Blog: SANS Securing The Human: Category - Security Metrics


Getting Support and Approval for Phishing Assessments

During my human metrics talk at RSA last month, a common question was how to get support for an internal phishing program. Phishing assessments are a powerful metric: not only do they measure a high human risk, but they are repeatable, quantifiable, actionable and low cost. This is why phishing has become one of the most common metrics within security awareness. In addition, phishing is a powerful way to reinforce key human behaviors. When I first started in security awareness five years ago, phishing, or any type of human assessment, was rare. Nowadays, I would say roughly 30% of organizations I work with are doing some type of human assessment as part of their awareness program (surveys, phishing, checking on secured desktops


Top Five Most Popular Security Awareness Topics

At SANS Securing The Human we currently have over 40 topics in our security awareness training library. By breaking up our training into short modules, organizations can select and use only the topics that directly apply to them. This enables organizations to create short, yet highly effective training. You can find descriptions and short video clips of all the training topics at our STH.EndUser Demo page. With over 800 customers now using this training library, we can begin to extract some very interesting statistics. One of the metrics we ran for 2013 is which topics, i.e., which human risks, organizations are most concerned about. As such, we identified the five most commonly used topics. In other


Verizon PCI Report - Nearly 70% of Data Breaches Started With the Human

Verizon recently released their 2014 PCI Compliance Report. As stated in the introduction:

"This research is based on quantitative data gathered by our qualified security assessors (QSAs) while performing baseline assessments on PCI DSS 2.0 compliance between 2011 and 2013. The companies that we assessed span many industries and countries."

One of the biggest findings? Humans were the cause of almost 70% of the breaches, and user behavior is an important factor in an organization's overall security posture. These findings were confirmed by the recent Target compromise of over 100 million credit cards and identities.


Phishing Assessments - How Targeted Should It Be?

I'm a huge fan of phishing assessments: not only are they a great way to measure the impact of your program, but also a powerful way to reinforce key behaviors. However, as with any tool, you have to use it correctly. A common challenge with phishing assessments is how targeted you should make the emails. Make the assessments too simple, and over time people will get complacent. Make them too targeted, and people not only resent the program, but you destroy trust. There needs to be a balance.

  1. Start your emails as simple and basic as possible. Yes, it's obviously a phishing assessment, but that is what you want. Lots of people will still fall victim, but instead of resenting the program they will respect the program. "Oh yeah, okay I should have ...

The Bad Karma of Releasing Names

One of the most exciting areas for me in the world of security awareness is metrics: we are getting better and better at measuring change in human behavior. One of the most common methods is phishing assessments, as they are not only easy to do but also address one of the most common human attack vectors. A common question I'm asked about metrics is whether organizations should share the results of who fell victim, perhaps as a 'wall of shame'. Absolutely not; in many cases you do not even want to share the names with senior management. Here are several reasons why.

  1. First of all, everyone will eventually fall victim to such an ...