluntary Participation” – it must fit their needs!
• “Mutual respect” – Know your audience
Resource: Understanding and Facilitating Adult Learning, Stephen Brookfield, 1991
Remember
Do not read your slides verbatim!
Address audience needs
Take feedback seriously and edit
Training Needs Assessment
1. Schedule a meeting with sample audience
2. Brainstorm – determine common themes and topics.
3. Determine which areas/needs are most important.
4. Determine the desired outcomes from the training to address these needs.
Outcomes = measures of success (validation)
Needs Assessment Checklist
Know what the organization is trying to accomplish.
Know the history of training within the organization.
What "needs" will be addressed by the training?
Any recent process or procedure changes? Incidents or process failures?
What resources are available for training?
Who needs to be trained?
Who can serve as subject matter experts?
Are any staff going to do the training?
Which companies provide training materials?
What are the Knowledge, Skills, and Abilities?
Review Job Descriptions and Org Charts.
Analyze – Developing a Strategy
List 3 objectives of your Cyber Security Awareness Program
Examples:
• Protect the confidentiality, integrity and availability of BES Cyber Systems and related information.
• Minimize cost of security incidents and potential issues of non-compliance.
• The human factor – ensure every employee knows that security is their responsibility.
Attendance or completion of mandatory training should not be considered an objective!
Design
• Determine instructional methods
• Design an Assessment Plan and Course Outline
• Create “Storyboards”/Prototypes
– Narratives
– Scenarios
– Stories
– Abstract Concepts
– Parts and Components
– Motion and Paths
– Maps, Charts and Statistical Data
– Concrete Ideas
– Metaphors
• Think about what engages your audience
Design – for the User
• Look and Feel
• User interface
– Graphics, Animation, Sound
– Pop culture vs Employee “Actors”
• Modules by Theme or Complete Program?
• KEY – Make it memorable
Design
• Communicate Policy/Regulations
– Entertain
– Engage
– Reward
Develop
• Create the syllabus
• Develop Course (from the Storyboards)
– PowerPoint, PDF, etc.
– Use color, graphics, gamification!
• Develop Assessment items
Think of training aids and other learning materials
Expert Knowledge
• FBI, US-CERT
• Cybersecurity Product Demos/Blogs
• Professional groups
– ASIS
– ISACA
– ISC2
– IASAP
In the News
Source: www.informationisbeautiful.net
Implement
• Put the Plan into action
• Train the Trainer
• Launch Course
Evaluation
Formative Evaluation
• Monitors learning to provide feedback – point in time
• Identifies strengths and weaknesses/target areas
• Use for “test” or “sample” group before rolling program out to entire audience
Summative Evaluation
• Evaluate student learning at the end of the course
• Compares to another standard or benchmark
• Example – 100% Assessment Scores
Survey your audience – collect feedback and revise as needed!
Measuring Effectiveness
How do you measure effectiveness?
• Internal Control Testing
• Maturity Models
• Analysis of Incident reports
Internal Controls
• The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.
Reference – ISACA Glossary (ISACA was formerly known as the Information Systems Audit and Control Association)
Writing Control Objectives
• What is the objective of this control?
– Prevent
– Detect
– Correct
• How does it effectively mitigate risk?
– SMART criteria
Source: ISACA Online, COBIT 5
https://cobitonline.isaca.org/books/framework/pdf/framework-chapter08-section02.pdf
COBIT 5 vs COBIT 4.1
COBIT 5 Maturity Model (explained) / COBIT 4.1 Maturity Model
Cybersecurity Capability Maturity Model (ES-C2M2)
Analysis of Incidents – RCA
Root Cause Analysis (RCA) involves investigating the patterns of negative effects, finding hidden flaws in the system, and discovering specific actions that contributed to the problem.
In closing…
Users want to learn something they can use
You can make Cybersecurity FUN
Keep it current with the news.
MAKE IT INTERESTING.
Questions
Addendum
The following slides are examples from BPU’s Cybersecurity Awareness Program
If you wish to reuse any of the materials, please notify the BPU Compliance team via email ([email protected])
BPU Topics (Sample)
• Social Engineering – Phishing/Spearphishing
• Passwords
• Mobile Device Security
• Incident Reporting and Response
• Physical Security
• June – Phish Week (same time as Shark Week)
• September – National Emergency Preparedness Month
• October – Cybersecurity Awareness Month
Phishing
Cybersecurity Awareness Month
October 1-2 – Stop. Think. Connect. Best Practices for All Digital Citizens
This basic advice is a guiding principle so that we can navigate the Internet ‒ and our digital lives ‒ safely and more securely.
October 5-9 - Creating a Culture of Cybersecurity at Work
Provide resources that help BPU establish a culture of cybersecurity. Emphasis will focus on employee education and a risk management approach to cybersecurity.
October 13-16 - Connected Communities and Families: Staying Protected While We Are Always Connected
We will share simple ways we can protect ourselves and those around us along with what we can do if impacted by a breach, cybercrime or other issue.
October 19-23 - Your Evolving Digital Life
Highlights where we were, where we are today and how we can keep our digital lives safer and more secure with emerging technology.
October 26-30 - Building the Next Generation of Cyber Professionals
Information about cybersecurity careers as well as the need for ongoing Internet safety and security education toward building cyber-literate digital citizens.
Physical Security – Badges
• Wear your badge
• Do not leave it in your car in plain view
• If someone asks to see your badge, show them.
• If you lose your badge, report it immediately
Visitor Access Control
• Clearly identifies visitors
• Relationship between Safety and Security