Securing The Human: How to Build, Maintain and Measure a High-Impact Awareness Program
Organizations have invested a tremendous amount of money and resources into securing technology, but little if anything into securing their employees and staff. As a result, people, not technology, have become their weakest link in cybersecurity. The most effective way to secure the human element is to establish a high-impact security awareness program that goes beyond just compliance and changes behaviors. This intense two-day course will teach you the key concepts and skills needed to build, maintain and measure just such a program. All course content is based on lessons learned from hundreds of security awareness programs from around the world. You will learn not only from your instructor, but from extensive interaction with your peers, as well. Please bring example materials from your security awareness program that you can show and share with other students during the course.
Finally, through a series of labs and exercises, you will develop your own custom security awareness plan that you can implement as soon as you return to your organization.
You Will Learn:
- The Security Awareness Maturity Model and how to use it as the roadmap for your awareness program.
- How to effectively engage and communicate within your organization.
- How to identify and mitigate the top human risks to your organization.
- How to sustain your security awareness program over the long term, including updating content and communication methods and, ultimately, changing your organization's culture.
- How to measure the impact of your awareness program, track reduction in human risk, and communicate the value of such a program to management.
MGT433.1: Planning and Building
Sun Oct 26th, 2014
9:00 AM - 12:15 PM PT
1:30 PM - 5:00 PM PT
CPE/CMU Credits: 6
- The five stages of the Security Awareness Maturity Model.
- The elements of risk and their role in awareness.
- Why humans are so vulnerable and how cyber attackers exploit these vulnerabilities.
- The learning continuum: awareness, training and education.
- Steps to gain management support and a budget.
- Beginning the planning phase with a project charter.
- Developing a steering committee/advisory board.
- Answering the three key questions during the planning phase: who, what and how.
- Who: Identifying the different targets of your awareness program. Whose behaviors do you want to change?
- What: Identifying and prioritizing the topics that both have the greatest impact on your organization and keep you compliant. This includes conducting a human risk analysis step by step, identifying the top ten human risks to your organization, and then creating a learning objectives document for each topic.
MGT433.2: Implement and Maintain
Mon Oct 27th, 2014
9:00 AM - 12:15 PM PT
1:30 PM - 5:00 PM PT
CPE/CMU Credits: 6
- How: How you will deploy your program. This includes understanding the cultures within your organization and how to successfully engage people.
- The effective use of imagery, including imagery within diverse or international environments.
- Top tips for effective translations.
- The two communication methods, primary and reinforcement, and the advantages and disadvantages of each.
- How to effectively present and communicate in person.
- How to effectively communicate using Computer-Based Training (CBT) or eLearning, including use of a Learning Management System (LMS).
- Different reinforcement methods, including newsletters, posters, blogs and podcasts, and the different advantages/disadvantages of each.
- The two key requirements to updating and improving your program.
- Designing, deploying and using metrics to measure the impact of your awareness program, including how to effectively run phishing assessments.
- Walking through the final planning and execution steps, to include documenting a comprehensive project plan.
Who Should Attend
- Security awareness officers.
- Chief Security Officers and security management officials.
- Security auditors, and governance and compliance officers.
- Training, human resources and communications staff.
- Representatives from organizations subject to regulations or standards such as HIPAA, FISMA, FERPA, PCI DSS, ISO/IEC 27001, SOX, NERC, or any other compliance-driven requirement.
- Anyone involved in planning, deploying or maintaining a security awareness program.
MGT433 is a very interactive course. Please bring any example materials from your security awareness program that you can show and share with other students, including any items or imagery you use to help communicate and reinforce your security awareness program.
What You Will Receive
- Course books that include printed slides and detailed notes for each slide.
- Course lab book.
- USB stick with a digital copy of all the labs and the Security Awareness Planning Kit.
You Will Be Able To
- Identify the maturity level of your existing awareness program and decide where to take it next.
- Explain the difference between awareness, education and training.
- Explain the three different variables of risk and how they apply to human risk and security awareness training.
- Explain why people are vulnerable and how cyber attackers exploit these vulnerabilities.
- Create a Project Charter and gain management's support for your security awareness program.
- Identify the different targets of your awareness program.
- Characterize the culture of your organization and determine the most effective communication methods for that culture.
- Identify, measure and prioritize your human risks.
- Design and implement key metrics to measure the impact of your awareness program.
- Create an effective phishing assessment program.
Press & Reviews
"The 'Who' and 'What' of training and awareness is just what I needed to take back home." - David Nix, Department of Energy
"Soup to nuts, this class covers the entire designing, building, deploying and measuring of an effective security awareness program." - Chris Sorensen, GE Capital
"MGT433 gives a great view on how to build a full security program." - Eman Al Awadhi, TRA
Having been actively involved in information security for more than 15 years, I have seen one constant factor: people are the weakest link. What amazes me is that so many security professionals agree on this point, but so few do anything about it. I am determined to change that. I am extremely excited about MGT433, as we provide organizations with the skills and resources they need to build a high-impact security awareness program that will not only change behaviors, but also measure that change.
- Lance Spitzner