Guest Blog Written by Ira Winkler
Considered one of the world’s most influential security professionals, Ira Winkler, President of Secure Mentem & Expert on Technology and Information Security, shares a personal story and opinion regarding the state of security awareness training, and the key role automation plays in making it more effective.
Every so often, I have to take security awareness training…
It might be because of a contractual requirement. I might be testing out training for a client. On one occasion, I saw the person next to me on an airplane taking their mandatory awareness training, and I asked to take it for them to see what it was like. All of these occasions had one thing in common: the training felt like a complete waste of time. More importantly, it alienated me from the content and didn’t make me implement the learning or change my cyber behavior whatsoever.
Security awareness training as an insult
I don’t say that because I believe I know everything, but I always try to look at it from a typical employees‘ perspective. Many of those employees are reasonably security-aware, and while there may be an occasional nugget they pick out of training, 80-90% will learn little, if anything at all. In talking with many employees, I’ve understood they feel some training is an insult to their intelligence, especially when it comes to phishing training.
CBT modules and training videos follow the same mistakes: content is generic and random, training is inconsistent and doesn’t meet employees where they are throughout their learning journey. The general experience is long, tedious, and disengaging, often creating friction between infosec teams and employees, and frustration for all involved.
Of course, there are also compliance issues that might not make a lot of sense, but they need to be addressed. But if you want to do anything better than checking a box, it won’t happen by sending out generic content or running annual campaigns with nicely designed emails and posters.
The case for context-based training
Sending out the same low-sophistication phishing messages might get almost all your employees to recognize basic attack vectors and feel very good about themselves. It would also allow you to claim how awesome your awareness is because only a small percentage clicked on a message. But what does it really mean in terms of employee learning progress?
The reality is that this says very little and does not improve your security posture in any way. The same goes for passwords: a best practice in choosing passwords is not only about the complexity of the password, but keeping it complex and diversified across different accounts. If your employees use the same corporate password when logging in to their social media accounts, it is a risk you better consider.
People need to have continuous training opportunities with a diversity of content and increasing challenges for optimal learning. This should be a major principle that security teams follow.
When it comes to identifying fraudulent emails, once that some primary data has been collected on employees‘ varying skill levels, you need to change the context of your phishing simulations. But first, you need to identify who is a „repeat offender“ failing on multiple occasions and then provide them with specialized training. Beyond this, you should strive to adapt to the majority of employees that are ready for more extensive learning triggers that adequately match their learning pace.
Learning abilities can be mapped on a continuum, and ideally, you would provide tailored training at the appropriate pace for each unique individual. While some self-paced courses exist, it requires enormous motivation and time commitment for those involved and is often not well received. Security awareness programs are often ‚pushed‘ on employees and enforced by HR, seldom resulting in damage to organizational culture and overall cybersecurity attitude. The key is to embed the learning in employees’ daily routine without making it feel like a big burden.
Personalization at scale with the help of automation
Incorporating artificial intelligence into security awareness training platforms allows corporations to conduct customized awareness training at scale and doesn’t aggravate their employees. Such training can be adapted to the corporate context while being delivered at an optimal frequency to match. Think of how a personal trainer coaches each client at their own fitness level and pace. Just like that, security awareness training should equate to employees‘ performance levels and resilience changes.
There has been a legitimate reason for employees to contend that security awareness training has been a waste of time and resources. Luckily, artificial intelligence and advanced automation are providing security awareness training programs and managers a way to be more relevant and effective in creating „awareness fitness“ for everyone in your organization.