Questions Flashcards
What groups are common stakeholders for a Cyber Awareness & Training program?
Stakeholders can include:
1) audience
2) InfoSecurity team
3) Comms
4) Training team
5) Legal
6) Privacy
7) HR
8) Physical Security team
9) Security Ambassadors or Champions.
-Mark Majewski, Security Awareness Program Builder
After giving security training, how can you measure learning outcomes?
1) Phish simulations
2) SOC report rates for suspected phishes
3) test whether users approve unexpected (fake) MFA prompts
4) desk checks for passwords and unlocked screens
5) USB baiting (leave a USB drive out and see if folks plug it in)
6) Culture surveys about how common / supported info sec is in the org
7) ask pentesters to run users’ hashed passwords against lists of common passwords
-Mark Majewski
How can you make a Business Case for a cyber awareness & training program?
Make a business case for an awareness program: regs, business, threats, costs.
1) What regulations your org needs to comply with
2) Business objectives - align A&T with them
3) Threat and impacts
–Costs of past incidents at your org
–IBM’s Cost of a Data Breach Report
–Verizon Data Breach Investigations Report
–use a BIA (business impact analysis) to identify the business impact of IT apps being down
4) Costs for program resources
-Mark Majewski, Security Awareness Program Builder
What should be in the charter for a Cyber A&T program?
Risk, mission, scope, costs
1) Risk - Give a few examples of kinds of human risks (social engineering, phishing, passwords, etc).
2) Mission - High-level risks mission statement for your program (e.g. “Our mission is to reduce human risk to ensure that team members KNOW HOW to, FEEL responsible for, and ACT to protect the company’s information assets.”)
3) Governance (who runs the program, relationship to the CISO, who it reports up to, such as a committee)
4) What’s in scope (which companies; which locations; which audiences – e.g. general, privileged/IT admins, coders, infrastructure teams, senior leaders, contractors, those who don’t use computers).
-Mark Majewski, Security Awareness Program Builder
What kind of policies related to non-compliance should a Cyber A&T lead participate in writing?
1) Information Security Policy (overview of IT security rules - overarching policy for cyber)
2) Acceptable Use Policy (what computer use is ok vs not, e.g. no porn or moonlighting on company equipment).
-Pluralsight “Building and Implementing a Security Awareness Training Program” by Jeremy Turner
How can you implement improvements based on feedback and previous run cycles?
Me: do a QA cycle, pilot and get feedback, talk to people about what worked/didn’t, then update the training.
Improvements to cyber processes at the org:
1) Work with Cyber to reset weak passwords
2) Ban common passwords
3) Make a password strength meter.
-Mark Majewski
How do you identify key content and messaging for a security communication?
Make a Comms Brief & Plan that says:
1) Who - audience
2) What are you really trying to say, in plain language, for the planners
3) What message will you send
4) Where (what channel/modality)
5) Why - what risk does it counter
6) Why - objective
7) Why - How the message aligns with goals
8) When
-Mark Majewski
How can you adapt communications to a target audience? What method will help you keep track of what to send to whom?
Make personas per audience group (e.g. Customer Service rep vs HR vs exec admin):
1) what they do/priorities
2) what tools they use
3) top security risks by role
4) preferred comms method.
-Mark Majewski
When reinforcing security awareness with communications, what modalities and channels can we use?
You can use:
1) emails
2) company intranet / portal posts
3) digital signage
4) posters
5) video
6) podcast
7) article in newsletter
8) fairs or events or summits
9) Champions / Ambassadors briefs
10) cyber escape rooms
-Mark Majewski
What’s the difference between reach and engagement?
Reach is about eyes. (People seeing your message)
Engagement is about actions. (People doing something with your message)
-Digital marketing
What are good questions for a cybersecurity culture survey?
Ask team members to rate questions about the group’s practices rather than individual knowledge.
E.g. “Protecting client data is a priority in our company”
and
“Secure behavior is rewarded”.
-Mark Majewski
What are Security Champions or Security Ambassadors?
“Hobbyists” who volunteer to stay informed and engaged on the latest in InfoSec. They help to amplify messages and tell their peers about secure practices.
-Mark Majewski
What things are we looking for in our users’ baseline level of security awareness?
How much do average users actually know about:
1) good passwords
2) physical security, like locking your computer and not letting unbadged folks piggyback through the door
3) what to not post on social media
4) social engineering attacks like phishing
5) mobile devices risk and controls
6) how to handle sensitive data
What things are we looking for in our IT staff’s baseline level of security awareness?
For IT staff, do they know:
1) OWASP Top 10
2) certifications
3) threat modeling
4) incident response processes
5) SSDLC (secure software development life cycle)
6) MITRE ATT&CK matrix (Adversarial Tactics, Techniques, and Common Knowledge)