Expressworks perspective on human behavior and cyber security

© EXPRESSWORKS. Cyber security and Human Behaviors. Presenters: Hend Ezzeddine, Catherine Zaruba. Center for Medicare and Medicaid Services’ Security Control Oversight & Update Training (CSCOUT) conference

Upload: expressworks-international

Post on 13-Apr-2017


TRANSCRIPT

Our Approach to Cybersecurity

Cyber security and Human Behaviors

Presenters: Hend Ezzeddine, Catherine Zaruba

Center for Medicare and Medicaid Services' Security Control Oversight & Update Training (CSCOUT) conference

EXPRESSWORKS

Only amateurs attack machines; professionals target people.
Bruce Schneier

People's behaviors are currently a major source of cyber security threats.

Agenda

With more connectivity comes more risks
Human error is a major concern

A comprehensive identity-theft kit containing a health insurance record can be worth as much as $1,000.

Incidents among healthcare payers and providers soared 60% over 2013, an increase that was almost double that reported by all industries.

Investment in information security increased 66% over 2013.

*Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2015

Sources:
1. PwC, The Global State of Information Security Survey, 2015
2. Dell SecureWorks, Hackers Sell Health Insurance Credentials, Bank Accounts, SSNs and Counterfeit Documents, for over $1,000 Per Dossier, July 15, 2013
3. PwC, The Global State of Information Security Survey, 2015

Technology is not enough
Human error is a major concern

88% Spear phishing

70%

Biggest cyber security threat in healthcare

40%

Root cause of the healthcare organization's data breach

Cause of security incidents in healthcare

Employee negligence
Unintentional employee action

*Ponemon Institute, Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data, May 2015

A closer look at the nature of cyber security incidents shows that relying on technology is not enough. Most incidents are caused not by a technological failure but by human errors that could have been prevented through a more holistic approach.

Most organizations adopt a fragmented response to cyber threats
Human error is a major concern

Healthcare provider: Use mobile devices to exchange data and provide services

The patient: Access complete medical records online

Healthcare payer: Lower cost and speed payments

Security professional: Protect sensitive data

Technology-centric and compliance-driven cybersecurity initiatives deepen the gap between the need to protect company assets and the reliance on connectivity to thrive as a business. This gap is what drives the wrong human behavior and increases human errors, putting the entire organization at risk. When the solutions include the people side, cybersecurity becomes everyone's responsibility.

Agenda

Are you satisfied with every performance aspect of your cyber security effort?
Integrating behavioral change to reduce human error

How to reduce human errors?

Minimizing human errors calls for a multi-disciplinary approach to cyber security, and behavioral change is one of those disciplines.

Software and hardware performance is what most companies focus on.
Human performance relates to adopting the right culture, expressed through safe behaviors.
Process performance relates to the operating model of your cyber security approach.
Leadership performance relates to the commitment and support provided by the C-suite and the board.

Agenda

Security-related behaviors are usually a response to visual or informational triggers
Applying behavioral change to reinforce cyber resilience

What human behaviors need to be reinforced?

Design of security technology

Train the users to avoid cyber threats

Reinforce security compliance

Focusing on human behavior when designing cyber security technologies, training users on cyber threats and reinforcing compliance is widely recognized as a key element of success. When users are given the tools to recognize cyber threats, they are able to behave in the right way.

Apply Human Performance engineering to your design
Applying behavioral change to reinforce cyber resilience

Active warning: Require the user to deliberately decide whether to access a web site or download an attachment

Passive warning: Provide the user with a warning message and the option to learn more and/or disregard the warning

Consider which type of security warning will be most effective in triggering the right behaviors. For example, active warnings require the user to deliberately decide whether to access a web site or download an attachment.

Use perceptual learning to effectively train users
Applying behavioral change to reinforce cyber resilience

Spear phishing training
Pay close attention to the email address
Is the message personally addressed to you?
Is there an immediate action required from you?
Is there a link or an attachment?

Train specific visual skills that require split-second decisions.

Perceptual learning in humans occurs when a person is repeatedly exposed to specific stimuli (information). Perceptual learning involves long-lasting and amazing changes to the human perceptual system that incredibly improve one's ability to respond to the environment.

Use operational security techniques to keep your staff alert
Applying behavioral change to reinforce cyber resilience

Train them to recognize pretexting or social engineering incidents

Test them frequently to help them practice in real-time and gain consistency

Once they have succeeded a few times, they will spread the word

When training your users or your business partners, use scenario-based training that puts individuals to the test. By training them frequently, you will use the effect of being watched to your advantage: users are more alert and want to pass the test every single time.

Maintain compliance by promoting the right behavior
Applying behavioral change to reinforce cyber resilience

Email notification to change your password

This email is to notify you that it is time to change your password.

Click here to change your password.

Complying with our security compliance will allow you to maintain your access and keep your data safe.

Please do your part in maintaining that.

Did you know

85% of our customers comply with our password change policy.

Please do your part in maintaining this high performance compliance.

Social Proof - the evidence of the crowd. People's behavior is largely shaped by the behaviors of others around them.

Prospect Theory - Framing an action as a gain rather than a loss makes people more likely to take it.

When behavioral science is applied to your communication, you will be able to maximize the effectiveness of your message.

Integrating behavioral change is key to reinforcing cyber resilience
Today's key learning

I have diversified work assignments and access to the right training.

I understand our cybersecurity solution and how to measure its effectiveness.

I own cybersecurity for myself and my organization.

I feel empowered to make the right decisions and can access the C-suite/board as needed.

Doing without doing
Closing Comments

Once people adopt the right behaviors, complying with cyber security will become second nature.
Everyone in your organization will know what to do with minimum guidance.

Leonard Bernstein, Haydn Symphony No 88

Video: Leonard conducting w/o moving a finger because everyone already knows what to do (from TEDTalk on leadership; he's there and moving his head, but it's not very intense). Make sure you link back with the very first slide as we opened up the presentation with one of his quotes.

If you're on a Mac: watch from 2:22s to 3:32s: https://www.youtube.com/watch?v=oU0Ubs2KYUI

We are ready for your questions
Thank you for your attention
