Infosec leaders from two state governments and two blue-chip ASX-listed firms say that getting people to remember and act on their cyber security training remains a key challenge.
Speaking at the CeBIT conference, the representatives from BHP Billiton, the Star Entertainment Group, and the Victorian and NSW state governments differed on how to spread infosec awareness - and then measure how much of it has stuck.
“How many people here measure their security culture by how many people will attend security training?” NSW Office of the Government Chief Information Security Officer cyber security engagement manager Charlotte Wood said.
“Please don’t measure cyber culture by how many people will turn up. Instead, look for [evidence of] the positive behaviours that you want to see.
“Are people actually locking their workstations when they walk away? How do we measure that? By actually doing a floor walk, running a campaign, and then doing another floor walk.
“You can also measure [effectiveness] or a change in behaviour by ensuring people are actually reporting incidents or near misses to the helpdesk.”
Rachael Leighton, an information security awareness specialist in Victoria’s Department of Economic Development, Jobs, Transport and Resources, said that personalising cyber security had given the department the best results.
Leighton said that rather than focusing campaigns and training on specific workplace information security (“we’ll be lucky to get three people in the room”), the department had instead led campaigns around cyber safety at home.
“By enabling people to understand what we want them to do at home and making it about how to keep your elderly parents safe online or how to stop your kids being groomed, we’re getting full houses in all the sessions we’ve done,” she said.
“The strategy we’re taking is if we can encourage people to create safe behaviours at home that will translate across into the workplace, and people are more interested in buying in.
“People are more interested in knowing what impacts them and how they keep their family safe as opposed to some information or spreadsheet or some secure document, so that’s where we’re focusing our campaign.”
Personalising infosec messages was broadly supported.
“You can give people plenty of knowledge but if they don’t care about it, if they don’t know why it matters, then they’re not going to ask the right questions or be cyber-aware,” Wood said.
“I think, from my experience, security really works well when people understand what’s in it for them, and what does it mean for me from a personal perspective and for the nature of work that I do,” BHP Billiton’s global CISO Thomas Leen said.
Leen said he looked for people demonstrating their understanding of safe behaviours at work, such as not discussing confidential topics in public spaces.
However, in a large organisation, this could be a difficult success metric to track.
He suggested a simpler metric might be to test staff after they complete a training session “so you know how [well] the training has worked”.
However, the Star Entertainment Group’s general manager of IT governance, risk and cyber resilience, Hank Opdam, declared this kind of testing “rubbish”.
He said tests were simply “the company’s way of saying we now know that you know and [of holding that against you] if you screw up in the future”.
“The really important thing is if they actually remember something,” Opdam said.
Opdam argued that perhaps organisations were too focused on changing people’s behaviours instead of making security compliance as easy as possible.