Metrics of Enterprise Security Culture Change

  • Published 20 Sep 2022
  • SANS Security Awareness Summit 2022
    Speaker:
    Shelly Epps, Director of Security Program Management; Lead for Security Outreach and Education, Duke Health
    Gaylynn Fassler, Information Security Analyst, Duke Health
    Historically, organizations have used one of two approaches to security training. Some take a minimalistic approach and focus primarily on password hygiene and email-based attacks. Others take a compliance approach and ensure users receive comprehensive training on every security area, following a checkbox framework. These organizations exhaust their resources and fatigue their end users without producing the material behavior change that would improve the company's overall security posture. Rather than training users on a prescriptive list of individual behaviors, our approach is to focus more security resources intentionally on awareness and engagement, framing security in digestible terms of personal impact and agency. Individually, the goal is to equip users with security knowledge that transfers to all areas of life, with the belief that this will collectively improve the security of the whole organization. While measuring security culture change is difficult, there are metrics and outcomes we can use to determine the success of our efforts. We will present our security engagement approach, including strategically identifying areas of focus, simulated phishing, a security ambassadors program, a virtual security academy, and self-service security. We will use metrics and examples of user engagement that highlight an evolution in our company's security culture.
    View upcoming Summits: www.sans.org/u/DuS
    Download the presentation slides (SANS account required) at www.sans.org/u...
