2014_01

cybersecurity-conscious force at home and on travel willtranslate back into the government workplace, resulting inenhanced cybersecurity and operational security.PresentationA common issue among awareness programs is that, inmany cases, information provided does not make the impactit should have on the end user simply because thepresentation format does not align with the end user’spreferred learning style. It is typical to find a “one size fitsall” approach to providing information, such as an on-linePowerPoint brief. Yet educational specialists tend to agreethat within the general populace there are several generationsof learners, each with its own favored means of learning.In general, older generations tend to prefer in-classsessions with instructor interaction, while younger generationstend to prefer distributive learning and technologyfocused approaches. 8To meet an awareness program’s objectives, various methods,modes, and media should be used so that end userscan more readily learn in a manner that meets their personallearning preferences. Examples are:ÊÊMethods. Academic and practical exercises.ÊÊModes. Computer-based training, gaming, role playing,practical exercises, guest speakers.ÊÊMedia. Text, slides, video, Internet.In addition, to keep the end user population engaged,awareness information and activities can be presented usingboth active and passive techniques. Active techniquesrequire user interaction, such as acknowledging an alert oranswering a question. Passive means do not require userinteraction; it is up to the individual whether or not the informationis observed or activity performed. An exampleof a passive technique is posting new threat information toa central viewing site, such as AKO; the end user has thechoice whether to view the information or not.EffectivenessAssessments and metrics analysis is a necessary and criticalcomponent of a successful user awareness program. Akey reason many awareness and training programs fail isbecause they lack embedded assessment methodologies,which include conducting baseline assessments, taking regularmeasurements, and determining where and how adjustmentsneed to be made. Some programs are establishedbut never measure baseline awareness, nor do they routinelyassess awareness over time to determine trends. Thelack of assessments and failure to determine what worksand what does not work for the target audience then leadsto content stagnation, a subsequent drop in the program’susefulness, and expenditure of resources in an ineffectivemanner.There are several methods for collecting metrics and feedback,although no one technique provides a full picture ofthe effectiveness of an awareness program. Surveying theend user population can be effective if initial and follow-upsurveys are collected. A “practical exercise” technique is toconduct a phishing awareness campaign, where random usersare chosen to receive phishing training emails withoutprior knowledge of the “test” email. From the results, programmanagers can establish some baseline and follow-upmetrics to measure whether end users’ behavior is changingover time. In other words, are end users paying attentionto the threat awareness information being presentedthrough other techniques? Industry is seeing a rise in thenumber of organizations introducing phishing campaignsfor employees, resulting in a positive shift in their cybersecuritypostures. Future Army cyber awareness/training programsneed to include assessment methodologies, such asa phishing campaign, and thorough analysis from the verybeginning in order to gauge effectiveness and determine returnon investment.Way AheadTo start an Army-wide shift in culture, the Army shouldadopt a “marketing campaign” aimed at getting end usersto think of their workstation, networks, and data as thingsthat should be defended, not just used, while ensuringend users understand how their actions can and do haveimplications for operational success. A shift in culture willtake much advertising and encouragement, and should bedriven from the top. The level of effort required for theawareness campaign is akin to the seat-belt campaign in the1980s. At the start of that campaign, car drivers viewed theGovernment’s efforts as invasive. Now, wearing seatbelts isthe norm, something that is just habit. This is where cybersecurityneeds to be among end users–a habit.The Army has taken steps to supplement awareness forend users. Current and past efforts include, or have included:ÊÊSecretary of the Army memorandum, MandatoryInformation Assurance/Cybersecurity Awareness, 1February 2013.ÊÊALARACT 329/12: Anti-Terrorism Quarterly Theme–Cyber Threat Awareness (Q2/FY13).ÊÊHQDA/Office of the Provost Marshal General pamphlet:The Cyber Attack Cycle.ÊÊHQDA/Office of the Provost Marshal General pamphlet:Cyber Threat Vignettes, November 2012.36 Military Intelligence