Security awareness programs often struggle with balancing the responsibility of training employees to defend against the threats of today and tomorrow while also proving the importance of the program to all areas of the org. But maybe there’s another way. Is it possible to find the Marty McFly to your Doc Brown? To gain alignment with your executives on the importance of a security awareness program and what it should do so that you're both driving your DeLorean into a high-speed future where you can keep ahead of the fastest threat actors while also proving your program's value every step of the way?

In this keynote, Relativity CSO and CIO Amanda Fennell, will don her own Doc Brown goggles in the hopes of doing just that. She’ll talk about her experience in proving the value of strong security awareness programs, how measuring success in these programs has changed over the past decade and where it goes from here, and how Security leaders can transform their security awareness programs to jump the s-curve, gain buy-in from execs, and future-proof their org in the process. Tune in and find out what this CSO and CIO is looking for in a new-age security awareness program and what you'll need to do to get there.

Security awareness isn't making the whole company aware that you have a security team or checking a compliance box. A great security awareness program influences people to behave in ways that are less risky. Yet many practitioners don't understand how to actually influence and change human behavior. Often, we assume that employees who behave insecurely (say, reuse their password) just need to be trained - but we don't fully understand the driver behind the insecure behavior (perhaps they don't have access to a password manager). In this talk, practitioners will learn to start from the source - the behavior that needs to change - rather than trying to influence behavior from a pre-fixed solution. From there, practitioners will learn how to understand what's driving behavior in the first place, how they can get behavioral data to better understand their audiences, and how to apply behavior science concepts to awareness work (e.g., how to reduce information to focus on our desired behavior, when to use social proof to our advantage in communications). Throughout the presentation, I will also demonstrate ways I've approached awareness work "behavior first," and share valuable resources for learning more about behavior change.

Do you ever feel that just when you've conquered creating and running a great phish training program, a stakeholder or leader comes along and says, “So, when are you going to do X?,” or “Why aren't you doing Y?,” or even more common these days, “Here are the metrics I'm looking for.” I lead the phish training program at a multinational insurance company where we (myself and 3 other team members) phish train 80k employees once a month on a playbook, as well as an additional ~52 targeted campaigns of high-risk groups. I have to satisfy 5 regional CISOs, a Global CISO, and, at times, requests from audit, risk, cyber, and others. We have a very mature program with the goal of improving metrics offerings each year. Let me show you HOW I strategize the development of a playbook and choosing lures to result in metrics they find valuable, how we've approach metrics analysis and development, what the resulting format is, and where we are headed, helping you to think through customizing and designing phish simulation training that meets your company's specific needs.

The aspiration of a successful security champions network is seductive - being able to amplify your security awareness messaging when you (or if you're lucky, your team) has limited resources. An increasing number of Security Awareness job descriptions even specify managing such a channel as a core requirement. In this talk, I'll explain to you why I have said no to my CISO's request to set one up as part of my Awareness Program. Using examples from my own Champions network experiences, I will explain how these initiatives can misfire and become ineffective, and how using them for metrics can result in unintended consequences. With those stories in mind, I will reflect on the essential elements to look for in your overall Information Security strategy and organizational culture to maximize your chances of success when setting up and running a Champions network. Key takeaways will focus on recruitment of potential champions, the importance of strategic goals and alignment with organizational culture.

The 2017 Equifax breach was a defining moment and offered an unprecedented opportunity for corporate self reflection. Who are our riskiest employees and how do we incentivize proper behavior? How do we drive a global "Security First" culture? Can we proactively monitor and mitigate human risk? How do we know when workforce behavior changes? These are some of the questions that led to Equifax's 5 year maturity journey from a compliance focus to a robust, metrics driven, and proactive human risk management program. This session will provide the following best practices:

• A phased step by step approach from analysis, solution design, and implementation
• An understanding of bbarriers to secure behavior to quantifiable measurement of workforce behavioral change
• An innovative 5 pillar approach to building the EFX Security First culture 

At the end of this presentation, you'll walk away with actionable insights on how to build a measurable human risk management program.

How do you drop live email click rates 72% when only given funding to reach 10% of the employee population? Sounds insurmountable! Can such a small percentage of a population actually show results in live phishing clicks? YES! This session will take you through the path she took to using behavioral metrics from email filtering and office Azure metrics to determine employees with the highest risk to the business. Discover how to incorporate assessments and targeted education, to give employees the tools to Phight the Phish. See how she determined how to train the highest threat, persistent clickers using risk results. You will leave this presentation with insights to determine employees that pose the greatest phishing risk and utilize that information to reduce the risk to your business and show ROI.

One-size-fits-all approaches to cybersecurity education and awareness campaigns are known to have limited impact when we consider the diversity of roles and staff they target. But while companies understand the need for campaign differentiation, developing segmented campaigns is challenging in practice due to the lack of relevant behavioural metrics and contextual analysis. In this talk we'll show you how we applied a data science approach to determine the most effective way of driving behavioural change through personalised cybersecurity awareness campaigns. This was achieved by developing individual behavioural profiles using a longitudinal mix-methods study of employees based on individual data on cyber risk perception and risk taking alongside employee contextual data, such as role type and team size. Besides achieving more effective personalised cybersecurity awareness campaigns, our approach provides insights into behavioural risk measurement at employee level and its organisational mapping, early identification of potential ‘hot spots', timely behavioural interventions, and evidence-based risk management. This approach moves away from the traditional assumption of humans being the weakest link in cyber-security systems towards the modern paradigm of “humans as cybersecurity sensors”, leveraging humans' superior detection ability when it comes to new threats and other anomalies that are often invisible to automated systems.

Are you being asked to influence security culture amongst your technical colleagues? Do you sometimes feel out of your depth? What if you could deliver measurable risk reduction in the development of your software and digital services via technical security champions? If you are an organization which depends on its software to carry out its core function, engagement with technical colleagues who build and maintain this software is essential. During this talk we will give an overview of how Sage has developed a network of security champions in a varied technical environment. The key takeaways from the talk will be how to use persona interviews to understand your technical ecosystem and colleagues, the tools and techniques you can then apply to engage with this unique community of colleagues and finally, the metrics you can measure to demonstrate impact and risk reduction. Along the way we will share our lessons learned to help you effectively use these colleagues' expertise and knowledge to identify and mitigate risks to ensure you deliver more secure and reliable digital products and services.

Are you ready for what's ahead? You may have heard buzzwords like Virtual Reality (VR), Augmented Reality (AR), Extended Reality (XR), or maybe even Metaverse. How can these innovative technologies be applied to cybersecurity learning? What's the benefit to immersive virtual experiences compared to other training and collaboration mediums? Is this technology right for you? Where do you even begin? This session will provide you with answers to these questions and more as we share our journey to the Metaverse; a journey that started with a simple security training concept back in 2018, evolved to overcome roadblocks and expanded to deploy advanced technology to help shape human behavior through simulated cyber challenges. In this presentation, you will learn how to use new technologies to shape cybersecurity behaviors through immersive virtual learning and provide you the following key takeaways: 1) The use case for VR: Determining whether VR is right for you; 2) Identifying the right security behaviors: Creating immersive VR experiences that "test behaviors in the wild" and 3) How to deploy innovative learning: key lessons learned and ‘lucky breaks' for a successful VR roll-out ... are you ready?

Welcome to the frightening ABC class on measuring and modifying security behaviour. We will go through practical examples of behavior analysis on security behaviours and use them to highlight how to work with metrics and areas where we have little knowledge today and should start measuring. “Constant vigilance!” may sound like good advice, but what does that actually mean from a behavioural standpoint? How do you stay vigilant day in and day out without anything to reinforce you? The short answer is: You can't. You must replace vigilance with another secure behaviour that you can actually manage to uphold every day. Behaviour analysis is the scientific study of the principles of learning and behaviour. The goal is to describe and understand behaviour in order to be able to predict, and ultimately, change it. The impact is cross-disciplinary, driving progress in areas such as healthcare, workplace safety and organisational management. In the multi-faceted and fast-moving landscape of cybersecurity threats,it is time for cybersecurity to ramp up defences by uniting psychology and security in a creative marriage. But where do you start? There is a strong focus on observation of threats that then lead to defining rules and policies, trainings and campaigns. The intended purpose of them is to inspire specific behaviours that counters the threat. How do we know if we achieve that? We measure! But what do you measure? Just measuring the outcome for rare negative events is, besides being unpleasant, not a strong indicator for a security or risk behaviour. You need to identify the context in which the behaviour exists, and measure both the security behaviour and the factors that reinforce or discourage it. That way we can tailor actions that actually remedy the problem and change behaviour effectively. Preferably by removing discouragement. That is the topic of this talk.

It can be difficult for Security Awareness practitioners to be taken seriously. Despite the crucial importance of Security Awareness and its role in protecting our communities, upper management still often views our efforts as entertaining at best, or a distraction at worst. We are here to equip you with the knowledge and resources to increase your impact and gain the respect you deserve. Join Steffanie AK Schilling, SANS Cyber Innovator and Difference Maker, and Alexandra Panaretos, America's Lead of Human Cyber Risk and Education, as they share how to take your program to the next level and strategically manage Human Cyber Risk. You will walk away with an understanding of

• Risk Management Foundations
• How to identify your organization's top cyber risk and develop corresponding Human Cyber Risk countermeasures (behavior identification and modification aka The Human Element)
• How to prioritize cyber risk and potential human targets
• Manage the evolving threat landscape
• Communicate with the ideals and nomenclature of Executive Leadership

You don't need a direct line to the NSA to access the latest threat intelligence. By utilizing publicly available sources, you can have access to important cyber intelligence to help make your materials come to life. Using real threat intelligence in your cyber security awareness efforts gives your audience insight into threats they may encounter and reduces information security risk. It is worth your time and effort to use intelligence to develop stories and scenarios for your audiences and allows you to create materials that are relatable to your audience. Join us as we discuss how we gather threat intelligence, process the intelligence, develop engaging stories from it, and provide actionable steps our employees can take to reduce risk.

How do you uplift the security awareness of your workforce and equip them not just to know what good security behaviours looks like, but to actively embody these behaviours themselves? In this session we will describe how we have leveraged the Psychology research base to develop our application security strategy and ensure a socio-technical approach to managing both technical and human risk. We will discuss how we have applied this strategy within Maersk's 1800-strong Developer community to understand current security practices, identify areas that need support, and deliver appropriate interventions with our Developers rather than to them. Our presentation will take you step by step through our journey from theory to practice and the challenges we've faced along the way. We will outline how we are using the Theory of Planned Behaviour (Azjen, 1990) as a framework for directing people-centred security interventions, maximising Developer engagement, and collecting data to drive continuous improvement. We will share our experience of delivering application security training and awareness and the benefits we've experienced encouraging peer-to-peer learning and friendly competition. Finally, we will discuss how we have mirrored the agile methodologies employed by our Developers in our approach to delivering organisational change, and the lessons we've learned along the way.

OCM consists of approaches to enable people to successfully participate in a change. When applied to specific behaviors, we can leverage OCM methodologies to increase the success of compliance-required initiatives and to reduce risky behaviors in our workforce. In this talk, we'll discuss the basic building blocks of OCM according to Prosci, cover risky vs. desired behaviors, and learn how to develop specific change management plans to increase the adoption of those new behaviors. This talk will be given in collaboration with Daniel Elliot, Association of Change Management Professionals Florida Board Director. Demo/Workshop: Build out simple change management plans specific to changing risky behaviors or going through compliance-mandated training initiatives.

Join us for a fun evening of networking, Austin eats, summery sips, a private patio, and maybe even a little magic!  We'll unwind at The Reverbery, a unique event space located just an elevator ride away from the Summit. 

Historically, organizations use one of two approaches to security training. Some take a minimalistic approach and focus primarily on password maintenance and email attacks. Others take a compliance approach and ensure users are given comprehensive training on all security areas, using a checkbox framework. These organizations exhaust their resources and fatigue their end-users without material behavior change that would improve the overall security posture of the company. Rather than training users on a proscriptive list of individual behaviors, our approach is to focus more security resources intentionally on awareness and engagement, framing security in digestible terms of personal impact and agency. Individually, the goal is to equip users with security knowledge that is translatable to all areas of life, with the belief that it will collectively improve the security of the whole organization. While measuring security culture change is difficult, there are metrics and outcomes we can use to determine the success of our efforts. We will present our security engagement approach, including strategically identifying areas of focus, simulated phishing, security ambassadors program, virtual security academy, and self-service security. We will use metrics and examples of user engagement that highlight an evolution in our company security culture.

"But, nobody told me!"...That is usually what most individuals say after falling victim to a social engineering scheme or simulation. Frequently, security awareness programs implement best practices to inform individuals of their role to help keep themselves and the company safe. However, has it caught the end user's attention and encouraged them to implement the repeatable processes we desire? Being informed and aware are two different mental concepts, and being aware is more of an agile response to an identifiable threat. Employees and resources are expected to be knowledgeable and care about security the same way customers care about products or services. It's akin to someone describing a tiger to you in great detail from a textbook and having lived experiences of one in person, in the habitat in which the tiger lives to appreciate it fully. However, it is possible to bridge the gaps in security awareness with human-computer interaction psychology methodologies through applying UX/UI Design principles to build security-aware cultures. This talk will demystify how the human brain works when scanning new digital experiences for familiar patterns, which can assist training & awareness professionals in building security first cultures.

You've started a security champions program. Engagement is going from strength to strength. Then you're asked, "how is it reducing risk?' Measuring how many champions are volunteering is easy. Proving there's a direct impact on risk reduction can throw up a challenge. Find out how to derive the answer to the question that could fund or finish the future of your program. In this session, you'll learn:

• How to measure success in the context of new-world human habits and behaviors
• How to uncover and define the exact behaviors that shape security culture
• How to differentiate between metrics and indicators when measuring the behaviors we want to train
• How to apply a proven model for collecting data and calculating KPIs
• Why the key to keeping leadership onside lies in effective performance reporting
• How to make sure security champions are delivering results
• What works and what doesn't, based on real-world security champions programs

Between writing books, articles, and creating a podcast every other week, I'm always facing the need to create something new -- to fill the content void. That's a scary place to be. We wonder where our next idea will come from, we don't want to say the same thing over and over, and we want to use our passion to create something unique and meaningful. In this session, I'll provide my lessons learned as someone who's always having to deliver the next new thing. I'll talk about idea generation, dealing with writer's block, facing impostor syndrome, and more. This won't be a "look at what I've done session," it will be to provide real world tools and strategies that each audience member can use to create their next big thing.

As security awareness professionals become comfortable in their roles, many do not consider how they can evolve and grow their career across the enterprise. By understanding activities and relationships outside of training and awareness, you open yourself to opportunities across business and cybersecurity functions. As our profession matures into managing and mitigating human risk, broadening your skills and role within the organization is critical for career progression. We'll showcase methods to grow your career by helping lead additional cyber initiatives, including tabletop exercises, board presentations, breach and incident communications, and policy development.