Is your cybersecurity training reaching the right people?

Cybersecurity training should be targeted so it changes behaviours to minimise cyber harm. As the Victorian government found, the most appropriate targets might not be who you first think.
Written by Stilgherrian , Contributor

There's plenty of talk about cybersecurity awareness. But how many organisations know what their cybersecurity training is meant to achieve, let alone whether it works?

Shane Moffitt is assistant chief information security officer (CISO) for the Victorian state government, an organisation with some 311,000 employees. He's responsible for the implementation of the state's cybersecurity strategy.

Taking people out of their jobs for training is expensive -- far more expensive that the cost of developing the training itself -- so he wanted the best return on investment. That meant taking a strategic approach.

What behaviours needed to be changed to reduce the number of incidents logged and measured in the government's central incident registry?

One obvious example was patching.

"The Victorian Government, like many large enterprises, has an issue with ICT asset management and currency and keeping things up to date on what we call legacy kit," Moffitt told the AusCERT Cyber Security Conference on Australia's Gold Coast last week.

"We know that will cause harm. So we want to get proactive on that, and get people to actually address it before the harm's caused."

Moffitt pushed the importance of patching to his tech workers, and plans to eventually push all of the Australian Signals Directorate (ASD) Essential Eight cybersecurity strategies across the entire Victorian public service.

"And then we worked out we'd picked the wrong behaviour changes," he said.

"We spoke to our ICT workers and we went 'Patch. You know you need to patch'. And they go 'Yeah I know we need to patch, but I can't. The equipment's out of date. And why is the equipment out of date? Because my executive won't give me the money to upgrade it.'"

From an executive's point of view, replacing legacy equipment can seem like a bad move. They'd have to spend some of their capital budget on the new kit, plus more operating budget because now they'd be patching again, but there'd be no change to the operational results.

So the training strategy was changed. Executives were trained in better risk assessment, and in how to balance cyber risks against the need to deliver better government services.

The government partnered with the Australian Institute of Company Directors (AICD), who already run cyber risk training. The AICD could do it more efficiently, and trainees would come away with a recognisable item for their CV.

The government also developed an awareness video for executives, dramatising a scenario where refusing the budget to replace a legacy system led to a data breach, and ultimately to a media disaster for the state premier.

They're also developing an "ICT asset framework" to track the currency of assets, and give that visibility.

Training was also targeted at executives and public servants more generally to reduce the impact of phishing.

"The register shows approximately 56% of all our incidents would have been prevented if someone had not succumb to a fishing scam. It's ridiculous," Moffitt said.

"We're never going to get to zero. We don't expect to get it to zero. [But] we are confident we can reduce it by 10%, or 20%, or 50%. It's worth the investment in both the incidents themselves and the cost of managing those incidents."

The next round of training materials will depict a wider range of employees, not just office workers.

"People who wear uniforms identify themselves separately to people who wear suits. When we released a video of an office worker, a nurse, or a police officer, they immediately disengaged and disassociated with them, so it doesn't work effectively," Moffitt said.

Related Coverage

Audit rules Victoria's public health system as 'highly vulnerable' to cyber attacks

The Victorian Auditor-General's Office finds health system could suffer the same fate as the UK's National Health Service and Singapore's SingHealth.

Victoria earmarks AU$53m for digital service delivery and citizen engagement

The state Budget is also prioritising ambulance radio upgrades, acute healthcare through initiatives such as a digital patient records system, and a handful of tech-related projects in schools.

Victoria looks to make public transport info available in real-time

The state's transport authority has gone to tender for help in delivering a mobile app that contains journey planning capability, real-time information, disruption notifications, and myki card management.

Digital Council reports NSW and Victoria have the most data-based digital initiatives

Just under 100 data and digital government initiatives are currently underway in Australia, a report from the Australian Digital Council has revealed.

Melbourne students are guinea pigs for NEC's facial recognition fraud tech

NEC's NeoFace facial recognition software will be used by Melbourne-based Cambridge Boxhill Language Assessments in a bid to ensure those sitting tests are those enrolled.

Editorial standards