8:40 am - 9:00 am
CT
1:40 pm - 2:00 pm UTC | Opening Remarks |
9:00 am - 9:20 am
CT
2:00 pm - 2:20 pm UTC | Table Top Introductions - Get to know your neighbor |
9:20 am - 10:00 am
CT
2:20 pm - 3:00 pm UTC | In Person Speakers Keynote | |
10:00 am - 10:20 am
CT
3:00 pm - 3:20 pm UTC | Break |
10:20 am - 10:55 am
CT
3:20 pm - 3:55 pm UTC | Virtual Track Game On! Building a Winning Cybersecurity Culture Through Gamification Encouraging your workforce to actively engage with cybersecurity awareness content can be a challenge. Employees often perceive information security as daunting, technical, and restrictive—making it difficult to spread awareness beyond the surface level. So how can we deepen user engagement and build trust by showing information security as approachable, digestible, and fun? Through games.
Leveraging tools our company already has (PowerPoint and PowerApps), we create completely customized games catered to current company needs and security trends. Since “leveling up” our gamification efforts, we’ve seen a significant increase in audience participation. Users report they are better able to retain information, feel more secure in their cybersecurity decision-making, and actively seek out our other content.
At the conclusion of this presentation, attendees will be able to:
• Think creatively about resources that might already be available at their company.
• Learn strategies for selecting a topic and theme.
• Design themed graphics.
• Develop a marketing plan to distribute their games.
• Gather metrics and feedback to demonstrate learning and effectiveness.
|
10:20 am - 10:55 am
CT
3:20 pm - 3:55 pm UTC | In Person Speakers How Boola the Cyber Bee Transformed Yale's Awareness Program: Building Buzz to Boost Engagement Branding isn't just for marketing—it's a powerful tool for driving cybersecurity awareness and engagement. At Yale University, we developed Boola the Cyber Bee as a recognizable figure to promote cybersecurity best practices across campus. This session will explore the process of building and evolving a cybersecurity awareness brand, leveraging partnerships, and using innovative marketing strategies. Attendees will learn practical steps to establish or enhance their own programs, making security awareness fun, engaging, and memorable. Expect interactive discussion, creative ideas, and actionable takeaways to boost your institution’s cybersecurity culture.
|
11:00 am - 11:35 am
CT
4:00 pm - 4:35 pm UTC | Virtual Track Reeling in the Right Vendor: A Project Manager's Guide to Security Awareness Platform Selection This session will provide actionable insights and practical tools to help security awareness professionals confidently navigate the vendor selection process, ultimately leading to stronger security awareness programs and a more resilient organization. We're solving the problem of unorganized and ineffective vendor selection by applying project management principles to the process.
Navigating the crowded marketplace of security awareness and phishing simulation vendors can feel like traversing a minefield. Many security awareness professionals find themselves overwhelmed by the sheer volume of options, leading to rushed decisions and ultimately, suboptimal platform selections. This presentation aims to empower attendees with a structured, project management-driven approach to vendor evaluation, ensuring they select the right tools to bolster their organization’s security posture.
We’ll delve into the crucial phases of a successful Proof of Concept (POC), transforming the often-chaotic vendor selection process into a streamlined and effective project. Starting with the foundational Functional Requirements Phase (figuring out what you actually need), we’ll explore how to meticulously define your organization's unique needs, ensuring alignment with potential vendor capabilities. This involves crafting detailed requirement documents and prioritizing features based on risk and impact.
Next, we’ll move into the Demo Testing Phase (trying out the demos), where we’ll dissect the art of evaluating vendor demonstrations. Attendees will learn how to ask the right questions, identify red flags, and assess the user-friendliness and administrative efficiency of each platform. We’ll emphasize the importance of hands-on testing and tailoring demonstrations to your specific use cases.
The User Acceptance Testing (UAT) - POC Phase (letting your users test it out) is where the rubber meets the road. We’ll uncover how to design effective UAT scenarios, involve key stakeholders, and measure the platform’s performance against predefined metrics. This phase is crucial for validating the platform’s real-world effectiveness and identifying any potential gaps.
Finally, we’ll address the Acquisition Phase (getting the platform), providing practical tips for negotiating contracts, managing implementation, and ensuring a smooth transition. Attendees will learn how to leverage the insights gained during the POC to secure favorable terms and maximize the return on their investment.
Key Takeaways:
• Structured Methodology: Attendees will be taught a clear, repeatable process for evaluating security awareness and phishing vendors, and receive an evaluation grid template.
• Requirement-Driven Selection: Attendees will understand how to define and prioritize functional requirements to align with organizational needs.
• Effective POC Execution: Attendees will learn how to master the art of conducting thorough demonstrations and user acceptance testing.
• Risk Mitigation: Attendees will be able to reduce the risk of selecting an unsuitable platform by implementing a robust evaluation process.
• Project Management Skills: Attendees will gain practical project management skills applicable to vendor selection and beyond.
|
11:00 am - 11:35 am
CT
4:00 pm - 4:35 pm UTC | In Person Speakers From Mismatched to Mastery: Crafting the Perfect Fit for Cybersecurity Awareness Casie Clark, Cybersecurity Manager, Governance, Outreach & Awareness, Whirlpool Imagine trying to fit every employee into the same pair of shoes — uncomfortable, right? The same happens when organizations apply a ‘one-size-fits-all’ approach to cybersecurity awareness. As our environments evolve and our adversaries become increasingly sophisticated, doubling down on this outdated and rigid approach is no longer a match for the complexities we face in modern security threats.
Join us for an enlightening session where you'll discover how to revolutionize your cybersecurity awareness program. Learn from your security awareness peers on how you can ditch your generic human risk mitigation plan and tailor your approach to fit the unique needs of your organization and audience.
We'll explore:
* Why customization is key: Understand the pitfalls of generic strategies and the benefits of a personalized approach, considering your industry, job functions and high-risk roles.
* Evolving beyond the old ways: Gain practical tips on how to transition from outdated methods to innovative, effective practices.
* Measurable success: See the tangible outcomes of a tailored strategy, from increased leadership buy-in and reduced risk to improved KPIs.
Don't miss this opportunity to transform your cybersecurity awareness efforts and make a lasting impact on your organization's security posture.
|
11:40 am - 12:20 pm
CT
4:40 pm - 5:20 pm UTC | Virtual Track People are not the "weakest link in Cybersecurity". Our understanding of people is. Inge Wetzer, Principal Social Psychologist Cybersecurity & Compliance, Bureau Veritas Cybersecurity “Humans are the weakest link in cybersecurity.” A statement frequently made in the field of security, and taken for granted by many. What has gained less attention, however, is the (lack of) understanding of people that exists in the field of cybersecurity. Attempts to tackle the human factor have mainly focused on increasing awareness from cybersecurity specialists’ point of view. However, cybersecurity experts have a different motivation and different interests in this specific topic. Therefore, they tend to set up campaigns from their own point of view; sending knowledge to their target audience on what they think is important, and more dangerously, based on their own assumptions. Interestingly, ‘people’ is as much an expertise as is ‘cybersecurity’. Strangely enough, the tendency exists to ask security experts to take care of the people part. Nevertheless, people, and more specifically their behavior, is the expertise of psychologists. As hilarious as we would find the idea of asking a psychologist to build a firewall, so normal do we find the idea of asking an IT specialist to influence people’s behavior.
The fact that not the people are the weakest link, but our understanding of them is, is hopeful. It gives us some control back! The solution is to be found in our understanding of the employees. This presentation focuses on insights from psychology, and how they can be applied into the field of cybersecurity. It highlights the most interesting perspectives from psychology and shows how these can be translated into an effective awareness and behavior program.
|
11:40 am - 12:20 pm
CT
4:40 pm - 5:20 pm UTC | In Person Speakers Lightning Talks 11:40 - 11:50 am | Deepfake diaries: The latest AI-based attacks and how to help your employees detect them, Kerry Tomlinson What are the newest AI-fueled attacks your employees face at work and at home? You'll see real-life video and audio deepfakes that attackers are currently using to try to trick people into giving up passwords, data and money. Learn how and when cyber criminals are deploying this AI-generated content, the latest methods on how to unmask the fakes, and strategies for sharing these skills with your employees.
Award-winning reporter Kerry Tomlinson shares her collection of real-world deepfake attacks and provides practical tips for people to protect themselves, from employees and CEOs to their families at home. She'll lay out a game plan for incorporating this essential information into your awareness program now and in the future as AI continues to evolve.
11:50 - 12:00 pm | Designing Globally Relevant Awareness Campaigns, Angel Jordan Creating effective security awareness programs for global workforces requires more than just translation—it demands an understanding of cultural context. This session will demonstrate how to design security campaigns that respect cultural differences while enhancing engagement and behavior change.
Key Takeaways: Attendees will learn actionable strategies to build globally relevant security programs using a step-by-step approach:
- Conducting a Cultural Audit: Learn how to assess cultural norms, communication styles, and regional priorities through employee feedback, focus groups, and cultural ambassador partnerships.
- Tailoring Messaging for Impact: Discover how to adapt security messages to align with cultural values. Examples include using competitive gamification for U.S. teams, storytelling for Indian audiences, and regional customs for Latin American campaigns.
- Building Collaborative Partnerships: Understand how to engage employee resource groups (ERGs), local leaders, and cultural ambassadors to co-create content that feels authentic and respectful.
- Avoiding Cultural Missteps: Gain practical tips for identifying and addressing unintentional stereotypes or assumptions while celebrating cultural identity in your campaigns.
12:00 - 12:10 pm | From NGO to Cyber: The Psychology of Doing More With Less, Anna Pieczatkowska I spent half my career running grassroots campaigns for nonprofits where budgets were tight but creativity thrived. Then I stepped into corporate information security and realized that the same inventive approach—plus a background in psychology—could transform how we tackle human risk. In this session, I’ll show you how to borrow from the nonprofit playbook with practical strategies for planning cost-effective yet high-impact events, unearthing hidden talent, and proving to leadership that imagination can outperform big spending. If you’re tired of hearing “we can’t afford that,” learn how to turn budget limits into powerful opportunities that truly engage employees and elevate your security culture. Expect rapid storytelling, hands-on tips, and a refreshing perspective on why the best way to ignite real change might just come from the nonprofit world.
12:10 - 12:20 pm | Collaboration and Competition: Leveraging School Spirit, Cindy McKendall Persuading faculty and staff to care about security awareness at an educational institution is often challenging. Budgets are small, attention spans are short and responsibilities such as teaching take precedence. Being secure can be a low priority, and cybersecurity can even conflict with educational ideals like openly sharing research data. This is as true for small colleges as it is for large universities such as those in the Big Ten.
When you think of Big Ten universities, you may picture them clashing on the football field, the basketball court or the soccer pitch. But Big Ten institutions can and do work together outside of sports arenas! In this presentation, participants will learn how different universities of the Big Ten (which now comprises eighteen institutions of higher education) came together to motivate employees at each institution. Representatives from each university cooperated and collaborated to plan a cybersecurity game show event that was the culmination of Cybersecurity Awareness Month. By harnessing the power of school spirit and friendly competition, faculty and staff from across the Big Ten learned about cybersecurity, increased their security awareness and had fun doing it.
In this presentation, we’ll demonstrate how we were able to harness a natural competitive spirit to deliver security awareness in a fresh, new way via gamification, while delivering cost savings to our institutions through collaboration. Participants will come away from this presentation with ideas on how to incorporate competition into their own security awareness programs, as well as ways to reach and involve disengaged employees in security awareness.
|
12:25 pm - 1:30 pm
CT
5:25 pm - 6:30 pm UTC | Lunch |
1:30 pm - 2:45 pm
CT
6:30 pm - 7:45 pm UTC | Workshops Workshop | Hidden Gems: Free & Cheap Tools to Level Up Your Training Tired of dry, lecture-based cybersecurity training? Join me for a hands-on exploration of free and budget-friendly tools that transform learning into engaging games and interactive experiences. In this demo-packed session, we’ll ditch the static slides and dive into practical applications of readily available software, proving that effective training doesn't have to break the bank.
We'll journey through a curated selection of tools, showcasing how to build compelling cybersecurity games, interactive simulations, and dynamic training modules. Discover how to leverage free game engines, accessible graphic design platforms, and collaborative online tools to create immersive learning experiences. You’ll witness real-time demonstrations of how these resources can be combined to teach complex cybersecurity concepts in a fun, digestible way.
Attendees will learn:
* How to utilize free and low-cost game engines to create interactive cybersecurity scenarios.
* Practical techniques for designing engaging visuals and graphics without needing advanced design skills.
* Methods for building collaborative learning environments using accessible online platforms.
* Strategies for incorporating gamification elements into training to boost learner engagement and knowledge retention.
* Actionable steps to immediately implement these tools into your own training programs.
Leave this session with a toolkit of practical skills and resources, ready to transform your cybersecurity training from mundane to masterful. You’ll gain the confidence to create captivating learning experiences that empower your audience to master critical cybersecurity skills through play and interaction. Come ready to play, learn, and build!
|
1:30 pm - 2:05 pm
CT
6:30 pm - 7:05 pm UTC | In Person Speakers Challenges and solutions for building a cybersecurity culture in a complex organization As the Cybersecurity Culture and Competence Manager at KONE, a global organization with over 65,000 employees, including factory workers and operatives, I face a significant challenge in implementing and embedding a strong cybersecurity culture. While cybersecurity is a top priority for our leadership, and there is strong engagement from the highest levels, we encounter recurring obstacles in translating this commitment into tangible change. The complexity of our organization—spread across multiple countries, languages, cultures, and business units—presents unique challenges when it comes to reaching every employee and driving real behavioral change.
In this session, I will explore these challenges and offer practical solutions for building a sustainable cybersecurity culture in large, diverse organizations. I’ll share the key lessons learned from our efforts, including the communication barriers faced when working with a global, multilingual workforce and the difficulties in creating consistent cybersecurity awareness across varied employee segments, from office-based professionals to factory operatives.
Despite strong organizational support, the reality is that implementing a culture change is not as simple as setting goals and expecting results. We will dive into why initiatives often fall short, even when leadership buy-in is evident, and how to address the gap between strategy and execution. I’ll provide actionable insights into how organizations can:
- Leverage innovative tools and platforms to overcome cultural, language, and accessibility barriers.
- Establish effective communication channels that resonate with diverse employee groups.
- Measure and track the success of cybersecurity culture initiatives, despite the complexities of a global organization.
Through real-life examples, I will explain what has worked and what hasn’t in our journey.
|
2:10 pm - 2:45 pm
CT
7:10 pm - 7:45 pm UTC | In Person Speakers Hacking Minds & Shaping Behaviors: How to drive habit changes in your cybersecurity awareness program through Neuroscience & Behavioral Psychology? Leandro Rocha, Security Awareness Officer, Clube de Regatas do Flamengo Building a lasting security culture is a big challenge, especially when many users lack the motivation to change their habits.
In this presentation, I will explore how principles of neuroscience, behavioral psychology, and practical learning can enhance engagement, improve knowledge retention, and drive lasting behavioral change within cybersecurity awareness programs.
This approach is grounded in real-world practice, developed and implemented during my role as Security Awareness Officer at Flamengo, one of Brazil’s largest soccer clubs, with over 40 million supporters.
We’ll break down three of the most common hurdles faced by cybersecurity awareness managers—and the science-backed techniques to overcome them.
1. Knowledge retention: How to prevent information from being forgotten?
One of the greatest challenges in any security awareness training program is ensuring that knowledge is retained over time rather than quickly forgotten. The human brain learns more effectively when information is delivered in a spaced, interactive format rather than through a single, intensive training session. In this session, I will explore how neuroscience-based learning techniques—such as spaced repetition, short and frequent simulations, quizzes, prior knowledge activation, multisensory learning (Visual, Auditory, and Kinesthetic), and gamification—can enhance information retention and elevate your program from a simple compliance requirement to a truly impactful experience for your users.
2. Behavioral change: How to turn knowledge into action?
Knowing is not the same as doing. To drive meaningful behavior change, applying BJ Fogg’s behavior model to the security awareness training program can be highly effective. We will explore the importance of understanding your audience, identifying their motivations and expectations, providing immediate feedback and positive reinforcement, setting progressively challenging goals, and leveraging social recognition. These strategies are essential for making secure behaviors become second nature.
3. Emotional engagement: How to get users to care?
Traditional training programs fail because they lack emotional connection. True engagement occurs when employees feel like an integral part of the process. I will explore how techniques designed to create stimuli and encourage interaction—such as gamification, storytelling, and social dynamics—can cultivate authentic involvement, spark curiosity, and reinforce each individual’s role as a key player in the organization’s defense, making awareness initiatives more dynamic, engaging, and rewarding.
In addition to addressing the challenges mentioned, I will share lessons learned and present key metrics and KPIs to evaluate the impact of the mentioned techniques, such as phishing report rates, training participation rates, and engagement rates.
Key Takeaways
Regardless of their organization’s size or maturity level, by the end of the presentation, participants will gain practical insights and tools to:
- Apply neuroscience and behavioral psychology methodologies in information security programs;
- Make the program more attractive and engaging, increasing user participation and engagement;
- Improve knowledge retention and content assimilation;
- Promote lasting and effective behavioral changes by encouraging the adoption of secure habits in daily routines, empowering users to actively assist the company in mitigating real-world risks; and
- Measure the program’s impact using concrete metrics and data.
|
2:50 pm - 3:10 pm
CT
7:50 pm - 8:10 pm UTC | Break |
3:10 pm - 12:35 pm
CT
8:10 pm - 5:35 pm UTC | Workshops Workshop | Human-Centric Security: Enhancing Security Awareness Programs through Design Thinking In today's rapidly evolving threat landscape, traditional security awareness programs often struggle to design engaging, effective initiatives that truly meet the needs of their user population. This session will introduce attendees to the transformative power of Design Thinking/Human-Centered Design in developing and enhancing security awareness and human risk management programs. Design Thinking is a creative problem-solving approach that balances user needs with technical feasibility and business viability. By fostering innovative thinking and challenging traditional assumptions, Design Thinking ensures that security initiatives are not only effective but also engaging and sustainable.
During this session, participants will gain a comprehensive understanding of what Design Thinking is and why it is crucial for modern security programs. We will explore the key phases of Design Thinking—Empathize, Define, Ideate, Prototype, and Test—and provide simple techniques for applying each phase to security awareness and human risk management. Attendees will learn how to:
- Empathize: Conduct user research to understand the needs, motivations, and pain points of their target audience.
- Define: Identify and articulate problem statements and objectives based on insights gathered during the empathize phase.
- Ideate: Generate innovative ideas and solutions through brainstorming sessions and collaborative workshops.
- Prototype: Develop tangible representations of ideas to test and refine concepts.
- Test: Evaluate prototypes with real users to gather feedback and iterate on solutions.
By the end of this session, attendees will be equipped with practical strategies to evolve their security awareness programs from mere compliance exercises to dynamic, user-centered initiatives that effectively mitigate human risk.
Join this session to discover how Design Thinking can drive meaningful change and foster a culture of security within your organization.
|
3:10 pm - 3:45 pm
CT
8:10 pm - 8:45 pm UTC | In Person Speakers Transparency Over Secrecy – How We Built a Security Scorecard That Drives Accountability Without Fear Gina Andrews, Senior Information Security Program Manager, Rocket Security awareness programs often stop at training and phishing simulations, but that’s just scratching the surface. Real culture change happens when employees understand their security behaviors and feel empowered to improve them. What if every employee had their own Security Score?
At our organization, we broke from industry norms by designing a Security Scorecard to empower employees, engage leadership, and create transparency around human risk. Many companies hesitate to show employees their security scores, fearing resistance or punitive associations. However, we found that the key to cultural change isn’t secrecy—it’s visibility.
In this session, we'll share how we built a Team Member Security Scorecard that engages employees, empowers leadership, and makes human risk more transparent, and how we accomplish this without creating fear or finger-pointing. We’ll break down:
Securing Leadership Buy-In: How we partnered with executives, risk leaders, and HR to position the scorecard as an awareness tool, not a punishment.
Building the Scoring Model: How we weighed different security behaviors, like phishing simulations, MFA usage, and password hygiene to reflect real-world risk.
Messaging That Engages, Not Alarms: How we introduced the scorecard through onboarding, leader huddles, and champions programs to foster education and ownership.
Driving Culture with Transparency: How we integrated the score into performance conversations, executive dashboards, and company-wide business goals.
Lessons Learned: The challenges we faced (and how we tackled them), from gamification to data privacy concerns to internal politics.
Since its launch, our Security Scorecard has become a core part of how we talk about security. It sparks conversations in teams, influences leadership decisions, and helps employees see how their individual actions impact the company’s overall risk.
Whether you're starting from scratch or looking to evolve your employee engagement program, you'll leave this session with practical steps, pitfalls to avoid, and lessons learned to help you bring transparency and accountability to your security culture.
|
3:50 pm - 4:25 pm
CT
8:50 pm - 9:25 pm UTC | In Person Speakers Beyond Click Rates: Using Holistic Metrics to Drive Security Awareness Success Security awareness programs often default to measuring success through phishing click rates, but true effectiveness requires a more comprehensive approach. This talk will explore how to build a robust security awareness metrics strategy that goes beyond surface-level engagement and creates a feedback loop for continuous improvement.
Attendees will learn how to:
• Identify and Track High-Risk Groups: Not all users pose the same risk. We’ll discuss why you should leverage metrics to track high-risk user groups—such as those with privileged access, frequent security violations, or those traveling to higher risk regions—and tailor education accordingly.
• Set and Measure Long-Term Training Goals: Measuring awareness requires a multi-year approach. This talk will outline strategies for setting meaningful security training goals over a 2–3 year period, including tracking improvements in user behavior, reporting rates, and secure decision-making.
• Develop Holistic Security Metrics: A strong awareness program integrates multiple data points—such as phishing simulation results, training completion, engagement with the security team, and security tool usage—to paint a clearer picture of a security awareness program. We’ll discuss how to aggregate these metrics into meaningful insights.
• Use Metrics as a Feedback Loop: Security awareness should not be a one-and-done effort. We’ll cover how to use metrics to refine content, adjust approach to engagements, and drive the direction of your security awareness program. By continuously analyzing metrics, teams can identify trends, adapt training approaches, and demonstrate measurable security improvements over time.
By the end of this session, security awareness professionals will walk away with a practical framework for tracking engagement metrics that truly reflect behavioral change, risk reduction, and the long-term impact of their awareness programs.
|
4:30 pm - 4:45 pm
CT
9:30 pm - 9:45 pm UTC | Wrap Up |