9:00 am - 9:20 am CT 2:00 pm - 2:20 pm UTC | Live in Austin, TX - Track 1 Welcome & Opening Remarks |
9:20 am - 10:00 am CT 2:20 pm - 3:00 pm UTC | Live in Austin, TX - Track 1 Keynote | Great Scott! Jumping the Security Awareness S-Curve Security awareness programs often struggle with balancing the responsibility of training employees to defend against the threats of today and tomorrow while also proving the importance of the program to all areas of the org. But maybe there’s another way. Is it possible to find the Marty McFly to your Doc Brown? To gain alignment with your executives on the importance of a security awareness program and what it should do so that you're both driving your DeLorean into a high-speed future where you can keep ahead of the fastest threat actors while also proving your program's value every step of the way?
In this keynote, Relativity CSO and CIO Amanda Fennell will don her own Doc Brown goggles in the hopes of doing just that. She’ll talk about her experience in proving the value of strong security awareness programs, how measuring success in these programs has changed over the past decade and where it goes from here, and how security leaders can transform their security awareness programs to jump the s-curve, gain buy-in from execs, and future-proof their org in the process. Tune in and find out what this CSO and CIO is looking for in a new-age security awareness program and what you'll need to do to get there.
|
10:00 am - 10:20 am CT 3:00 pm - 3:20 pm UTC | Live in Austin, TX - Track 1 Break |
10:20 am - 10:55 am CT 3:20 pm - 3:55 pm UTC | Live in Austin, TX - Track 1 Embracing a "Behavior First" Mindset: How to Influence Behavior in Security Awareness Security awareness isn't making the whole company aware that you have a security team or checking a compliance box. A great security awareness program influences people to behave in ways that are less risky. Yet many practitioners don't understand how to actually influence and change human behavior. Often, we assume that employees who behave insecurely (say, reuse their password) just need to be trained - but we don't fully understand the driver behind the insecure behavior (perhaps they don't have access to a password manager). In this talk, practitioners will learn to start from the source - the behavior that needs to change - rather than trying to influence behavior from a pre-fixed solution. From there, practitioners will learn how to understand what's driving behavior in the first place, how they can get behavioral data to better understand their audiences, and how to apply behavior science concepts to awareness work (e.g., how to reduce information to focus on our desired behavior, when to use social proof to our advantage in communications). Throughout the presentation, I will also demonstrate ways I've approached awareness work "behavior first," and share valuable resources for learning more about behavior change.
|
10:20 am - 10:55 am CT 3:20 pm - 3:55 pm UTC | Live Online - Track 2 Phish Training: Metrics, Maturity, and How to Continually Evolve Your Program Claire Hughes, Security Education and Awareness Consultant and EMEA Lead, Zurich Insurance. Do you ever feel that just when you've conquered creating and running a great phish training program, a stakeholder or leader comes along and says, “So, when are you going to do X?,” or “Why aren't you doing Y?,” or even more common these days, “Here are the metrics I'm looking for.” I lead the phish training program at a multinational insurance company where we (myself and 3 other team members) phish train 80k employees once a month on a playbook, as well as an additional ~52 targeted campaigns of high-risk groups. I have to satisfy 5 regional CISOs, a Global CISO, and, at times, requests from audit, risk, cyber, and others. We have a very mature program with the goal of improving metrics offerings each year. Let me show you HOW I strategize the development of a playbook and choosing lures to result in metrics they find valuable, how we've approached metrics analysis and development, what the resulting format is, and where we are headed, helping you to think through customizing and designing phish simulation training that meets your company's specific needs.
|
11:05 am - 11:40 am CT 4:05 pm - 4:40 pm UTC | Live in Austin, TX - Track 1 Shall We Play a Game? | Arcade-Worthy Games Using Office365 Awareness teams are stretching the boundaries of traditional education methods to gain audience attention, as well as make a bigger impact with learning objectives.
The word “gamification” has been thrown around for the past few years on everything from clickable Powerpoint decks to Adobe crossword puzzles. Let’s face it, these get old fast.
Some brilliant and creative people on my team figured out how to use PowerApps, a tool that comes with Microsoft Office365, to build a library of some pretty epic games. We did the heavy lifting so you don’t have to.
Join us as we showcase some of our coolest and hottest games, along with the templates on how you can make them.
|
11:05 am - 11:40 am CT 4:05 pm - 4:40 pm UTC | Live Online - Track 2 The Equifax Journey: A Guide to Human Risk Management The 2017 Equifax breach was a defining moment and offered an unprecedented opportunity for corporate self reflection. Who are our riskiest employees and how do we incentivize proper behavior? How do we drive a global "Security First" culture? Can we proactively monitor and mitigate human risk? How do we know when workforce behavior changes? These are some of the questions that led to Equifax's 5 year maturity journey from a compliance focus to a robust, metrics driven, and proactive human risk management program. This session will provide the following best practices:
- A phased step by step approach from analysis, solution design, and implementation
- An understanding of barriers to secure behavior to quantifiable measurement of workforce behavioral change
- An innovative 5 pillar approach to building the EFX Security First culture
At the end of this presentation, you'll walk away with actionable insights on how to build a measurable human risk management program.
|
11:50 am - 12:25 pm CT 4:50 pm - 5:25 pm UTC | Live in Austin, TX - Track 1 Adventures in Phishing: Using Email Risk Ratings to Lower Risky Phishing Behavior Cathy Click, National and Global Campaigns for FedEx information security How do you drop live email click rates 72% when only given funding to reach 10% of the employee population? Sounds insurmountable! Can such a small percentage of a population actually show results in live phishing clicks? YES! This session will take you through the path she took to using behavioral metrics from email filtering and office Azure metrics to determine employees with the highest risk to the business. Discover how to incorporate assessments and targeted education, to give employees the tools to Phight the Phish. See how she determined how to train the highest threat, persistent clickers using risk results. You will leave this presentation with insights to determine employees that pose the greatest phishing risk and utilize that information to reduce the risk to your business and show ROI.
|
11:50 am - 12:25 pm CT 4:50 pm - 5:25 pm UTC | Live Online - Track 2 Driving Behavioral Change Through Personalized Cybersecurity Interventions Melanie Timbrell, Senior Manager Cyber Security Awareness, Commonwealth Bank of Australia One-size-fits-all approaches to cybersecurity education and awareness campaigns are known to have limited impact when we consider the diversity of roles and staff they target. But while companies understand the need for campaign differentiation, developing segmented campaigns is challenging in practice due to the lack of relevant behavioural metrics and contextual analysis. In this talk we'll show you how we applied a data science approach to determine the most effective way of driving behavioural change through personalised cybersecurity awareness campaigns. This was achieved by developing individual behavioural profiles using a longitudinal mixed-methods study of employees based on individual data on cyber risk perception and risk taking alongside employee contextual data, such as role type and team size. Besides achieving more effective personalised cybersecurity awareness campaigns, our approach provides insights into behavioural risk measurement at employee level and its organisational mapping, early identification of potential ‘hot spots’, timely behavioural interventions, and evidence-based risk management. This approach moves away from the traditional assumption of humans being the weakest link in cyber-security systems towards the modern paradigm of “humans as cybersecurity sensors”, leveraging humans' superior detection ability when it comes to new threats and other anomalies that are often invisible to automated systems.
|
12:25 pm - 1:30 pm CT 5:25 pm - 6:30 pm UTC | Live in Austin, TX - Track 1 Networking Lunch |
12:25 pm - 1:30 pm CT 5:25 pm - 6:30 pm UTC | Live Online - Track 2 Break |
1:30 pm - 2:05 pm CT 6:30 pm - 7:05 pm UTC | Live in Austin, TX - Track 1 All Change, Please! Security Behaviors in the Context of Today’s Risks, Threats, and Vulnerabilities There’s a shift underway. The security community is moving from “entertaining, training, and tricking” users to a more intelligent approach to influencing and measuring security behaviors. Why is this and what exactly does it mean for cyber risk management? Join this session to learn more about how free open-source resources like the Security Behaviour Database can help transform your ability to reduce risk and measure the impact you’re having on your organization’s risk posture.
|
1:30 pm - 2:05 pm CT 6:30 pm - 7:05 pm UTC | Live Online - Track 2 How to Make a Developer Love Security Are you being asked to influence security culture amongst your technical colleagues? Do you sometimes feel out of your depth? What if you could deliver measurable risk reduction in the development of your software and digital services via technical security champions? If you are an organization which depends on its software to carry out its core function, engagement with technical colleagues who build and maintain this software is essential. During this talk we will give an overview of how Sage has developed a network of security champions in a varied technical environment. The key takeaways from the talk will be how to use persona interviews to understand your technical ecosystem and colleagues, the tools and techniques you can then apply to engage with this unique community of colleagues and finally, the metrics you can measure to demonstrate impact and risk reduction. Along the way we will share our lessons learned to help you effectively use these colleagues' expertise and knowledge to identify and mitigate risks to ensure you deliver more secure and reliable digital products and services.
|
2:15 pm - 2:50 pm CT 7:15 pm - 7:50 pm UTC | Live in Austin, TX - Track 1 A Trip to the Metaverse: Can Virtual Reality Training Help Your Employees Behave More Securely? Dana Trudeau, Information Security Innovation Lead for Mobile & Extended Reality (XR), Accenture Are you ready for what's ahead? You may have heard buzzwords like Virtual Reality (VR), Augmented Reality (AR), Extended Reality (XR), or maybe even Metaverse. How can these innovative technologies be applied to cybersecurity learning? What's the benefit to immersive virtual experiences compared to other training and collaboration mediums? Is this technology right for you? Where do you even begin? This session will provide you with answers to these questions and more as we share our journey to the Metaverse; a journey that started with a simple security training concept back in 2018, evolved to overcome roadblocks and expanded to deploy advanced technology to help shape human behavior through simulated cyber challenges. In this presentation, you will learn how to use new technologies to shape cybersecurity behaviors through immersive virtual learning and provide you the following key takeaways: 1) The use case for VR: Determining whether VR is right for you; 2) Identifying the right security behaviors: Creating immersive VR experiences that "test behaviors in the wild" and 3) How to deploy innovative learning: key lessons learned and ‘lucky breaks' for a successful VR roll-out ... are you ready?
|
2:15 pm - 2:50 pm CT 7:15 pm - 7:50 pm UTC | Live Online - Track 2 Put On Your Psychology Glasses and See Metrics in a New Way Welcome to the frightening ABC class on measuring and modifying security behaviour. We will go through practical examples of behavior analysis on security behaviours and use them to highlight how to work with metrics and areas where we have little knowledge today and should start measuring. “Constant vigilance!” may sound like good advice, but what does that actually mean from a behavioural standpoint? How do you stay vigilant day in and day out without anything to reinforce you? The short answer is: You can't. You must replace vigilance with another secure behaviour that you can actually manage to uphold every day. Behaviour analysis is the scientific study of the principles of learning and behaviour. The goal is to describe and understand behaviour in order to be able to predict, and ultimately, change it. The impact is cross-disciplinary, driving progress in areas such as healthcare, workplace safety and organisational management. In the multi-faceted and fast-moving landscape of cybersecurity threats, it is time for cybersecurity to ramp up defences by uniting psychology and security in a creative marriage. But where do you start? There is a strong focus on observation of threats that then lead to defining rules and policies, trainings and campaigns. The intended purpose of them is to inspire specific behaviours that counter the threat. How do we know if we achieve that? We measure! But what do you measure? Just measuring the outcome for rare negative events is, besides being unpleasant, not a strong indicator for a security or risk behaviour. You need to identify the context in which the behaviour exists, and measure both the security behaviour and the factors that reinforce or discourage it. That way we can tailor actions that actually remedy the problem and change behaviour effectively. Preferably by removing discouragement.
That is the topic of this talk.
|
2:50 pm - 3:15 pm CT 7:50 pm - 8:15 pm UTC | Live in Austin, TX - Track 1 Break |
3:15 pm - 3:50 pm CT 8:15 pm - 8:50 pm UTC | Live in Austin, TX - Track 1 Are Your Users Getting Swindled? By now most of us have heard or seen the latest Netflix documentary The Tinder Swindler. Romance scams are scary and looking from the outside, we often see the obvious signs. But did you know that Business Email Compromise (BEC) is one component of an intricate crime network? This talk will provide the history of BEC, how it's linked to Romance Scams and what you can do to protect your organization. This threat tactic is costing organizations billions of dollars, it's time to start defending against it.
|
3:15 pm - 3:50 pm CT 8:15 pm - 8:50 pm UTC | Live Online - Track 2 Aligning Your Awareness Efforts to Threat Intelligence You don't need a direct line to the NSA to access the latest threat intelligence. By utilizing publicly available sources, you can have access to important cyber intelligence to help make your materials come to life. Using real threat intelligence in your cyber security awareness efforts gives your audience insight into threats they may encounter and reduces information security risk. It is worth your time and effort to use intelligence to develop stories and scenarios for your audiences and allows you to create materials that are relatable to your audience. Join us as we discuss how we gather threat intelligence, process the intelligence, develop engaging stories from it, and provide actionable steps our employees can take to reduce risk.
|
4:00 pm - 4:35 pm CT 9:00 pm - 9:35 pm UTC | Live in Austin, TX - Track 1 It’s Easy to Stay Safe Online We in the security profession know it’s not easy, but does everyone else need to know that? This October’s Cybersecurity Awareness Month theme is all about keeping it simple and easy for mass appeal and maximum behavior change. Lisa, the Executive Director of the National Cybersecurity Alliance, will share the impetus behind this October’s theme and all the great resources available FOR FREE. She’ll also share ways you can get involved and partner with the National Cybersecurity Alliance not just in October but all year long.
|
4:00 pm - 4:35 pm CT 9:00 pm - 9:35 pm UTC | Live Online - Track 2 Leveraging Organizational Change Management (OCM) for Successful Behavior Change Daniel Elliott, Sr. Change Management Lead, Global Safety Assessment Services, Charles River Laboratories
OCM consists of approaches to enable people to successfully participate in a change. When applied to specific behaviors, we can leverage OCM methodologies to increase the success of compliance-required initiatives and to reduce risky behaviors in our workforce. In this talk, we'll discuss the basic building blocks of OCM according to Prosci, cover risky vs. desired behaviors, and learn how to develop specific change management plans to increase the adoption of those new behaviors. This talk will be given in collaboration with Daniel Elliott, Association of Change Management Professionals Florida Board Director.
|
4:40 pm - 5:15 pm CT 9:40 pm - 10:15 pm UTC | Live in Austin, TX - Track 1 SANS Security Awareness Survey Results & Day 1 Wrap-Up |
6:00 pm - 7:30 pm CT 11:00 pm - 12:30 am UTC | Live in Austin, TX - Track 1 Social Event | Vibin' at the Reverbery Join us for a fun evening of networking, Austin eats, summery sips, a private patio, and maybe even a little magic! We'll unwind at The Reverbery, a unique event space located just an elevator ride away from the Summit.
|