It's Not What You Know, It's What You Do: How Data Can Shape Security Engagement

Conference: BlackHat USA 2019



When it comes to security training, one size does not fit all. Company-wide and even role-based security trainings do not acknowledge the strengths and weaknesses in an individual's security performance. They are redundant on topics where users are proficient and often appeal to the lowest common denominator of understanding. This approach does not respect an employee's intelligence or recognize the successes and strengths in fulfilling security tasks. The end result is mediocre and unmotivating training that fails to empower users with the motivation and skills to defend against current threats.

In early 2019, Autodesk, in partnership with Elevate Security, rolled out an innovative new approach to security learning. By leveraging the security behavioral traits of each employee, they created ongoing security snapshots with recommended security trainings and action items for each person.

This behavioral data was used to highlight when employees were excelling at security tasks and where they most needed improvement. This gave each individual a quarterly security finish line, created the opportunity to acknowledge when employees were meeting or exceeding a security task, and provided customized follow-up when an employee had room for improvement. Further, data analytics were used to drive "social acceptance" of key security behaviors by demonstrating a comparison of performance between groups.

This talk will walk through the Autodesk case study of how to create and deliver data-driven security snapshots. It will also explore what data was chosen and how to showcase this data effectively for maximum impact on behavior change, and share the successful measured outcomes on security behavior change from this initiative.