BLACK HAT 2019 – Las Vegas – As human error continues to top data breach causes, security leaders grapple with how to get employees to care about, and adopt, stronger security habits.
"When you think about the ways how you could lower that number, the first thing that comes to mind is training," said Aika Sengirbay, current security awareness program manager at Airbnb and former senior security engagement specialist at Autodesk, in the Black Hat briefing "It's Not What You Know, It's What You Do: How Data Can Shape Security Engagement."
"But compliance-focused trainings are not enough to change human behavior, and especially not enough when it comes to security behaviors," she added. Noticing the old way of training was "broken," Autodesk sought new ways to improve its employee security training strategy.
Companywide trainings, often done to "check the box" on security awareness, are not typically measured and don't offer a way to track improvement. All employees receive the same general training, which fails to engage and rarely drives progress. They wanted the new methodology to recognize their skill levels, respect their time, and motivate them to learn about security.
To accomplish this, the Autodesk teamed up with Elevate Security. Their first step was to create a list of desired employee behaviors: handle sensitive data, patch, increase reporting, and use multifactor authentication and VPNs, said Elevate co-founder Masha Sedova.
"If you had a magic wand, what would your employees be doing right now?" Sedova asked the audience. "These end up actually being mindsets; they're not things you can measure in a tangible way." This "master list" became a bank of open-ended beha ..
Support the originator by clicking the read the rest link below.
