The Biggest Secrets of Security Awareness

1

K RudolphThe Biggest Secrets of Security Awareness

A1, April 27, 2008Native Intelligence, Inc.

The Biggest Secretsof Security Awareness



Chief Inspiration OfficerNative Intelligence, Inc.

Storyteller

Educator

Creator of awareness courses andaward-winning materials used worldwide

K Rudolph, CISSP

2



Secret 1: Prevention Is Better Than Cure

Why do we invest in security awareness?

What amount of security incidents arepreventable?

What does this mean to securityawareness practitioners?



- Don’t share your password- Don’t discuss confidential information in public- Don’t install a personal modem at work- Create long, strong passwords- Report actual or suspected incidents- Delete e-mail chain messages- Don’t take sensitive data home without permission

How many of these awarenessmessages are common sense?

3



Why do we need to remind people?

What are these messages?

Do we remember what it’s likenot to know about security?

What’s not common knowledge at the IRS?

1



___ of the 102 employees did as requested?

Managers were ___ % more lax than employees.

A follow-up survey found:

___ believed what they had been told.

___ % said that they thought thatchanging their password to one providedby the caller was not the same asdisclosing it, which they knew wasagainst the rules.

4



Prevention beats cure. Securityawareness turns your messages intocommon knowledge.

Does common knowledge set thestage for common sense?

How do we make messages compellingso that they become commonknowledge?

1Take Awayfrom Secret



Secret 2: Security Is Everywhere

5



Powering off yourcomputer withoutclosing theprograms you’reusing is like kickingaway the ladderwhile the painter ison the third story.

How can this housepainter help usexplain propercomputer use?



What has this cat gotto do with securityawareness?

6




A1, April 27, 2008

What about a car door, adraw bridge, or a wide gate?



7





Your Data

8



Your Data



Accelerate learning with analogies.2Take Awayfrom Secret

What Wizard of Oztheme applies tobuilding effectivesecurity awarenesscontent?

9



Secret 3:Work with the Brain to Capture Attention

What are somebrain-compatiblestrategies forgetting attention?



How successful is asales representativewho gets thrownout of the decisionmaker’s office?

10



How can we get the brain’s attention?

What are brains wired to respond to?

(hint)

Why do warning signals have flashing lights?

Why are sirens two or more tones?



How can we apply this to awareness?

Use expectation failure.

Break a pattern. Break a schema.

11



Schema

• Group of generic properties

• Pre-recorded informationstored in our memories

What’s your schema for “sports car” ?



How should we use schemas?

• Communicate complex topics bylayering simple ones (e.g., pomelo)

• Capture attention by breaking them

12



Would you agree that most people expectinformation on our country’s nuclearweapons designs to be well-guarded?



“Potentiallythe greatestbreach ofnationalsecurityin decades.”

Fall 2006

13



We expect people not to click onan Internet ad for a free virus.



We expect that the best way to get managementexcited about a disaster recovery plan is to burndown the building across the street.

14



We expectmedicine totaste bad.



What do staffexpect ofsecurity

awareness?

Will this beboring?

15



Does it have to be that way?

Should it be that way?

What if yourawarenessmaterials leftyour audiencewanting more?



Sourcefire Security Calendar

16



Daily Tips



Daily Tips

17



Daily Tips



What do brains consider important?

Brains pay attention tothings that are unusual,unexpected, out of theordinary, interesting,strange, eye-catching…


A1, April 27, 2008

18



Does empathy get the brain involved?Liz had a very bad day at the office.




Use content thatmakes your audiencefeel something.

Capture attention with changes, the unexpected,by breaking a schema, using empathy, and by involvingthe emotions.

19



What causesdeeper learning?

Secret 4: Work with the Brain to Make Learning Stick


A1, April 27, 2008



More connections means …The more neurons that fire means …Ways, contexts, intelligences…

Plastics, sponges, sieves, or …?

20



Is a picture worth 1,024 words?

Recall and transfer studies show___ % more than words alone?

What should we do to makepictures more effective?



21



Why?

What does this causethe brain to do?

How much do words withinpictures improve a learner’sability to solve problemsrelated to content?



Which is better, a conversational, personal,casual language style or a more and directbusiness-like style? ___ %

Is conversation“learning by doing”?

What if your boss,manager, trainingdepartment, or anyof the PTB wantsyou to…


A1, April 27, 2008

22





23





24





25




A1, April 27, 2008

Should we ask questionsthat don’t have a clear answer?

What do themost accessiblescience writershave in common?



How does emotionalcontent affect memory?

Where were you when...


A1, April 27, 2008

26



Don’t Tell When You Can Show

What did trial attorneyGerry Spence say about words?

How can we visually explainan abstract concept such asvulnerability or threat?



----------------------------What would happen if

someone changedyour data?

----------------------------Whet would happen if

someone chongedyoor deta?

27



----------------------------What would happen

if your datadisappeared?

----------------------------What would happen

if your datadisappeared?




What’s another technique forshowing rather than telling?

Show a choice of actions…Bad choices result in…

What 1980’s commercial did this?

Use as much of the brain as possible, in as many ways asyou can (multiple methods). Also, use images with wordsin them, use mystery, and aim for visceral reactions. Showwith visuals, simulations, and demonstrations, and extremeconsequences.

28



Secret 5: Use Strategic Stories


A1, April 27, 2008



Stories have enormous powers of recall, andthey communicate priorities effectively.

29




A1, April 27, 2008

Do this ______. Don’t do that ______.

Which would you prefer…

How are stories like flight simulators?

Does mental simulation work?

Why are stories powerful?



Which is better, instructing people not toforward chain e-mail or telling them aboutRose Lambert?

30




A1, April 27, 2008

How does telling a story differ frommaking a reasoned argument?




A1, April 27, 2008

The way you deliver a message to peopleis a clue to how they should react.

If you make an argument …

They will …

But stories …

31




A1, April 27, 2008

Do you haveto be creative to

come up withgood stories?



What do 9 out of 10ophthalmologistsrecommend forstory spotting?

What’s a NewsHawk Program?

32



How many surprising elements?

Does it have to be true?

What length should it be?

Can it have more than one message?

What tense should the story be told in?

How many characters should it have?

What makes a story memorable?

What Makes A Useful Story?



Stories are simulations. They can inspire action.You don’t have to be creative to spot and use stories.


Have you recently delivered any messages thathaven’t been effective?

Learn the craft of storytelling for business.

Develop a bucket of stories for trigger events.

Using Strategic Stories

Create a story to redeliver them.

33



1. Prevention is better than cure.

2. Use analogies to accelerate learning.

3. Work with the brain to capture attention.

4. Work with the brain to maintain interest.

5. Use strategic stories.



The Biggest Secrets of Security Awareness

Business

Transcript of The Biggest Secrets of Security Awareness