Center for Cybersecurity and Data Intelligence

Cyber-mindfulness is more than the awareness that cyber threats exist. It's an attitude of alertness to threats and an expectation that threats will evolve. It's a sense of stewardship for both personal and community information resources. It's taking responsibility to stay informed, share knowledge, report concerns, and actively take steps to reduce risk and increase defenses. It's a commitment to the ongoing development of knowledge, skills, and communication.

At the University of Dayton, faculty, staff, and students are demonstrating that cyber-mindfulness has meaningful impact in reducing risk and increasing effective defenses against cyber threats. More importantly, awareness, knowledge, and ongoing practice are proving a powerful combination for increasing people's confidence to participate as cyber citizens in a community effort.

In 2016, UD employees were invited to engage in a year of becoming cyber-mindful. Through thought-provoking newsletters, hands-on training exercises, face-to-face classes, and incentives for participation, employees embraced the opportunity. Not only did they learn fundamental practices for protecting University information resources, but they also learned practical skills for home computing safety.

Eight months into the program, survey comparison results demonstrated the changes in attitudes, confidence, and efficacy that becoming cyber-mindful can achieve:

• 13% increase of employees who said that they would be able to recognize a suspicious email message (for a total of 77%).
• Increase to 94% of end-users who agreed with the statement that "everyone has a responsibility to protect their computer from hackers."
• Decrease to 9.6% of employees who feel that central IT is solely responsible for computer security.
• Decrease to just 6.0% of employees who felt that if hackers wanted access to their computer, there was little that they could do so stop them.

The Center for Cybersecurity and Data Intelligence will use the success of the UD employee cyber-mindful training as a springboard for community outreach.

Educators and professionals alike can utilize the Range through developing access, use and assessment processes and practices for the cyber range, support reporting and continuous improvement outcomes, sharing in the collaborative development of relevant educational exercises, assignments and practices and assisting with industry-focused outreach efforts for both continuing education and community demonstration exercises.

As we integrate the Dayton Regional Cyber Range into classes, courses, workshops and institutes, assessment will be enhanced to capture cyber range-relevant data as part of the larger assessment and continuous improvement process already mandated by the Ohio DHE and our institutional accrediting agencies.

The Dayton Regional Cyber Range will allow both individual users and teams to engage in simulated cybersecurity training exercises, supporting the growth of workforce-ready professionals.

While located in UD's Center for Cybersecurity and Data Intelligence, this infrastructure is a multi-institutional resource. Member schools and industry partners can engage in shared training and cooperative scheduling.

With its robust experiential exercises, the Cyber Range will serve as an effective training tool, benefiting students, our community, and the information security industry as a whole.

This virtual simulation will apply textbook concepts to workplace realities. As an immersive tool, the Cyber Range will provide students with cybersecurity threat detection and mitigation practices that parallel real-world experiences.

Specifically, the Dayton Regional Cyber Range will offer capabilities that directly reflect the skills and experiences most desired by industries seeking cybersecurity talent, including:

• Virtual cybersecurity training environments with varying levels of skill-building
• Support of cybersecurity teams to engage in collaborative problem-solving and effective teaming practices
• "Real-world, on-the-job" cybersecurity threat-vector experiences
• Robust competitions and exercises, such as "capture the flag"
• Simulated industry incident management and response exercises
• Rich reporting and tracking for performance validation and post exercise reviews

These skill-building experiences are critical to developing a qualified cybersecurity workforce, and they also provide continued learning opportunities for those individuals already in the industry.

Cybermindfulness is more than the awareness that cyber threats exist. It's an attitude of alertness to threats and an expectation that threats will evolve. It's a sense of stewardship for both personal and community information resources. It's taking responsibility to stay informed, share knowledge, report concerns and actively take steps to reduce risk and increase defenses. It's a commitment to the ongoing development of knowledge, skills and communication.

Interested organizations may adapt this toolkit to develop their own Cybermindfulness programs.

The UD-CCDI has developed a library offering videos on a wide variety of cybersecurity topics:

• Short-form public service announcement-style messages on a wide range of cybersecurity awareness topics such as phishing, choosing good passwords, protecting personal information, backing up personal machines, etc. These videos are shorter and make cybersecurity topics approachable for non-technical audiences
• Long-form instructional videos on topics such as Social Engineering, the Artificial Intelligence and Blockchain. These run up to twenty minutes and are more in-depth and instructional in nature

Led by John Wolfe, and using AT&T's AlienVault Open Source Security Information and Event Management (OSSIM) tool, the UD-CCDI has built a SOC simulator. A key feature is that we use the Open Source Carnegie-Mellon Ghosts traffic generator to target specific traffic at the SOC so that students may be assessed on how well they identify patterns of malicious traffic appearing on the simulated network environment.

The best way to help your personnel avoid being phished is to phish them yourself as a training tool. Several companies provide this service, but it may be prohibitive for smaller organizations.

Developed by John Wolfe, and employing the GoPhish open source phishing framework, UD-CCDI has taken the tool provided by GoPhish and developed a set of instructions (.pdf) that small organizations may use to configure this framework for use on their network.