How Behavioral Data Shaped a Security Training Makeover

  /     /     /  
Publicated : 23/11/2024   Category : security


How Behavioral Data Shaped a Security Training Makeover


A new program leveraged behavioral data of employees to determine when they excelled at security and where they needed improvement.



BLACK HAT 2019 – Las Vegas – As human error continues to top data breach causes, security leaders grapple with how to get employees to care about, and adopt, stronger security habits.
When you think about the ways how you could lower that number, the first thing that comes to mind is training, said Aika Sengirbay, current security awareness program manager at Airbnb and former senior security engagement specialist at Autodesk, in the Black Hat briefing Its Not What You Know, Its What You Do: How Data Can Shape Security Engagement.
But compliance-focused trainings are not enough to change human behavior, and especially not enough when it comes to security behaviors, she added. Noticing the old way of training was broken, Autodesk sought new ways to improve its employee security training strategy.
Companywide trainings, often done to check the box on security awareness, are not typically measured and dont offer a way to track improvement. All employees receive the same general training, which fails to engage and rarely drives progress. They wanted the new methodology to recognize their skill levels, respect their time, and motivate them to learn about security.
To accomplish this, the Autodesk teamed up with Elevate Security. Their first step was to create a list of desired employee behaviors: handle sensitive data, patch, increase reporting, and use multifactor authentication and VPNs, said Elevate co-founder Masha Sedova.
If you had a magic wand, what would your employees be doing right now? Sedova asked the audience. These end up actually being mindsets; theyre not things you can measure in a tangible way. This master list became a bank of open-ended behaviors they wanted to see.
Step two drilled into vital behaviors, which required the team to create a list of questions to prioritize worker activity: What would be the most damaging to your company? for example. What are your most frequent incidents? What do your stakeholders care most about?
Step three was to find data to measure progress and inform future strategies, Sengirbay said. The team ran internal phishing assessments, worked with incident response teams to identify suspicious messages, and consulted with enterprise device admins to see who used password managers. They pulled from the learning management tool to see who had completed training.
An employee was considered successful if they had not submitted their credentials to a phishing page, sent sensitive data through appropriate channels, installed and used a password manager within the 30 days prior, and completed the required training.
This all contributed to the Individual Security Snapshot, a program designed to present employees with prioritized security behaviors, identify strengths, provide recommendations for training, and reward behaviors. A considerable amount of effort went into creating a dynamic scoring system that was culturally relevant and ongoing, and urged people to change their actions.
How do we communicate this in a way that actually shifts behavior? said Sedova of employees security feedback. The team wanted their scoring system to be on a sliding scale so people would know they could change it with ongoing good behavior, similar to a credit score. They illustrated the scale with dragons: Poor security habits earned them a flimsy dragon on one end of the spectrum; strong habits made them an indestructible dragon on the other.
To add incentive, they leveraged social proof, which uses the context of what other people are doing to influence someones decision. For example, one alert informed employees they were 3.2 times more like to fall for a phish than others in the department. Another said 12% of your department has installed LastPass and mentioned Autodesks CEO was using the tool.
Were tapping into the things that make us all human, Sedova explained. Amazon reviews work the same way: If you know someone else is using something, youre likely to try it.
Security Snapshot reinforces good behavior by awarding employees virtual badges when they do things like detect all of their phishing email, report suspicious behavior, or complete a training. This intrinsic motivation doesnt work for everyone, Sedova said, but its effective for many.
As a security professional, Ive seen security teams do a great job of punishing people who do the wrong thing but rarely tell employees when they do something right, she added.
The Snapshot approach worked. Sixty percent of employees were willing to engage with Snapshot emails, Sengirbay said. Each email shifted the average security score across the organization. Autodesk was ultimately able to increase the number of people with scores of 70 or above by 170%. Researchers noticed low performers only had a 17% open rate of the emails, while those with higher scores and better security practices had a 58% open rate.
Data can help us see what reality is and stop driving our awareness programs based on assumptions we have, Sengirbay added. With contextual information to inform their training strategy, the researchers saw opportunity for changes they didnt know they needed.
Related Content:
6 Actions That Made GDPR Real in 2019
Yes, FaceApp Really Could Be Sending Your Data to Russia
WhatsApp Messages Can Be Intercepted, Manipulated
Black Hat 2019: Security Culture Is Everyones Culture

Last News

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security

▸ Beware EMV may not fully protect against skilled thieves. ◂
Discovered: 23/12/2024
Category: security

▸ Hack Your Hotel Room ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
How Behavioral Data Shaped a Security Training Makeover