Making Security Awareness Measurable

Presented at DeepSec 2017 „Science First!“.

Security awareness campaigns aim at educating and training your workforce with regard to IT security. Those trainings take time and can be rather complex, which also makes them expensive. However, we still lack the scientific base of how to design a successful security awareness campaign and how to evaluate its success, especially when it comes to elaborate social engineering attacks. In this talk I will introduce scientifically sound methods and tools from industrial and organisational psychology and industrial education to measure the success of security awareness campaigns. I will show human factors that enable or limit the success of training campaigns and how to enhance future campaigns based on lessons learned from former campaigns. All while keeping in mind that humans are not the weakest link in a security system, but the only defensive measure we have.


Presenters:

  • Stefan Schumacher - Magdeburger Institut für Sicherheitsforschung
    Stefan Schumacher is the president of the Magdeburg Institute for Security Research and editor of the Magdeburg Journal for Security Research in Magdeburg/Germany. He started his hacking career before the fall of the Berlin Wall, on a small East German computer with 1.75 MHz and a Datasette drive. Ever since, he has liked to explore technical and social systems, with a focus on security and how to exploit them. He was a NetBSD developer for some years and involved in several other Open Source projects and events. He studied Educational Science and Psychology, and has done a lot of unique research about the Psychology of Security with a focus on Social Engineering, User Training and Didactics of Security/Cryptography. Currently he is leading the research project Psychology of Security, focusing on fundamental qualitative and quantitative research about the perception and construction of security. He presents the results of his research regularly at international conferences like AusCert Australia, Chaos Communication Congress, Chaos Communication Camp, DeepSec, DeepIntel, Positive Hack Days Moscow or LinuxDays Luxembourg and in security-related journals and books.
