In the first two posts of this series we suggested that any security awareness training program needs to be focused on the proper outcomes and driven by great content. Let’s not forget the unassailable truth that the success of any security initiative is based on building momentum and making demonstrable progress early in the deployment cycle. This is not only the case for projects that involve implementing shiny boxes to block things. With a program as visible as security awareness training, with success criteria not necessarily directly attributed to training efforts, the need for a Quick Win is more acute. Especially given the likely pushback from employees duped by attack simulations. But let’s not put the cart before the horse.
You don’t get to roll out new and updated content without getting the organization to buy into the need to revamp any security awareness training initiatives. Selling the training program internally involves making a case for the payback of the investment in training curriculum, services, and employee time.
The best way we have found to make this case involves leveraging attack and breach data that is reasonably plentiful. Start with data on the types of attacks that result in compromised devices (available from the myriad of breach reports hitting the wires weekly), and position the value of the training around the reality that the majority of delivery methods for weaponized exploits involve social engineering. From there you can look at the potential economic impact of those attacks – in terms of lost data, compliance fines, and direct incident response and/or disclosure costs. Compare to the costs of improving training, and the case for investing in training should come clear.
Don’t stop justifying with direct cost savings from reducing successful attacks – point to operational benefits as well. These include an improved malware detection as well as accelerated incident response from having employees versed in security and attack vernacular. Security-savvy employees can tell you what they clicked on, which websites they visited, and why they believe they have been compromised – facilitating triage and root cause analysis.
And don’t be bashful about using information from your own organization. If any of your employees have been compromised due to tactics directly taught in the awareness training (such as phishing messages), you can make the case that the impact of attacks (including clean-up costs) could be reduced by more effectively training employees.
Once the organization is on board you should be able to demonstrate the ongoing value of the program. So you need to figure out where you are right now. You should run a relevant sample of your employees through the qualification tests and/or simulations to gauge where they are before the training starts. This will provide a baseline for comparing future results and tracking metrics against.
Of course there is always the fortuitous happenstance that your sample of employees could perform exceptionally well in the baseline tests, reducing the urgency for better security awareness training content. This would be a good problem to have. But we have been doing this a long time, and we cannot pinpoint many (or any) examples of being pleasantly surprised by employee security knowledge, but there is always a first time, right?
More likely you will see the seriousness of your situation, and get a renewed understanding of the importance of moving the training program forward decisively and quickly.
Low Hanging Fruit
The good news is that in the absence of a formal (or effective) security awareness training program, initial improvement is likely to be obvious and significant. You can pretty much count on employees starting with very little security knowledge, so a little training normally makes a big difference. Getting the quick win is about making sure you take the baseline and improve upon it right away. That’s not a particularly high bar, by the way. But it builds momentum and gives you some leeway to expand the program and try new techniques.
Be careful not to squander that momentum, or leave ongoing improvement up to chance. You know the old adage: failing to plan means you are planning to fail. So you should think about a broader and more strategic program to deliver on your security awareness training program.
The Virtuous Cycle of Training Success
Your program needs to acknowledge and address the fact that most students (of anything) rarely understand and retain key concepts during initial training. Don’t simply assume that security awareness will be any different. So let’s consider a logical process which provides a number of opportunities to expose employees to the material, to increase the likelihood of retention.
- Initial Training: As we described in the last post on content you are looking for great content that will be current, compelling, comprehensive and fun, while providing a catalyst for behavior modification.
- Competition: A good way to get the most value from the initial training and ongoing efforts is to establish contests and other means to get your employees’ competitive juices flowing. Awarding prizes, using incentives to reward employees for doing the right thing and competing effectively, gives them a reason to practice their new security skills and awareness.
- Reinforcement: Whether it is a matter of additional training based on the results of a periodic simulation or test, re-qualification required every quarter or bi-annually forcing re-engagement with the content, a monthly newsletter, or all of the above, you want security to be top-of-mind (at least not out-of-mind), which requires a number of opportunities to reinforce the training content with employees.
- Updates: The dynamic nature of security, with its constantly changing attack vectors, isn’t normally viewed as a positive, but when looking for opportunities to reinforce the messages of security training that dynamism provides an important opportunity. You need to retrain employees on new attack vectors as they develop. This provides another opportunity to go back to the fundamentals and hammer again on security basics.
- Lather, rinse, repeat: We pointed out in the Introduction that the only way to fail at security awareness training is to give up. Build a process to stay in front the employees, reward them for good outcomes, and reinforce the training materials on an ongoing basis – together these techniques position your program for ongoing success.
Trending and Ongoing Success
You have the baseline and a repeatable process to ensure employees get the most value from the security awareness training program. What next? Go operational, which means tracking the success of the program over time and adapting based on what’s working and what isn’t. Remember – there is no place for ego when trying to get employees to do the right thing. If an aspect of the training program isn’t measuring up, either tune it or jettison it. If your employees reach a plateau of success and improvement levels out, you might need to look at more individual training options to work directly with the ones making the same mistakes over and over again. Whatever it takes to keep trending in the right direction.
As with every other security control, you should be constantly evaluating effectiveness and tuning the program to optimize its value to the organization. By taking a baseline and showing quick improvement you buy yourself some time, but the sustainable success of awareness training requires consistent improvement to justify continued effort and funding. So you need to be open to evolving the program as needed.
With that we wrap up our Security Awareness Training Evolution series. As we said throughout this series, employees are clearly the weakest link in your security defenses, so without a plan to actively prepare them for battle you have a low chance of success. It is not about making every employee a security ninja – instead work to prevent most of them from falling for simplistic attacks. You will still be exploited, but make it harder for attackers, so you suffer less frequent compromise. Security-aware employees protect your data more effectively, it’s a simple as that – regardless of what you hear from naysayers.