When it comes to security training and awareness, the prime objective of many organizations is to be able to demonstrate that all staff have completed security awareness training.
This, said John Curran, principal consultant at FTR Solutions and co-founder of Intrinsic Aware, is a mistake. In contrast, what organizations should be aiming for is to create a risk adverse culture.
“Unfortunately, many organizations have created a blame culture, and an environment where people don’t think of the information security function as good people to talk to when something bad happens.” People shouldn’t be afraid of reporting incidents, Curran said, “it’s not conducive to stakeholder engagement.”
All too often, organizations make the mistake of thinking that simply having policies and procedures in place for user awareness is sufficient. “This is not the same thing as engaging your staff and ensuring they understand the company’s security needs.”
Statistics suggest that “half of the bad things that go wrong happen as a result of human error –fundamental stuff like phishing and losing USBs.” Despite this, Curran said, there is a “dramatic under-investment in awareness and security training,” with only 3-5% of security budgets being spent in this space.
Making the Training Work
Having a training and awareness program in place, however, is only part of the battle. Ensuring the user absorbs that information is crucial, and more importantly, that the learning changes their behavior.
“Over time, people remember less of what they learnt. If you constantly reinforce learning, people are more inclined to remember it,” advised Curran, who set out the following training goals:
- Users should know what is expected of them
- Users should learn appropriate skills and behaviors for situations
- Users should ultimately be willing and able to discuss or report suspected incidents: “Having a culture in which people are open to the discussion of risk and that they feel safe and able to report incidents is core.”
When people ask questions, it improves their learning. Testing users, too, enables them to retain better knowledge. Curran offered the following advice for creating awareness training courses:
- Be careful with branding when you create training materials
- Create learning security pathways
- Offer immediate feedback during the test process
- Provide rationale at the end
- Trace performance, progress and levels of engagement
Curran referenced the Chimp Paradox Theory as the reason why people find changing their behaviors so hard.
“Our goal in the awareness process is to keep the monkey quiet while we are talking to the human and push as much of that into the computer as possible,” Curran said in conclusion.