It seems everyone has an opinion about security awareness training, and most of them are negative. Security luminaries have largely panned awareness training as ineffective and a waste of time and money. They reach for odd analogies, claiming that since we cannot train folks not to eat fast food, security training can never work either. Are they wrong? We have all sat through endless PowerPoint slides telling us what we can and cannot do on the Internet. They threaten you with termination unless you follow the rules specified in the 15-page Acceptable Use Policy, without any context for why those rules matter. It is not much different from your parents telling you that you cannot do something “because we said so.”

But regardless of the specific situation, security awareness training occurs for a few reasons, some more productive (and strategic) than others:

  1. Limit Corporate Liability: If an organization doesn’t make very clear to employees what they can and cannot do with corporate technology assets, it cannot terminate employees for doing the wrong thing. Too much of today’s awareness training content is built as a warning to justify termination. This kind of training is built by lawyers expressly to give them grounds to act against employees if needed. That gives you a warm and fuzzy feeling, doesn’t it?
  2. Compliance Mandate: This is in play in many government organizations, which are expected to follow NIST SP 800-50 to comply with FISMA and build a security awareness and training program. We applaud the mandate – we all know it wouldn’t happen otherwise. But compliance requirements rarely create sufficient urgency to excel, or to address the original goals behind the regulation.
  3. Protect Information: Before our cynicism gets the best of us, some organizations perform security awareness training to actually train employees about security. Imagine that. In this case employees need to know what not to click and why. They need to learn who to call when they think something is wrong, and how to protect their mobile devices, which increasingly contain sensitive data and access. This content is typically built by the security team (or under their watch).

If your current awareness program is controlled by Human Resources with a heavy influence from the General Counsel, you have some work to do. If you are in charge of an awareness training program, at least you can roll out some content to achieve your objectives. That doesn’t mean you understand the latest and greatest training techniques. Nor does it mean you actually have the time to build effective training materials. But at least you can make some decisions about the training program, and that’s a start.

So we are excited to start a new blog series: “Security Awareness Training Evolution.” Adversaries have gotten better, so you need to prepare employees more effectively to be the first line of defense. Obviously they are an imperfect line of defense, but a human control is better than no control at all. As with all our blog series, we will write this one using our Totally Transparent Research methodology, which means we will post everything to the blog first and let you have an opportunity to provide feedback to make sure we are on target.

Before we get started, we would like to thank the fine folks at PhishMe for potentially licensing the paper when we finish. We use the term ‘potentially’ because with our research process there is no commitment on either side until the research is done. That allows us to write what needs to be written, and for each licensee to verify that the content meets their needs (objectively, of course) before they actually license anything.

Pragmatic Security Training

It’s not like a focus on security awareness training is the flavor of the day for us. We have been talking about the importance of training users for years, as unpopular as training remains. The main argument against security training is that it doesn’t work. That’s just not true. But honestly it doesn’t work for everyone. Like security in general, there is no 100%. Some employees will never get it – mostly because they just don’t care, but they bring enough value to the organization that no matter what they do (short of a felony) they are sticking around. You need to accept that those folks will do what they want and you will clean it up. You also need to realize that some of your employees will be targeted by advanced attackers. No amount of security training will protect them if they are targeted. To clean that up you will need some high-end forensics, and if that’s in play you probably should consult our CISO’s Guide to Advanced Attackers.

Then there is everyone else. Maybe it’s 50% of your folks, or perhaps 90%. Regardless of the number of employees who can be impacted and influenced by better training content, wouldn’t it make your life easier if you didn’t have to clean up after them too? Obviously it depends on the organization, but we have seen training reduce the amount of time spent cleaning up easily avoidable mistakes.

Yet, far too many organizations lose interest when they don’t see immediate results. Like any program, security awareness training requires patience and persistence. This is covered in Mike’s Pragmatic CSO book. Here is an excerpt on this point:

The easiest thing to do regarding security awareness is to give up. Most organizations (and CSOs) are impatient. It’s hard to make a consistent effort when it is not clear that progress is being made. There really is a “tipping point” in security awareness, and until you get there, it’s hard to justify the time and investment required by the program.

Thus the most critical success factor for security awareness is CONSISTENCY and PERSEVERANCE. It takes months and years of consistent effort to make security awareness second nature. Your employees have to overcome years of bad habits, like opening attachments and clicking links in emails.

What’s Broken?

How hard could it be to teach folks what not to do? You know, don’t click that link. Don’t open that email. Duh. If your machine doesn’t work well and seems slow, call the help desk. Easy, right? Not exactly. Building effective training content is hard. You have to engage the student and provide more practical information and examples to keep them participating. Many researchers have spent a lot of time discovering the most effective ways to impart information. But most security awareness training materials don’t take advantage of these insights. So the first (and biggest) issue is that the training materials just aren’t very good. For security awareness training, content is king.

Another issue is unclear objectives for the training. Is the training’s purpose to check a box and get an auditor off your back? Are you trying expressly to get employees not to click things? Perhaps you don’t want them to pick up USB sticks in the parking lot and plug them in? Are you trying to get them to understand the physical threats from an intruder gaining access to your facilities? When training materials attempt to cover every possible attack vector they get diluted, and students retain very little of the material. Don’t try to boil the security ocean with overly broad materials. Focus on specific real threats.

What about incentives? Clearly employees need to complete the training. Maybe they need to pass a test to get corporate-issued computing devices, but what then? As a rule employees don’t have any reason to retain the information past course completion, or to use it on a daily basis. If they click the wrong thing, IT comes and cleans up the mess, right? Without either positive or negative incentives employees will forget about the course as soon as they finish it.

Finally, political or organizational headwinds may sabotage your training efforts. If you approach HR to improve the training materials, they may not cooperate because they don’t want to disrupt their carefully scripted first-day orientation schedule. Or business users may not want to take employees out of their jobs for some crappy security training that doesn’t help them make their numbers. There are countless reasons other groups within the organization may be resistant to awareness training, but a lot of it comes back to lack of incentive – mostly because they don’t understand how important it is. And failure to make your case is your problem.

New Training for a New Day

There are many problems with existing security awareness training approaches. But pointing out problems is much less useful than proposing solutions. Let’s list some high-level ideas to improve the value of security awareness training:

  1. Proper Outcomes: The objective of any security awareness training program must be to favorably impact the security of the organization. Focus on that outcome – not on checking a box for compliance or any other justification. That means you need to develop metrics and incentives in the context of the business problem of protecting information, rather than for anything else.
  2. Better Content: Security awareness training content clearly needs to be better, so we need modern training methods. Education has changed, and your training materials need to be current. It is also a good idea to integrate video as appropriate – especially because some modern tactics need to be seen to be believed. Simulated attacks on employees have proven effective – typically phishing because it is one of the most common vectors for gaining presence on your network.
  3. Reinforcement: If your training program starts and ends with the training class, your chances for success are limited. Most people need to see a message several times before it really sinks in, so make sure any training program involves ongoing reinforcement.
  4. Gamification: We talked about the lack of incentives above, and one type of incentive is a game or contest that focuses on results, in the form of a reduction in successful attacks. This engages the competitive instincts of most business leaders, who hate to lose – even if it is just a security contest.
  5. Organizational Buy-in: The rest of the business takes its lead from the executive suite. So you need to sell security awareness training in a language senior executives understand: dollars and cents. You might position training as a way to improve the effectiveness of security controls which you are already paying for.
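Items 1, 2 and 4 above hang together: a simulated phishing campaign produces the raw events, and the program needs metrics from them that can drive both a security outcome and a contest. The script below is an added example written for this post, not code from the original article or from PhishMe. It assumes a hypothetical CSV event log (`timestamp,campaign,user,department,event`, with events `sent`, `opened`, `clicked`, `submitted`, `reported`) and uses constructed sample data; the department names and the scoring rule are illustrative choices, not anything the post prescribes.

```python
"""Score a simulated phishing campaign from an event log (added example).

One line per event: timestamp,campaign,user,department,event
Events assumed for this example: sent, opened, clicked, submitted, reported.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Optional

# Constructed sample log for a hypothetical campaign; not real data.
# Edge cases deliberately included: alice clicks AND submits credentials,
# carol clicks and then reports, dave reports twice, erin does nothing.
SAMPLE_LOG = """\
2024-03-04T09:00:00,Q1-invoice,alice,finance,sent
2024-03-04T09:00:00,Q1-invoice,bob,finance,sent
2024-03-04T09:00:00,Q1-invoice,carol,engineering,sent
2024-03-04T09:00:00,Q1-invoice,dave,engineering,sent
2024-03-04T09:00:00,Q1-invoice,erin,sales,sent
2024-03-04T09:02:10,Q1-invoice,alice,finance,opened
2024-03-04T09:02:40,Q1-invoice,alice,finance,clicked
2024-03-04T09:03:15,Q1-invoice,alice,finance,submitted
2024-03-04T09:05:00,Q1-invoice,bob,finance,reported
2024-03-04T09:10:00,Q1-invoice,carol,engineering,clicked
2024-03-04T09:12:00,Q1-invoice,carol,engineering,reported
2024-03-04T09:20:00,Q1-invoice,dave,engineering,reported
2024-03-04T09:20:00,Q1-invoice,dave,engineering,reported
"""

FAIL_EVENTS = {"clicked", "submitted"}  # either one counts as falling for the lure


@dataclass
class UserOutcome:
    department: str
    sent_at: Optional[datetime] = None
    clicked: bool = False
    reported_at: Optional[datetime] = None


def parse_log(text: str) -> Dict[str, UserOutcome]:
    """Collapse raw events into one outcome per user.

    Duplicate events (a user who reports twice, or opens the mail three
    times) fold into a single outcome so they do not inflate the rates.
    'opened' is ignored on purpose: open tracking is unreliable and is not
    a behaviour the training is trying to change.
    """
    outcomes: Dict[str, UserOutcome] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, _campaign, user, dept, event = line.split(",")
        when = datetime.fromisoformat(ts)
        o = outcomes.setdefault(user, UserOutcome(department=dept))
        if event == "sent":
            o.sent_at = when
        elif event in FAIL_EVENTS:
            o.clicked = True
        elif event == "reported":
            # Keep the earliest report: time-to-report is the useful metric.
            if o.reported_at is None or when < o.reported_at:
                o.reported_at = when
    return outcomes


def score_departments(outcomes: Dict[str, UserOutcome]) -> Dict[str, dict]:
    """Per-department click rate, report rate and median minutes to report."""
    by_dept: Dict[str, List[UserOutcome]] = defaultdict(list)
    for o in outcomes.values():
        by_dept[o.department].append(o)
    scores = {}
    for dept, users in by_dept.items():
        sent = len(users)
        clicked = sum(1 for u in users if u.clicked)
        reported = [u for u in users if u.reported_at is not None]
        minutes = [(u.reported_at - u.sent_at).total_seconds() / 60
                   for u in reported if u.sent_at is not None]
        scores[dept] = {
            "sent": sent,
            "click_rate": clicked / sent,
            "report_rate": len(reported) / sent,
            # Clicked, then reported anyway: the reinforcement message landed.
            "clicked_then_reported": sum(1 for u in reported if u.clicked),
            "median_minutes_to_report": median(minutes) if minutes else None,
        }
    return scores


def leaderboard(scores: Dict[str, dict]) -> List[str]:
    """Rank departments for the contest.

    Reporting is rewarded, not just avoiding clicks; otherwise a department
    that ignores every email (and every real phish) would always win.
    """
    return sorted(scores, key=lambda d: (
        -(scores[d]["report_rate"] - scores[d]["click_rate"]),
        scores[d]["click_rate"],
    ))


if __name__ == "__main__":
    scored = score_departments(parse_log(SAMPLE_LOG))
    for rank, dept in enumerate(leaderboard(scored), 1):
        s = scored[dept]
        print(f"{rank}. {dept}: click {s['click_rate']:.0%}, "
              f"report {s['report_rate']:.0%}, "
              f"median report time {s['median_minutes_to_report']} min")
```

The scoring rule is the part worth arguing about internally. Ranking on click rate alone makes "delete everything from outside" the winning strategy, which is not the behaviour you want; ranking on reports minus clicks rewards the group that both avoids the lure and tells you about it, and tracking clicked-then-reported separately tells you whether the "who to call" part of the training is working even when the "don't click" part isn't yet.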

This series will first tackle the challenges of developing better training content. Then we will use our Quick Wins approach to show how to get things moving quickly and effectively, by moving decisively to get organizational buy-in, and then building that into a successful security training program. Don’t blink – this will be a quick series, but better security awareness training makes your security program more effective.

Artwork courtesy of The Pragmatic CSO.