Blog: SANS Securing The Human

Blog: SANS Securing The Human

Idea for Human Metrics - Tracking Updates

Its always challenging to find a good security awareness metric. By good, I mean not only does the metric need to measure a human behavior that I care about, but the metric is easy and low cost to repeatedly measure. So I'm always excited when I find what I feel is a good security awareness metric, and here is one I would like to share - updated devices.

The behavior we want to measure is are employees updating their devices? This is an important behavior, as we all know the more updated and current your devices are, the fewer vulnerabilities they have. For some organizations this is not an issue, as IT is responsible for keeping all the systems updated. However for other organizations, especially smaller ones, employees often update the

...

Trick for Rewarding Good Behavior

Just finished up SANS MGT433 class this week at SANS 2014 in Orlando. One of the things I love most about teaching is I always learn something new. One of the students had a great idea for rewarding. In general you want to avoid providing purely monetary awards for good behavior, you quickly run out of budget. Instead, recognition is not only cheaper, but often more effective. For example, if someone receives a "Microsoft Tech Support" phone call and stops the attack cold, an organization's first response is to often to reward the person with a gift card. Instead of providing just money make a hero out of the person, post a story about what she did, how she figured out the attack and where she reported it. Not only are you publicly recognizing the individual for their great work, but promoting and reinforcing the good behaviors that secure your organization.

One of our students took the idea one step further. Instead of just

...

Updating Your Awareness Training

A common mistake I often see organizations make with their security awareness program is failing to plan long term. Quite often organizations get caught up in the initial roll-out of their training, but forget to plan on updating their program at some point. Its key that you update your program at a minimum once a year. Some things to consider.


  1. If your only goal is to meet compliance requirements, keep in mind compliance standards are constantly changing, you need to update your program to stay current. In addition, which standards you fall under can also change. For example, while you may not think you fall under HIPPA, after a review of HR and accounts payable you may ...

New Poster Helps Your IT Admins Become Human Sensors

Most security awareness training is focused on changing human behavior. People already know how to perform a specific skill, awareness simply teaches them how to perform it more securely, such as when using email. However there are times when you need to teach people new skills. While not designed for awareness training, a new poster recently created by the SANS Forensics instructors fits the bill perfectly. This two sided poster, called "Know Normal - Find Evil" documents different ways a forensics expert can identify if a system is compromised or not. While designed for forensic professionals, I feel this poster is a great resource for almost any IT admin, even if they have no security experience. The poster identifies system processes,

...

Job Description for Security Awareness Officer

Organizations around the world are beginning to address the human when securing their organization. The days of just compliance focused training are gone, we need to also effectively change behavior. To achieve that, you need the right person in charge. Below is an attempt to describe what the job description of a security awareness officer could look like.

Security Awareness Officer

This individual is overall responsible for our security awareness and education program. Ultimately this person's job is to reduce risk to our organization by ensuring all employees, staff and contractors know, understand and follow our security requirements and behave in a secure manner.

Our Security Awareness Program

...