LDR433: Managing Human Risk

Cybersecurity is no longer just a technical challenge but also a human one: people play a role in 80% of all breaches. For most organizations, their biggest challenge has become human risk management. This course enables security professionals to effectively build, manage and measure their human risk by changing and securing their workforce’s behaviors. Students are provided a structured roadmap with a step-by-step strategy on how to engage and secure their workforce, including seven highly interactive team labs and the course Digital Download Package. In addition, this is the only SANS short course to provide a credential, the industry-recognized SSAP.

Ways to Learn

Cybersecurity learning – at YOUR pace! OnDemand provides unlimited access to your training wherever, whenever. All labs, exercises, and live support from SANS subject matter experts included.

The full SANS experience live at home! Get the ultimate in virtual, interactive SANS courses with leading SANS instructors via live stream. Following class, plan to kick back and enjoy a keynote from the couch.

Did someone say ALL-ACCESS? On-site immersion via in-classroom course sessions led by world-class SANS instructors fill your day, while bonus receptions and workshops fill your evenings.

Instructor-led live online classes

Instructor-led live online Training 

$10,000  $8,200

Who Should Attend LDR433?

  • Security awareness, training, engagement or culture officers
  • Security management officials
  • Security Ambassadors or Champions officers
  • Security auditors, and governance, legal, privacy or compliance officers
  • Training, human resources and communications staff
  • Representatives from organizations subject to regulations or standards such as HIPAA, GDPR, FISMA, FERPA, PCI-DSS, ISO/IEC 27001, SOX, NERC, or any other compliance-driven standard
  • Anyone involved in planning, deploying or maintaining a security education, training, influence or communications program

NICE Framework Work Roles:

  • Cyber Instructional Curriculum Developer (OPM 711)
  • Security Awareness & Communications Manager (OP 712)

“I think the course is really engaging and works at two levels: 1. Would provide someone starting out with a solid foundational knowledge 2. Allows an existing programme to benchmark and get new ideas, to supplement the existing work.” – Brian Wright, Student Loans Company Unlimited

Training Features

Live Interactive Learning

Lifetime Access

24x7 Support

Hands-On Project Based Learning

Industry Recognized Certification

Cloud

Course Curriculum

Section 1: Overview

Section 1 covers the fundamentals by specifically answering what human risk is and how organizations can effectively manage it. We start with students defining the maturity of their existing program and provide a roadmap on how to improve that maturity. We then cover the critical foundations for a successful program: leadership support, a program charter, and partnerships. Finally, we cover the fundamentals of risk management and how to identify and prioritize your top human risks.

Exercises
  • Benchmarking your program’s maturity against your peers
  • Developing key partnerships
  • Identifying your top human risks
Topics
  • How to map and benchmark your program’s maturity
  • The five stages of the Security Awareness Maturity Model
  • The fundamentals of risk and risk management
  • The definition of human risk and the three variables that define it
  • Why humans are so vulnerable and the latest methods cyber attackers use to exploit these vulnerabilities
  • Steps to gain and maintain leadership support for your program
  • How to develop and leverage effective partnerships
  • Developing a strategic plan that prioritizes your organization’s human risk, the behaviors to manage those risks, and changing those behaviors.
  • A walk-through on how to conduct a human risk assessment and how to prioritize your organization’s top human risks, including leveraging the latest in Cyber Threat Intelligence (CTI).
  • How to identify and manage role-based risks
Section 2: Overview

The second section begins with Artificial Intelligence and how to leverage it to exponentially increase the impact of your program. We then cover how to identify the key behaviors that manage your top human risks, including defining each behavior as a learning objective. We then cover how to change behaviors at an organizational level, starting with the fundamentals of engagement and motivating change, then how to adapt your program to different demographics, cultures and regions. Finally, we go into the many different methods and modalities to train and engage your workforce.

Exercises
  • Identifying and prioritizing key behaviors
  • Leverage the AIDA Model to engage and promote behavior change
Topics
  • Resources for your long-term success
  • Latest in Artificial Intelligence / Gen AI and how to leverage it to accelerate your program and career.
  • Defining learning objectives and how they apply to learning theory and risk management
  • How to identify and prioritize the top behaviors that manage your key human risks
  • Fundamentals of engaging and changing human behavior
  • Introduction of the Golden Circle and the importance of “why”
  • How you can effectively create an engagement strategy leveraging marketing models
  • Creating a training strategy leveraging the ADDIE and Kirkpatrick models
  • Top tips for effective translation and localization
  • The effective use of imagery, with a focus on diverse or international environments
  • The two different training categories, primary and reinforcement, and the roles of each
  • How to effectively develop and provide instructor-led training (ILT), virtual live training (VLT) and computer-based training (CBT)
  • Different reinforcement methods, including newsletters, infographics, podcasts, micro-videos and video shorts, memes, hosted speaker events, hacking demos, scavenger hunts, virtual lunch-and-learns, and numerous other training activities.
  • How to put this all together for a specific training / risk management goal.
Section 3: Overview

This section begins with culture: defining your organization’s overall culture, what security culture is, and how to embed a strong security culture into your organization’s overall culture. We then cover metrics, starting with why we want metrics and how to use them at a strategic level. We then do a deep dive into how to measure behavior and culture, followed by strategic metrics, and finally how to communicate the value of your program to leadership in business terms. We finish the class with how to put this all together into an actionable plan, with key tips for success.

Exercises
  • How to understand, define and align security with your organization’s overall culture
  • Creating an action plan for when you return to your organization
Topics
  • We start the day with career development, a series of steps you can take to grow your credibility, position and compensation.
  • What organizational culture is and how to define your organization’s overall culture
  • We explain what security culture is, the value of a strong security culture and the most common indicators of both a weak and strong security culture.
  • How to align with and embed a strong security culture into your organization’s overall culture.
  • How to create a strong incentive program to sustain behavior change long-term
  • A deep dive into Ambassador Programs
  • Fundamentals of metrics, including why we collect them and how to leverage them strategically
  • The difference between compliance metrics and impact metrics
  • Walk through of the three types of impact metrics: knowledge, culture and behavior
  • What are your leadership’s strategic priorities and how to align your strategic metrics framework with those strategic priorities.
  • Putting an overall project plan together and executing it
  • Resources for success moving forward

What You Will Learn

Learn the key lessons and the roadmap to build a mature awareness program that will truly engage your workforce, change their behavior and ultimately manage your human risk. Apply models such as the BJ Fogg Behavior Model, AIDA Marketing funnel, the Golden Circle, ADDIE training model and learn about the Elephant vs. the Rider. Concepts include how to assess and prioritize your top human risks and the behaviors that manage those risks, how to engage, train and secure your workforce by changing their behaviors, how to build a strong security culture and how to measure the impact and value of all that change.

The course content is based on lessons learned from hundreds of programs from around the world. You will learn not only from your instructor, but from extensive interaction with your peers. Finally, you will have the opportunity to earn the SANS Security Awareness Professional (SSAP), the industry standard in human risk management.

“Overall just fantastic. I would love for my whole team to attend this training – invaluable and eye-opening knowledge, that I think will enable lots of good changes and growth. There’s just SO MUCH amazing content here, and the delivery was fantastic.” – Luka Morkyte, JPMorgan Chase

Cyber threat actors have changed their attack methods: they no longer target technology but people. Human Risk Management (HRM) is the structured approach to how organizations secure their people, addressing what is now, for most organizations, their greatest vulnerability: their workforce.

  • Align your security awareness program with your organization’s strategic security priorities
  • Effectively identify, prioritize and manage your organization’s top human risks.
  • More closely integrate your security awareness efforts with your security team’s overall risk management efforts.
  • Make the most of your investment by sustaining your program long term, going beyond changing behavior to embedding a strong security culture
  • Communicate and demonstrate the value of the change to your senior leadership in business terms
  • Master how to map and benchmark your program’s maturity against your peers’.
  • Understand the Security Awareness Maturity Model and how to leverage it as the roadmap for your program
  • Ensure compliance with key standards and regulations
  • Implement models for learning theory, behavioral change, and organizational culture
  • Define human risk and explain the three different variables that constitute it
  • Explain the risk assessment processes
  • Explain and leverage the latest in Artificial Intelligence to exponentially increase your impact
  • Leverage the latest in Cyber Threat Intelligence (CTI) and describe the most common tactics, techniques, and procedures (TTPs) used by cyber attackers in today’s human-based attacks
  • Identify, measure, and prioritize your human risks and define the behaviors that manage those risks
  • Identify high risk roles and the required, specialized training for those roles
  • Define what security culture is and the common indicators of a strong security culture
  • Explain your organization’s overall culture and how to most effectively align cybersecurity with and embed security into your organization’s culture
  • Measure the impact of your program, track the reduction in human risk, and communicate the value of the program to senior leadership in strategic terms.

A big part of the course is not only learning but applying what you learn, working in groups with your peers. Not only does this give you a far better understanding and application of the course content, but it also enables you to interact with and learn from others. This three-section course has seven interactive labs. Each lab takes approximately 30 minutes to complete as a team, with another 15-20 minutes of group discussion. In addition, most labs include elements of leveraging Artificial Intelligence to accelerate your program and impact.

  • Section 1: Determine Your Program’s Maturity Level, Partnering with Others, Identifying and Prioritizing the Top Human Risks
  • Section 2: Identify and Prioritize the Key Behaviors that Manage Risks, Leverage the AIDA Model to Sell MFA
  • Section 3: Defining Your Organization’s Culture, Creating an Action Plan for When You Return

“Just what I needed.” – Philippe Vaquer, Bureau Veritas

“Incredibly useful and supportive to the learning.” – William Edwards, HM Land Registry

“The labs presented an effective way to grasp the material and present to others for good feedback.” – Michael U., US Government

“I enjoyed learning from other attendees during the breakout session. It’s really good to hear about how other organizations implement their programs. Sharing best practices has been really insightful.” – Angela Childs

  • Section 1: Learn the fundamentals of managing human risk, to include gaining leadership support, partnerships and project charter, and how to assess and prioritize human risk.
  • Section 2: Learn how to leverage the latest in Artificial Intelligence in accelerating your program, prioritize the specific behaviors that most effectively manage your human risk, then how to engage, train and enable your workforce to change and exhibit those key behaviors.
  • Section 3: Learn how to build and embed a strong security culture, how to measure and communicate the value of your program and how to put a final plan together.

NOTE: This class is designed as a beginner to intermediate level course. Highly experienced security professionals or senior security leaders should consider the more advanced five-day LDR521: Security Culture for Leaders.

Course Details

Organizations seek proven leaders who have the expertise and skills to effectively manage and measure human risk. The SANS Security Awareness Professional (SSAP) provides not only this expertise, but also signifies, documents and certifies that the holder has met the requirements to elevate the overall security behavior of the workforce.

The first step to achieving your SSAP is taking the three-day SANS LDR433 course on building mature awareness programs. In this course, you’ll learn how to:

  • Gain and maintain leadership advocacy for your security awareness program. Identify and document target groups and deploy relevant training.
  • Effectively engage and communicate across the organization, addressing culture, role and generational challenges, nationalities and languages.
  • Sustain your security awareness program, including implementing advanced programs, such as ambassador programs.
  • Understand and use the five stages of the Security Awareness Maturity Model as a benchmark for your awareness program success.
  • Measure the impact of your awareness program, track reduction in human risk and communicate the program’s value to leadership.
  • Apply key models for learning theory, behavioral change and cultural analysis.

This is a management course designed for both new security professionals and experienced ones who are looking to expand and grow their expertise in human risk management. While an understanding of cybersecurity risk and/or a technical background can help, it is in no way required.

“Having been actively involved in information security for more than 25 years, I have seen one constant factor: people are the number one attack vector for cyber attackers as organizations fail to properly invest in and secure them. Once engaged, trained and enabled, your workforce will become your greatest asset, not only to prevent incidents but also to quickly identify and report them, resulting in a far more resilient organization. I am extremely excited about LDR433, as it provides you with the skills, resources, and community you need to effectively manage and measure your human risk.” – Lance Spitzner

“That guy is just cool. I feel I owe him some fine tacos and beer because of the great learning experience! He owns the material and the stories make it very fun. Great idea including real life examples and experiences. Also, he is very kind and answers each comment posted and clarifies any doubt you may have.” – Nelson Estrada, GoodFarms