5/11/2016

Cybersecurity Awareness
Keeping your audience engaged and aware

Donna Maskil-Thompson, CIP Senior Manager


SPP CIP Workshop - May 2016

© 2016 BPU - Public 1

Also known as…


“How I learned to Stop Worrying and Love Cybersecurity Awareness”
- Bobby Gray – BPU NERC Compliance Officer, 2015

Agenda
• Creating a Strategy
• Instructional Design – ADDIE Model
• Adult Learner Characteristics
• Measuring Effectiveness of Program

• Addendum – Examples from the BPU Cybersecurity Awareness Program

Create a Strategy
• Topics and Themes
• Tools and Resources
• Frequency
• Re-evaluate every 90 days

Instructional Design – ADDIE Model

Analyze → Design → Develop → Implement → Evaluate

Analyze
• Who needs to be trained? (Identify roles)
– Audience characteristics
– Prior knowledge and skills

• What information do they need to understand?
– Goals and objectives

• Learning environment
– Class size, type of instruction, etc.
– Timeline

Adult Attention Span

Attention span – 8 minutes

“Is this worth my time?”

Adult Learning Styles

• Visual – remember what they have read or seen

• Auditory – remember things through hearing or saying them out loud

• Kinesthetic (Tactile) – remember through experience and feelings

Time limits
Break presentations into a series of 5-minute experiences

Try to limit your presentation to 20 minutes

Solve a Problem
• Use real examples

• Give solutions to solve real problems

• Request feedback. Encourage self-reporting

Earn Respect
“Seek respect, not attention. It lasts longer.”
― Ziad K. Abdelnour

Lighten up
“No one will ever claim that they experienced Death By PowerPoint because they felt like dying due to excessive fun during a presentation”
- Leslie Belnap

Source: How-to Conquer Short Attention Spans, 2015

Adult Learning Theory – Design

• Be collaborative

• “Voluntary Participation” – it must fit their needs!

• “Mutual respect” – Know your audience

Resource: Understanding and Facilitating Adult Learning, Stephen Brookfield, 1991

Remember
Do not read your slides verbatim!

Address audience needs

Take feedback seriously and edit

Training Needs Assessment

1. Schedule a meeting with a sample audience
2. Brainstorm – determine common themes and topics
3. Determine which areas/needs are most important
4. Determine the desired outcomes from the training to address these needs

Outcomes = measures of success (validation)

Needs Assessment Checklist

• Know what the organization is trying to accomplish.
• Know the history of training within the organization.
• What "needs" will be addressed by the training?
• What are the Knowledge, Skills, and Abilities?
• Any recent process or procedure changes? Incidents or process failures?
• What resources are available for training?
• Who needs to be trained?
• Who can serve as subject matter experts?
• Are any staff going to do the training?
• Which companies provide training materials?
• Review Job Descriptions and Org Charts.

Analyze – Developing a Strategy

List 3 objectives of your Cyber Security Awareness Program

Examples:

• Protect the confidentiality, integrity and availability of BES Cyber Systems and related information.

• Minimize cost of security incidents and potential issues of non-compliance.

• The human factor – ensure every employee knows that security is their responsibility.

Attendance or completion of mandatory training should not be considered an objective!

Design
• Determine instructional methods
• Design an Assessment Plan and Course Outline
• Create “Storyboards”/Prototypes
– Narratives – Scenarios – Stories
– Abstract Concepts
– Parts and Components
– Motion and Paths
– Maps, Charts and Statistical Data
– Concrete Ideas
– Metaphors
• Think about what engages your audience

Design – for the User

• Look and Feel
• User interface
– Graphics, Animation, Sound
– Pop culture vs Employee “Actors”
• Modules by Theme or Complete Program?
• KEY – Make it memorable

Design
• Communicate Policy/Regulations
– Entertain
– Engage
– Reward

Develop
• Create the syllabus
• Develop the course (from the storyboards) – PowerPoint, PDF, etc.
– Use color, graphics, gamification!
• Develop assessment items

Think of training aids and other learning materials

Expert Knowledge
• FBI, US-CERT
• Cybersecurity Product Demos/Blogs

• Professional groups
– ASIS
– ISACA
– ISC2
– IASAP

In the News

Source: www.informationisbeautiful.net

Implement

• Put the Plan into action
• Train the Trainer
• Launch Course

Evaluation

Formative Evaluation
• Monitors learning to provide feedback
– point in time
• Identifies strengths and weaknesses / target areas
• Use for a “test” or “sample” group before rolling the program out to the entire audience

Summative Evaluation
• Evaluate student learning at the end of the course
• Compares to another standard or benchmark
• Example – 100% Assessment Scores

Survey your audience – collect feedback and revise as needed!

Measuring Effectiveness
How do you measure effectiveness?

• Internal Control Testing
• Maturity Models
• Analysis of Incident reports

Internal Controls
• The policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and undesired events will be prevented or detected and corrected.

Reference – ISACA Glossary (ISACA was formerly known as the Information Systems Audit and Control Association)

Writing Control Objectives

• What is the objective of this control?
– Prevent
– Detect
– Correct

• How does it effectively mitigate risk?
– SMART criteria

Source: ISACA Online, COBIT 5
https://cobitonline.isaca.org/books/framework/pdf/framework-chapter08-section02.pdf

COBIT 5 vs COBIT 4.1

COBIT 5 Maturity Model (explained)
COBIT 4.1 Maturity Model

Cybersecurity Capability Maturity Model (ES-C2M2)

Analysis of Incidents – RCA

Root Cause Analysis (RCA) involves investigating the patterns of
negative effects, finding hidden flaws in the system, and discovering
specific actions that contributed to the problem.

In closing…

Users want to learn something they can use

You can make Cybersecurity FUN

Keep it current with the news.

MAKE IT INTERESTING.

Questions

Addendum
The following slides are examples from BPU’s Cybersecurity Awareness Program.

If you wish to reuse any of the materials, please notify the BPU Compliance team via email (BPUNERC@bpu.com).

BPU Topics (Sample)

• Social Engineering – Phishing/Spearphishing
• Passwords
• Mobile Device Security
• Incident Reporting and Response
• Physical Security

• June – Phish Week (same time as Shark Week)
• September – National Emergency Preparedness Month
• October – Cybersecurity Awareness Month

Phishing

Cybersecurity Awareness Month

October 1-2 – Stop. Think. Connect. Best Practices for All Digital Citizens
This basic advice is a guiding principle so that we can navigate the Internet ‒ and our digital lives ‒ safely and more securely.

October 5-9 – Creating a Culture of Cybersecurity at Work
Provide resources that help BPU establish a culture of cybersecurity. Emphasis will focus on employee education and a risk management approach to cybersecurity.

October 13-16 – Connected Communities and Families: Staying Protected While We Are Always Connected
We will share simple ways we can protect ourselves and those around us, along with what we can do if impacted by a breach, cybercrime or other issue.

October 19-23 – Your Evolving Digital Life
Highlights where we were, where we are today and how we can keep our digital lives safer and more secure with emerging technology.

October 26-30 – Building the Next Generation of Cyber Professionals
Information about cybersecurity careers, as well as the need for ongoing Internet safety and security education toward building cyber-literate digital citizens.

Physical Security – Badges

• Wear your badge
• Do not leave it in your car in plain view
• If someone asks to see your badge, show them.
• If you lose your badge, report it immediately

Visitor Access Control

• Clearly identifies visitors
• Relationship between Safety and Security
