Predrag Tasevski, presenting Methodological approach to security awareness – Kaspersky CyberSecurity Round 2014, Politecnico di Milano, Italy.

December was a last month of 2013, and for sure the best month. Not because of the parties, holidays and vacation that they were coming. But it is because I was selected in a final round of Kaspersky Academy European Round 2014 in Milan, Italy. The conference was a part of CyberSecurity for the Next Generation events that are happening all over the world. The event took place in 11 until 13 of December 2013, in beautiful and unfortunate at that time foggy city Milan, and hosted at Politecnico di Milano. Nevertheless, we had a wonderful time. Before I continue with the presentation of my research paper I would like to thanks the organizers for such a great organization and full and frankly not that busy and indeed interesting agenda. Nice work guys, love you and of course miss you.

Turning to research paper that I presented, "Methodological approach to security awareness", the presentation is available below as well as my presentation notes. Without any further ado I will let the notes to speak for themself, as well as the presentation and the pictures. Hope that you enjoy the reading.

Ladies and gentlemen, dear committee, my name is Predrag Tasevski from Macedonia and currently I’m a post-master student in Eurecom, France. Today I will present you my research study Methodological approach to security awareness. But before we start I would like to share a short story.

Previously I was studying MSc in Cyber security in Estonia. When I was in the middle of the studies, in the 2011, it was one year after finished the first year. I went home for the Christmas holidays. At that time I was curious in opening a company in Macedonia. And for this reason I went to Central register office.

When I reached the room number 10 I knocked on the door. Once, two, three times, and still there was no answer. I push the door and I entered in empty room full of 6 computers. I shouted few times, however there was no answer.

So I started to watch the screens. Unlikely from Estonia, frankly in Macedonia people love paper-work. Indeed, in the bureaus there where open documents and the computer’s ware unlocked. Usually, I always I have with me an external hard drive…

Then the good side and bad side of me come out .…

It took me a few minutes to decide,… and likely the good side of me won. After 30 minutes I was able to get the answers.

Let us just stop for a second and thing what I could do with this data …. Could you imagine how reach I would be nowadays if I backup the data…

While I was on the way back home, I started to think why people are so careless about the information. In reality it just takes one second to lock the computer. Why people coupled with human factor are actually the weakest link in security? And therefore for this reason, we introduce you this study.

Today we will discuss the problem statement and related work. Coupled with the current awareness level. Secondly, methods and approached that we have introduced in this study and the curriculum. Last but not least, we will present the results of the syllabus as a consequence of the implementation in schools, universities, private and public organizations. And finally we will conclude.

Numerous amounts of awareness programs exist in the last 20 years. However their approaches and methods are different. Up to now almost all the academic effort in information security training has concentrated on solving the technical and policy aspects, rather than designing security systems to take into account the human factor. The human factor is being the most vulnerable threat in the system, and it could jeopardize the overall efficiency of the organization and nation. Lastly, few of them have the questionnaire quizzes implemented.

The ideas for the awareness program we have implemented are usually not new, but the uniqueness of our awareness program lies in the style of communication, the systematic approach of the targeted groups and the content delivered. Other unique factors are the baseline survey and questionnaire quiz, and lastly the topic adviser. We believe that no other previously related work as mention in this study has used such systematic approach, methods and targeted groups.

There are three systematical target groups in the syllabus: basic, advance and management. Each part contains certain number of modules, divided into units, which are pursued into separate curriculum. In fact the idea of the target groups is to elevate the awareness level of three different types of groups of information security. We emphasize that the weakest element is human behavior, followed by the socio-technical aspect. Please bear in mind, that this syllabus does not cover the legal aspects.

The study provided the entrance for participants only with the Basic curriculum. The focus is to examine the response of the prior concern about safety and knowledge of protection of IT assets compared to the scores earned. In total we had around 1000 participants, from 11 to 63 years old and around 700 of them where male and the rest female. Most of the them use the computers either at home or work. In the content of how they want to get education about the IT security is that around 430 answered through Online training. Turning to the current awareness level before they entered the course is in fact that only 400 of them were somewhat knowledgeable of how to secure their assets. Also another interesting fact is that a greater number of the participants are least concerned about protecting their mobile devices.

In comparison with the current awareness level we also demonstrate the average percentage score gained in each unit. Subsequently it allows us to pin-point modules which participants are more and less knowledgeable. So as to take tailored measurements for future actions. For instance Network & Internet Security is the most knowledgeable, rather than Physical security.

Finally, the threats to cybersecurity are constantly evolving. Thus we need to ensure that not only the specialist who are protecting IT systems get a proper awareness education, but also the basic, everyday users and managers should too. Every manager can be a user, but every user can not be a manager.

Thereby, only significant changes in user perception, culture and education can effectively reduce the number of information and cybersecurity breaches. Consequently this will raise the awareness level of the human factor in using technologies in everyday life.

The strength of our study lies in the results and evidence of implemented syllabus and it improve everyday work and usage of technologies.

We believe that this approach could be implemented effectively in private, public, military, nations, etc. without a significant degradation in performance.

As well as future studies should examine broader views on policy and legal aspects.

Although I did not win, however let me just remind the others that we are all winners. There were around 60 papers submitted and only 15 were selected for finale round. We should be proud of our self. And of course each one of us did a perfect job in presenting own work. Hope that you all will continue in this path, as well as to see you soon. Friendship and networking that we had there is my gift from others and Kaspersky. Thank you once again. Congrats to the winners. Here is a short note from Kaspersky about the conference, CyberSecurity in Milan.