The Funny Face of Information Security Education

When one thinks of security awareness and compliance training, humor is perhaps the last thing that comes to mind
When one thinks of security awareness and compliance training, humor is perhaps the last thing that comes to mind

Humans are the weakest link in the information security chain – it’s a cliché that the industry’s practitioners have been barraged by on a seemingly endless loop. Yet, this axiom continues to ring true.

The errors committed by the human elements of an organization remain a major contributor to data loss incidents worldwide, and its prevalence only continues to rise year over year. "Eight years of research on data breach costs has shown employee behavior to be one of the most pressing issues facing organizations today”, comments Larry Ponemon, founder of the non-profit Ponemon Institute.

The research firm’s ‘2013 Cost of a Data Breach Study’ revealed that human errors and system problems accounted for 64% of data breaches during the previous year. An even larger concern for the health of data security comes from an October 2012 research study on intellectual property conducted by the Ponemon Institute, which showed that half of all employees who left or lost their jobs over the previous 12 months took with them confidential corporate data; 40% of them planned on using this data as part of their subsequent employment. The report identified deficits in security awareness training as a major contributor to this trend, as 56% of employees were unaware that taking this data with them to their new job was a crime or a violation of company policy.

Undoubtedly, many employees are aware that such conduct violates any number of established policies, but research shows that gaps do exist when it comes to data security awareness. When one thinks about the supremely boring compliance training exercises pushed out by many organizations, it’s not hard to see why this would be the case. Often unremarkable, these cookie-cutter programs of PowerPoint slides are often neglected and lack effectiveness beyond an organization’s ability to tick another box on the roster of employees who have endured the training.

Security Education ‘Goes Hollywood’

“Our objective is to help organizations change their culture to be more security conscience”, says Larry Hurtado, CEO of Digital Defense. The San Antonio-based company, according to its chief executive, does this by providing security risk assessments, security intelligence and, of course, security awareness education.

It was this last part – and the firm’s approach to awareness education – that grabbed my attention. The program is called SecurED, and it’s everything that a typical PowerPoint or slide-based online education/compliance training regime is not.

Hurtado tells me that SecurED is the result of customer feedback his firm received after its clients saw the results of social engineering tests conducted on their users. These clients wanted to know what they could do to better educate their employee population.

“Because we didn’t want to do just another PowerPoint or computer-based training program, we had our team come together”, to formulate an alternative approach to security education with more tangible effectiveness, Hurtado recalls. The solution came from a family tie, by way of Patrick Shannon, the firm’s VP of sales.

Shannon’s brother, T. Sean Shannon, is an Emmy Award-winning comedy writer whose credits include The Tonight Show with Jay Leno, Saturday Night Live, and the 2008 film Harold. This Hollywood connection gave Hurdato’s firm an opportunity to create an employee education program unlike any other on the market today.

“We created 12 video modules…where we combined comedy vignettes with industry best practice information security training techniques”, he relays with noticeable hints of excitement. “We’ve coupled humor with this training, and we are rolling these videos out to our enterprise clients”, Hurtado remarks, adding that the feedback from clients has been “extremely favorable”.

The goal of this program, he continues, is not just to provide the training to security or IT staff, but rather to create them in such a way that they can be deployed across an entire organization for all staff to consume – “with the objective of simply raising awareness and helping [them] increase the guard for their employees”.

The Lighter Side of Awareness Training

When one thinks of security awareness and compliance training, humor is perhaps the last thing that comes to mind. It leads me to ask Hurtado, what is so funny about information security training, and how can it be cast as such?

Seeing is believing, he tells me, as Hurtado directs me to an online trailer of the SecurED training module that’s freely available to the general public – along with information on how those interested in the program can view free demo modules. “No matter how I describe it to you, it won’t do it justice”, he says amusingly.

I took Hurtado’s advice, and checked out the videos for myself. The first thing that strikes me is the professional polish they exude, mixed with hints of sarcasm. Featured prominently is an executive who apparently doesn’t know the first thing about the information security threats that face organizations – one who openly embraces the possibilities of being socially engineered and the ‘free press’ that accompanies a data breach.

The situations may be a bit absurd, for dramatic effect of course, but they are not out of the realm of possibility. The star character of the SecurED series was inspired by the “Bear City” skits T. Sean Shannon wrote for SNL, and highlights the poor use of “honey” as the bear’s network password. A bit campy, perhaps. But this snippet is certainly more entertaining and memorable than your average online awareness training, which is the point of the program – a different approach to security education that promotes increased retention of its content.

The video modules explain security concepts in a simple-to-follow manner, with the bonus entertainment of being narrated by a gentleman sporting a blue short-sleeve dress shirt reminiscent of a Burger King manager. It almost says to the viewer, ‘If I can grasp these concepts, then so can you”.

To quote the SecurED product tag line, “Security training doesn’t have to be boring”. Having personally viewed some of the videos, I would say Digital Defense has accomplished this mission. Even for a harsh critic like myself, there were a few laugh-out-loud moments.

Show Me Numbers

Professional appearances and corny humor aside, what I want to know is what’s the value to organizations when considering the SecurED approach over more traditional awareness training programs. Hurtado contends that it comes down to effectiveness, and that evidence supporting the Digital Defense training strategy is beginning to emerge.

“The feedback we have received”, he relays, “has been that it’s very, very effective. In fact, one of the organizations that rolled it out was telling us they saw a marked increase in improvement for scores as it relates to social engineering testing.” Hurtado is happy to tell me that, in this client’s view, “the [SecurED] program is working”.

The organization Hurtado spoke of was People First Federal Credit Union, a non-profit, member-based financial institution. The company engaged in a social engineering test in autumn 2012, comprising authentic-looking remote emails sent to employees that were designed to gauge awareness around phishing scams. Employees were sent emails purporting to come from People First’s VP and CIO and directed them to a link that would request their network login credentials to test password strength.

The test results – coupled with a separate onsite assessment – showed the financial institution’s employees were susceptible to penetration by skilled social engineering. People First’s CIO, Susan Phillips, researched available security training programs, with an eye toward increased effectiveness and an approach that would not be viewed by employees as “tedious or boring”, according to a case study on the project.

Phillips and People First opted for the more entertaining and engaging SecurED offering, and following its implementation, found it to be vastly more effective in helping raise awareness around security-related issues for its employees. A second social engineering assessment was conducted after the new training was rolled out, and People First’s results soared, rating overall as “excellent”. This meant that “no weaknesses were found in employee information security awareness controls, and employees appear to be following information security best practices. An attacker would find it difficult to socially engineer employees into disclosing sensitive information.”

To support this anecdotal evidence with a more scientific approach, Digital Defense enlisted the Ponemon Institute to perform an independent evaluation of SecurED’s effectiveness. First off, the “enjoyability” factor of the training videos received high marks, with 88% of test respondents saying they enjoyed the SecurED training approach (vs. 36% for the alternative used in comparison). The Digital Defense approach outperformed the alternative at nearly every opportunity, especially regarding information retention. The data showed SecurED exhibiting a 65% short-term learning gain (vs. 35% for alternative training), and a 60% long-term learning gain (vs. 15% for alternative training).

“Employees who do not understand their responsibility in safeguarding confidential and sensitive information are putting their company at great risk”, noted Larry Ponemon in announcing the results. “As revealed in this research, quality security training programs that are relevant and engaging can make a tremendous difference in reducing the threat and likelihood of a data breach.”

The comments and results are certainly music to the ears of Larry Hurtado, and they are an important first step in validating his company’s willingness to offer a new – if not riskier – approach to security education and training. “There is a general recognition that the once-a-year PowerPoint package designed to educate on security principles is not effective”, he tells me. “It’s rare for me to encounter an organization that doesn’t consider this to be the case.”

Hurtado insists that organizations are searching for better answers to their training questions, “and we believe what needs to happen is more of a campaign orientation” that is embraced by senior leadership. It’s an approach, he continues, that does not prevent employees from being helpful in providing information where appropriate, but at the same time raises awareness about when and where information should be guarded. “Many organizations”, he says in parting, “are looking for those alternatives”.

What’s Hot on Infosecurity Magazine?