Guest Opinion: Security Training’s Ten Commandments
A year of historic breaches at RSA, Epsilon, Lockheed Martin and even the Sony PlayStation Network demonstrates how ineffective even the best security technologies can be when people are in the loop.
Many of today's attackers exploit the human factor, bypassing most technical controls with social engineering: they get the information they want simply by luring a user into opening an email, clicking a link or downloading an attachment.
Information security practitioners tend to assume that simply making users aware of security issues will make them want to change their behavior. A fundamental problem, however, is that most awareness programs are created and run by security professionals, people who were neither hired nor trained to be educators.
These training sessions have traditionally consisted of long, monolithic lectures and boring slideware, with no thought or research into what should be taught or how. As a result, organizations are not getting the desired results, and no overall progress can be tracked.
Obviously, a holistic approach that embraces both technology and training is required to counter the escalating number of cyber attacks credit unions face today. However, training for the sake of training won't necessarily yield the results your institution is looking for.
By applying proven learning science principles and techniques, credit unions can get superior results from their training efforts and help fortify the organization against its potentially weakest link: its people.
Bottom line: if financial institutions fail to implement effective and engaging security awareness training, the next phishing scam is just as likely to fool the same people as the last one, and the industry will remain at risk.
To solve the security training puzzle, it's important to step back and understand how people learn. In other words, are there keys to getting an attention-deficit society to sit through something as potentially boring as security training?
The answer is yes, but it's all in the approach. The science of learning dates back to the early 1950s, and its techniques have been proven over time and adopted in various circles as accepted learning principles. Applied to information security training, these techniques can deliver immediate, tangible and long-term results in educating employees and improving your company's overall security posture.
Small bites at a time. People learn better when they can focus on small pieces of information that the mind can digest easily. It's unreasonable to cover 55 different topics in 15 minutes of security training and expect people to remember them all and then change their behavior. Short bursts of training are more effective.
Reinforced learning over time. People learn by repeating material over time. Without frequent feedback and opportunities for practice, even well-learned skills decay. Security training should be an ongoing program, not a once-a-year event.
Train in context. People tend to remember context better than content. Present security training in the context in which the person is most likely to be attacked: a phishing lesson belongs in the inbox, where the phish will arrive.
Learning is influenced by existing ideas. Concepts are best learned when they are encountered in multiple contexts and expressed in different ways. Security training that presents a concept to a user several times, in different phrasing, helps that process.
Active involvement. When we are actively involved in the learning process, we remember things better. If the trainee can actually practice identifying phishing messages and creating good passwords, improvement can be dramatic.
Immediate feedback. Anyone who has played sports understands this one: calling the foul at the moment it happens makes the lesson far more effective. If a user falls for a company-generated simulated attack and receives training on the spot, they are far less likely to fall for the same trick again.
Character development, narratives and storytelling. When people are introduced to characters and a developing narrative, they often form subtle emotional ties to the material that keep them engaged. Security training can take a story-based approach rather than listing facts and data in a non-engaging format.
Reflection. People need the opportunity to evaluate and process their own performance in order to improve. Security awareness training should challenge users to think critically: examine the information presented, question its validity, and draw their own conclusions.
Pacing. It may sound cliché, but everyone really does learn at their own pace. A one-size-fits-all security training program is doomed to fail.
Conceptual and procedural knowledge. Conceptual knowledge provides the big picture and lets a person apply varying techniques to solve a problem. Procedural knowledge focuses on the specific actions required to actually solve it. Security awareness training needs a blend of both.
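The immediate-feedback principle above, together with the earlier complaint that traditional programs give no way to track progress, is easiest to see in code. The following is an added illustration written for this page; it is not Wombat's product and not code from the original column. It is a minimal simulated-phishing tracker that issues one unguessable tracking token per recipient, records a click the moment the link is opened and returns the teachable-moment text in that same request, and then reports the click rate per campaign and the repeat clickers across campaigns so that reinforcement over time can be measured. The campaign names, user names, training text and the training.example.invalid hostname are all constructed for the example.

```python
"""Simulated-phishing tracker with on-the-spot training and progress metrics.

Added illustration for this page (constructed data, not a vendor product).
"""
import secrets
from collections import defaultdict

# Constructed teachable-moment text shown the instant a simulated link is opened.
TRAINING_MESSAGE = (
    "This was a simulated phishing email sent by your security team. "
    "Warning signs: an unexpected request, a sense of urgency, and a link "
    "whose real destination differed from the displayed text. Report "
    "suspicious mail instead of clicking."
)


class PhishSimulation:
    def __init__(self):
        self._tokens = {}                      # token -> (campaign, user)
        self._recipients = defaultdict(set)    # campaign -> users mailed
        self._clicks = defaultdict(set)        # campaign -> users who clicked

    def new_campaign(self, name, users):
        """Issue one unguessable token per recipient; return user -> link.

        A random token (not the user name or an incrementing id) ties the
        click to the individual without letting anyone enumerate or forge
        other recipients' links.
        """
        links = {}
        for user in users:
            token = secrets.token_urlsafe(16)
            self._tokens[token] = (name, user)
            self._recipients[name].add(user)
            # Hostname is a placeholder for the organization's training site.
            links[user] = f"https://training.example.invalid/t/{token}"
        return links

    def landing(self, token):
        """Handle a link being opened: record the click and return the
        training text immediately. Unknown tokens get None (no lesson, no
        record), so stray hits cannot pollute the metrics."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        campaign, user = entry
        self._clicks[campaign].add(user)
        return {"user": user, "campaign": campaign, "training": TRAINING_MESSAGE}

    def click_rate(self, campaign):
        """Fraction of recipients who clicked in one campaign."""
        sent = len(self._recipients[campaign])
        return len(self._clicks[campaign]) / sent if sent else 0.0

    def repeat_clickers(self):
        """Users who clicked in more than one campaign: the ones the
        reinforcement has not yet reached."""
        counts = defaultdict(int)
        for users in self._clicks.values():
            for user in users:
                counts[user] += 1
        return sorted(user for user, n in counts.items() if n > 1)


def _token_from(link):
    return link.rsplit("/", 1)[1]


def run_demo():
    """Two constructed campaigns a quarter apart; returns the simulation."""
    sim = PhishSimulation()
    staff = ["alice", "bob", "carol", "dave"]

    links = sim.new_campaign("2011-Q3", staff)   # two of four click
    sim.landing(_token_from(links["alice"]))
    sim.landing(_token_from(links["bob"]))

    links = sim.new_campaign("2011-Q4", staff)   # only bob clicks again
    sim.landing(_token_from(links["bob"]))
    return sim


if __name__ == "__main__":
    sim = run_demo()
    for campaign in ("2011-Q3", "2011-Q4"):
        print(f"{campaign}: click rate {sim.click_rate(campaign):.0%}")
    print("repeat clickers:", sim.repeat_clickers())
```

The two numbers a program owner actually wants are the per-campaign click rate (is the organization improving?) and the repeat-clicker list (who needs more reinforcement or a slower pace?); both fall straight out of the per-recipient tokens, which is why tokens rather than generic links are the prerequisite for any of the ten principles above to be measurable.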
Joe Ferrara is president/CEO of Wombat Security Technologies.
Contact 412-621-1484 ext.113 or firstname.lastname@example.org