Effecting Behavioural & Organisational Change in Cyber Security Philip Hall 28th July 2017


Page 1: Effecting Behavioural & Organisational Change in Cyber ... · digital underground, gov hacking tools, anything as a service, crypto currencies 2016: Cyber Crime $450 Billion Dollar

Effecting Behavioural & Organisational Change

in Cyber Security

Philip Hall

28th July 2017


Page 2 | Effecting Behavioural & Organisational Change in Cyber Security : Phil Hall

Agenda

1. The perfect storm & cyber awareness relevance

2. Cyber attacks - the human / people element

3. Insights from our cyber security awareness & culture journey

• Planning, behaviours & metrics

• Phishing simulations, reconnaissance & targeted phishing attacks

• Cultivating “Cyber Heroes” and a positive culture change

• “Gamification”

• Walking in the shoes of the cyber attacker

4. Summary & catalysts for success


The perfect storm & cyber awareness relevance

Means: cybercrime industrialisation, the digital underground, government hacking tools, anything as a service, cryptocurrencies

Motive: in 2016 cyber crime was a $450 billion industry; by 2019 it is predicted to reach $2 trillion

Opportunity: digital growth, “everything” online / connected, mobile, IoT, hackable buildings, smart meters, smart TVs, locks, cars…


Cyber attacks – the human / people element

• Attackers are increasingly focusing on people in order to circumvent controls & processes

• When technology capabilities are strong, attackers move on to the next weak point

• The quickest way in is to bypass the technology altogether and go through people


Planning, behaviours & metrics – “Engineering” View


Planning, behaviours & metrics – “Markitecture” View


Phishing simulations, reconnaissance & targeted phishing attacks

5,507 AMP staff targeted; very low sophistication, generic click-only scenario


Cyber intel, reconnaissance and targeted simulated attacks

• We utilise intel from real phishing attacks for AMP-wide phishing simulations

• Perform reconnaissance using publicly available information from public social media

• Create and send customised phishing emails to AMP threat communities and teams

If an AMP staff member does fall for a phishing email, they are instantly presented with information to help them learn how to spot and report the phishing email.

We only promote and highlight the skills required to successfully spot & report a phishing email, rather than victimising those that do fall for a phishing email.

• There are no losers – only “AMP Cyber Heroes”

• We congratulate & reward those who demonstrate the correct response & behaviours
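The simulation loop above (send, catch the click, present the learning page, reward the reporters) is only as useful as the numbers behind it. The script below is an added example, not code from the presentation or from AMP: it computes, from a constructed event log, each campaign's click rate, report rate, the number of people who reported without clicking (the “Cyber Hero” behaviour), the number who clicked and never reported (who get the follow-up), and how quickly the first report arrived. The log layout, event names, user ids and campaign labels are all assumptions made for the example.

```python
"""Phishing-simulation metrics over a constructed event log.

Added example: the log layout, event names and campaign labels are
assumptions made for illustration, not the presenter's tooling or data.
Event record: (campaign, user, event, minutes_after_send),
with event in {'sent', 'clicked', 'reported'}.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

Event = Tuple[str, str, str, int]

USERS = [f"u{i}" for i in range(1, 11)]  # constructed user ids


def _sends(campaign: str, users: Iterable[str]) -> List[Event]:
    """One 'sent' record per targeted user at minute 0 (constructed data)."""
    return [(campaign, u, "sent", 0) for u in users]


# Constructed sample log for three successive campaigns (not real AMP data).
SAMPLE_EVENTS: List[Event] = (
    _sends("2017-Q1", USERS) + [
        ("2017-Q1", "u1", "clicked", 5), ("2017-Q1", "u2", "clicked", 12),
        ("2017-Q1", "u3", "clicked", 40), ("2017-Q1", "u4", "clicked", 90),
        ("2017-Q1", "u5", "reported", 30), ("2017-Q1", "u3", "reported", 45),
    ]
    + _sends("2017-Q2", USERS) + [
        ("2017-Q2", "u1", "clicked", 8), ("2017-Q2", "u6", "clicked", 20),
        ("2017-Q2", "u2", "reported", 3), ("2017-Q2", "u5", "reported", 10),
        ("2017-Q2", "u7", "reported", 15), ("2017-Q2", "u6", "reported", 25),
    ]
    + _sends("2017-Q3", USERS) + [
        ("2017-Q3", "u8", "clicked", 50),
        ("2017-Q3", "u1", "reported", 2), ("2017-Q3", "u2", "reported", 4),
        ("2017-Q3", "u5", "reported", 6), ("2017-Q3", "u3", "reported", 9),
        ("2017-Q3", "u9", "reported", 11), ("2017-Q3", "u8", "reported", 60),
    ]
)


@dataclass(frozen=True)
class CampaignMetrics:
    campaign: str
    targeted: int
    clicked: int
    reported: int
    reported_without_click: int          # spotted and reported, never clicked
    clicked_not_reported: int            # clicked and stayed silent: follow-up needed
    click_rate: float
    report_rate: float
    minutes_to_first_report: Optional[int]  # how soon the SOC would have heard


def campaign_metrics(events: Iterable[Event]) -> List[CampaignMetrics]:
    """Aggregate per-campaign behaviour; campaigns are returned in sorted order."""
    sent: Dict[str, Set[str]] = defaultdict(set)
    clicked: Dict[str, Set[str]] = defaultdict(set)
    reported: Dict[str, Set[str]] = defaultdict(set)
    first_report: Dict[str, int] = {}
    for campaign, user, event, minutes in events:
        if event == "sent":
            sent[campaign].add(user)
        elif event == "clicked":
            clicked[campaign].add(user)
        elif event == "reported":
            reported[campaign].add(user)
            first_report[campaign] = min(minutes, first_report.get(campaign, minutes))
        else:
            raise ValueError(f"unknown event type {event!r}")

    out: List[CampaignMetrics] = []
    for campaign in sorted(sent):          # a campaign with no 'sent' records is skipped
        targeted = sent[campaign]
        clk = clicked[campaign] & targeted  # ignore activity from users outside the target list
        rep = reported[campaign] & targeted
        out.append(CampaignMetrics(
            campaign, len(targeted), len(clk), len(rep),
            len(rep - clk), len(clk - rep),
            len(clk) / len(targeted), len(rep) / len(targeted),
            first_report.get(campaign),
        ))
    return out


def programme_is_improving(metrics: List[CampaignMetrics]) -> bool:
    """True when the click rate fell and the report rate rose from first to last campaign."""
    if len(metrics) < 2:
        return False
    first, last = metrics[0], metrics[-1]
    return last.click_rate < first.click_rate and last.report_rate > first.report_rate


def repeat_clickers(events: Iterable[Event], min_campaigns: int = 2) -> List[str]:
    """Users who clicked in at least `min_campaigns` campaigns: candidates for coaching, not blame."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for campaign, user, event, _ in events:
        if event == "clicked":
            hits[user].add(campaign)
    return sorted(u for u, cs in hits.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    rows = campaign_metrics(SAMPLE_EVENTS)
    print(f"{'campaign':9} {'click%':>7} {'report%':>8} {'hero':>5} {'follow-up':>10} {'1st rpt (min)':>14}")
    for m in rows:
        print(f"{m.campaign:9} {m.click_rate:7.0%} {m.report_rate:8.0%} "
              f"{m.reported_without_click:5} {m.clicked_not_reported:10} {m.minutes_to_first_report!s:>14}")
    print("improving:", programme_is_improving(rows), "| repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Run it directly to print the table. The two figures worth watching are the report-without-click count, which measures the behaviour the programme is trying to create, and the minutes to the first report, which is how much warning a real attack would give the response team; the click rate on its own rewards people for doing nothing.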


Building a culture of “Cyber Heroes”


“Gamification” – Top down, bottom up

Competitiveness drives engagement

PwC “Game of Threats” with the Board, C-level, and key AMP staff & threat communities


Bringing Cyber To Life – Cyber lunch & learns, workshops & presentations

Relevant & topical


Walking in the shoes of the cyber attacker


AMP Cyber Security Awareness & Culture Outcomes - Artefacts


AMP Cyber Security Awareness & Culture Outcomes

Suspicious email reporting has increased dramatically, and click-throughs have decreased

High participation & engagement in the cyber events we run across all of AMP

We’ve extended our influence across the entire business

We’ve grown our cyber team (without any additional FTE!) and now have active security ‘ambassadors’ across the business and IT

Dollar for dollar, the awareness and culture program has been the most cost-effective control we have ever implemented


Summary & Catalysts For Success

1. The commitment of all your staff to protect your organisation is an essential component of strong cyber defence and response

2. A critical part of your cyber strategy must be to keep all your staff “cyber savvy”

3. Think outside your immediate business / organisation – make it personal

4. Integrate gamification whenever possible

5. Develop a positive security culture – reward your staff for the right attitudes & behaviours

6. Keep it topical, reward and repeat!


Thank you

For additional information, contact:

Philip Hall

Cyber Awareness & Cyber Intelligence

https://www.philiphall.com
