Why Most Cyber Security Training Fails and What We Can Do About it

Black Hat USA 2017

Presented by: Arun Vishwanath
Date: Thursday July 27, 2017
Time: 11:00 - 11:50
Location: Mandalay Bay GH

To date, the only pro-active, user-focused solution against spear phishing has been cyber security awareness training. However, multiple lines of evidence—from continuing news stories of bigger and bolder breaches to objective academic assessments of training effects—point to its limited effectiveness.

Yet, organizations continue to spend millions of dollars and countless man-hours on it. The problem is our current approach of providing the same form of training to everyone: it is is akin to prescribing the same medicine to every patient, sometimes repeatedly, without so much as diagnosing him or her. Small wonder then that spear phishing continues to wreck havoc. At the core of the problem is our inability to diagnose what ails the patient: Who is at risk from spear phishing? Why are they at risk? And how much of a risk are they?

The current presentation will provide a mechanism for answering these questions by using the Cyber Risk Index (CRI)—an empirically derived quantitative metric that helps identify the likely victims of different spear phishing attacks, reasons for their victimization, and the remedial measures that would best work to protect them. CRI scores range from 0–100 and can be derived using existing training and simulated spear phishing/pen-testing methods that most organizations use. Using a case study of an actual spear phishing pen-test that was conducted in a large, US based financial firm, the presentation will detail how CRI scores are derived and used. The talk will detail how the CRI helped assess the value of training and identify why training worked for some employees while not for most others. It will also discuss how the CRI helped identify the weak-links in the organization, design individualized training and protections, track improvements—and overtime improve individual readiness and enhance the organization's cyber reliance.

Arun Vishwanath

Dr. Arun Vishwanath studies the "people problem" of cyber security. His research focuses on improving individual, organizational, and national resilience to cyber attacks by focusing on the weakest links in cyber security—all of us Internet users. His particular interest is in understanding why organizational insiders willingly exfiltrate sensitive organizational data; why people become unintentional insiders by falling prey to social engineering attacks that come-in through email and social media; and on ways we can harness this understanding to secure cyber space. He has written and published over two-dozen peer-reviewed articles on technology users and cyber security issues and my research has been presented to principals at national security and law enforcement agencies around the world. He is a frequent commentator on cyber security issues in CNN and other major national and international news outlets.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats