8:40 am - 9:00 am
CT
1:40 pm - 2:00 pm UTC | Opening Remarks |
9:00 am - 9:20 am
CT
2:00 pm - 2:20 pm UTC | Table Top Introductions - Get to know your neighbor |
9:20 am - 10:00 am
CT
2:20 pm - 3:00 pm UTC | In-Person & Streaming Live Online Keynote | Uncovering the Dark World of Nation State Scams Join us for a powerful and eye-opening presentation by Erin West, a leading expert in combating transnational organized crime and the founder of Operation Shamrock. In this engaging one-hour talk, Erin will uncover the dark world of 'pig butchering' scams— sophisticated schemes run by global criminal networks that exploit victims through manipulation and financial deception. She will shed light on how these crimes are part of a larger international threat, exploiting gaps in law enforcement, banking, and regulatory systems. Erin’s work focuses on fostering collaboration between law enforcement, financial institutions, and policymakers to disrupt these criminal enterprises and protect communities worldwide. Her insights will leave you with a deeper understanding of these pervasive crimes, the systemic changes needed to combat them, and how we can all play a role in building a safer, more resilient global community. Don’t miss this opportunity to learn from a leader at the forefront of this critical fight. |
10:00 am - 10:20 am
CT
3:00 pm - 3:20 pm UTC | Break |
10:20 am - 10:55 am
CT
3:20 pm - 3:55 pm UTC | Virtual Track Game On! Building a Winning Cybersecurity Culture Through Gamification Encouraging your workforce to actively engage with cybersecurity awareness content can be a challenge. Employees often perceive information security as daunting, technical, and restrictive—making it difficult to spread awareness beyond the surface level. So how can we deepen user engagement and build trust by showing information security as approachable, digestible, and fun? Through games.
Leveraging tools our company already has (PowerPoint and PowerApps), we create completely customized games catered to current company needs and security trends. Since “leveling up” our gamification efforts, we’ve seen a significant increase in audience participation. Users report they are better able to retain information, feel more secure in their cybersecurity decision-making, and actively seek out our other content.
At the conclusion of this presentation, attendees will be able to:
• Think creatively about resources that might already be available at their company.
• Learn strategies for selecting a topic and theme.
• Design themed graphics.
• Develop a marketing plan to distribute their games.
• Gather metrics and feedback to demonstrate learning and effectiveness.
Show More
|
10:20 am - 10:55 am
CT
3:20 pm - 3:55 pm UTC | In-Person & Streaming Live Online How Boola the Cyber Bee Transformed Yale's Awareness Program: Building Buzz to Boost Engagement Branding isn't just for marketing—it's a powerful tool for driving cybersecurity awareness and engagement. At Yale University, we developed Boola the Cyber Bee as a recognizable figure to promote cybersecurity best practices across campus. This session will explore the process of building and evolving a cybersecurity awareness brand, leveraging partnerships, and using innovative marketing strategies. Attendees will learn practical steps to establish or enhance their own programs, making security awareness fun, engaging, and memorable. Expect interactive discussion, creative ideas, and actionable takeaways to boost your institution’s cybersecurity culture.
Show More
|
11:00 am - 11:35 am
CT
4:00 pm - 4:35 pm UTC | Virtual Track Reeling in the Right Vendor: A Project Manager's Guide to Security Awareness Platform Selection Overwhelmed by selecting security awareness and phishing simulation vendors? This session delivers a project management-driven approach to confidently navigate the process, ensuring stronger security programs and a resilient organization. We'll transform chaotic vendor selection into an effective project, covering: - Functional Requirements: Defining your organization's unique needs.
- Demo Testing: Evaluating demonstrations and identifying red flags.
- User Acceptance Testing (UAT/POC): Designing scenarios and measuring platform performance.
- Acquisition: Negotiating contracts and managing implementation.
Attendees will gain a repeatable methodology (including an evaluation grid), skills to define requirements, execute effective POCs, mitigate selection risks, and apply practical project management principles. |
11:00 am - 11:35 am
CT
4:00 pm - 4:35 pm UTC | In-Person & Streaming Live Online From Mismatched to Mastery: Crafting the Perfect Fit for Cybersecurity Awareness Casie Clark, Cybersecurity Manager, Governance, Outreach & Awareness, Whirlpool Imagine trying to fit every employee into the same pair of shoes — uncomfortable, right? The same happens when organizations apply a ‘one-size-fits-all’ approach to cybersecurity awareness. As our environments evolve and our adversaries become increasingly sophisticated, doubling-down on this outdated and rigid approach is no longer a match for the complexities we face in modern security threats.
Join us for an enlightening session where you'll discover how to revolutionize your cybersecurity awareness program. Learn from your security awareness peers on how you can ditch your generic human risk mitigation plan and tailor your approach to fit the unique needs of your organization and audience.
We'll explore:
* Why customization is key: Understand the pitfalls of generic strategies and the benefits of a personalized approach, considering your industry, job functions and high-risk roles.
* Evolving beyond the old ways: Gain practical tips on how to transition from outdated methods to innovative, effective practices.
* Measurable success: See the tangible outcomes of a tailored strategy, from increased leadership buy-in and reduced risk to improved KPIs.
Don't miss this opportunity to transform your cybersecurity awareness efforts and make a lasting impact on your organization's security posture.
Show More
|
11:40 am - 12:20 pm
CT
4:40 pm - 5:20 pm UTC | Virtual Track People Are Not the "Weakest Link in Cybersecurity". Our understanding of people is. Inge Wetzer, Principal Social Psychologist Cybersecurity & Compliance, Bureau Veritas Cybersecurity “Humans are the weakest link in cybersecurity.” A statement frequently made in the field of security, and taken for granted by many. What has gained less attention however, is the (lack of) understanding of people that exists in the field of cybersecurity. Attempts to tackle the human factor have mainly focused on increasing awareness from cybersecurity specialists’ point of view. However, cybersecurity experts have a different motivation and different interests in this specific topic. Therefore, they tend to set up campaigns from their own point of view; sending knowledge to their target audience on what they think is important, and more dangerously, based on their own assumptions. Interestingly, ‘people’ is as much an expertise as is ‘cybersecurity’. Strangely enough, the tendency exists to ask security experts to take care of the people part. Nevertheless, people, and more specifically their behavior, is the expertise of psychologists. How hilarious we would find the idea of asking a psychologist to build a firewall, the normal we find the idea to ask a IT specialist to influence people’s behavior.
The fact that not the people are the weakest link, but our understanding of them is, is hopeful. It gives us some control back! The solution is to be found in our understanding of the employees. This presentation focuses on insights from psychology, and how they can be applied into the field of cybersecurity. It highlights the most interesting perspectives from psychology and shows how these can be translated into an effective awareness and behavior program.
Show More
|
11:40 am - 12:20 pm
CT
4:40 pm - 5:20 pm UTC | In-Person & Streaming Live Online Lightning Talks 11:40 - 11:50 am | Deepfake diaries: The latest AI-based attacks and how to help your employees detect them, Kerry Tomlinson What are the newest AI-fueled attacks your employees face at work and at home? You'll see real-life video and audio deepfakes that attackers are currently using to try to trick people into giving up passwords, data and money. Learn how and when cyber criminals are deploying this AI-generated content, the latest methods on how to unmask the fakes, and strategies for sharing these skills with your employees. Award-winning reporter Kerry Tomlinson shares her collection of real-world deepfake attacks and provides practical tips for people to protect themselves, from employees and CEO's to their families at home. She'll lay out a game plan for incorporating this essential information into your awareness program now and in the future as AI continues to evolve. 11:50 - 12:00 pm | Designing Globally Relevant Awareness Campaigns, Angel Jordan Creating effective security awareness programs for global workforces requires more than just translation—it demands an understanding of cultural context. This session will demonstrate how to design security campaigns that respect cultural differences while enhancing engagement and behavior change. Key Takeaways:
Attendees will learn actionable strategies to build globally relevant security programs using a step-by-step approach: - Conducting a Cultural Audit: Learn how to assess cultural norms, communication styles, and regional priorities through employee feedback, focus groups, and cultural ambassador partnerships.
- Tailoring Messaging for Impact: Discover how to adapt security messages to align with cultural values. Examples include using competitive gamification for U.S. teams, storytelling for Indian audiences, and regional customs for Latin American campaigns.
- Building Collaborative Partnerships: Understand how to engage employee resource groups (ERGs), local leaders, and cultural ambassadors to co-create content that feels authentic and respectful.
- Avoiding Cultural Missteps: Gain practical tips for identifying and addressing unintentional stereotypes or assumptions while celebrating cultural identity in your campaigns.
12:00 - 12:10 pm | From NGO to Cyber: The Psychology of Doing More With Less, Anna Pieczatkowska I spent half my career running grassroots campaigns for nonprofits where budgets were tight but creativity thrived. Then I stepped into corporate information security and realized that the same inventive approach—plus a background in psychology—could transform how we tackle human risk. In this session, I’ll show you how to borrow from the nonprofit playbook with practical strategies for planning cost-effective yet high-impact events, unearthing hidden talent, and proving to leadership that imagination can outperform big spending. If you’re tired of hearing “we can’t afford that,” learn how to turn budget limits into powerful opportunities that truly engage employees and elevate your security culture. Expect rapid storytelling, hands-on tips, and a refreshing perspective on why the best way to ignite real change might just come from the nonprofit world. 12:10 - 12:20 pm | Collaboration and Competition: Leveraging School Spirit, Cindy McKendall & Kendall WilliamsPersuading faculty and staff to care about security awareness at an educational institution is often challenging. Budgets are small, attention spans are short and responsibilities such as teaching take precedence. Being secure can be a low priority, and cybersecurity can even conflict with educational ideals like openly sharing research data. This is as true for small colleges as it is for large universities such as those in the Big Ten. When you think of Big Ten universities, you may picture them clashing on the football field, the basketball court or the soccer pitch. But Big Ten institutions can and do work together outside of sports arenas! In this presentation, participants will learn how different universities of the Big Ten (which now comprises eighteen institutions of higher education) came together to motivate employees at each institution. Representatives from each university cooperated and collaborated to plan a cybersecurity game show event that was the culmination of Cybersecurity Awareness Month. By harnessing the power of school spirit and friendly competition, faculty and staff from across the Big Ten learned about cybersecurity, increased their security awareness and had fun doing it. In this presentation, we’ll demonstrate how we were able to harness a natural competitive spirit to deliver security awareness in a fresh, new way via gamification, while delivering cost savings to our institutions through collaboration. Participants will come away from this presentation with ideas on how to incorporate competition into their own security awareness programs, as well as ways to reach and involve disengaged employees in security awareness. |
12:25 pm - 1:30 pm
CT
5:25 pm - 6:30 pm UTC | Lunch |
1:30 pm - 2:45 pm
CT
6:30 pm - 7:45 pm UTC | Workshops | In-Person Attendees Only Workshop | Hidden Gems: Free & Cheap Tools to Level Up Your Training Tired of dry, lecture-based cybersecurity training? Join me for a hands-on exploration of free and budget-friendly tools that transform learning into engaging games and interactive experiences. In this demo-packed session, we’ll ditch the static slides and dive into practical applications of readily available software, proving that effective training doesn't have to break the bank.
We'll journey through a curated selection of tools, showcasing how to build compelling cybersecurity games, interactive simulations, and dynamic training modules. Discover how to leverage free game engines, accessible graphic design platforms, and collaborative online tools to create immersive learning experiences. You’ll witness real-time demonstrations of how these resources can be combined to teach complex cybersecurity concepts in a fun, digestible way.
Attendees will learn:
* How to utilize free and low-cost game engines to create interactive cybersecurity scenarios.
* Practical techniques for designing engaging visuals and graphics without needing advanced design skills.
* Methods for building collaborative learning environments using accessible online platforms.
* Strategies for incorporating gamification elements into training to boost learner engagement and knowledge retention.
* Actionable steps to immediately implement these tools into your own training programs.
Leave this session with a toolkit of practical skills and resources, ready to transform your cybersecurity training from mundane to masterful. You’ll gain the confidence to create captivating learning experiences that empower your audience to master critical cybersecurity skills through play and interaction. Come ready to play, learn, and build!
Show More
|
1:30 pm - 2:05 pm
CT
6:30 pm - 7:05 pm UTC | In-Person & Streaming Live Online Challenges and Solutions for Building a Cybersecurity Culture in a Complex Organization As the Cybersecurity Culture and Competence Manager at KONE, a global organization with over 65,000 employees, including factory workers and operatives, I face a significant challenge in implementing and embedding a strong cybersecurity culture. While cybersecurity is a top priority for our leadership, and there is strong engagement from the highest levels, we encounter recurring obstacles in translating this commitment into tangible change. The complexity of our organization—spread across multiple countries, languages, cultures, and business units—presents unique challenges when it comes to reaching every employee and driving real behavioral change.
In this session, I will explore these challenges and offer practical solutions for building a sustainable cybersecurity culture in large, diverse organizations. I’ll share the key lessons learned from our efforts, including the communication barriers faced when working with a global, multilingual workforce and the difficulties in creating consistent cybersecurity awareness across varied employee segments, from office-based professionals to factory operatives.
Despite strong organizational support, the reality is that implementing a culture change is not as simple as setting goals and expecting results. We will dive into why initiatives often fall short, even when leadership buy-in is evident, and how to address the gap between strategy and execution. I’ll provide actionable insights into how organizations can:
-Leverage innovative tools and platforms to overcome cultural, language, and accessibility barriers.
-Establish effective communication channels that resonate with diverse employee groups.
-Measure and track the success of cybersecurity culture initiatives, despite the complexities of a global organization.
Through real-life examples, I will explain what has worked and what hasn’t in our journey.
Show More
|
2:10 pm - 2:45 pm
CT
7:10 pm - 7:45 pm UTC | In-Person & Streaming Live Online Hacking Minds & Shaping Behaviors: How to Drive Habit Changes in Your Cybersecurity Awareness Program Through Neuroscience & Behavioral Psychology? Leandro Rocha, Security Awareness Officer, Clube de Regatas do Flamengo Building a lasting security culture is a big challenge, especially when many users lack the motivation to change their habits.
In this presentation, I will explore how principles of neuroscience, behavioral psychology, and practical learning can enhance engagement, improve knowledge retention, and drive lasting behavioral change within cybersecurity awareness programs.
This approach is grounded in real-world practice, developed and implemented during my role as Security Awareness Officer at Flamengo, one of Brazil’s largest soccer clubs, with over 40 million supporters.
We’ll break down three of the most common hurdles faced by cybersecurity awareness managers—and the science-backed techniques to overcome them.
1. Knowledge retention: How to prevent information from being forgotten?
One of the greatest challenges in any security awareness training program is ensuring that knowledge is retained over time rather than quickly forgotten. The human brain learns more effectively when information is delivered in a spaced, interactive format rather than through a single, intensive training session. In this session, I will explore how neuroscience-based learning techniques—such as spaced repetition, short and frequent simulations, quizzes, prior knowledge activation, multisensory learning (Visual, Auditory, and Kinesthetic), and gamification—can enhance information retention and elevate your program from a simple compliance requirement to a truly impactful experience for your users.
2. Behavioral change: how to turn knowledge into action?
Knowing is not the same as doing. To drive meaningful behavior change, applying BJ Fogg’s behavior model to the security awareness training program can be highly effective. We will explore the importance of understanding your audience, identifying their motivations and expectations, providing immediate feedback and positive reinforcement, setting progressively challenging goals, and leveraging social recognition. These strategies are essential for making secure behaviors become second nature.
3. Emotional engagement: How to get users to care?
Traditional training programs fail because they lack emotional connection. True engagement occurs when employees feel like an integral part of the process. I will explore how techniques designed to create stimuli and encourage interaction—such as gamification, storytelling, and social dynamics—can cultivate authentic involvement, spark curiosity, and reinforce each individual’s role as a key player in the organization’s defense, making awareness initiatives more dynamic, engaging, and rewarding.
In addition to addressing the challenges mentioned, I will share lessons learned and present key metrics and KPIs to evaluate the impact of the mentioned techniques, such as phishing report rates, training participation rates, and engagement rates.
Key Takeaways
Regardless of their organization’s size or maturity level, by the end of the presentation, participants will gain practical insights and tools to:
- Apply neuroscience and behavioral psychology methodologies in information security programs;
- Make the program more attractive and engaging, increasing user participation and engagement;
- Improve knowledge retention and content assimilation;
- Promote lasting and effective behavioral changes by encouraging the adoption of secure habits in daily routines, empowering users to actively assist the company in mitigating real-world risks; and
- Measure the program’s impact using concrete metrics and data.
Show More
|
2:50 pm - 3:10 pm
CT
7:50 pm - 8:10 pm UTC | Break |
3:10 pm - 12:35 pm
CT
8:10 pm - 5:35 pm UTC | Workshops | In-Person Attendees Only Workshop | Human-Centric Security: Enhancing Security Awareness Programs through Design Thinking In today's rapidly evolving threat landscape, traditional security awareness programs often struggle to design engaging, effective initiatives that truly meet the needs of their user population. This session will introduce attendees to the transformative power of Design Thinking/Human-Centered Design in developing and enhancing security awareness and human risk management programs.
Design Thinking is a creative problem-solving approach that balances user needs with technical feasibility and business viability. By fostering innovative thinking and challenging traditional assumptions, Design Thinking ensures that security initiatives are not only effective but also engaging and sustainable.
During this session, participants will gain a comprehensive understanding of what Design Thinking is and why it is crucial for modern security programs. We will explore the key phases of Design Thinking—Empathize, Define, Ideate, Prototype, and Test— and provide simple techniques for applying each phase to security awareness and human risk management.
Attendees will learn how to:
Empathize: Conduct user research to understand the needs, motivations, and pain points of their target audience.
Define: Identify and articulate problem statements and objectives based on insights gathered during the empathize phase.
Ideate: Generate innovative ideas and solutions through brainstorming sessions and collaborative workshops.
Prototype: Develop tangible representations of ideas to test and refine concepts.
Test: Evaluate prototypes with real users to gather feedback and iterate on solutions.
By the end of this session, attendees will be equipped with practical strategies to evolve their security awareness programs from mere compliance exercises to dynamic, user-centered initiatives that effectively mitigate human risk. Join this session to discover how Design Thinking can drive meaningful change and foster a culture of security within your organization.
Show More
|
3:10 pm - 3:45 pm
CT
8:10 pm - 8:45 pm UTC | In-Person & Streaming Live Online Transparency Over Secrecy – How We Built a Security Scorecard That Drives Accountability Without Fear Gina Andrews, Senior Information Security Program Manager, Rocket Security awareness programs often stop at training and phishing simulations, but that’s just scratching the surface. Real culture change happens when employees understand their security behaviors and feel empowered to improve them. What if every employee had their own Security Score?
At our organization, we broke from industry norms by designing a Security Scorecard to empower employees, engage leadership, and create transparency around human risk. Many companies hesitate to show employees their security scores, fearing resistance or punitive associations. However, we found that the key to cultural change isn’t secrecy—it’s visibility.
In this session, we'll share how we built a Team Member Security Scorecard that engages employees, empowers leadership, and makes human risk more transparent and how we accomplish this without creating fear or finger-pointing. We’ll break down:
Securing Leadership Buy-In: How we partnered with executives, risk leaders, and HR to position the scorecard as an awareness tool, not a punishment.
Building the Scoring Model: How we weighed different security behaviors, like phishing simulations, MFA usage, and password hygiene to reflect real-world risk.
Messaging That Engages, Not Alarms: How we introduced the scorecard through onboarding, leader huddles, and champions programs to foster education and ownership.
Driving Culture with Transparency: How we integrated the score into performance conversations, executive dashboards, and company-wide business goals.
Lessons Learned: The challenges we faced (and how we tackled them). From gamification to data privacy concerns to internal politics.
Since its launch, our Security Scorecard has become a core part of how we talk about security. It sparks conversations in teams, influencing leadership decisions, and helping employees see how their individual actions impact the company’s overall risk.
Whether you're starting from scratch or looking to evolve your employee engagement program, you'll leave this session with practical steps, pitfalls to avoid, and lessons learned to help you bring transparency and accountability to your security culture.
Show More
|
3:50 pm - 4:25 pm
CT
8:50 pm - 9:25 pm UTC | In-Person & Streaming Live Online Beyond Click Rates: Using Holistic Metrics to Drive Security Awareness Success Security awareness programs often default to measuring success through phishing click rates, but true effectiveness requires a more comprehensive approach. This talk will explore how to build a robust security awareness metrics strategy that goes beyond surface-level engagement and creates a feedback loop for continuous improvement.
Attendees will learn how to:
• Identify and Track High-Risk Groups: Not all users pose the same risk. We’ll discuss why you should leverage metrics to track high-risk user groups—such as those with privileges access, frequent security violations, or those traveling to higher risk regions—and tailor education accordingly.
• Set and Measure Long-Term Training Goals: Measuring awareness requires a multi-year approach. This talk will outline strategies for setting meaningful security training goals over a 2–3 year period, including tracking improvements in user behavior, reporting rates, and secure decision-making.
• Develop Holistic Security Metrics: A strong awareness program integrates multiple data points—such as phishing simulation results, training completion, engagement with the security team, and security tool usage—to paint a clearer picture of a security awareness program. We’ll discuss how to aggregate these metrics into meaningful insights.
• Use Metrics as a Feedback Loop: Security awareness should not be a one-and-done effort. We’ll cover how to use metrics to refine content, adjust approach to engagements, and drive the direction of your security awareness program. By continuously analyzing metrics, teams can identify trends, adapt training approaches, and demonstrate measurable security improvements over time.
By the end of this session, security awareness professionals will walk away with a practical framework for tracking engagement metrics that truly reflect behavioral change, risk reduction, and the long-term impact of their awareness programs.
Show More
|
4:30 pm - 4:45 pm
CT
9:30 pm - 9:45 pm UTC | Wrap Up |
