Blog: SANS Securing The Human: Category - Security Awareness Metrics

Start With Simplest Behaviors First

A common challenge I run into when helping others build a security awareness program is deciding which human risks to focus on. You only have so much time and so many resources to communicate with others, and people can only remember so much. If you can only change 10 behaviors this year, which 10 are you going to change? I've seen awareness programs fail because organizations never took the time to prioritize their human risks and behaviors, and as a result overwhelmed people with a huge laundry list of random do's and don'ts.

One of the interesting things I learned from Dr. Fogg and his behavior model is that different behaviors have different levels of difficulty. Some behaviors will be easy to change and some will be hard. While this sounds intuitive, his model helps you understand why this is the case. One takeaway for me was this: once you identify the top behaviors you want to change, focus on the easiest ones first. Some


Technical Guidance on Phishing Assessments

Several weeks ago we released the Phishing Planning Kit, a resource to help organizations plan and maintain an effective phishing assessment program. This kit is based on the suggestions, lessons learned and feedback of numerous security awareness officers who are actively leading their own phishing assessment programs. We released the kit because the problems most organizations have with their phishing assessments are not due to technical issues, but to how they failed to properly communicate and execute the assessment.

EJ recently asked some technical questions about rolling out his phishing program (see the comments on the Phishing Planning Kit post), and I wanted to take a moment to answer them. First, the simplest way to address most of your technical issues is to use a phishing service. There are many to choose from and all are similar and good, including


Guest Post - Measuring Human Risk - #SecAwareSummit

Editor's Note: This is a guest blog post from Dan deBeaubien. Below is a description of his upcoming talk on "Measuring Human Risk - What is Your Security Score" at the Security Awareness Summit, 10 Sep in Dallas.

Assuming that we know what to do in a given circumstance related to cyber security (install a firewall, do an audit, train our staff, whatever), and also assuming that many resources abound to address these situations as they arise, the emergent issue is often where to start. We can't do everything, everywhere - we need to know where to begin, and where to go next. In my role at Michigan Tech, and working closely


Guest Post - Selling Enthusiasm - #SecAwareSummit

Editor's Note: This is a guest blog post from Matt Beland, the Chief Security Officer at the law firm Davis Wright Tremaine LLP. Below is a description of his upcoming talk on "Selling Enthusiasm" at the Security Awareness Summit, 10 Sep in Dallas.

Everyone's familiar with the old saying - "There are three things that matter in property: location, location, location." Well, in Security Awareness, we also have three things that matter - "communication, communication, communication". After all, the whole point of Security Awareness is communicating the things our users need to know - the threats, the tools, the responses.

But communication is hard. Our users have their own priorities and interests, they're often awash in a sea of communication on dozens of topics - how do we make ourselves heard, and not just heard, but understood? The key is engagement. If


Just Released - The Phishing Planning Kit

One of the biggest challenges with an effective phishing program is not the technology you use, but how you communicate and implement your phishing program. To help you get the most out of your phishing program, we have put together the Phishing Planning Kit. Based on the feedback and input of numerous security awareness officers, this kit walks you step by step through how to implement an effective phishing program that your employees will actually like. In addition, we include lessons learned such as how often you should send your phishing emails, who to target, what type of phishing emails you should use, what to do with violators, and what to report and to whom. Get all