CISAM
Certified Information Security Awareness Manager
Certified Information Security Awareness Manager (CISAM), 4-5 March 2024
September 2023
Copyright © 2020 CyberSecurity Malaysia

Copyright Statement
The copyright of this training program material, which may contain proprietary information, is the property of CyberSecurity Malaysia. The training program material should not be disclosed, copied, transmitted or stored in an electronic retrieval system, or published in any form, either wholly or in part without prior written consent.
© CYBERSECURITY MALAYSIA, 2021
Registered office: Level 7, Tower 1
Menara Cyber Axis
Jalan Impact
63000 Cyberjaya, Selangor
MALAYSIA
Registered in Malaysia – Company Limited by Guarantee
Company No. 726630-U

Disclaimer
The information, related graphics, materials and others contained in this training program material is for training purposes only. While we strive to keep the information up-to-date and correct at all times, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the information, or related graphics contained herein for any purposes. Hence, any reliance you place on such information, products, services, related graphics and others is therefore strictly at your own risk. All such information, products, services, related graphics and others are provided "as is" without warranty of any kind. CyberSecurity Malaysia hereby disclaims all warranties and conditions with regards to the information, products, services, related graphics and others mentioned. In no event will CyberSecurity Malaysia be liable for any loss or damage including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits resulting from the use or in any way connected with the use of these documents.

This training is presented in partnership between

• Mobile devices in silent mode
• Active participation in the lab sessions & group activities required
• Break times will be advised

Introduction To The Course
Session 1

Course Objectives
• Identify current state of your organization's awareness and competence levels.
• Build and maintain a comprehensive awareness and competence program, as part of an organization's information security program.
• Identify awareness, training and competence needs, develop a training plan, and get organizational buy-in for the funding of awareness and competence program efforts.
• materials in various formats.
• Evaluate the effectiveness of the program.
• Understanding and overcoming the obstacles to success.
• Create an effective social engineering assessment program.

Exam Information
• 30 multiple choice questions
• 1 hour 10 minutes exam duration
• 70% passing mark
• Candidate will be awarded Certified Security Awareness Manager (CISAM) upon passing

Course Schedule - Day 1
Time | Session # | Session Title | Session Type
8.00am - 9.00am | - | Registration | -
9.00am - 10.15am | 1 | Introduction to the Course | Lecture, discussion, brainstorm & exercise
9.00am - 10.15am | 2 | What is Awareness? | Lecture, discussion, brainstorm & exercise
9.00am - 10.15am | 3 | The Human Factor in Information Security Risk | Lecture, discussion, brainstorm & exercise
10.15am - 10.30am | - | Coffee Break | -
10.30am - 12.30pm | 4 | The Solution Model to Reduce Information Security Risks Due to Human Factor | Lecture, discussion, brainstorm & exercise
10.30am - 12.30pm | 5 | The Plan Stage: Building a Persuasive Business Case | Lecture, discussion, brainstorm & exercise
12.30pm - 1.30pm | - | Lunch Break | -
1.30pm - 3.15pm | 6 | The Plan Stage: Measuring Current Levels & Conducting Needs Assessment | Lecture, discussion, brainstorm & exercise
1.30pm - 3.15pm | 7 | The Strategize Stage: Qualities of a Good Awareness Management System | Lecture, discussion, brainstorm & exercise
3.30pm - 5.00pm | 8 | The Strategize Stage: Strategies for Awareness Creation & Behaviour Modification | Lecture, discussion, brainstorm & exercise

Course Schedule - Day 2
Time | Session # | Session Title | Session Type
8.00am - 9.00am | - | Registration | -
9.00am - 10.15am | 9 | The Strategize Stage: Communication & Commitment Plan | Lecture, discussion, brainstorm & exercise
9.00am - 10.15am | 10 | The Strategize Stage: Define Indicators for Measurement | Lecture, discussion, brainstorm & exercise
10.15am - 10.30am | - | Coffee Break | -
10.30am - 12.30pm | 11 | The Execute Stage | Lecture, discussion, brainstorm & exercise
10.30am - 12.30pm | 12 | The Measure & Adjust Stage | Lecture, discussion, brainstorm & exercise
12.30pm - 1.30pm | - | Lunch Break | -
1.30pm - 3.15pm | 13 | Obstacles to Success | Lecture, discussion, brainstorm & exercise
1.30pm - 3.15pm | 14 | How to Make End-Users Like & Follow Information Security | Lecture, discussion, brainstorm & exercise
3.15pm - 3.30pm | - | Coffee Break | -
3.30pm - 5.00pm | | |

What is Awareness? (and what it is not?)
Session 2

Awareness: A Definition
Awareness is the "what" component of the education strategy of an organization which tries to change the behaviour and patterns

Awareness vs Training
• Awareness is not training
• The purpose of awareness is simply to focus attention on security
• Awareness is intended to allow individuals to recognise information security concerns and respond accordingly
• Awareness relies on reaching broad audiences with creative packaging techniques
• Training is one of the "how" components to implement security
• Training is more formal, having a goal of building knowledge and skills to facilitate the job performance

Awareness vs Behaviour
Example of Awareness:
"I passed the driving test and so I know the driving rules"

Awareness vs Behaviour
Example of Behaviour:
Does that make you a safe driver?

Awareness vs Behaviour
Awareness: I Know
Behaviour: I Do

Case Study: Awareness Alone is Not Enough
Client Profile
• Type of industry: Retail
• No of employees: 5,000
• Position: Market leader
• Type of information handled: Customer data, intellectual property, credit card information & etc

Case Study: Awareness Alone is not Enough
What they told the employees:
• Sharing of company / customer information is wrong
• Sensitive information must be safeguarded
• Employee ID cards must be worn and displayed at all times
What the employees were doing:
• Customer records were leaked to competitors
• Salary information of top executives was given to headhunters
• Printouts containing sensitive information were seen lying unattended
• Tailgating is a norm

Case Study: Problem Analysis
Visibility and Clarity
When you have too many rules, it gets complicated

Let's Listen To Employees

Don't Share Passwords
Employee: "Which password? Network, email, desktop, Facebook…???"

Protect Sensitive Information
HR Manager: "I don't think I handle any sensitive information"

More Reactions…
• "It takes 48-96 hours to get a password reset – What should I do, not do my work?"
• "I get these annoying "Security Screen Savers" every 90 seconds. Why so much overkill?"
• "We have 100 new employees every month, whereas the security training is once in 6 months. How will you handle

Sticking a Few Posters Doesn't Make a Difference in the Long Run
• The poster near the water cooler is great for 2 weeks
• Then it BLENDS into the environment

So What Went Wrong?

Question 1
I am responsible for information security awareness. How do people perceive me?

Question 2
Information Security??????
How does your workforce perceive information security? Positively or negatively?

Question 3

Question 4

Analyze this…
"It's our 10th anniversary & the wife is so happy with the diamond ring #habib #anniversary #ilovemywife"

Analyze this…
friends are?

Analyze this…
sensitive information?

Analyze this…

Analyze this…
Hi,
I run a Windows 2008 Server, Service Pack 1.0, with MS SQL 2008 for my external web apps. I am having a problem with …… and I have installed patch 1.2.3. Can someone help me?
Andy Jones
Sys Admin
ACME Inc.

So Why Do People Make Such Mistakes?
• Lack of awareness
• They think it is safe (perception)

Let's Have a Debate

• "Humans will always fail. Let us focus on getting fail-proof technology."
• "Technology will always fail. Let us focus on getting humans fail-proof."

Technology, Process & People
Information
Technology & process are only as good as the people that use them

So What Are We Going to Do?
1. Make users "trust" information security as a valuable and useful business requirement
2. Make users "trust" the information security team
3. Make users "behave responsibly" with information
How will you do it?

Lab 1 (15 Minutes)
1. List down at least 5 shortfalls of your current security awareness program in your organization.
2. Propose how the security awareness program can be improved for every shortfall identified.

Summary of Session 2
What did we learn?
1. Difference between awareness & training
2. Difference between awareness & behaviour
3. Awareness alone is not enough
4. Technology & process alone can't solve security issues
5. Why do people make security mistakes?

The Human Factor In Information Security Risks
Session 3

Behavioral Factors
Factors contributing to Poor Security Behaviour:
• Curiosity
• Self Preservation
• Obedience / Fear
• Inconvenience
• Carelessness / Poor Attitude
• Lack of Awareness
• Poor Infrastructure

Brainstorming Session

Listen to the HR Manager
"We use a spreadsheet to process salaries and it is password protected. If this password is not shared no one will get the salaries including the CEO."

An Executive
… has left some printouts unattended for a few hours. The printouts contain some confidential details of the new IT infrastructure plan of the company

An IT Admin Answering the Manager's Call
Manager: "Excellent job on the ERP integration. Can I have the admin login to verify certain things myself…"
Subordinate (IT Admin): "Sure, the login credentials are…"

An Employee Receiving Email from "Her Bank"
Employee: "Oh no I need to quickly click on the link to prevent my money from being stolen"
The email:
Dear Valued Customer,
We believe that someone was trying to access your online banking account without authorization. Please click here to reset your password.
Thank you,

Let's Discuss
Does Culture Impact Human Approach Towards Information Security?
(5 minutes)

Lab 2 (15 Minutes)
Watch the Mr Brown video and identify:
1. The factors that led to the compromise of the company's information security
2. The root human behaviours that led to the compromise of the company's information security

Summary of Session 3
What did we learn?
1. Human (behavioural) factors in information security risks
2. Sample instances where behavioural factors play a role in information security
3. Discussion on cultural impact

The Solution Model to Reduce Information Security Risks Due to Human Factor
Session 4

A Security Awareness & Behaviour Management Model
PLAN: Management buy-in. Establish team and priorities. Identify needs. Measure current levels.
STRATEGIZE: Develop strategies. Design and develop content.
EXECUTE: Deliver the awareness plan.
MEASURE & ADJUST: Conduct evaluation. Collect feedback. Modify and adjust for continuous improvement.

The Plan Stage
• Establish project team and assign responsibilities & priorities
• Measure current levels & conduct needs assessment
• How?
1. Choose project team and steering committee
2. Build business case, cost benefit analysis, ROI & etc
3. Obtain management support
4. Define the target group
5. Measure current level of security awareness and behaviour (competence) or

The Strategize Stage
• Design & develop high quality awareness content relevant to the organization
• For awareness management:
1. Coverage
2. Format & visibility: verbal, paper & electronic
3. Frequency
4. Quality of content
5. Communication & commitment plan
• For behaviour management:
1. Motivational strategies

The Execute Stage
• Having an execution plan
• Efficiency
• Collection of feedback
• Confirmation of receipt

The Measure & Adjust Stage
• Measurement strategy
1. Use the selected Security Metrics
2. Define sample size
3. Measurement methods
✓ For awareness: interviews, surveys, quizzes, mind-map sessions
✓ For behaviour: observation, data mining, log review, review of incident reports, simulated social engineering
4. Reasonable limitations
5. Behaviour may not always be visible
• Modify & adjust the plan & strategies for continuous improvement

Summary of Session 4
What did we learn?
1. The solution model and the 4 stages: Plan - Strategize - Execute - Measure & Adjust
2. The key components of each stage

The Plan Stage - Building a Persuasive Business Case
Session 5

Some Questions to Ponder
1. Is ISO 27001 only for IT companies?
2. Can you give examples of non-IT companies that have implemented ISO 27001?
3. What is the benefit of ISO 27001 for non-IT companies?

A Case Study & Discussion

A Case Study
The Secret Recipe
Where am I opening my next shop?
What is my annual revenue forecast?
Who is my raw materials supplier?
What are my costs to deliver the best nasi lemak in town?
Supplier A: at
Supplier B: at
What is my annual revenue forecast?

Business Case
Should show the management the qualitative and benefits of awareness programs, i.e.:
• Cost-benefit analysis
• ROI study
• Feasibility study
• Project proposal & charter
• Case studies & in-house security incident statistics
• Project funding request

Business Benefits
• Comply with confidentiality, availability, integrity, privacy and security standards
• Defend the organization from information leakage
• Enforce mandatory organisation-wide security policies
• Provide both a focal point and a driving force for a range of awareness, training and educational activities relating to information security, a few of which are already in place but are not well coordinated or particularly effective

Steering Committee
• Should be driven by the security or HR team
• Team of 5 - 10 volunteers to help plan, execute and maintain the program
• These volunteers should also be the ambassadors
• Have mix of departments and roles - HR, Procurement, Facilities, Finance, BU & etc
• Able to dedicate time to work on the program

Stakeholder Analysis
Name | Importance | Current Commitment Level | Target Commitment Level | Engagement Strategies
Chief Executive Officer | High | High | High | Keep briefings short and to the point, concentrate on value to organization.
Chief Security Officer | High | High | High | Show value of project, compliance, project mgmt. Keep briefings and communications short and efficient.
Legal / Audit | Medium | Medium | Medium | Interested mainly in compliance.
Marketing / Communications | Medium | Blocker | Medium | This group is key to successful communication. Coordinate with them early to ensure we are following corporate communication policy.

Costing
How to obtain the budget? (varies greatly from one organization to another):
• A percentage of the corporate training budget
• A percentage of the IT budget
• A percentage of each BU's budget based on the number of personnel
• Allocation of a set amount per user according to the role and the participation within the program
• Allocation of a set amount regardless of the awareness goals and objectives

Costing - If Budget is Already Allocated
• It may be necessary to reassess the feasibility of the defined goals & objectives.
• With an insufficient budget, some of the goals & objectives may have to be curtailed.
• Priority should be given to those goals & objectives which were identified as critical for the program.

Costing - Prepare the Budget
• Cost will vary greatly from one organization to another, e.g. availability of supporting assets, previous projects & so on
• Table in the next slide contains some of the most common cost elements…

Item | Description | Cost (RM)
Personnel | Personnel working on the information security awareness initiative. Whether they are full or part-time depends largely on the size of the organisation and the importance of information security relative to other priorities | 120,000.00
Operational Cost | The operational costs include rent, website maintenance & etc - information security awareness materials, posters, briefing papers, office miscellaneous materials | 100,000.00
Advertisement & Promotions | Branded coasters, pens, prizes for information security tests, quizzes and competitions, coffee for brown-bag meetings and so on. Covers: promo material & distribution costs; rewards & prizes costs; advertisement creative cost; advertisement media cost | 30,000.00
Training | In the event an organisation organises. Individual materials cost | 1,000.00
Contingency | Further funds may be needed to purchase additional security awareness materials, | 50,360.00

Cost Benefit Analysis
Investment Rationale - To increase the effectiveness in daily operations by lowering the costs related to time spent on corrective controls, per annum
Projected Costs
One-Time Cost | RM302,160.00
External Cost for Training During Project | -
Cost of Employee Time for Training (120 Minutes / Employee / Annum) | RM120,000.00
Project Duration (Months) | 12 Months
Recurring Cost After Project | RM150,000.00
Projected Benefits
Current Average Total Cost for Corrective Controls (per Annum) | RM1,200,000.00

Critical Success Factors
1. Top management support
2. Baseline needs to be determined before implementing or re-launching a program
3. Programs will fail if they don't reach the target audience
4. Getting publicity is vital, it will multiply the impact by increasing the number of people who hear / see the message
5. Programs will fail if they are counter to organisational culture

Project Charter
• Project Title
• Project Manager
• Project Sponsor
• Estimated Costs
• Finalize Plan Date
• Program Launch Date
• Project Scope
• Project Goals
• Project Objectives
• Project Justification
• Key Milestones
• Assumptions & Constraints
• Critical Success Factors

Preparation for Lab Sessions
Pick a company

Lab 3 (20 Minutes)
1. Identify 5 business benefits in having an information security awareness program in your organization
2. Prepare a high-level project charter for an information security awareness program

Summary of Session 5
What did we learn?
1. Building a business case
2. Cost-benefit analysis
3. Identifying business benefits, steering committee & stakeholders
4. Project charter

The Plan Stage - Measuring Current Levels & Conducting Needs Assessment
Session 6

WHO: Defining Target Group
(For lab activity 4)
1. Determining who is the target of the awareness program
2. Different targets may require different awareness training:
• General Employees
• IT Staff
• Senior Management
• Janitors / Guards & etc
• Vendors / Contractors

Target Group Analysis
1. It is necessary to identify specific target groups with similar interests and priorities.
2. Once identified, research should be conducted to understand each group's:
• Level of awareness of information security issues.
• Level of behaviour in handling information assets.
• The purposes for which they use ICTs.
• Key concerns.

Sample Steps in Conducting a Target Group Analysis
Identify Target Groups | Target groups are those that are impacted by or can influence the level of awareness of information security issues
Understand the Situation | A target group might be concerned about the impact on its organisation, loss of control, etc
Assess Level of Awareness | Assign High (H), Medium (M), Low (L) ratings reflecting each target group's level of awareness of information security issues and knowledge of solutions
| Assign High (H), Medium (M), Low (L) ratings reflecting each target

How to Measure Awareness Levels?
• Baseline assessments / Quizzes
• Surveys
• Interviews
• Online / Internet searches

How to Measure Behaviour Levels?
• Observations
• Simulated social engineering assessments
• Data mining
• Review of logs
• Incident review
• Early-morning walk-through

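Putting the two measurement tracks together, as an added example that is not part of the course material: the Python below takes constructed baseline-quiz scores (an awareness measure) and constructed outcomes of a simulated social-engineering exercise (a behaviour measure), rates each target group High / Medium / Low on both, and flags groups whose awareness rating is better than their behaviour rating, the "I know" versus "I do" gap from Session 2. The group names follow the course's target groups; the H/M/L thresholds, the action labels and all the data are assumptions.

```python
"""Rate target groups H/M/L on awareness and behaviour (added example, not course material)."""
from collections import defaultdict
from statistics import mean

# Constructed baseline quiz results: (target_group, employee_id, score out of 100).
QUIZ_RESULTS = [
    ("General Employees", "e001", 85), ("General Employees", "e002", 40),
    ("General Employees", "e003", 55),
    ("IT Staff", "e101", 95), ("IT Staff", "e102", 90),
    ("Senior Management", "e201", 60), ("Senior Management", "e202", 45),
    ("Vendors / Contractors", "v001", 30), ("Vendors / Contractors", "v002", 50),
]

# Constructed outcomes of a simulated social-engineering (phishing) exercise,
# one record per recipient: (target_group, employee_id, action).
# Action labels are assumptions: "reported" (good), "ignored" (neutral),
# "clicked" / "submitted" (poor behaviour).
PHISH_RESULTS = [
    ("General Employees", "e001", "reported"), ("General Employees", "e002", "clicked"),
    ("General Employees", "e003", "submitted"),
    ("IT Staff", "e101", "reported"), ("IT Staff", "e102", "ignored"),
    ("Senior Management", "e201", "clicked"), ("Senior Management", "e202", "ignored"),
    ("Vendors / Contractors", "v001", "clicked"), ("Vendors / Contractors", "v002", "submitted"),
]

RANK = {"L": 0, "M": 1, "H": 2}  # ordering used to compare the two ratings


def rate_awareness(avg_score):
    """H/M/L band for a group's mean quiz score (thresholds are assumptions)."""
    if avg_score >= 80:
        return "H"
    if avg_score >= 60:
        return "M"
    return "L"


def rate_behaviour(failure_rate):
    """H/M/L band for the share of recipients who clicked or submitted
    credentials in the simulation (thresholds are assumptions)."""
    if failure_rate <= 0.10:
        return "H"
    if failure_rate <= 0.30:
        return "M"
    return "L"


def awareness_by_group(quiz_results):
    """Mean quiz score and awareness rating per target group."""
    scores = defaultdict(list)
    for group, _, score in quiz_results:
        scores[group].append(score)
    return {g: (round(mean(s), 1), rate_awareness(mean(s))) for g, s in scores.items()}


def behaviour_by_group(phish_results):
    """Failure rate, report rate and behaviour rating per target group."""
    counts = defaultdict(lambda: {"total": 0, "failed": 0, "reported": 0})
    for group, _, action in phish_results:
        c = counts[group]
        c["total"] += 1
        if action in ("clicked", "submitted"):
            c["failed"] += 1
        elif action == "reported":
            c["reported"] += 1
    out = {}
    for g, c in counts.items():
        failure_rate = c["failed"] / c["total"]
        out[g] = (round(failure_rate, 2), round(c["reported"] / c["total"], 2),
                  rate_behaviour(failure_rate))
    return out


def target_group_table(quiz_results, phish_results):
    """One row per target group, flagging groups that know the rules (awareness)
    better than they follow them (behaviour). Groups missing one measurement get '?'."""
    aw = awareness_by_group(quiz_results)
    be = behaviour_by_group(phish_results)
    rows = []
    for group in sorted(set(aw) | set(be)):
        avg, a_rating = aw.get(group, (None, "?"))
        fail, report, b_rating = be.get(group, (None, None, "?"))
        rows.append({
            "group": group, "avg_quiz": avg, "awareness": a_rating,
            "phish_failure_rate": fail, "phish_report_rate": report,
            "behaviour": b_rating,
            "know_do_gap": RANK.get(a_rating, -1) > RANK.get(b_rating, -1),
        })
    return rows


if __name__ == "__main__":
    for row in target_group_table(QUIZ_RESULTS, PHISH_RESULTS):
        print(row)
```

The report rate is kept alongside the failure rate because a group that ignores the simulated email is not the same as one that reports it; only the latter shows the "respond accordingly" behaviour the awareness definition asks for.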
Lab 4 (20 Minutes)
Identify 3 target groups in your organization and other attributes based on the table below:
Target Group Name | Employee / Vendor / ITD / Senior Management
Description | Description of the group
Why | Why this group is targeted?
Assess Level of Awareness | Assign High (H), Medium (M), Low (L) ratings reflecting target group's level of awareness of information security issues and knowledge of solutions
Assess Level of Behaviour | Assign High (H), Medium (M), Low (L) ratings reflecting target group's level of behaviour towards handling information assets
Location |

Lab 5 (15 Minutes)
1. Create 5 survey questions to measure current level of your organization's information security awareness
2. Question types must be:
✓ Multiple choice
✓ Yes / No
✓ Multiple answers

Sample Survey
http://humanrisksurvey.securityelevate.com
This survey can be used by anyone to gauge the human risk level of the individual. The survey questions are quite generic; you can use it as a basis to customize for your business.

Summary of Session 6
What did we learn?
1. Ways to conduct target group analysis
2. How to measure awareness & behaviour levels
3. How to create human risk survey

The Strategize Stage - Qualities of a Good Awareness Management System

Session 7
Coverage

• Identify the target workforce / group
• Tolerable deviation – what percentage of the workforce must receive the training
• Set realistic expectations
Format & Visibility

1. Format – Different types of information security awareness content
2. Visibility – Channels through which the content is delivered

Format       Visibility
Verbal       Live training sessions, video conferences
Electronic   Email, intranet, posters, social media
Frequency

1. Gap between 2 awareness deliveries
2. Critical success factor - the gap should be minimal

Which is more effective - drip irrigation or spraying a lot of water once a day?
Quality of Content - Impact Visualization

Show the impact of poor security awareness & behaviour to the “non-information security” professional
Quality of Content - Business Relevance

(Illustration) “Oh no, my business is held responsible if I install this pirated software on this PC”

Show the impact of poor security awareness & behaviour to the “non-information security” professional
Quality of Content – Clarity & Ease

(Illustration) “Email security policy.. 5 quick tips.. this is so cool” vs. “So the email security policy is…….. 6 pages long huh??”
Lab 6

1. Choose one topic & create an awareness poster:
• Phishing
• Strong password
• Tailgating
• Malware
• Clear desk
2. Create a storyboard for an awareness video for the topic that you chose
Lab 6 - Poster Template
Summary of Session 7

What did we learn?
1. Qualities of a good awareness program:
• Coverage
• Format
• Frequency
2. Quality of content:
• Impact visualisation
• Business relevance
• Cultural factors
The Strategize Stage - Strategies for Awareness Creation & Behaviour Modification

Session 8
Objectives

Define strategies:
1. Awareness creation
2. Behaviour modification
Effective Awareness Training Plan

180 Minutes of Awareness Training in a Year

Awareness Format / Type              Duration
Induction (classroom / e-Learning)   30 minutes (1 time a year)
Short videos                         4 videos x 5 minutes (4 times a year)
Digital posters / e-newsletters      12 x 5 minutes (12 times a year)
Short quizzes                        12 x 3 minutes (12 times a year)
How to Change Behaviour?
Debate

Awareness can be created using high quality content and training, but how can you change behaviour?
How Can You Change Behaviour?

(Illustration) “What will happen to me if I don't comply with the information security requirements of the company?”

“All behaviour is learned through the consequences that follow. If a person likes the consequence, the behaviour will be repeated; if a person does not like the consequence, the behaviour is less likely to be repeated.”
Consequences

1. Quality of life
2. Money
3. Time
4. Inconvenience
Security Trade-Off vs Inconvenience

(Diagram) Security Trade-Off plotted against Personal Inconvenience
Security Trade-Off vs Cost

Enforcement or Cost:
• Quality of Life
• Career
• Money
• Time

(Diagram) Security Trade-Off plotted against Enforcement (Cost)
Creating the Right Balance

(Diagram) Motivational Strategies balanced against Disciplinary Strategies
Summary of Session 8

What did we learn?
1. Awareness criterion & behaviour criterion
2. Effective awareness training plan
3. How to change behaviour?
4. Consequences & security trade-offs
End of Day 1

Thank You
The Strategize Stage - Communication & Commitment Plan

Session 9
Develop Communication Plan

1. Communication is crucial for the success of any awareness program.
2. The communication & commitment curve below shows the importance of communication in achieving the goals.

(Diagram: communication & commitment curve)
The Basics of Effective Communication

1. Reach out to as broad an audience as possible.
2. Do not be alarmist or overly negative about a situation.
3. The goal of any awareness raising initiative should be to change the target group's behaviour in a positive way.
4. The message delivered, the channels used and the sender of the message must be influential and credible, otherwise the target group may be less inclined to listen.
5. The target groups obtain information from a variety of sources. To engage them successfully, more than one communication channel must be used.
Channels of Communication

Channel: Brochure / Magazine
Advantages: a) Easier to define message content & format b) Allows for careful study of content by target group c) Established audiences can be reached
Disadvantages: a) Not a static source of information as material could be lost b) May only appeal to a select target group

Channel: Comic
Advantages: a) Instant appeal to certain target groups like the young b) Message content can be more abstract in nature
Disadvantages: a) Difficult to incorporate messages with more detail b) May only appeal to a select target group

Channel: CBT / e-Learning /
Advantages: a) Enables training over
Disadvantages: a) Can be expensive to create
Channels of Communication

Channel: Email
Advantages: a) Relatively cheap channel to target mass audience. b) Allows target group to digest information in own time
Disadvantages: a) Your intended audience may not attend. b) Not a proactive channel with the target group expected to participate c) Does not reach those without email

Channel: Leaflet / Fact Sheet
Advantages: a) Can provide a lot of information. b) Cost effective to produce
Disadvantages: a) Need to organise distribution channels so your leaflets get the right audience. b) Not a static source of information as material could be lost
Channels of Communication

Channel: Screensaver
Advantages: a) Places information on the computer so users are likely to see it
Disadvantages: a) Requires development. b) Inexperienced users may be unable to install it. c) Does not reach those without computers

Channel: SMS
Advantages: a) Message content can be delivered straight to the target group ensuring visibility
Disadvantages: a) Need to work with telecoms provider b) Effective channel to alert the target group of dangers but not raise awareness due to limited content c) Can be very expensive
Channels of Communication

Channel: Video - DVD / VCD
Advantages: a) Allows for creative freedom with awareness message. b) Professionalism of channel if implemented correctly could help enforce message
Disadvantages: a) May not reach a technologically naïve audience

Channel: Website
Advantages: a) Can be updated to reflect changes. b) Can present content for multiple audiences. c) Can easily link to other information
Disadvantages: a) May not reach a technologically naïve audience. b) Implies trainee has some technical knowledge already. c) Not a proactive channel and overlooked
Define Communication Objectives

1. Information security communications should effectively involve, enroll and communicate with all key target groups to support successful awareness raising
2. Objectives could be:
• Promote the vision for network and information security and its benefits across the organization;
• Actively involve and engage all identified target groups;
• Provide affected target groups with an understanding of the information security issues and what those issues will mean to them;
• address concerns;
• Build energy and momentum to support the creation of the new learning environment
Sample Communication Goals & Channels

Columns: Target Group | Generate Awareness | Create Understanding | Develop Knowledge | Engage in Solutions
Group 1: x x x
Group 2: x x x
Group 3: x x x
Workshops
Choosing the Awareness Topics

1. Identify the topics related to information security that are critical for the organisation and the target audience
2. Following are some of the topics:
• Information security policies and procedures.
• Workstation security.
• Website policies.
• Asset management (e.g. USB flash drives, printing devices, PDA, mobile phones)
• Social engineering.
• Third-party and partner security.
• Incident response.
• Email security
Identifying Learning Objectives

Topic: Password protection
Target Group: All employees / Contractors / vendors
Background: Although the news of computer crimes elicits the use of sophisticated tools or techniques, the fact of the matter is that poor passwords are major contributors to the holes in information security efforts. In this module, the learners will be introduced to best practices in creating and maintaining strong passwords.
Objectives:
1) Learners can explain the difference between a weak and a strong password.
3) Learners understand the risks of using the same password for access
Mapping Topics with Target Group

Columns: Topic | TG 1 | TG 2 | TG 3 | TG 4
Social Engineering: x x x
Importance of Data Back-up: x x
WiFi Security: x x x x
Insider Threat: x
Firewall Protection: x x x
Management: x x X
Reinforcement of Knowledge

• A security culture can only be built if practice becomes habit - awareness training must be reinforced.
• It is a best practice to pick a security theme and run the program with various content and communication channels for a minimum of 90 days
Sample Awareness Plan with Reinforcement of Knowledge

Security Awareness Theme: Phishing (2015)

January: Topic – Identifying Phishing Email; Channel – Video (LMS); Measure – Baseline assessment & simulated phishing attack
February: Topic – Phishing Incident Case Study; Channel – Infographics; Measure – Online quiz
March: Topic – Reporting Phishing Incident; Channel – Email newsletter; Measure – Final assessment & simulated phishing attack
Lab 7 (15 Minutes)

Pick a security awareness topic.
Identify the learning objectives for the selected topic.

Topic: Password protection
Target Group: All employees / Contractors / vendors
Background: Although the news of computer crimes elicits the use of sophisticated tools or techniques, the fact of the matter is that poor passwords are major contributors to the holes in information security efforts. In this module, the learners will be introduced to best practices in creating and maintaining strong passwords.
Learning Objectives:
1) Learners can explain the difference between a weak and a strong password.
2) Learners understand the risks of password sharing with other users.
3) Learners understand the risks of using the same password for access with
Lab 8 (20 Minutes)

Use the security awareness topic from Lab 7.
Create the communication plan for the selected topic.

Target Audience: Who will be receiving the message
Communication Channel: The form in which the message will be sent
Communication Needs: The communication needs of the target group
Message: The content of the communication
Communication Owner: Who is responsible for making this communication happen
Objectives: What we hope to accomplish through this communication
Summary of Session 9

What did we learn?
1. The importance of having a solid communications plan
2. What should be included in a communications plan
3. Various channels of communication
4. Defining communications objectives
5. Choosing awareness topics and mapping with target groups & channels
7. Reinforcement of knowledge
The Strategize Stage - Define Indicators for Measurement

Session 10
Two (2) Things to Measure

1. Measure the IMPACT of the security awareness program
2. Measure the DEPLOYMENT of the security awareness program
Security Metrics to Measure the IMPACT

A security metric has 2 criteria:
1. Awareness Criterion
2. Behaviour Criterion
Sample Security Metrics

Metric: Phishing Detection
Awareness Criterion: Employees must be able to identify phishing emails
Behaviour Criterion: Employees must actually detect and report phishing emails

Metric: Strong Password
Awareness Criterion: Employees must know the method & requirement to create strong passwords
Behaviour Criterion: Employees must actually create and use strong passwords

Metric: Information Classification
Awareness Criterion: Employees must know different information classification criteria
Behaviour Criterion: Employees must actually classify information in day-to-day work
How to Measure Awareness Levels?

• Baseline assessments / Quizzes
• Surveys
• Interviews
• Online / Internet searches
Measuring Behaviour Levels

Let's discuss:
1. Can behaviour be measured? If so, how?
2. Is qualitative and quantitative measurement possible?
3. Is 100% accuracy in behaviour measurement a must?
4. What strategies will you use for measuring behaviour?
How to Measure Behaviour Levels?

• Observations
• Simulated social engineering assessments
• Data mining
• Review of logs
• Incident review
• Early-morning walk-through
Case Study 1

1. Tester places 6 USB flash drives in specific locations: rest rooms, conference room & pantry
2. The USB flash drives are labeled “2022 Staff Bonus”
3. Within a few minutes each of the flash drives was grabbed by employees
4. Employees insert the flash drives into their computers – and the tester was able to capture the employees' details and computer details
Case Study 2

1. Tester sends a simulated phishing email to the employees
2. Expected reaction from the employees:
• Not clicking on the link
• Report the incident to the security team
3. Result:
• More than 70% of the employees clicked on the link
• Less than 1% of the employees actually reported it even though the link
More Examples

• Pose as janitors or courier guy
• Leave printed documents with sensitive information lying around in a public area
• Fake phone calls requesting access to Top Management
• Visits during early mornings and weekends
Metrics to Measure the DEPLOYMENT (next slide)
Metric: Training Completion
What is Measured? Who has and has not completed annual security awareness training
How is it Measured? Reports from LMS or sign-in sheets from onsite workshops
When is it Measured? Annually
Who Measures? Training team
Details: Primary training is when people are taught all awareness material for the first time or in a single sitting, usually online computer based training (CBT) or onsite workshops.

Metric: Communication Methods
What is Measured? Types of reinforcement training, who it is being communicated to, and how often.
How is it Measured? Types of materials distributed to communicate the program
When is it Measured? Monthly
Who Measures? Security team
Details: For a security awareness program to have an impact it must be communicated to people on a regular basis. This metric measures other communication methods that repeat and reinforce lesson objectives from annual training. Examples of such metrics can include:
• Monthly hits to internal security blog or website
• Monthly newsletters, posters or screensavers
• Webcasts
• Number of emails sent
Document Lessons Learned

1. An excellent opportunity for feedback & growth
2. Tips for a constructive feedback session
• Consider limiting time during the session
• Have team members bring documented ideas to the meeting
• Team members should be encouraged to keep logs or diaries during the program
• Consider adding a lessons learned section to the status report
• Strategically schedule the times to capture the lessons learned
Methods to Collect Feedback

• Feedback collection feature in the LMS
• Surveys (can also be anonymous)
• Q&A sessions
• Emails
Lab 9 (15 Minutes)

Creating Strategies to Measure Current Levels

1. Create 3 security metrics that are valid for your business
2. Create the awareness and behaviour criteria
3. List down how you will measure the awareness and behaviour criteria for the security metrics
Lab 9 (Template)

Metric Name: Social Engineering
Criterion – Awareness: Employee is able to identify a social engineering attack while also able to stop and report the attack
Criterion – Behaviour: Number of employees who are able to identify, stop and report a social engineering attack increases
How to Measure – Awareness: Online quiz
How to Measure – Behaviour: Report of suspected Social Engineering attacks
Frequency: Monthly
Who Measures: Security Team
Summary of Session 10

What did we learn?
1. Critical to measure both the IMPACT & the DEPLOYMENT of the awareness program
2. Security metrics have 2 criteria
3. Methods to measure awareness and behaviour levels
4. Document lessons learned
The Execute Stage

Session 11
Execution Plan

1. After the PLAN & STRATEGIZE stages, create an execution plan
2. Have the steering committee review it and keep them updated
3. Execute the plan
Before & During Execution

1. Confirm the program team
2. Review work plan
3. Launch & execute plan
4. Deliver communication
5. Document lessons learned
Efficiency

1. Efficiency of channels in delivering the program
2. Emails must reach the target workplace, not go to SPAM
3. Videos must stream at an optimum speed
4. Training sessions:
• Trainer must be knowledgeable
• Able to articulate the topics well
• Use tools and examples
• Encourage discussion
Confirmation of Receipt

Proof that the learner received the content
• A simple “attendance ledger” that can be used for classroom training sessions
• A SCORM or similar system can track attendance if the content is delivered through an electronic LMS
Summary of Session 11

What did we learn?
1. Execution plan and checklist
2. Efficiency of execution & confirmation of receipt of awareness content
3. Note: Handout – Execution Checklist
The Measure & Adjust Stage

Session 12
Measuring the Success of the Program

Four categories in which success can be measured:
1. Process improvement
2. Attack resistance
3. Efficiency & effectiveness
4. Internal protections
Process Improvement

Deals with the development, dissemination and deployment of recommended security guidelines as well as awareness training
Process Improvement: Example of Evaluation Metrics

1. Has the organization developed an overall security policy? Is it readable and concise? (Expected answer: YES)
2. Is the overall security policy endorsed at the highest levels of the organization? (Expected answer: YES)
3. What percentage of the employees know that a security policy exists? How many have read it? (Expected change: increase)
Attack Resistance

Concerned with recognition of a security event and resistance to an attack.
Attack Resistance: Example of Evaluation Metrics

1. To what extent do staff recognize attacks?
2. To what extent do staff fall prey to attacks?
3. What percentage of surveyed individuals recognize a security event scenario when tested? (Expected change: increase)
4. What percentage of users failed testing by revealing their password? (Expected change: decrease)
Efficiency & Effectiveness

Focused on efficiency and effectiveness with regard to security incidents.
Efficiency & Effectiveness: Example of Evaluation Metrics

1. What percentage of security incidents experienced by individuals had human behaviour as a majority factor in the root cause? (Expected change: decrease)
2. What percentage of downtime was due to such security incidents? (Expected change: decrease)
Internal Protections

Concerned with how well an individual is protected against potential threats.
Internal Protections: Example of Evaluation Metrics

1. What percentage of an organisation's software, partners and suppliers have been reviewed for security (including awareness)? (Expected change: increase)
2. What percentage of an organisation's critical data is “strongly” protected, including awareness for data managers, administrators, etc.? (Expected change: increase)
3. What percentage of employees' systems scanned had malicious software or semi-malicious spyware installed? (Expected change: decrease)
Measurement Approach

For each Security Metric:
▪ Audit the awareness criterion
▪ Audit the behaviour criterion
▪ Select a suitable sample size which gives confidence in the result
▪ Quantify the scores
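As an added example (not part of the CISAM material), the Python below scores the deck's “Phishing Detection” metric the way this slide describes: the awareness criterion from an online quiz, the behaviour criterion from a simulated phishing assessment (clicked / reported), a Wilson interval and minimum sample size to judge how much confidence the sample gives, and a baseline-versus-final comparison with the expected direction of change. All employee records are constructed sample data; the EmployeeResult fields and function names are assumptions of this example.

```python
"""Score one security metric (Phishing Detection) on its awareness and
behaviour criteria, with sample-size confidence. Added example; the records
below are constructed, not results from the training material."""
from dataclasses import dataclass
from math import ceil, sqrt
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class EmployeeResult:
    employee_id: str
    quiz_passed: bool   # awareness criterion: identified phishing emails in the online quiz
    clicked_link: bool  # behaviour criterion (negative): clicked the simulated phishing link
    reported: bool      # behaviour criterion (positive): reported the email to the security team


def _results(flags: Iterable[str]) -> List[EmployeeResult]:
    """Build constructed records from a 3-letter flag string per employee:
    Q = quiz passed, C = clicked, R = reported, '-' = no."""
    return [
        EmployeeResult(f"emp{i:02d}", q == "Q", c == "C", r == "R")
        for i, (q, c, r) in enumerate(flags, start=1)
    ]


# Constructed sample: 10 employees before and after a 90-day phishing theme.
BASELINE = _results(["QC-", "-C-", "-C-", "QC-", "-C-", "-C-", "Q--", "-C-", "Q--", "---"])
FINAL = _results(["Q-R", "Q-R", "QC-", "Q-R", "Q--", "Q-R", "QCR", "Q-R", "Q--", "---"])

# Direction the slides expect each rate to move between baseline and final.
EXPECTED_DIRECTION = {
    "awareness_rate": "increase",
    "click_rate": "decrease",
    "report_rate": "increase",
}


def wilson_interval(hits: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for a measured proportion. A wide interval
    means the sample size does not yet give confidence in the result."""
    if n == 0:
        return (0.0, 0.0)
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def minimum_sample_size(margin: float, z: float = 1.96, p: float = 0.5) -> int:
    """Employees to assess so the measured rate is within +/- margin
    at 95% confidence; p = 0.5 is the conservative worst case."""
    return ceil(z * z * p * (1 - p) / (margin * margin))


def score_metric(results: List[EmployeeResult]) -> Dict[str, object]:
    """Quantify the awareness and behaviour criteria for one assessment round."""
    n = len(results)
    quiz = sum(r.quiz_passed for r in results)
    clicked = sum(r.clicked_link for r in results)
    reported = sum(r.reported for r in results)
    # The behaviour the program wants: reported the email without clicking it.
    safe = sum(r.reported and not r.clicked_link for r in results)
    return {
        "sample_size": n,
        "awareness_rate": quiz / n,
        "click_rate": clicked / n,
        "report_rate": reported / n,
        "safe_rate": safe / n,
        "click_rate_ci": wilson_interval(clicked, n),
    }


def compare(baseline: List[EmployeeResult], final: List[EmployeeResult]) -> Dict[str, dict]:
    """Baseline vs final round, flagging whether each expected change occurred."""
    before, after = score_metric(baseline), score_metric(final)
    outcome = {}
    for key, direction in EXPECTED_DIRECTION.items():
        delta = after[key] - before[key]
        met = delta > 0 if direction == "increase" else delta < 0
        outcome[key] = {"baseline": before[key], "final": after[key],
                        "expected": direction, "met": met}
    return outcome


if __name__ == "__main__":
    for name, rnd in (("baseline", BASELINE), ("final", FINAL)):
        print(name, score_metric(rnd))
    print("employees needed for +/-5%:", minimum_sample_size(0.05))
    print(compare(BASELINE, FINAL))
```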
Gather Data

1. It is recommended that a combination of qualitative and quantitative information be captured when collecting data
2. Data should be continuously captured
3. Methods to capture data:
I. Questionnaires & feedback collection
II. Website statistics
III. General observations
Review Program Objectives

1. Program objectives need to be revisited in light of the effectiveness results
2. Reviewing the objectives allows for a serious assessment to take place.
3. What has the team achieved?
4. Have the benefits been realized? (if so, celebrate)
5. If not, what is required to achieve the desired results?
Implement Lessons Learned

• Which lessons can be applied to increase the effectiveness and success of the program in the future?
• The main focus should be to learn from past experiences, both positive and negative, then to put that learning into practice.
Adjust Program

• Experiences gained since the launch provide the knowledge and understanding to adjust the program to make it more successful
• Adjustments could involve each and every activity and task performed in the context of the program
• The key is to make adjustments whilst maintaining the focus on the program objectives and goals
Adjust (Update)

• Your technology, your business requirements, and threats are constantly changing.
• Update content at least once a year.
• You and the steering committee need to review and update training.
• Ensure you have budget allocated for updates
Re-launch

• After adjustment based on what was learned, the next step is to re-launch the program (completing the tasks in Stage 3 - Execute)
• It is an ideal opportunity to follow up on additional topics or to reinforce subjects that have been covered at an earlier stage
• Learn from previous and on-going experiences, build
Lab 10 (15 Minutes)

Create at least 2 evaluation metrics for:
I. Process improvement
II. Attack resistance
III. Efficiency & effectiveness
IV. Internal protections
Summary of Session 12
What did we learn?
1. 4 categories to measure the success of the program:
I. Process improvement
II. Attack resistance
III. Efficiency & effectiveness
IV. Internal protections

Obstacles to Success
Session 13

Lack of Management Support
• One of the most essential aspects of a security awareness program and also the most challenging.
• For security messages to be effective, they must be supported from the top down.
• Expressing desire to support security initiatives is one thing, putting it into action is another.
• Managers’ primary goal is to meet their business objectives

Implementation of New Technology
• When new technology is implemented, it often requires a behaviour change or new level of user understanding.
• Most of the time technology moves faster than or independently from the awareness program.
• The awareness team is not up to date nor adequately informed of these types of educational opportunities until it is too late.

One Size Fits All
• Failure to segment audience adequately - appropriate messages are not delivered.
• This results in messages being ignored.
• Information technology users receive hundreds of messages every day from a multitude of sources.
• It is critical to segment audiences and ensure that people only receive the messages they need.

Too Much Information
• Over-education is quite a common mistake.
• Individuals have a threshold of how much information they are willing to accept from any one source.
• If individuals are inundated with a constant barrage of messages, it is likely to turn their attention away.

Lack of Organisation
• Many awareness programs fail to develop consistent processes and strategies for delivering messages to users.
• Without a consistent style, theme and delivery, it is difficult for the user to engage in the program or even know what to expect.
• It is key to develop consistency in communications.
• This will also help establish an identity for the program and build a relationship with the audience.

Failure to Follow Up
• It is quite common for security awareness programs to be launched with great enthusiasm only to fizzle out with little success.
• Many programs fail to establish and maintain a regular cycle of communication.
• It is important to establish regular communications so that users receive regular reminders of the key messages.
• Many programs fail to follow up with their audiences and solicit feedback.
needs.

Getting the Message Where It Will Have an Effect
• In large communities - it is a real challenge to deliver the right message to the right audience.
• For example, even if a central IT security team of an MNC has already developed a thorough communication strategy with a well-maintained process for targeted communications, delivering the right messages to the right audience can still be very difficult.
• Email groups based on individual criteria can be helpful, but do not fully solve the problem.
audience.

Lack of Resources
• Usually stems from the lack of management support.
• Without management support, it is difficult to secure adequate resources; without adequate resources, a security awareness program is limited in what it is able to achieve.
• This could also result from a budget cut.

No Explanation of “Why”
• Many security awareness programmes fail to educate users on why security is important.
• All other aspects are covered, but unfortunately the information that is most likely to motivate users to change behaviour is omitted.
• Users who understand why certain types of behaviour are risky are most likely to take ownership of the issue and change their behaviour.
• For example, if guidelines on a new password process with more stringent complexity rules are communicated, users will most likely view the new process as nothing more than an inconvenience.
• misused and the potential impact this could have, then users are much

Changing Long-Established Behaviour
• In many organizations, security is often implemented as an afterthought.
• Security is not always integrated from the very beginning, so users have months, weeks and even years to develop bad habits.
• Not only is there a need to educate users on security, but also users need help to “unlearn” any bad habits.
• Such users tend to have more difficulty buying into the value of security - typical thinking is “the organisation has operated just fine for many years

Security is an ITD Problem, Not Mine…
• Many users share the perception that security is the sole responsibility of the ITD.
• They tend to limit their role to the bare minimum of compliance to maintain their jobs rather than the big picture of how to be a part of the solution.
• Users must understand that IT staff cannot tackle information security alone.

Summary of Session 13
What did we learn?
Obstacles to success:
• Lack of management support
• Implementation of new technology
• One size fits all
• Too much information
• Lack of organization
• Failure to follow-up
• Getting the message where it will have an effect
• Lack of resources
• No explanation of “why”

How to Make End-Users Like & Follow Information Security
10 Quick Tips
Session 14

1 Move from “Attendance” to “Participation”
Attendance is just a number
Participation is “Involvement”
Are you doing an awareness program to satisfy the auditor or to tick a check-box?

2 Aim for “Sensitization” not “Memorization”
It’s your responsibility to read the policies
vs.
It’s OK if you get the SENSE and INTENT of IT Security
You can’t expect someone to know how an engine works to
test.

3 Understand How People Make Security Decisions
Of these two, which terrifies you the most?
Obesity kills more people than sharks
What appears harmless may be more harmful…think phishing?

4 Engage the Audience, Visualize the Risks
The end-user is not a security expert
Engage them, Visualize the risks for them
“A picture is worth a 1000 words” (or) A poster has more impact than a security policy

5 Go Beyond Awareness
Awareness → Behaviour → Culture
Goal: Responsible Information Security Culture
When the majority of the workforce handles information responsibly, you can say that you have a “Responsible Information Security Culture”

6 A Little Bit of Fun is OK
Security is so much jargon…
Lighten it a bit
What the heart accepts, the mind understands and the hands implement…
If you can get the end-user to smile, you have won their heart…

7 Think Drip Irrigation
Small doses, but more frequent
…keeps your workforce Security Healthy
Spread your security awareness program around the year….10 minutes a month is 120 minutes of security awareness session a year…

8 Target the Workforce, not just the Employees
Who has access to Information Assets?
Employees, Freelance, Contractors, Guards….
Is your security guard and janitor part of the security awareness program?

9 Measure… Manage… Improve…
What you cannot measure, you cannot manage…
What you cannot manage, you cannot improve…
Assess “Awareness” and “Behaviour” Independently
[Gauge: Awareness score is 87% (Low / Medium / High Awareness)]
[Gauge: Competence score is 65% (Medium Competence)]

10 Stop Instructing, Start Dialogues
Instruction is always one-way
Dialogues are two-way…
When you have dialogues, it shows that you are listening to the end-user. That shows RESPECT …you will receive it back.

Summary of Session 14
What did we learn?
1. 10 tips on how to make end-users like and follow information security

Planning a Simulated Phishing Assessment
Session 15

How Phishing Works?

Technical Solutions Are Not Doing The Job

Phishing Sites are on the rise!
Source: APWG

What Makes Phishing Work?
• Phishing uses tactics that motivate a response - greed, fear, ambition, curiosity
• Sometimes simple is dangerous - shipping notifications, funny pictures
• Employees don’t really know better
• Deception is key - look-alike URLs, obfuscated file attachment names
• Includes a “call to action” (e.g. “Open this now!”, “Click here now!”)
• Employees are conditioned to both trust email and be responsive

Traditional Awareness Training vs Dynamic Training
• Periodic (mostly annual) - but attacks happen 24/7
• Compliance-driven
• A lot for a user to consume & retain
• Sometimes boring
• Wide array of topics

Why Phishing Assessment?
• Recreate the very same attacks that bad guys are launching. Excellent way to measure change in behaviour.
1. Measures a high human risk
2. Simple, low-cost and easy to repeat
3. Quantifiable measurements
4. Actionable

Teachable Moment
• Simulated phishing attacks create a perfect teachable moment
• The immersive, visceral simulation captures the user’s attention

Teachable moment
Oops! The email you just responded to was a fake phishing email. Don't worry! It was sent to you to help you learn how to avoid real attacks. Please do not share your experience with colleagues, so they can learn too.

Some Key Points - 1
• Remember that while computers do not have feelings, people do. Emotion, not technology, is your biggest challenge
• Announce and explain your phishing program ahead of time
• Start your program with very simple phishing emails, then increase difficulty only after people

Some Key Points - 2
• Ensure there are at least 2-3 ways people can detect the phish
• Do not embarrass people by releasing names of victims, nor should their names be reported to management. Only notify management of repeat offenders
• No Viagra phishing emails, nor “wall of shame”

How to Phish
• URL Shorteners
• E-mail Marketing Solutions
• Cloud Phishing Services
• Pen Testing Software

Example of Phishing Email

Another Example

Click Results
• If an end user falls victim to an email assessment, you have two general options:
1. Error message/no feedback (Good for a baseline)
2. Immediate feedback that explains this was a test, what they did wrong and how to protect themselves (Good for reinforcing key behaviors)

Follow Up
• Send results of test to all employees 24 – 48 hours later
• Explain results, how they could have detected phishing email and what to look for in the future. Include image of phishing email
• Include your monthly security awareness newsletter

Reaction to Violations
• First violation: employee is notified and given additional or follow-up training
• Second violation: employee is notified and manager is copied
• Third violation: manager is required to have meeting with employee and report results to security

The Impact
1. First phish: 30-60% fall victim
2. 6-12 months later: Low as 5%
3. The more often the assessments, the more effective the impact:
• Quarterly: 19%
• Every other month: 12%
• Monthly: 5%
of tests

Human Sensors
1. Another valuable metric is how many reported the attack
2. At some point, may need to develop a policy on what to report. One example:
• Do not report when you know you have a phish; simply delete
• Report if you don’t know (think APT)
• Report if you fell victim

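As an added example (not part of the course material), the Python below scores constructed results of three assessment rounds the way the Click Results, Reaction to Violations, The Impact and Human Sensors slides describe: click rate and report rate per round, a violation count per employee mapped to the three-step escalation ladder, and a management report that names only repeat offenders. Campaign names, employee IDs and outcome labels are placeholders.

```python
# Added example, not part of the CISAM course material. RESULTS is constructed;
# campaign names, employee IDs and outcome labels are placeholders.
from collections import Counter

# One record per recipient per round: (campaign, employee, outcome). Outcomes:
# "clicked", "ignored", "reported", "clicked_then_reported" (victim who then reported).
RESULTS = [
    ("round1", "E001", "clicked"),
    ("round1", "E002", "clicked"),
    ("round1", "E003", "reported"),
    ("round1", "E004", "ignored"),
    ("round1", "E005", "clicked_then_reported"),
    ("round2", "E001", "clicked"),
    ("round2", "E002", "clicked"),
    ("round2", "E003", "reported"),
    ("round2", "E004", "ignored"),
    ("round2", "E005", "reported"),
    ("round3", "E001", "clicked"),
    ("round3", "E002", "ignored"),
    ("round3", "E003", "reported"),
    ("round3", "E004", "reported"),
    ("round3", "E005", "reported"),
]

# Escalation ladder from the "Reaction to Violations" slide; 3+ maps to the last rung.
ESCALATION = {
    1: "notify employee; assign follow-up training",
    2: "notify employee; copy manager",
    3: "manager meets employee; results reported to security",
}

def fell_victim(outcome):
    return outcome.startswith("clicked")

def reported(outcome):
    return outcome in ("reported", "clicked_then_reported")

def campaign_rates(results):
    """Per campaign: (click rate %, report rate %), the two trend metrics to watch."""
    rates = {}
    for name in sorted({r[0] for r in results}):
        rows = [r for r in results if r[0] == name]
        clicks = sum(fell_victim(r[2]) for r in rows)
        reports = sum(reported(r[2]) for r in rows)
        rates[name] = (round(100 * clicks / len(rows), 1),
                       round(100 * reports / len(rows), 1))
    return rates

def violations(results):
    """How many rounds each employee fell victim in, across all campaigns."""
    return Counter(r[1] for r in results if fell_victim(r[2]))

def escalation_action(count):
    return ESCALATION[min(count, 3)]

def management_report(results):
    """Only repeat offenders (2+ violations) are named to management."""
    return {emp: escalation_action(n)
            for emp, n in violations(results).items() if n >= 2}

if __name__ == "__main__":
    print(campaign_rates(RESULTS))   # click rate falls 60 -> 40 -> 20, report rate rises
    print(management_report(RESULTS))
```

First-time victims stay out of the management report, matching the "do not release names of victims" guidance, while the per-round rates give the declining trend the slides expect from repeated assessments.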
Summary
• Phishing assessments are a powerful and simple way to measure (and reinforce) behavior change

Simulated Phishing Attack Plan
Phishing Plan Handout (softcopy)

Conclusion
• Raising information security awareness is not a one-time effort
• Analyze your target group
• Prepare a business case
• Plan how to measure success
• Plan and implement the awareness initiative appropriately
• Keep senior management interested in the initiative
• Ensure senior management support during the entire lifecycle of the initiative
• Show results
• Share success
