As we come back to the Security Awareness Training Evolution series after our two-week hiatus, let’s revisit some of the key issues described in the introduction. We made the case that for liability, compliance, and even security reasons you can’t really decide not to train your users about security. Of course you could, but it would be counterproductive – you need to be realistic, and accept that you cannot reach every employee and employees do stupid things. But you can reach some, if not most, and reaching those folks will minimize the number of issues you have to clean up.
Of course, balancing how much time and effort to spend on security awareness training is a company-specific decision which depends on the sophistication of your employee base, the kinds of adversaries you face, and your organizational culture. Regardless of how much time and effort you spend and which techniques you use, if your security awareness training content is poor it will be wasted effort. This post will tackle the issues around developing (or buying) great content – as they say, “Content is king!”
Let’s start by defining great content. Here is a list of some key requirements:
- Behavioral modification: The training content needs to work. You should be managing to outcomes, and your desired outcome for training is that employees learn what not to do (and subsequently don’t do it), so if behavior doesn’t change for a reasonable percentage of employees, the content is ineffective.
- Current: Security is a dynamic environment, so the training materials need to be kept up to date. Yes, you still need to tell the employees about vintage 2009 attacks because you will still see those. But you also need to train them to defend against the latest and greatest attacks, because those are what they are most likely to see.
- Comprehensive: Captain Cliche reminds you that security is only as strong as the weakest link. Employees need to be prepared for almost everything that will be thrown at them. It is neither realistic nor feasible to turn normal employees into security professionals, but they can understand the major attack vectors and develop a ‘Spider-Sense’ so they are aware of attacks as they happen. They won’t be able to defend against attacks you don’t train them on.
- Compelling: Most employees don’t really know what’s at stake, so they don’t take the training seriously. We are not fans of trying to scare employees or playing Chicken Little, but they need to understand the consequences of data breaches. It’s really just a matter of integrating a few stories and anecdotes into the training materials to make the attacks a bit more real, humanizing attacks and taking them from theory to reality.
- Fun: Boring content is boring. If employees don’t enjoy the training materials they will shut down and do just enough to pass whatever meaningless test you put them through. They will forget what they learned as soon as they leave the room. As corny as it may seem, no fun usually means no (or little) learning.
Most folks have short attention spans. Organize your content into small chunks, typically 3-5 minutes for some kind of lecture, or an exercise that can be completed in that kind of timeframe. The gluttons for punishment in your employee base may want to blast through 5-10 chunks at a time, but give folks the option to get through a lesson during a quick break. That way they don’t have to totally disrupt the flow of their day to get training.
Weigh the effectiveness of video compared to a presentation deck with a talking head. Stories are more effectively told through video, and your training materials need to tell a story about the importance of security and how to defend against attacks.
Two of the key requirements for better content are compelling and fun, so the shiny new concept of ‘gamification’ should come into play. Maybe it’s not actually new – many of your younger employees were probably taught to type by Mavis Beacon. Now academia is catching on, and a number of studies show that adding competition and gaming concepts to learning dramatically increases retention and value.
One organization we have worked with pits its business units against each other for the fewest infections per quarter. The BU with the lowest number each quarter gets possession of a $100 trophy, and the company takes the contest very seriously. It turns out business leaders want to win, whatever the game is. To be clear, this isn’t really an educational ‘game,’ but it is competition to get the right outcome for the organization, thus minimizing infections. And nothing gets everyone on board faster than senior management making it clear they want to win.
In terms of structuring content within the context of a game, here are a couple of ideas to ponder:
- Levels: Humans love to achieve things and to feel that sense of accomplishment. If your training involves multiple levels of content within the materials, and employees need to qualify to proceed to the more advanced lessons, they will be pushed to advance their skills to attain the next level.
- Points: Depending on the nature of the training you can award points for better or faster results/performance. Again, human nature is to collect an increasing amount of things for that sense of accomplishment.
- Scoreboard: If you will award points for proper outcomes, you might as well highlight the best performers to recognize employees doing exceptionally well, and to drive others to compete.
- Penalties: No one likes to lose what they have gained, so you could take points away from an employee if they don’t complete the next level (or at least go through the next lesson) within a certain amount of time. Knowledge erodes over time, so you want to have the employees complete the materials as quickly as possible and then reinforce the material soon after.
And that’s just the tip of the iceberg. You could design (or license) a curriculum using an offensive mindset: basically a simple capture-the-flag style simulation, where employees try different tactics to compromise devices, move laterally, obtain the targeted content, and exfiltrate. By understanding the methods and processes attackers use, they become better prepared to defend themselves. And it’s fun. Just ask any pen tester. As you can see, the possibilities are endless, but it has become clear that gamification will become a key part of security awareness training.
Above we discussed how training content depends at least partially on organizational culture. The same goes for social engineering your own employees. When hacking your employees you risk offending some when they fall for an internal phishing simulation or insert that found USB stick into their computer. Folks don’t like to be called out on their mistakes – especially in a public forum. But that doesn’t mean you shouldn’t do it. The folks who are pissed off are likely to be your best students. They are very unlikely to make the same mistake again. Just understand you might need a flak jacket to handle the ire.
Using social engineering tactics to train your employees is critical to any security awareness training effort, for a simple reason: adversaries use social engineering tactics. Adversaries are gaining presence on your networks by sending phishing email to unsuspecting employees. They call your help desk to reset passwords, and use a variety of other tactics for reconnaissance and to stage attacks.
Your only defense against these tactics is to show employees how they work, and you cannot do that effectively with static training content. Whether employees stayed awake during the lesson tells you very little about whether they got the message. But social engineering attacks lend themselves particularly well to simulation. If you actually stage a phishing (or other social engineering) simulation in your environment, you will learn very quickly how effective your training efforts have been.
But handle employees duped by the simulation with grace. There is no need to publicly embarrass employees or call out their mistakes during a company all-hands meeting. Instead use mistakes as a catalyst for impactful training to educate employees about what they did wrong and what they should do differently next time.
Also be sure to check with the general counsel and human resources to get them into the loop before the simulation. This isn’t about asking for permission, but make sure they are aware, and hopefully they can suggest how to handle the inevitable friction. If you are going to social engineer your employees, here are a couple of requirements to keep in mind:
- Deliverability: Step 3 of the Kill Chain is all about deliverability. The best exploit in the world isn’t effective if the targets don’t get it. So whether you are dropping USB thumb drives or sending phishing messages, you need to make sure your simulated attack gets through.
- Flexibility: Today’s attackers don’t just use one tactic. So your simulation environment needs to be able to launch a variety of attacks at employees, not limited to email delivery, but covering other web-based and application-centric attacks. The attackers will use whatever means are necessary to break in so you need to simulate those same tactics.
- Metrics and tracking: First make sure to grab a baseline to figure out how your employees do with limited training. Then by tracking how well your employees detect attacks over time you can start identifying trends and isolating the weak links in the organization – specific employees and groups. These metrics also provide a way to justify the ongoing investment in awareness training – assuming the results are positive.
- Integration with existing training platforms: If your organization already has a corporate training platform it makes sense to leverage that. Anything you would build should use the existing platform, and security awareness training content you buy should be integrated with the existing platform – typically via a standard like SCORM.
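As an added example (not code from the original post), here is the kind of tracking the “Metrics and tracking” requirement calls for, combined with the per-business-unit scoreboard idea from earlier: baseline and follow-up phishing simulation results are turned into click and report rates, ranked, and any unit that has not improved enough is flagged. The campaign records are constructed, and the field names and the 20% improvement threshold are assumptions.

```python
"""Phishing-simulation metrics: baseline vs. follow-up campaigns per business unit.

Added example; the records below are constructed and the 20% threshold is an assumption.
"""

# Constructed campaign results: (campaign, business_unit, sent, clicked, reported).
# "clicked" = opened the simulated lure, "reported" = forwarded it to security.
RESULTS = [
    ("baseline", "finance",     50, 21,  4),
    ("baseline", "engineering", 40,  9, 12),
    ("baseline", "sales",       60, 27,  3),
    ("q1",       "finance",     50, 19,  6),
    ("q1",       "engineering", 40,  3, 21),
    ("q1",       "sales",       60, 10, 18),
]


def rates(results):
    """Per (campaign, business unit): (click rate, report rate) as fractions of messages sent."""
    out = {}
    for campaign, bu, sent, clicked, reported in results:
        out[(campaign, bu)] = (round(clicked / sent, 3), round(reported / sent, 3))
    return out


def scoreboard(results, campaign):
    """Business units ranked best to worst for one campaign: lowest click rate wins,
    ties broken by the higher report rate (the post's '$100 trophy' competition)."""
    r = rates(results)
    rows = [(bu, click, rep) for (c, bu), (click, rep) in r.items() if c == campaign]
    return sorted(rows, key=lambda t: (t[1], -t[2]))


def weak_links(results, baseline, latest, min_drop=0.20):
    """Business units whose click rate fell by less than min_drop (relative to the
    baseline campaign). These are where follow-up training should go first."""
    r = rates(results)
    flagged = []
    for (c, bu), (click, _) in r.items():
        if c != latest:
            continue
        base_click = r[(baseline, bu)][0]
        if base_click and (base_click - click) / base_click < min_drop:
            flagged.append(bu)
    return sorted(flagged)


if __name__ == "__main__":
    for bu, click, rep in scoreboard(RESULTS, "q1"):
        print(f"{bu:12} click={click:.1%} reported={rep:.1%}")
    print("needs attention:", weak_links(RESULTS, "baseline", "q1"))
```

Run stand-alone it prints the ranked Q1 scoreboard and names finance as the unit whose click rate barely moved since the baseline.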
Buy or Build
We don’t want to make any snap judgements about your capabilities, but you probably aren’t a world class video director, game designer, or phishing attack simulator. Or else you should be doing that instead of reading about awareness training. So developing this kind of content on your own may be beyond your skills and most likely your interest. So you should probably look for commercial training content. How do you find and buy these kinds of services?
It is a fast-moving market so you can start with a quick web search. Find 5-10 providers of security awareness training content and check out their sites. Remember that this content will most likely be delivered online. Watch their demo videos, play their demo games, and get a feel for how their system works. Much of this decision is subjective. Do you like it? Is it entertaining and current? Would your employees like it, and therefore be much more likely to participate?
Once you make your short list of potential providers you will want to run a test group through the training or simulation, and do a focus group of sorts to gauge effectiveness and fit with your culture. Many of these services are now delivered via a subscription-based SaaS-type offering, so you should apply the same discipline as when buying any other kind of service. You need to negotiate service levels, understand the provider’s data security (your employee data will be in their system), and ensure you can get out of the agreement if the curriculum isn’t kept up to date.
Now that you understand compelling security awareness training content, we will put it all together and go through a Quick Win scenario in the next post to wrap up this series.