Guest Blog Written by Ira Winkler
Considered one of the world’s most influential security professionals, Ira Winkler, President of Secure Mentem & Expert on Technology and Information Security, talks about the right way to conduct cyber awareness training.
Is ‘Awareness’ a sufficient goal for your organization?
Perhaps one of the most significant flaws in security awareness training is the lack of a clear and well-defined goal. While there are some exceptions, most awareness programs seem to have the goal of merely presenting awareness topics. On its face, that seems an obvious enough goal.
To use a more common example, does making people ‘aware’ that the way you lose weight is to eat less and exercise more actually produce good results?
When awareness managers approach me on how they plan to create and run their awareness programs, they typically discuss the types of tools they intend to use. They realize they need to focus on phishing training but are also very concerned about other ‘Expected Security Behaviors’ (ESB) – a term I’ve borrowed from my colleague Mike Polatsek at CybeReady.
They ask me about the best videos, an event, and usually phishing simulations. Those tools all make sense, but when I ask them what specific behaviors they are trying to change, they frequently don’t seem to know. Awareness professionals often seem unaware that their ultimate job is to change behaviors and reduce security-related losses.
The best security awareness training programs use proven methods to change behaviors. Such training can be effective when applied properly. The trick is to apply it properly, which is not as easy as it may sound. Awareness, by definition, makes people ‘aware’ of an issue. In the cybersecurity field, there is a focus on telling people that there are bad hackers out there who will try to trick them into doing bad things, often leading to security awareness programs that aggravate employees. This may leave people aware, to a certain extent, that there is a potential problem to be addressed, but it doesn’t mean people will permanently change their behaviors any more than hearing that they need to eat less and exercise more does.
What should cybersecurity awareness training ultimately achieve?
When developing a security awareness program that effectively changes behaviors, you first need to recognize that it requires more than making people merely aware of a problem. Security training needs to identify the ‘bad behavior’ and train employees in the moment of failure, when it is most relevant and can generate effective learning. To reinforce the behavior, training needs to cover multiple facets: present a variety of scenarios and train people repeatedly. At the same time, you need to continually increase the level of learning. The ultimate goal here is to develop real instincts, so that the immediate response to a cyber attack is the correct one (ignore and/or report a suspicious email).
For example, you can let people know about phishing and tell them that bad people will try to trick them. However, many people do not think it will happen to them. Even worse, while many people might fall for phishing simulations early on, as companies tout the success of their phishing simulation campaigns and decreased click rates, users develop a false sense of security as they think they have learned to recognize phishing attacks. The reality is that they learned to recognize some basic attacks, but have little readiness for more complicated attacks.
In one case, I received an insultingly simplistic phishing simulation. The message was apparently from a bank that had recently changed its name, but since I had no relationship with the bank, and considering that I was using a brand new company email address that nobody at a “real” bank would know I had, this email raised a red flag and I reported it immediately. The fact that I could easily recognize this as a phishing message in no way ensures that I will recognize even minimally sophisticated messages. Less experienced users may, however, take the congratulatory message you get for reporting the message as a sign of more than an introductory awareness level and feel they are now resilient to any scenario.
Cyber awareness training done right
For security awareness training to have a meaningful impact, you have to change the security-related behaviors that lead to loss. In order to do this, you need to apply proven behavioral principles. This involves repetition at an appropriate level of learning. Awareness training is best approached in a way that gets a person to consider the information being presented and integrate it with other aspects of their knowledge.
I learn nothing when I am asked to log into my account at a bank I have no relationship with. However, if I have an account at the bank, such as if the company I work for uses the bank for corporate credit cards, it makes me think. If it asks me to confirm information for a corporate card, I then have to integrate that with other aspects of my training. I then would have had to look for other indicators of phishing. Getting similar messages will then drive that lesson home to me.
At the end of the day, I don’t care if people know that a hacker might try to send phishing messages. I don’t care that people are not tricked into clicking a message that blatantly indicates it is from a phishing simulation company and purports to be from a bank that no longer exists. I care if people click on actual phishing messages. I care about changing their behaviors. To do this, you need to ensure there is a real challenge and actual engagement with the security awareness training program being delivered.
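The two principles above, training at the moment of failure with escalating scenario difficulty, and judging a program by behavior on realistic messages rather than by an aggregate click rate, can be made concrete in a small simulation scheduler. The following is an added example, not code from Ira Winkler, Secure Mentem or CybeReady; the tier names, the scheduling rule and the outcome log are constructed assumptions. It shows how an aggregate click rate can look healthy while the click rate on the hardest tier is 100%, which is exactly the false sense of security the post warns about.

```python
"""
Added example (not from the original post): a minimal model of a phishing
simulation program that (1) escalates difficulty only after a correct
response, (2) queues users who just clicked for in-the-moment training, and
(3) reports click/report rates per difficulty tier instead of one aggregate.
Tier names, users and outcomes below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed difficulty ladder: from a generic lure to a message that uses
# context the recipient actually has (e.g. the company's real card issuer).
TIERS = ("basic", "contextual", "targeted")


@dataclass(frozen=True)
class Outcome:
    user: str
    tier: str
    action: str  # one of "clicked", "ignored", "reported"


# Constructed outcome log, in chronological order.
SAMPLE_LOG = [
    Outcome("alice", "basic", "reported"),
    Outcome("alice", "contextual", "reported"),
    Outcome("alice", "targeted", "clicked"),
    Outcome("bob", "basic", "reported"),
    Outcome("bob", "contextual", "ignored"),
    Outcome("bob", "contextual", "reported"),
    Outcome("bob", "targeted", "clicked"),
    Outcome("carol", "basic", "clicked"),
    Outcome("carol", "basic", "reported"),
    Outcome("carol", "contextual", "reported"),
]


def next_tier(history, user):
    """Choose the tier for a user's next simulation.

    Escalate one tier only after the user *reported* at the current tier.
    A click or an ignore keeps the user at the same tier: repetition at the
    level where learning has not yet happened, never a free promotion.
    """
    events = [o for o in history if o.user == user]
    if not events:
        return TIERS[0]
    last = events[-1]
    idx = TIERS.index(last.tier)
    if last.action == "reported":
        return TIERS[min(idx + 1, len(TIERS) - 1)]
    return last.tier


def just_in_time_queue(history):
    """Users whose most recent outcome was a click.

    These are the people to train now, while the failure is fresh, rather
    than in a quarterly video. Order is first appearance in the log.
    """
    last_action = {}
    for o in history:
        last_action[o.user] = o.action
    return [u for u, a in last_action.items() if a == "clicked"]


def aggregate_click_rate(history):
    """The single number programs tend to tout; hides where the risk sits."""
    return sum(o.action == "clicked" for o in history) / len(history)


def rates_by_tier(history):
    """Click and report rate per difficulty tier, plus the sample size."""
    counts = defaultdict(lambda: {"clicked": 0, "ignored": 0, "reported": 0})
    for o in history:
        counts[o.tier][o.action] += 1
    result = {}
    for tier, c in counts.items():
        n = sum(c.values())
        result[tier] = {
            "n": n,
            "click_rate": c["clicked"] / n,
            "report_rate": c["reported"] / n,
        }
    return result


if __name__ == "__main__":
    print("aggregate click rate:", aggregate_click_rate(SAMPLE_LOG))
    for tier in TIERS:
        print(tier, rates_by_tier(SAMPLE_LOG).get(tier))
    print("train now:", just_in_time_queue(SAMPLE_LOG))
    for user in ("alice", "bob", "carol", "dave"):
        print(user, "->", next_tier(SAMPLE_LOG, user))
```

On the constructed log the aggregate click rate is 30%, which a status report would call a success, while the click rate on the targeted tier is 100% and its report rate is zero. The per-tier view is the one that tells you whether people are actually ready for the messages a real attacker would send; the scheduler is what keeps them practicing at the level where they last failed.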