Hi, I'm Dr. Traci Carte. This module focuses on one overarching concept: security management occurs within a socio-technical system. Socio-technical models have been around for a long time, and they fundamentally portray that technical work, for example IT, IS, or cyber security, happens within a larger system. So, while technical workers and departments may focus on technologies and tasks, these efforts impact and are impacted by the organization's social system. Social systems are made up of structures and people. Further, such models suggest that for technical departments or groups, ignoring the social system, the structures and the people, may very well result in poor achievement of the group's goals. In our context, this means that when information security groups ignore the social system, the organization's information assets are less safe. This is not news to most folks working in the business of cyber security. This point was illustrated in our introductory example, where annual security training was rolled out, and when the security personnel tested its effectiveness, they found 10% to 15% of their employees were still non-compliant. This is not a technical challenge; it comes from the social system. The Business of Cybersecurity includes three, sometimes competing, objectives: balancing information security and business needs, ensuring compliance, and maintaining cultural fit. Notice these include a mix of technical and organizational goals. Cybersecurity personnel are charged with keeping information assets secure. But at the same time, they cannot do this at the expense of business effectiveness or efficiency. However, this includes not exposing the organization to lawsuits or bad publicity for failing to faithfully comply with established standards. These often revolve around information privacy or confidentiality.
Finally, security professionals must realize that any efforts targeted at changing human behavior must take into consideration organizational culture. These objectives are pursued using two mechanisms: organizational integration and social alignment. Organizational integration refers to structures and processes, often formalized within the organizational structure. These include things like reporting relationships and decision-making rights. These are also important to bridging technical and social systems, because they provide the authority, or perceived authority, to engage in efforts to change employee behavior. The social alignment mechanisms include some formal efforts, like security awareness programs, as well as informal efforts like mentoring and executive commitment, which signals that proper security behavior is part of the culture. One of the clearest linkages between security efforts and social systems is user training. Security training is often defined as providing members of the organization with detailed information and hands-on instruction to enable them to perform their duties securely. However, in this module we argue that training can take many forms, ranging from annual web-based training, a very overt activity, to awareness efforts, which are more covert, to mentoring, which is likely to be focused on understanding and buy-in of security efforts in ways that are less about dictating behavior, as an overt training video would be. Training must have all of these, because in order for training to be effective, the subject of the training, the user, must be primed and ready to learn. Now if we return to the question posed in the introductory video, what is the intention of annual security training? I think it's safe to assume that annual security training has a dual focus on both reinforcing good behaviors, encouraging good users to keep complying, and improving compliance, which includes reducing bad behavior.
In other words, the annual training video is supposed to remind employees to follow the rules, and why the rules are important: rules like changing your password regularly, not clicking through on embedded links in your email, et cetera. It is further meant to convey to employees who are not following these rules that they should change their behavior. As such, security training has two desired outcomes: reinforcing good behavior and changing bad behavior. Can both efforts be accomplished in the same computer-based training? Perhaps the better question is, should both efforts be attempted in the same training? Most learning models focus on changing behavior. Social learning theory, one of the most popular theories for describing organizational learning, conceives of learning as a continuous reciprocal interaction between behavior and controlling conditions. Fundamentally, any effort to change someone's behavior must take into consideration current behavior, it must model new behavior, and then it must reinforce the new behavior. Alternatively, there's an old change model called the Lewin/Schein Change Model that says you have to unfreeze people, move them, and then refreeze them. Unfreezing requires that the target individuals become dissatisfied with the status quo. Moving refers to introducing the change or desired new behavior. And refreezing requires that the target individual adopts the new behavior into his or her routine. These suggest that training efforts must demonstrate an awareness of how users do their jobs and the role technology plays. It must introduce the desired security compliance behavior, and then it must reinforce such behavior. Further, as demonstrated by the readings, there are new threats to security being introduced every day. Lack of awareness, and a burgeoning technology industry that introduces new applications by the minute, can result in employees craving more and more technology to make their work lives easier.
If security teams say no to new technologies, employees may bring them into the organizational servers as shadow IT. Phishing attacks are getting more and more sophisticated. Security groups must continually update training programs to reflect changes in the technical world. Further, more sophisticated training scenarios are needed. As mentioned in one reading, scenario-based training may help employees not just know what to do, but when to do it. While it is unlikely that an extra-long video can accomplish all of these things, the complementary activities described in your readings can help. Security awareness efforts can run year round and include the latest concerns that need to be brought to employees' attention. Good mentoring to intervene before bad practices take root, and executive commitment that includes modeling and rewarding the desired behaviors, can lessen the burden of annual training; perhaps it won't have to change bad behavior. Ultimately, good security programs within organizations need formal structures that define decision-making rights, but these structures must be complemented by coordination and communication, and security managers must recognize and leverage the social environment. While organizations need security personnel who have deep technical knowledge, they equally need security personnel who understand people and the role they play in the security plan.