I was speaking this week at the local chapter of the Information Systems Security Association (here in Ottawa) on the topic of social engineering. The presentation was entitled: “Fool Me Once: How Attackers Use Social Engineering to Exploit Human Vulnerabilities”.
As the talk progressed, I came to my main message: It’s important to educate employees about this type of threat, among many other important security topics that employees need to understand.
At this point, one attendee commented that, while awareness is important, it seemed to him that most security awareness training programs are not very engaging, and as a result, do not seem to be very effective. It’s sad, but I tend to agree. It’s not that most awareness training presentations or online programs don’t cover the right topics. The problem is really one of engagement. It’s very hard to design a program that will effectively hold everyone’s attention long enough to get the message across.
Based on my own experience in teaching live courses and also preparing online courses, here are my top 3 ways to make security awareness training programs more engaging and effective:
1- Set the context for topics using relevant stories that are composed with non-technical terminology and are told from the perspective of employees. Who was the victim of the attack? What did they encounter? What did they do? What did they observe? Then describe what happened, and what the impact was on the organization or the individual. This draws people into a human situation and guides them into feeling as if they are involved. If a little bit of emotion can be evoked, that’s even better. Then, they are usually ready not only to hear the guidance, but to provide their thoughts – which are very valuable for everyone to hear! One story can often be used as the rallying point for a module, or even the entire course.
2- Tailor the content to a specific audience. Organize the training content so that there are no red herrings or concepts that are irrelevant to the target audience. If the course is aimed at the general staff, don’t include any details that only apply to a portion of the employee population. Nobody has the time or energy to figure out what they should skim and what’s important to their job. They need to feel like the entire module is important to them, or you will lose them. I find that having a set of modules for general awareness is an easy way to do this. Then have a number of special modules tailored to just the people who need to know that content. I typically address IT administrators, software developers and executives in different, specialized modules.
3- Focus significant effort on making sure the review content at the end of each module is concise and actionable. For computer-based training (CBT) programs, create review pages that people who really “get it” can skip ahead to, so they can confirm they haven’t missed anything. You can have a sample review quiz of True or False questions, followed by a real, scored quiz. For live training, spend a few minutes summarizing the main points and asking some live review questions of the open audience, followed by some discussion of each one.
Most organizations, no matter how much they believe in security awareness training, don’t want their staff to spend more than about 90 minutes on a course. Some don’t want them to spend more than 30 minutes. You may feel that this is not enough (and I wouldn’t argue with you). But it’s all you’re likely to get. So, you have to find ways to present engaging and informative experiences with memorable messages.
Let me know what you’ve seen in security awareness training programs that you either liked or didn’t like. I’m always looking for ways to make training more effective and enjoyable.
The Streetwise Security Coach