Guest Editor: Today's post is from Eric Johnson. Eric is a Senior Security Consultant at Cypress Data Defense and the Application Security Curriculum Product Manager at SANS. In this series of posts Eric will take a look at laying a foundation for Developer Security Awareness Training.
In the previous post, we laid the foundation for developer security awareness training. Now let's talk about the metrics we can collect to help improve our program.
It's all about the metrics
As we previously mentioned, establishing a common baseline for the entire development team would
We are very excited to announce the release of the 2015 Security Awareness Report. This report details the findings from the Security Awareness Survey taken in October 2014 by 220 security awareness officers. This report will help you gain the management support and resources you need to be successful, and enable you to benchmark your awareness program against other organizations in your industry. This report would not be possible without the help of the community. We would especially like to thank Bob Rudis of the Verizon DBIR team and Lance Hayden of Cisco for all their amazing support. Below is the summary of the report. You can
After several years of running phishing programs and working with other organizations on theirs, I'm starting to notice a trend. Sooner or later everyone falls victim to a phishing assessment. Heck, even I fell victim to a phishing assessment once, and it was my own assessment (happy to share that story, but the price is a beer at a local con). Here is the interesting part, though: most people only fail once. It is almost as if failing a phishing test is a rite of passage; once you fall victim, you truly remember the incident and rarely ever fall victim again. The majority of people who I see falling victim each month are new hires. As they are new to the organization and new to awareness, they too
One of the ideas I pulled from John Kotter's book Leading Change was a suggestion on Human Resources. Have your HR team align performance evaluations, compensation, or promotions with people's security behaviors. This does two things. First, it increases motivation because people see an actual, tangible gain by changing their behaviors. But even more importantly, Mr. Kotter points out that this demonstrates that the leadership is serious about security, that they want to make secure behaviors part of the organization's DNA. I thought this was a great idea. Here are some examples of metrics your HR team could use to track employees and staff.
- Employee had no security violations in past 12 months
- Employee successfully completed all awareness training
- Employees on their own reviewed online profile to confirm
Editor's Note: This is a guest blog post from Cheryl Conley, head of Lockheed Martin's Security Education and Awareness team. Lockheed is one of the most targeted (and phished) organizations in the world. Below are her thoughts on phishing as she wraps up 2014.
I hope everyone survived NCSAM; we at Lockheed had a very successful run. We were very pleased with the participation across the enterprise and eager to capitalize on the flurry of interest from our non-cyber employee base. October was a very busy month: while we started planning for NCSAM in June, the activities during the month included our monthly phishing efforts. As we wind down for 2014, the email testing team is taking a breather. We feel December has too many activities that conflict with a phishing assessment, including enterprise activities such as compliance deadlines, and many of the employees are out of the office on vacation or travel. Also, much of the leadership will