Thanks to everyone who joined us last night at SANS Las Vegas for my presentation Securing The Human. We had a really interactive crowd, which makes events like these so much fun. As promised, I've posted the latest version of the presentation online for all to download and share. The focus of the presentation was on why humans are so vulnerable, how cyber attackers exploit those vulnerabilities, and what we can do to 'patch' the vulnerabilities. Throughout the presentation we compared the human to the idea of being nothing more than another operating system, however an operating system ten years behind all others in terms of security. After the event we had a community discussion on some of the key points of what does and does not work in security awareness. Some key points shared include:
- One of the greatest challenges security is facing is communicating the value of awareness to management. This so reminds me of security ten years ago, when the biggest battle in security was getting management's attention. We now have management's attention, but everything is focused on the technical issues, not on the human issues. One of the things I want to put together is a cheat sheet for all of us out there on how to create awareness ... on the value of awareness.
- Several people shared horror stories about how in their organization there is absolutely no awareness, for example employees storing credit cards in Excel spreadsheets on community shared laptops. We agreed that it is not the fault of these people; they simply were not aware. However, it is stories like these that need to be brought to management. In addition, the best way to leverage stories is to use ones about your own organization. Management will not care about what happens in other organizations, only their own.