Developing a Full-Spectrum Security Training Program
Wayne State University, Computing & Information Technology
Kevin Hayes, CISSP, CISM, Information Security Officer
Geoff Nathan, Faculty Liaison
Agenda
• Background
• Our First Pilot
• Program Implementation
• Program Results
• Feedback from You
Why We Didn’t Already Have IT Security Awareness Education
• Taking the training required effort people
either would not or could not perform.
• Nobody in authority wanted to take on both
the technical and political challenges.
• We had an old Blackboard course, but it was
annoying to access & never updated.
So what changed?
• Threats are growing, creating a technology
arms race that’s difficult to keep up with.
• People have been asking for training and
guidance more frequently.
• We wanted to ensure a cohesive program was
developed – not just deliver static and stale
content in a “one size fits all” approach.
Setting the Table for Change
• We get about 10 calls a day from vendors
promising us the perfect technical solution
that will solve all our security woes, but…
• …funding and staff are difficult to come by.
• Academic environment makes it a challenge to
put restrictive controls in place.
• But, with a new administration came a new
opportunity.
First Steps
• Large push by Information Security Office and
Quality, Communications & Compliance
• Drafted a Program Charter.
• Audience will be all managers, IT staff, and
individuals with enterprise system (Banner in
our case) access – about 2500 people.
• Charter approval by IT Risk/Oversight Group.
• Started with a Pilot Implementation directed
at internal IT staff only.
Beginning the Pilot
• We were new at this and still evaluating
various goals.
• Decided to purchase online videos.
• Evaluated SANS STH and TeachPrivacy.
• Forced own department to take TeachPrivacy.
• Trickled content (2-3 per month) over a few
months.
• Content loaded in the Accelerate HR LMS.
What happened in the Pilot?
• 250 people watched the videos.
• Solicited and measured feedback:
– “These videos are a joke at best.”
– “The content is passable, but the quality of the
software and presentation is deplorable. I would
not pay anyone for this service, but I might show it
to my less technically literate employees if it were
free and there were no better free alternatives.”
The Pilot showed deficiencies
• Half of the people liked the trickled release; half preferred everything at once.
• Content did not use WSU terminology or
policies.
• Issues with clarity and wording of quiz
questions.
• Videos had poor production: monotone
narration, use of clip art, low audio quality.
Pilot conclusions
• Content was good, delivery not so much.
• People still wanted to learn things, kinda.
• Resistance for taking the training:
– “I already know this”
– “I don’t have time”
– “The system is frustrating to use”
– “There’s no point to this”
• We knew we had to make significant changes.
A light turns on
• Our primary job is to teach things. Why are we
limiting ourselves?
• News Flash: People learn differently.
• Why can’t we do different things to address
the underlying reasons people won’t take the
training?
A star is born
• We decided to offer different training methods.
• Use the same learning objectives for all training.
• Taking any one training method will certify you.
• Learn to be flexible via three options:
– Online Videos
– In-Person Seminar
– Advanced Placement Exam
• Created a new project plan for implementation.
A few more goals
• Did not want to exclude any employees.
• Wanted content to change frequently and be
dynamic.
• Doesn’t require substantial resources to
maintain.
– Getting program started took several people many
months to identify and iron out many wrinkles.
Different training; same education.
• No matter how you learn, content is the same:
1. Need for IT Security
2. Properly Securing Data
3. Credential Management
4. Phishing & Email Attacks
5. Dealing with Malware
6. Reporting IT Security Incidents
• Goal is to make people aware of security.
Option One: Updated Online Videos
• Online videos are great for self-starters who want
to knock out bits and pieces here and there.
• Purchased selection of training videos from
Inspired eLearning
• Addressed production quality.
• 3 modules for staff, 4 for managers.
• Installed in Accelerate HR LMS
– Blackboard had issues with more than 1,000 registrations and with large gradebooks.
Option Two: Created In-Person Seminar
• Created 90 minute presentation.
• Held across campus several times a month.
– Have AM and PM sessions on a Friday.
– Sessions held in different campus buildings.
• Allows for more interactivity and “traditional
learning”.
• Sign up using existing training registration
system.
Option Two: Sign-up facility
Option Three: Created Test-Out Option
• For those that already know security
(or at least claim to).
• Created online 24 Question “Advanced
Placement Exam” in Qualtrics based on
learning objectives and program content.
• Only one try permitted per 12 months.
• No easy questions.
• High Passing percentage required (85%).
Keeping the training simple
• “Have an answer for every yes, but”
• Created portal landing page:
– https://computing.wayne.edu/securityawareness
• Try for minimal-click solutions where possible.
• Created Program FAQ and Knowledge Base
with tips and actionable advice on security
topics.
• Made an easy quick-reference sheet.
Comes with a handy hand-out
Tracking Program Completion
• Our web developers created a web application
to consolidate completion data:
– Weekly CSV Import for Online Videos
– Attendance Sheet for In-Person Seminars
– Qualtrics HTTP POST Call for AP Test
• Permit managers to see progress of their
employees and department as a whole.
• Awesome spread sheet developed during web
application development.
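The three completion feeds above (a weekly LMS CSV export, a seminar attendance sheet, and a Qualtrics HTTP POST for the AP exam) all land in one table with a certification date and an expiry, and are then rolled up per manager. The script below is an added illustration of that consolidation; it is not WSU’s web application, and every column name, JSON field, access ID, manager ID and record in it is constructed for the example. The constants encode the rules the deck states: 3 video modules for staff and 4 for managers, an 85% AP pass mark, one AP attempt per 12 months, and a two-year certification.

```python
import csv
import io
import json
from collections import defaultdict
from datetime import date, timedelta

CERT_VALID_DAYS = 2 * 365                     # certification currently lasts two years
AP_PASS_PCT = 85                              # AP exam pass mark after it was lowered from 90%
AP_RETRY_DAYS = 365                           # only one AP attempt permitted per 12 months
MODULES_REQUIRED = {"staff": 3, "manager": 4}  # 3 video modules for staff, 4 for managers

# --- Constructed sample inputs (assumed formats, not real WSU data) -------------
LMS_CSV = """access_id,role,module,completed_on
ab1234,staff,1,2015-01-20
ab1234,staff,2,2015-01-27
ab1234,staff,3,2015-02-03
cd5678,manager,1,2015-02-10
cd5678,manager,2,2015-02-10
cd5678,manager,3,2015-02-17
"""
ATTENDANCE = [("ef9012", "2015-03-06"), ("ab1234", "2015-03-06")]  # (access_id, seminar date)
AP_POSTS = [  # one JSON body per Qualtrics POST
    '{"access_id": "gh3456", "score": 21, "total": 24, "finished": "2015-03-04"}',
    '{"access_id": "ij7890", "score": 19, "total": 24, "finished": "2015-03-05"}',
    '{"access_id": "ij7890", "score": 23, "total": 24, "finished": "2015-03-12"}',
]
ROSTER = {"ab1234": "mgr_a", "cd5678": "mgr_a",          # access_id -> manager
          "ef9012": "mgr_b", "gh3456": "mgr_b", "ij7890": "mgr_b"}


def lms_completions(csv_text):
    """{access_id: date} for people who finished every module their role requires.
    The certification date is the day the last required module was completed."""
    done, roles = defaultdict(dict), {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        roles[row["access_id"]] = row["role"]
        done[row["access_id"]][int(row["module"])] = date.fromisoformat(row["completed_on"])
    return {uid: max(mods.values()) for uid, mods in done.items()
            if len(mods) >= MODULES_REQUIRED[roles[uid]]}


def seminar_completions(rows):
    """Attendance sheet: attending a seminar certifies you on that date."""
    return {uid: date.fromisoformat(d) for uid, d in rows}


def ap_completions(payloads):
    """Qualtrics POST bodies, processed in order of completion. A second attempt
    inside the 12-month window is rejected even if it would have passed."""
    certified, last_attempt, rejected = {}, {}, []
    for raw in sorted(payloads, key=lambda p: json.loads(p)["finished"]):
        p = json.loads(raw)
        uid, finished = p["access_id"], date.fromisoformat(p["finished"])
        if uid in last_attempt and (finished - last_attempt[uid]).days < AP_RETRY_DAYS:
            rejected.append((uid, finished))
            continue
        last_attempt[uid] = finished
        if 100 * p["score"] / p["total"] >= AP_PASS_PCT:
            certified[uid] = finished
    return certified, rejected


def consolidate(sources):
    """sources: {method: {access_id: certified_on}}. Keep the earliest certification
    per person (someone may both watch the videos and attend a seminar) and stamp expiry."""
    records = {}
    for method, certs in sources.items():
        for uid, on in certs.items():
            if uid not in records or on < records[uid]["certified_on"]:
                records[uid] = {"method": method, "certified_on": on,
                                "expires_on": on + timedelta(days=CERT_VALID_DAYS)}
    return records


def manager_progress(records, roster, today):
    """Per-manager (certified, total), counting only certifications still valid today."""
    progress = defaultdict(lambda: [0, 0])
    for uid, mgr in roster.items():
        progress[mgr][1] += 1
        rec = records.get(uid)
        if rec and rec["expires_on"] > today:
            progress[mgr][0] += 1
    return {m: tuple(v) for m, v in progress.items()}


def build_report(today="2015-03-15"):
    """Run all three feeds through the pipeline; returns (records, progress, rejected AP attempts)."""
    ap, rejected = ap_completions(AP_POSTS)
    records = consolidate({"Videos": lms_completions(LMS_CSV),
                           "Seminar": seminar_completions(ATTENDANCE),
                           "AP Test": ap})
    return records, manager_progress(records, ROSTER, date.fromisoformat(today)), rejected


if __name__ == "__main__":
    records, progress, rejected = build_report()
    for uid, r in sorted(records.items()):
        print(uid, r["method"], r["certified_on"], "expires", r["expires_on"])
    print("per-manager progress (certified, total):", progress)
    print("AP attempts rejected (retry inside 12 months):", rejected)
```

In the sample data cd5678 has only three of the four manager modules and so does not appear as certified, ij7890 failed the AP exam at 79% and has the retry a week later rejected, and ab1234 keeps the earlier video certification rather than the later seminar date. Calling `build_report("2017-02-02")` shows the expiry rule in action: ab1234’s two-year certification has lapsed by then and mgr_a drops to 0 of 2.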
Testing the new approach
• Perform beta testing and solicit feedback for
all three methods of training:
– Gave demo of seminar to C&IT staff.
– AP Test to select Provost staff. (AVP’s and Deans
Council)
– Online videos to HR staff.
• Very positive feedback on all approaches.
• Feedback used to fine-tune each offering.
Making it rewarding
• Training should not be one-way effort.
• Give something tangible back to those who
“toiled”.
• Certificate printed on fancy paper, with JPEG signatures of the CIO, ISO, and Faculty Liaison.
• Congratulations letter physically signed by ISO.
• People have been requesting and proudly
displaying their certificates.
Fancy certificate paper: 10 cents each.
Employees voluntarily showcasing their certificates: PRICELESS.
Making the Push
• Provost’s office critical to getting off the
ground – especially after the Pilot phase.
• Provost kept in the loop during all beta testing
phases.
• Provost insisted their office, as well as all the
deans and senior staff, be trained first.
• Email message from our president sent to the
identified population of 2500 people.
Midflight Changes
• Executive management needed shorter seminar.
– Really difficult to cut presentation by one-third.
– Less background information and content review.
– Directly focus on key points.
• Break up regular seminar to include breaks.
• Wording changes in AP exam.
• Reduced the AP exam passing grade from 90% to 85%.
Final & Current Product
• Comprehensive, multi-modal training options.
• Not time intensive; less than two hours.
• Simple to access.
• Support from executive management.
• Leverage good reputation of IT and ISO.
• Not a lot of ongoing InfoSec time investment:
– 4-6 hours per month for Seminars
– 30 Minutes per week for certificates.
Analyzing Program Results
• Continue to measure and evaluate all training
options.
• Every topic was rated “Very Useful” by attendees, scoring at least 6.4 out of 7.
• Personal anecdotes and stories were the most effective way of getting the information across.
Security Training teaches
[Chart: responses to “How much do you feel you personally learned?”, counted across Nothing / Few Things / Fair Amount / A Whole Lot]
Security Training is valuable
• 90% of respondents rated the amount of
content delivered as “Just Right”.
• All respondents felt this training met their
expectations, with 60% of them having their
expectation exceeded.
• Respondents are rating the training as
valuable, applicable, and recommend it to
their coworkers.
Security Training is accepted
[Chart: respondent ratings of the training as Applicable, Valuable and Recommended, on a scale of 1 (Worst) to 5 (Best)]
Security Training is working
• Spearheaded by Provost, all Deans & Senior Staff.
• Over 530 individuals have been certified.
• All three training options are proving successful.
[Chart: certifications by method. AP Test: 145 (27%); Videos and Seminar account for the remaining 243 (46%) and 145 (27%).]
Security Training is working
• Official Program Rollout March 1st
• Steady Certification Progress; about 50 per week after initial surge.
• Managers mandating training for their staff.
[Chart: cumulative certifications over time, 12/10/2014 through 3/10/2015, y-axis 0 to 400]
Feedback on Security Training
“I thought the training program was well-conceived and informative. It was appropriate for
WSU employees at a wide range of positions
within the university. The speakers had solid
expertise and experience with the topic and made
the presentations interesting and engaging.”
“Your examples of incidents were good and
relevant to me.”
Feedback on Security Training
“I thought it was an excellent training session;
Geoff and Kevin are knowledgeable, articulate,
and they made the session entertaining.”
“The training was very informative and I think
that all staff should attend one of the sessions if
possible. Thanks!”
Feedback on Security Training from a faculty member (!)
“The committee was one of the first to receive an
exceptional presentation on internet security. I
have sat on the FSST committee for about seven
years and to the best of my recollection have
never before seen a presenter receive a round of
applause. I encourage you and your chairs to
invite them to present at their departmental
meetings.”
Security Training is ongoing
• Content continually updated based on
participant feedback and new threats.
– Updated information in training materials
– New Knowledge Base articles and actionable tips
• Send courtesy emails to certified employees
every few months with applicable content.
• We come to users and hold dedicated seminars
for staff around their schedule.
Future Goals
• Security Awareness certification will be needed
for enterprise system access.
– Waiting for “Critical Mass” of certifications.
– Mandated by University IT Governance Council.
– Identity Management will be used to enforce.
• Certification currently lasts two years,
eventually move down to one.
• Make part of HR onboarding process.
Your Feedback & Discussion