Christian Tijsmans is founder of Connect the Dotz and Paul Wilkinson is the owner/director of GamingWorks
How critical is cyber security training for organizations?
Not-for-profit IT governance body ISACA said in its State of Cybersecurity report that 82% of board directors are either concerned or very concerned about cyber security. 66% stress ‘enforcing security policy’, 58% ‘mandating security awareness training’ and 43% ‘following good security practices themselves’ as important executive-level behaviours to demonstrate support for cyber security and risk mitigation.
Meanwhile, AXELOS’ guide on the role of people in security awareness, Are your people playing an effective role in your cyber resilience? (updated January 2017), revealed that ‘most organizations are underestimating the “human factor” of employees’ behaviour. 75% of large organizations suffered staff-related security breaches in 2015’! These insights clearly show the need to mandate security awareness training. And this training needs to focus not just on technology but also on the ‘people factor’, which means everyone in an organization.
At the recent CIONet event in Belgium – entitled ‘How to optimize risk and security awareness’ – we facilitated two cyber security and resilience business simulation games. The aim was to show how a business simulation – an interactive, experiential learning session – can create awareness and change attitudes by creating new insights and capturing new behaviours. Indeed, security awareness should result in behaviour change, to prevent the human factor from being the most damaging security risk.
The goals of the simulation sessions were to explore:
- What is the role of an executive manager in understanding the issues and in setting strategy and policy?
- What should leaders be doing to ensure a change in attitude and a discipline in behaviour?
- What should leaders do to balance the right investments in cyber security and cyber resilience?
- What actions can be taken away and initiated in an organization?
And, as part of the simulation, players were provided with AXELOS’ RESILIA™ best practices to inform some of their activities. These include:
- Clear board-level ownership and responsibility
- Adoption of tailored learning and development of all staff
- Clear understanding of critical assets
- Clear view on key threats, risks, and vulnerabilities
- Common language used by all stakeholders
- An assessment of the company’s cyber resilience maturity
- Appropriate balance of controls to prevent, detect and correct.
Oceans 99™ business simulation
In the game, the various stakeholders make use of information systems for planning, managing, transporting and monitoring three world-renowned objects that the Bank of Tokyo is exhibiting. The challenge is to bring the objects to Tokyo on time, safely and securely. However, there are rumours that Oceans 99, a criminal organization, wants to steal the objects.
The two teams were tasked with designing a security policy, performing a risk assessment and developing a strategy for investing in security countermeasures. Observers using checklists from the RESILIA guidance relating to boardroom responsibilities monitored how the teams worked.
While it was fun playing a game, the point was to learn. And even in this intense, time-pressured situation it was interesting to see how an IT-related set of stakeholders and decision-makers all focused on ‘technology solutions’ and not on the ‘human factor’.
So, the delegates’ key learning points and take-aways were:
- Identify your ‘crown jewels’ (critical information assets) before writing your security policy. It isn’t all about systems, servers and technology.
- Security policy is a team effort – not only IT – that needs advance preparation.
- Create more security and risk awareness of threats, vulnerabilities and business risk among both the board and employees; people awareness is key, especially with social engineering as the current threat.
- Create a structured approach for risk assessment and a security roadmap for everyone. Organize the business to listen and actively steer the risks while involving business leaders in the risk management process. Work with all key stakeholders to define a risk strategy and prioritize appropriate investments.
- Users are the most vulnerable assets; they need awareness training and control systems (including clear consequences) to mitigate risk.
- You need to balance security with end-user requirements for flexibility.
- Governance is the basis of an information security programme and the board needs to take ownership and the lead in getting approval for, communicating, implementing and enforcing security governance. The board needs to recognize the risks their business is facing today and whether these risks are well mitigated or managed.
- Roles and responsibilities are key to any project.
- Technology is not the solution.
See our RESILIA™ section and our guide Are your people playing an effective role in your cyber resilience? (updated January 2017) for more information about cyber resilience.
See the GamingWorks website for more details of the Oceans 99™ simulation.