
Cyber resilience: Awareness is not enough

BSides Athens | 12:05 | 211 views | Published 2021-06
Category: Community
Style: Talk
About this talk
Abstract: Whether you call it human factor, insider threat, or human error, organization members comprise the #1 issue to tackle when it comes to cyber resilience. It's no secret that, whether unintentionally or not, the human factor remains a substantial threat. While a lot of organizations have recognized this threat and established awareness trainings or relevant attack simulations (e.g. phishing campaigns), this has proved to be a push forward but not enough. Attacks become more sophisticated and complicated, and if they manage to evade technical controls, it's up to the human factor to recognize and stop an attack. Within this context, the concept of Cyber Security Culture is constantly ascending, and while awareness might constitute a positive force to provide knowledge, Culture is a strategic set of actions that will institute a mindset of "this is how we do things around here". Also, while awareness relies on the individual's skills, culture fosters dimensions including attitudes, behavior, norms and more. This presentation is an introduction to and exploration of Cyber Security Culture: what it is, what comprises it, why it is important, and how it can be established and upcycled in practice.

Bio: Michalis works as a Security Operations Center Analyst at an international telecommunications and technology company. An MSc in Networks & Data Communications graduate, he looks for IOCs and how to make the most out of them to defend and preserve cyber resiliency. Following a 6-year career in IT, including a 3-year complementary course as a freelancer, he has focused solely on cyber security over the last two years. Father, husband, owns a wine cooler and enjoys the outdoors as a volunteer of the Soma Hellinon Proskopon.
Transcript [en]

Hi, my name is Michalis and I'm going to introduce you to the concept of cybersecurity culture and discuss why awareness is not enough in order to achieve cyber resilience. A few things about myself: I work as a Security Operations Center Analyst and Engineer at PCCW Global. I have seven years' experience in ICT, and for the last two years I have worked solely in cybersecurity. You may reach out to me on Twitter and LinkedIn in order to connect.

As for the content of this presentation, first we'll introduce the importance of the human factor in cybersecurity. Then we will get to know the definition of cybersecurity culture, how to cultivate cybersecurity culture, cybersecurity culture frameworks, activities and the relevant maturity model.

So, about the human factor: some facts. Phishing campaigns were the second top infection vector for 2020. At the same time, over 100 executives were targeted in precision phishing campaigns. 58% of organizations have reported that employees did not take cybersecurity guidelines into consideration. Almost 50% of data loss incidents that have taken place were due to people's mistakes. And last but not least, a recent report indicates that 99% of attacks observed require human interaction to succeed.

A recent report from Forrester indicates that most newly hired chief information security officers would be best served by initially focusing time and attention on their workforce, not their systems and processes.

So what's the difference between awareness and cybersecurity culture? Well, awareness refers to the knowledge that something exists, or an understanding of a situation or subject at the present time based on information or experience. Cybersecurity culture, on the other hand, covers a broader perspective and refers to the knowledge, beliefs, perceptions, attitudes, assumptions, norms and values of people regarding cybersecurity, and how they manifest in people's behavior with information technologies. To put it in simple words, it's what someone would describe as "how we do things around here": how we handle cybersecurity.

So, the first step is to understand how we can cultivate cybersecurity culture, and ENISA has a clear path of eight steps that were introduced in its guideline on what exactly has to be done.

First, you have to assemble a team. A team that is not comprised only of IT, but could include other functions that directly affect cybersecurity culture within an organization; one could say it could be legal, management and others.

Second, outline the business: understand what your business is and what the current status of cybersecurity is, in order to know in detail what you have to tackle. So you have to know the structure, you have to know which functions might need more effort, and also to understand in detail the security of your organization.

Third, set out the goals. What do you want to achieve? What needs to be tackled? What needs to be improved?

The fourth point, which is very important and we'll discuss it later on as well, is to quantify the current cybersecurity culture. This is a step where you need to carry out an assessment of the current status of cybersecurity culture.

Fifth, after all this, you might need to write down some actions. What can you do in order to improve cybersecurity in your organization? How do you foster change, how do you make people change their behaviors and attitudes towards the things that are carried out daily that have to do with cybersecurity?

Sixth is about execution. You roll out everything that you have documented in the previous step, all the actions, and you closely supervise in order to see how it goes.

The seventh step includes evaluation. What has been done so far? Which actions have gone well? And maybe this is the step where you have to re-evaluate the cybersecurity culture and see what changed.

And the eighth and most important step is the step of upcycling. We've gone through all this, we've gone far, but we might need to re-evaluate some things and take some further actions in order to improve ourselves. So you go back to steps two to five, redefine them, then go back to execution, and then you start from the beginning.

Now, discussing the frameworks that comprise the cybersecurity culture. In order to assess cybersecurity culture, there are a lot of frameworks that you can take into consideration; there are a lot of academic and commercial ones. Some of them are mentioned here, but let's go deep and get acquainted with one that was recently published, the Sains Enhanced Framework. In order to assess cybersecurity culture, there are different elements. In this framework there are five: superstructural, which includes all forces from outside the organization that directly affect cybersecurity culture; artifacts; espoused values; certus assumptions; and knowledge.

For each and every one, you can also see an example. For example, for the artifacts, which are the visible elements of organization structure and process, the organization member is asked if he or she can understand the information security policy sections that are applicable to his or her job. As for knowledge, for example, it is the necessary underlying information security knowledge that an organization member is supposed to have, so the relevant assessment question would be: "I know what the risk is when opening emails from unknown senders, especially if there is an attachment."

So, by taking into account step two, the structure and the relevant security assessment, and then going to step four, where cybersecurity culture is actually assessed, by taking into account the elements and dimensions one can build the questionnaire in order to make the relevant assessment.

But moving forward from the assessment to the actual activities that need to take place, again ENISA has a proposal on specific activities, which comprise three categories: online, hybrid and offline. You may already be acquainted with some of them: emails, online training courses, conducting mock attacks where you perform phishing tests within an organization, trainings, events, etc. There are a lot of options that you can take into consideration in order to provide activities and cultivate cybersecurity culture.

Up until now you know how to assess cybersecurity culture, and what and how to improve it with specific ideas for activities. So how do you know where you stand with cybersecurity culture? Is there a maturity model? Yes, there is, and you can take this into account. You can either consider that you don't have a cybersecurity culture, so it's not available. You have a repeatable sort of cybersecurity culture where there is a program designed for compliance or audit requirements; let's say, for example, if you have a yearly audit for ISO, you might need to take some steps towards it. Cybersecurity culture is defined where specific goals are defined for behavioral change. It is controlled where there are the specific necessary processes, resources and leadership to support long-term and life-cycle cybersecurity culture. And the last step is optimizing, where progress and impact are measured with demonstrable ROI.

Well, this is the most important, because this is the level where you can actually measure the return on investment when you perform an assessment for cybersecurity culture. Let's say that you do have a cybersecurity culture program in place and some of the actions that take place have indeed improved the performance of employees: what have you gained through the years of this program that is in place, how many incidents you may have avoided, how many emails employees and organization members have reported to the help desk, etc.

An important note to take into consideration here is that the SANS Institute reports that most companies do not get beyond level 3. Level 3 is the defined level, where goals are defined for behavioural change. So you understand that cybersecurity culture is quite a big challenge and maybe needs a lot of effort to be deployed.

You may find at this link some of the links and references that were used in order to prepare this presentation. Before I close, I would like to refer you to a quote from Lao Tse: a journey of a thousand miles begins with a single step. So you might want to take into consideration the guidelines mentioned in this presentation in order to start cultivating your cybersecurity culture. It definitely is going to improve your cyber resilience. Thank you for watching this presentation, and enjoy BSides Athens 2021.
