Cool Security Stuff for End-Users (Input needed!)
SoCalGuy858
Member Posts: 150 ■■■□□□□□□□
I'm working on designing a page of our intranet collaboration portal that is intended to be a "one stop shop" for end-users on security. Here's what I've got so far... what else would you add to something like this? The target is the end-user... and the vast majority of ours are non-technical, so I'm trying to keep this well below the "eye-glazing" technical level.
- How to report something suspicious
- Security tips / RSS feed of SANS Tip of the Day
- A listing of cool, end user-related security resources (SANS newsletters, National Cybersecurity Awareness Month resources, threat maps with flashy lights, etc.)
- An RSS feed of a select few "end user-friendly" blogs
- Links to all corporate security policies, procedures, and documents
EDIT so newcomers see this. This isn't supposed to be 'THE' entire security awareness training program. We've already got that. Videos, phish/vish/USB assessments, posters, e-mail alerts, etc. All supported and enforced by senior management. This is a "bonus" add-on... a "nice to have".
LinkedIn - Just mention you're from TE!
Comments
-
iBrokeIT
Member Posts: 1,318 ■■■■■■■■■□
I don't know your environment or users, but I think you need to be honest with yourself about your expectations if you are going to implement a "go to this website and read everything" approach. How many of your users are going to actually use it, and will they actually understand the content as it is presented? Is this approach worth the effort?
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
SoCalGuy858
Member Posts: 150 ■■■□□□□□□□
It's something that was "requested" (i.e. assigned) by management... doing what I can! Very good point though!
I'm trying to keep it as simple as possible with as much "cool" stuff as possible... links to things like "HaveIBeenPwned", threat maps and other blinky lights... easier-to-read RSS feeds that don't go into too much techy detail, etc., etc.
We already have mandatory video training at the beginning of employment as well as every follow-on quarter (among other things). This is primarily a secondary reference.
LinkedIn - Just mention you're from TE!
-
chrisone
Member Posts: 2,278 ■■■■■■■■■□
You need to mandate or enforce this with your compliance department.
This will help your overall end user training goal .... for free. Cofense has CBFree video training. They have compliance modules and awareness modules. The awareness modules are where you educate the users on phishing, spam, etc. All videos are 5mins with 2-4 questions at the end.
Overview
https://cofense.com/cbfree-computer-based-training/
Awareness Module Signup
https://cofense.com/cbfree-download-awareness-modules/
Compliance Module Signup
https://cofense.com/cbfree-download-cbt-modules/
Hopefully your employer takes security seriously and backs you up on having users review these. I work in the finance industry, so it's actually law....
Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
2023 Cert Goals: SC-100, eCPTX
-
iBrokeIT
Member Posts: 1,318 ■■■■■■■■■□
SoCalGuy858 said:
It's something that was "requested" (i.e. assigned) by management... doing what I can! Very good point though!
I'm trying to keep it as simple as possible with as much "cool" stuff as possible... links to thinks like "HaveIBeenPwned", threat maps and other blinky lights... easier-to-read RSS feeds that don't go into too much techy detail, etc, etc.
We already have mandatory video training at the beginning of employment as well as every follow-on quarter (among other things). This is primarily as a secondary reference.
Effective end user security awareness training should be short, relevant, and if possible entertaining.
A better approach would be to hold webinar that is recorded and posted on your intranet where you provide few examples of recent credential stuffing attacks. Explain how the users can protect themselves by using "HaveIBeenPwned" and a password manager.
Imagine if HR dropped a 200 page packet on your desk, said all of your benefits were changing and walked away without providing any sort of summary or analysis. That's what you are doing to your users by throwing links and feeds at them without any sort of personal touch and relevant context.
2019: GPEN | GCFE | GXPN | GICSP | CySA+
2020: GCIP | GCIA
2021: GRID | GDSA | Pentest+
2022: GMON | GDAT
2023: GREM | GSE | GCFA
WGU BS IT-NA | SANS Grad Cert: PT&EH | SANS Grad Cert: ICS Security | SANS Grad Cert: Cyber Defense Ops | SANS Grad Cert: Incident Response
-
paul78
Member Posts: 3,016 ■■■■■■■■■■
Perhaps @LisaPlaggemier would comment. She has good ideas about how to do this.
I'm kinda curious myself, since I have noticed that most of these types of information dissemination techniques tend to not actually be effective and are usually done only to meet a compliance checkbox.
-
LonerVamp
Member Posts: 518 ■■■■■■■■□□
If you have the ability, put in a new quiz item every week, something easy and interesting.
A recurring section, like a news post, with phishing examples and clues to spot them and what to do can be interesting. Especially if you're pulling redacted, real ones as reported/detected by your controls.
There are two ways, in my mind, to do a portal like this. Some people will think this is mandatory that people read like hawks and visit regularly. I don't think that is realistic. But you should at the very least strive to make it a place someone bored or who is looking for specific information may go to answer their questions. Even if it's a Help Desk tech fielding a call and wanting to reference what security said about this on their portal. Presenting a portal to IT Security is NOT equal to satisfying user security training. It can be just a piece of it.
In my opinion, if even some people use the portal, that's success in my books. It's certainly better than security being a closed book that you can only engage with donuts and incidents.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
-
SoCalGuy858
Member Posts: 150 ■■■□□□□□□□
Thanks for the input, everyone, but I should've clarified earlier: this isn't supposed to be 'security awareness training'. We've already got that. Videos, quizzes, phishing assessments, vishing assessments, USB drop assessments, posters, alert e-mail blasts, the whole nine yards. This is simply a "security team reference page" of sorts. Management is taking an interest in various teams having their own intranet page/site, so that's what I'm looking at filling ours with.
LinkedIn - Just mention you're from TE!
-
paul78
Member Posts: 3,016 ■■■■■■■■■■
@SoCalGuy858 - ahh - ok - that makes sense. You may want to consider also treating it like a marketing page for the team as well. I think that often other internal teams may not understand the value of an internal security team. So you could also do something like:
- Show the mission statement and charter for the department - for example - what problem does the security team solve for the company.
- List the out-of-scope items for the team - sometimes people think that security solves all tangential tech items as well. For example - does your team also handle physical access? If that's handled through facilities - maybe a link to their page.
- Some metrics that show the success of the team - this one is tricky because you don't necessarily want to expose confidential info and some info may not have context. But you could show some graphics or stats on things like # of virus infections the team dealt with in the company - maybe the # of attacks (loosely used term) against the perimeter.
- If the team has projects in-flight - a brief "here's what we are currently working on" and most importantly is to list the "why" of the project, and how success will be measured.
I really like @LonerVamp's idea of using a quiz. Maybe you can gamify it - offer a monthly prize like a Starbucks or Amazon card to the person that has the most points. The quiz questions could not only be general security awareness knowledge but about content on the intranet site.
Just my 2 cents - maintaining an intranet site requires care and feeding - so if your content becomes stale or irrelevant - people will stop visiting it.
-
Infosec_Sam
Admin Posts: 527 Admin
paul78 said:
@SoCalGuy858 - ahh - ok - that makes sense. You may want to consider also treating it like a marketing page for the team as well. I think that often other internal teams may not understand the value of an internal security team. So you could also do something like:
- Show the mission statement and charter for the department - for example - what problem does the security team solve for the company.
- List the out-of-scope items for the team - sometimes people think that security solves all tangential tech items as well. For example - does your team also handle physical access? If that's handled through facilities - maybe a link to their page.
- Some metrics that show the success of the team - this one is tricky because you don't necessarily want to expose confidential info and some info may not have context. But you could show some graphics or stats on things like # of virus infections the team dealt with in the company - maybe the # of attacks (loosely used term) against the perimeter.
- If the team has projects in-flight - a brief "here's what we are currently working on" and most importantly is to list the "why" of the project, and how success will be measured.
I really like @LonerVamp's idea of using a quiz. Maybe you can gamify it - offer a monthly prize like a Starbucks or Amazon card to the person that has the most points. The quiz questions could not only be general security awareness knowledge but about content on the intranet site.
Just my 2 cents - maintaining an intranet site requires care and feeding - so if your content becomes stale or irrelevant - people will stop visiting it.
-
SoCalGuy858
Member Posts: 150 ■■■□□□□□□□
@paul78 and @Infosec_Sam
That's some good stuff right there! ...and plays into exactly how I'm trying to frame this whole thing: as a marketing tool to spread the word of who we are and what we do; not to be the internal source of training.
Thanks, gents!
LinkedIn - Just mention you're from TE!
-
SoCalGuy858
Member Posts: 150 ■■■□□□□□□□
chrisone said:
You need to mandate or enforce this with your compliance department.
This will help your overall end user training goal .... for free. Cofense has CBFree video training. They have compliance modules and awareness modules. The awareness modules are where you educate the users on phishing, spam, etc. All videos are 5mins with 2-4 questions at the end.
Overview
https://cofense.com/cbfree-computer-based-training/
Awareness Module Signup
https://cofense.com/cbfree-download-awareness-modules/
Compliance Module Signup
https://cofense.com/cbfree-download-cbt-modules/
Hopefully your employer takes security seriously and backs you up on having users review these. I work in the finance industry, so it's actually law....
LinkedIn - Just mention you're from TE!
-
LisaPlaggemier
Member Posts: 17 ■■■□□□□□□□
Hi all - some random thoughts... hope it's helpful....
- Don't forget to tell people not just how to report but what to report and when to report (i.e. immediately; don't try to fix stuff yourself). Remember, the term "security incident" is our jargon, and not everyone knows what constitutes an incident in your environment. I've used one reporting mechanism for all incidents: data security, physical security, data privacy, data leakage, etc. Make it easy on people by giving them one central way to report - run the triage behind the scenes.
- I organized my site by area of interest for the audience - so, a tab on AppSec for developers, a tab on travel security for travelers like sales and field engineers, etc. The home page had up-to-date info, like a "catch of the day" with kudos to people who reported phish. That being said, if you expect people to visit, you have to keep it current. It's a beast you gotta feed.
- Use it as a place to drive people for info, like from articles and newsletters. If you're sending out an email on a topic, include a link to your employee security portal "for more information."
- Def include a who's who in the security team. With photos.
- @paul78 agree with all his ideas above - tell folks what you do for the company. Many people will be surprised to know.
-
SoCalGuy858
Member Posts: 150 ■■■□□□□□□□
That's excellent stuff --- thank you!
LinkedIn - Just mention you're from TE!