Securitygenic: Fighting User Apathy and Indifference

THOTCON 0x7

Presented by: Chris Carlis
Date: Thursday May 05, 2016
Time: 14:00 - 14:25
Location: Turbo Room
Track: Track 2

We, as information security professionals, are not good at convincing people to care about information security. We may be passionate, intelligent, and dedicated in the pursuit of defending our organizations but, when it comes to motivating our co-workers to employ even the most basic of security measures, our efforts often fall flat. Motivating people is a problem that often does not align well with our core skillsets. Yet, as attackers today look to compromise organizations, social engineering attacks against employees are an increasingly attractive option. Ranging from remote and impersonal to in local, personal interaction, these attacks rely upon our users making bad security decisions. We, as defenders, deploy numerous technical countermeasures in an effort to remove the responsibility of security from the user. These systems are often both expensive and easily bypassed. Additionally, user security training is mandated but easily misses the mark and can lack real lasting effectiveness. We must continue to look for additional solutions to strengthen the weak end-user link in our defenses. In this talk we look at a expanding our usual methods of user education and leveraging non-conventional resources to amplify and increase the lasting effectiveness of information security training. Enlisting the help of individuals with the training, experience, and understanding in what is needed to motivate a largely apathetic base into incorporating better security behavior into their everyday lives. Our information security programs need Marketing. We will discuss some the benefits of incorporating marketing into your security program. We will cover some of the political, business, and interpersonal challenges that may arise and strategies for overcoming them. Finally we will discuss methods of popularizing this practice outside out individual organizations.

Chris Carlis

Chris Carlis, a Dell SecureWorks Red Team member, enjoys grassroots InfoSec communities & investigating finer points of Impostor Syndrome.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats