Security and Employee Compliance

Loading...

Del curso dictado por University System of Georgia

Cybersecurity and the X-Factor

87 calificaciones

Explore Related Videos

At Coursera, you will find the best lectures in the world. Here are some of our personalized recommendations for you

University System of Georgia

Cybersecurity and the X-Factor

87 calificaciones

Curso 3 de 4 en SpecializationCybersecurity: Developing a Program for Your Business

What is the X-Factor? In Cybersecurity, the X-Factor related to unknown and unpredictable human behavior within and outside of your organization. “No one really knows why humans do what they do”, (David K. Reynolds), and because of this organizations can be unprepared for malicious, untrained, or even best intentioned behavior that can cause alarm and sometimes irreparable harm. This course will introduce you to the types of training available to reduce the impact of the X-Factor, evaluate its effectiveness, explore the Security Education, Training and Awareness (SETA) program, and learn why it may fail. The course will conclude with information designed to assist you with some critical components for your business security program. Activities focused on hactivism, cyberinsurance, and ransomware will round out your knowledge base. Your team of instructors has prepared a series of readings, discussions, guest lectures, and quizzes to engage you in this exciting topic.

De la lección

Introduction to the X-Factor

The X-factor within information security is human behavior within and outside your organization. Our introduction includes an overview of information security management and its goals as well as describing the problem created by non-malicious insider behavior. We include discussion about the purpose of training within organizational cybersecurity efforts and whether it is achieving its purpose.

Course Overview video1:11

Security and Employee Compliance4:26

Industry Q&A: Security and End Users1:47

Pulling it together8:24

Conoce a los instructores

Dr. Humayun Zafar
Associate Professor of Information Security and Assurance
Information Systems
Dr. Traci Carte
Associate Professor Chair, Information Systems
Information Systems
Herbert J. Mattord, Ph.D., CISM, CISSP, CDP
Associate Professor in Information Security and Assurance
Information Systems
Mr. Andy Green
Lecturer of Information Security and Assurance
Kennesaw State University - Department of Information Systems
Michael Whitman, Ph.D., CISM, CISSP
Professor of Information Security
Information Systems

A standing joke in cybersecurity circles is that it's easy to keep your data safe,

just disconnect every computer from the internet.

That might keep the data safe,

but it would also make most systems useless.

So, companies spend a lot of money on sophisticated technology like Firewalls,

Encryption programs, and Real-time intrusion monitoring,

just to name a few.

They also hire highly experienced security professionals,

and engage in security education training and awareness efforts with their employees,

customers, and business partners.

Security Education Training and Awareness,

also known as SETA,

is the fundamental task for security-focused organizations.

These efforts provide critical information to employees to

maintain or improve their current levels of security knowledge.

The benefits of most SETA efforts include improving employee behavior,

helping employees know where or how to report violations,

and enabling organizations to hold employees accountable.

For now, we're going to focus just on the effort to improve employee behavior.

It's reported that over half of all information security breaches are either indirectly,

or directly caused by employee's poor security behaviors.

Some estimates are as high as 95 percent of successful breaches require

one or more employees to become complicit with the hacker in some way.

Let's stop and think about that.

Security breaches might be initiated by some hacktivists or bad actor in a faraway land,

but their success does not rely on the technical genius that they

have so much as it relies on the corporate employees not following procedure.

So how do organizations make sure that employees are aware of,

and are complying with security policies?

They roll out training that is often a boring,

computer-based, voice-over PowerPoint annual event.

In short, here are some things you can do to stay safe from phishing e-mails.

One, never click on unexpected links or attachments.

Compliance is expected because the training is mandated.

There have been a number of academic studies focused on

how and why security training is effective or ineffective.

I am also fairly sure that many disgruntled security managers asked the same question.

So, why is security training not as effective as organizations would like?

First, we have to think about the underlying assumptions behind such training.

Did the designers believe that the security rules are mostly being followed,

and that they are simply reminding the users of the importance of continued compliance?

Or are these annual training efforts intended to improve compliance?

I already mentioned that SETA efforts are focused on improving employee behavior,

but surely some of the employees are doing what they're supposed to do.

To help answer this question,

I asked a security manager to describe training effectiveness in his organization.

He said, "No matter how well you train folks,

it will never keep you 100 percent safe.

Each year we perform two to three phishing training scenarios."

Phishing is the attempt to acquire sensitive information such as usernames, passwords,

and credit card details,

often for malicious reasons,

by masquerading as a trustworthy entity in electronic communication.

He continued, "We are normally 10 to 15 percent effective in harvesting.

For an organization of 4,500-ish people,

that's still about 450 usernames and passwords.

Doing so has created 450 insider threats.

Tax related phishing tests are the best."

So, after annual training,

this organization sends fake e-mails to their employees to see

if anyone will send their log in information and even password.

About 10 to 15 percent do just that.

This is not an uncommon result.

Explora nuestro catálogo

Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.

Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.

© 2019 Coursera Inc. Todos los derechos reservados.

Descargar en la App Store

Consíguelo en Google Play