resources.infosecinstitute.com
162.159.135.42
Public Scan
Submitted URL: https://click.e.infosecinstitute.com/?qs=c47480c17f765482c616a1f11a609131d26100074995fed705fb6413bec3dc3d8e7fc17c805ce2e3db24d4afdd73...
Effective URL: https://resources.infosecinstitute.com/topic/reducing-cybersecurity-risks-with-strong-awareness-reporting/?utm_source=marketing%20cloud...
Submission: On March 24 via api from US — Scanned from DE
Form analysis
2 forms found in the DOM
https://resources.infosecinstitute.com
<form class="position-relative" action="https://resources.infosecinstitute.com">
<input type="text" placeholder="Search" name="s">
<button type="submit" class="fas fa-search"></button>
<div class="fas fa-times close-search" id="close-search"></div>
</form>
POST https://resources.infosecinstitute.com/wp-comments-post.php
<form action="https://resources.infosecinstitute.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<p class="comment-notes"><span id="email-notes">Your email address will not be published.</span> <span class="required-field-message" aria-hidden="true">Required fields are marked <span class="required" aria-hidden="true">*</span></span></p>
<p class="comment-form-comment"><label for="comment">Comment <span class="required" aria-hidden="true">*</span></label> <textarea id="comment" name="comment" cols="45" rows="8" maxlength="65525" required="required"></textarea></p>
<p class="comment-form-author"><label for="author">Name <span class="required" aria-hidden="true">*</span></label> <input id="author" name="author" type="text" value="" size="30" maxlength="245" required="required"></p>
<p class="comment-form-email"><label for="email">Email <span class="required" aria-hidden="true">*</span></label> <input id="email" name="email" type="text" value="" size="30" maxlength="100" aria-describedby="email-notes" required="required"></p>
<p class="comment-form-url"><label for="url">Website</label> <input id="url" name="url" type="text" value="" size="30" maxlength="200"></p>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="Post Comment"> <input type="hidden" name="comment_post_ID" value="62447" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
</form>
Text Content
Industry insights
REDUCING CYBERSECURITY RISKS WITH STRONG AWARENESS REPORTING
February 21, 2022 by Patrick Mallory

Although cybersecurity has always been a top concern for business executives, the rapid and dramatic shift to a remote and flexible work environment has put this form of risk at the forefront of their minds. Regardless of industry or location, nearly half of all executives surveyed in a recent MetricStream report noted that cybersecurity was their top business risk. At the same time, a look at the top passwords in use, all of which involve a series of sequential numbers or keystrokes, shows just how wide the divide is between principle and practice. Unfortunately, lax and insecure passwords are only the tip of the iceberg when it comes to understanding the role and importance of cybersecurity awareness training.
Such a program should enforce good password hygiene and promote safe browsing, email, mobile and other security best practices. So whether your organization is just beginning to establish its cybersecurity awareness program or you're looking to take it to the next level, here are some key things your training may be missing.

MEASURING THE IMPACT OF A CYBERSECURITY AWARENESS PROGRAM

According to the most recent Verizon Data Breach Investigations Report, about 22 percent of security incidents in 2021 can be traced back to human error by employees inside an organization. This number has stayed roughly the same since 2018. Over most of that same period, however, organizational budgets for security awareness training were steadily increasing, growing from about $137 per employee in 2018 to $203, according to Mimecast. So how can the number of human-enabled attacks stay the same even as spending on security awareness training continues to increase? One answer could be that organizations simply spend more without getting the proverbial awareness bang for their security buck. As with many other aspects of evaluating the return on investment of a strong cybersecurity program, evaluating the role and benefits of cybersecurity awareness can be difficult. Some organizations attempt to measure the number of threats blocked by existing security controls, such as phishing messages that are scanned and deleted, or the open rate of their phishing-awareness campaigns. In today's high-risk environment, matched by high scrutiny of security budgets, that alone isn't enough.
This challenge is one that Infosec's Jordan Filip, Client Success Team Lead, and Kevin Angeley, Senior Sales Engineer, have been working hard to help organizations overcome, and the two discussed it in a recent Infosec Inspire session.

"We've realized that what customers need and should expect from their security awareness training program is the same level of enterprise-grade reporting that helps drive other parts of their business," notes Angeley. "Since we've been collecting information and working with our customers to create and identify key performance indicators in their account, we've learned that success goes beyond the phishing rate you see on your dashboard."

OTHER INDICATORS OF THE STRENGTH OF YOUR SECURITY CULTURE

Most organizations with security awareness programs are familiar with some of the more common phishing-related metrics, such as the report rate and the time to report. Many also have methods to measure the impact of security awareness programs among their employees, such as collecting feedback from courses or surveys. However, with IBM reporting that the average cost of a data breach is at an all-time high of $4.24 million, Angeley and Filip wanted to help organizations go beyond these metrics and use additional data analysis tools and key performance indicators to spot trends and measure success. While there are several dimensions to these metrics, Angeley and Filip believe that they all boil down to identifying ways to measure and increase engagement in order to mitigate security risk. "This is an important correlation because engaged learners learn more effectively, retain more, and are less likely to fall victim to a security attack," emphasizes Angeley.

COMPREHENSIVELY MEASURING SECURITY AWARENESS

Angeley and Filip help organizations take advantage of Infosec's Security Culture Surveys, which measure the performance of security awareness programs with questions that tie back to five different domains.
Able to be completed once a year or biannually, Infosec's Security Culture Survey covers the following five domains:

Confidence: How learners feel about putting their security knowledge to practical use. These questions are a great way to track the maturity of a security awareness program over time.
* Sample question: How confident are you that you would know what to do if you witnessed a cybersecurity incident?

Responsibility: How well learners understand their role in implementing their organization's cybersecurity program.
* Sample questions can cover the specific policies and procedures expected of employees in a particular functional role (e.g., human resources professionals keeping data private).

Engagement: The number of employees completing the required cybersecurity awareness training on time, and how relevant the program is to their role in the organization.
* Sample question: How relevant is the cybersecurity training you receive at work to your life and activities outside of work?

Trust: How employees perceive IT and security in their organization, and how strong they believe the existing security program to be.
* Sample question: How comfortable are you reaching out to your IT or security team for assistance?

Outcomes: How well employees understand the impact of a security incident on the health or reputation of their organization.
* Sample question: How seriously do you think a cybersecurity issue would be taken if you reported one at your workplace?

HOW TO TAKE YOUR CYBERSECURITY AWARENESS PROGRAM TO THE NEXT LEVEL

There is more to a strong cybersecurity awareness program than phishing training, regular training and at least an annual survey. So what are some of the recommendations that Angeley and Filip have for organizations looking to bolster their overall security programs?

* Identify champions from across the functional areas within your organization who can act as an extension of your security team and help communicate across groups.
* Focus on building trust in your organization's IT and security teams by resolving the issues that lead to workarounds, highlighting successes, and recognizing staff who demonstrate your program's values.
* Find ways to keep security training new and relevant, including updated statistics and case studies, and gamify the training to encourage healthy competition.
* Refine training topics and regular communications based on organizational events or on overall behavioral trends.
* Engage managers and executives in promoting and encouraging involvement in the security program.
* Develop key performance indicators and a regular reporting mechanism to track the security program's metrics over time.
* Partner with other functional experts within your organization, such as the training and learning professionals in the Human Resources department.
* Establish a consistent schedule to promote and highlight your security program, even using a tool to automate the process and communications.

BRINGING IT ALL TOGETHER

While there is broad agreement across organizations about the value and importance of cybersecurity, especially the role each employee plays, EY reported that only 29 percent of Fortune 100 companies utilize security awareness programs. Your organization can be different. Fortunately, you don't have to lay the groundwork for a strong, measurable and agile security awareness program on your own. Experts like Angeley and Filip believe that taking a people-first approach and utilizing trusted and refined tools like the Infosec IQ Cybersecurity Culture Survey can help your organization be better prepared for the threats of tomorrow.
SOURCES
* Cybersecurity is Greatest Post-Pandemic Concern in 2021, According to MetricStream Risk Management Survey, PRNewswire
* 2021 Data Breach Investigations Report, Verizon
* Employee Negligence Remains the Biggest Threat in Data Breaches, Bitdefender
* The ROI of Security Awareness Training, Mimecast and Osterman Research
* Cost of a Data Breach Report 2021, IBM and the Ponemon Institute
* What companies are disclosing about cybersecurity risk and oversight, EY

Author: PATRICK MALLORY
Patrick's background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick has also earned the OSCP, CISSP, CISM and Security+ certifications, holds master's degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate-level teaching in an information security program. Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.