Posted under: Research and Analysis
We’ve long been fans of security awareness training. As evidenced in our 2013 paper Security Awareness Training Evolution, employees remain the last line of defense, and in a lot of cases, those defenses have failed. We pointed out many challenges facing security awareness programs, and we have seen modest improvement in some of those areas. But to be clear, not many organizations rave about their security awareness training, and that means we’ve still got work to do.
In this new series, Making an Impact with Security Awareness Training, we will put the changes over the last few years into the proper context and document our thoughts on how security awareness training needs to evolve to provide sustainable risk reduction to organizations.
First, we need to thank our friends at Mimecast who’ve agreed to potentially license the content at the end of the project. Even after 10 years, Securosis remains focused writing objective research through a transparent research method. As such, we need security companies that understand the importance of our iterative process of posting content to the blog and letting you (our readers) poke holes in it. Sometimes our research takes unanticipated turns and with gratitude, we appreciate our licensee’s willingness to allow us to write impactful research, not stuff that covers their products.
Revisiting Security Awareness Training Evolution
Before we get going on making an impact, we need to revisit from where we’ve come. Back in 2013, we identified the challenges of security awareness training as:
- Engaging students: Researchers have spent a lot of time discovering the most effective ways to structure content to teach information with the best retention. But most security awareness training materials seem to be stuck in the education dark ages and don’t take advantage of these insights. So the first (and most important) issue is that training materials aren’t very good. For any training content is king.
- Unclear objectives: When training materials attempt to cover every possible attack vector they get diluted, and students retain very little of the material. Don’t try to boil the security ocean with an overly broad curriculum. Focus on specific real threats that are likely in your environment.
- Incentives: Employees typically don’t have any reason to retain information past the completion of the training, or to use it on a daily basis. If they click the wrong thing IT will come to clean up the mess, right? Without either positive or negative incentives, employees forget the course as soon as they finish.
- Organizational headwinds: Political or organizational headwinds may sabotage your training efforts. There are countless reasons other groups within the organization might resist awareness training, but many of them come back to a lack of incentive — mostly because they don’t understand how important it is. And failure to make your case is your problem.
The industry has made small progress in these issues, mostly in the area of engaging content. The short and entertaining content emerging from many of the awareness training companies does a better job of engaging employees. With compelling characters and liberally sprinkling humor into the videos makes watching the videos more impactful and less like a root canal.
We can’t say a lot of the softer aspects of the program, like incentives and the politics of who controls the training, have improved a lot. We believe improving the perception of a security awareness training program comes back to defining success and getting buy-in for the program early and often. Most organizations haven’t done a great job of selling the program, instead defaulting to the typical reasons for security awareness training, like a compliance mandate or a nebulous objective of having fewer employees click on malicious links. Being clear about what success means as you design the program (or update an existing program) will pay significant dividends down the road.
Success by Design
If you want your organization to take security awareness training seriously, you need to plan for that. If you don’t know what success looks like, you probably won’t get there. The first step in defining success involves a firm understanding of why the organization needs to do it. We don’t mean because it’s the right thing to do or because your buddy in town found a cool vendor with hilarious content. We mean communicating the business justification for security awareness training, and more importantly what results you expect from your organization’s investments in time and resources.
As mentioned above, a lot of training programs initiate via a compliance requirement or the desire to control risk more effectively. Those reasons make sense, even to business people. But quantifying the desired outcomes presents some challenges. We advise organizations to gather a baseline of issues addressed by the training. How many employees click on phishing messages each week? How many DLP alerts do you get indicating potential data leakage? Having these numbers allows you to define a target and track to it.
Although we do recommend some caution, or managing expectations about perfection. That means understanding the risks training can favorably impact and more importantly, which it cannot. If the attack vector involves not clicking on a link, training can help. If it’s preventing a drive-by download delivered by a compromised ad network, there’s not a lot your employees can do about that.
Once you’ve adequately managed expectations, it’s about figuring out how to measure employee engagement in your organization. Maybe it’s sending out a survey to gain feedback on the content. Maybe it’s setting up a game where different business units can compete. Games and competition can provide interesting incentives for participation as well. You don’t need to offer expensive prizes as part of the game. Some groups would put in herculean effort to win a trophy and bragging rights.
To be clear, employees may need to participate in the training to keep their job. Continued employment provides a powerful incentive to participate, but not necessarily to retain the material or have it impact their actions. Thus, we need a better way to connect training to corporate results.
The True Measure: Risk Reduction
Ultimately the most impactful outcome remains reducing risk, which presents the linkage between security awareness training and corporate results. It’s reasonable to believe that awareness training results in fewer successful attacks and less loss. Put in other words, risk reduction. Every other security control and investment needs to reduce risk, so why hasn’t security awareness training been held to the same standard? We don’t know either, but the time has come we started thinking about it.
What does risk reduction mean within the context of security awareness training? It’s giving employees the necessary training, understanding they won’t retain everything. Not the first time anyway. Learning requires repetition, but why repeat training to someone that already get it? That’s a waste of time. Thus to follow up and focus on retention, you want to deliver appropriate content to the employee when they need it. That means refreshing the employee about phishing, not at a random time, but after they’ve clicked on a phishing message.
Contextual training does require integration with applicable security controls. For example, you’ll need to get a trigger from the email security gateway when an employee clicks a dangerous link in an email. You can also get triggers when an employee navigates to a malicious site via DNS and web security gateways which track where they browse. Finally, integration with DLP would provide opportunities to revisit the training regarding protected content when making a mistake.
We’ll dig deeper into this concept of Continuous Contextual Content in the next post.
Content Remains Key
We can slice it and dice it in many different ways, but we can’t get around it. Without the right content, the security awareness training program will fail. Here are five keys for engaging, effective awareness training content.
- Behavioral modification: The training content needs to work. You should be managing to outcomes, and your desired result for security training is that employees learn what not to do (and subsequently don’t do it), so if the behavior doesn’t change for a reasonable percentage of employees, that’s probably an indication of ineffective content.
- Current: Security remains a pretty dynamic environment. Your security training curriculum must keep pace. Yes, you still need to tell employees about vintage 2015 attacks because they will still see those. But you also need to train them to defend against new attack vectors like ransomware, which they will likely see in the short term.
- Comprehensive: Employees need to be prepared for the most likely situations. It is neither realistic nor feasible for security awareness training to turn regular employees into security professionals. But they can understand the major attack vectors and develop a sensitivity, so they detect attacks as they happen.
- Compelling: Most employees don’t know what’s at stake, so they don’t take the training seriously. We don’t advocate trying to scare employees or playing Chicken Little, but they need to understand the consequences of the attacks. It gets back to helping them understand the organizational risk of screwing up. You do this by integrating a few stories and anecdotes into the training materials making the attacks and losses real and tangible, as well as humanizing attacks, so they understand it can happen to them.
- Fun: Boring content is boring. If employees don’t enjoy the training materials, they will shut down and do just enough to pass whatever meaningless test you put them through. They will forget what they learned as soon as they leave the room. As corny as it sounds, no fun generally means no retention.
Of course, content is also subjective. What you like may not represent the rest of the organization. Thus we always recommend a broad testing/PoC process to ensure the content works for your organization. We’ll get into procurement later in the series.
Clearly, you want employees to have fun and find the training content entertaining. But that’s not the only thing you’ll need for a successful security awareness training program. You need senior management to understand the importance of security awareness training and buy into your vision of success, as well as how you plan to quantify risk reduction and measure the impact of the program.
Many security professionals don’t have a lot of experience in getting this kind of buy-in, so let’s map out a few steps:
- Get facetime: Like any other program, you need to sell the benefits, and that means getting off your butt and talking to business leaders about the program.
- Sell the business value: As we mentioned above, you need to communicate the business value and be clear in defining success.
- Identify the risks: Make sure they also comprehend the risks of not doing training successfully. It may involve system downtime, data loss or breaches, or compliance fines. It’s not about fear; it’s about a realistic and pragmatic assessment of the downside.
- What do they have to do: Finally, they need to understand the requirements on them and their team. Are you asking for money from their budget? How much time will the employees need to devote to the program?
Once you help the leadership team to understand what’s in it for them, the downside risk, and what they have to do, then you should be in a position to enlist their support. To be clear, you don’t need senior management to push the program, especially if required for compliance. But it sure helps, so spend the time lining up support before you launch the program.
Given that quantifying the effects of the training on risk is key to successfully selling the program and getting employees engaged, we’ll focus on that extensively in the next post.
*** This is a Security Bloggers Network syndicated blog from Securosis Blog authored by firstname.lastname@example.org (Securosis). Read the original post at: http://securosis.com/blog/making-an-impact-with-security-awareness-training-structuring-the-program