Security awareness and training programs are mostly ineffective and a waste of time and money, according to a panel of experts speaking at Infosecurity Europe in London today.
Experts agreed that the way to address these problems is to make programs more relevant to their audience in a way which will help to build an organization-wide culture that makes security second nature to employees.
Angela Sasse, director of the UK Research Institute in Science of Cyber Security (RISCS) at UCL, argued that it was “very doubtful” that most programs had any value at all and said government-led efforts aimed at educating the populace were “pitiful” and sent out mixed messages.
The focus should be on changing people’s behavior rather than raising awareness, as the latter does little to improve information security, according to Andrew Rose, CISO in the UK transport sector.
He said program managers could take a leaf out of the marketer’s book in looking at new ways to influence behavior in smaller, bite-sized chunks – in an almost subliminal way that doesn’t require hour-long training sessions.
Rose said his team inform all infosecurity training via a simple three-point framework: “motivation,” ie what are the consequences of a specific policy; “ability,” ie can employees practically comply with any new rules; and “triggers” – what will remind them to do the right thing?
Uber’s security awareness and education program manager, Samantha Davison, argued that training has to be as relevant as possible to employees so as to avoid wasting everyone’s time by resulting in programs that don’t work.
The taxi hailing firm builds its programs on the back of feedback from staff, and is currently developing a training app which will produce different content depending on the location and role of the individual user, she explained.
“Build a program they want, not the program you want as an information security professional,” she advised.
Publicis Groupe CISO, Thom Langford, added that building a corporate culture around security best practice is the goal.
“Culture is great; it’s also really difficult to build, but once it’s built it lasts a long time,” he argued.
This will ensure security is maintained almost subconsciously by staff, and one of the ways to get there is by creating “visceral experiences” through new approaches to training, he said.
UCL’s Sasse concluded that although improvements to training programs are a necessity – not least because the “attackers are getting more persistent and smarter” – they won’t be a cheaper option.
To be most effective, training programs must be built on the back of the right corporate technology “which wastes people’s time as little as possible,” she argued.