Canadian Security Magazine

Ten techniques for effective security training

By Joe Ferrara   


Information security people sometimes think that simply making users aware of security issues will make them want to change their behaviour. But security pros are learning the hard way that awareness rarely equals change. A fundamental problem is that most awareness programs are created and run by security professionals — people who were not hired or trained to be educators.

These training sessions have traditionally consisted of long lectures and boring slideware, with no thought or research into what material should be taught or how. As a result, organizations are not getting the desired results and no overall progress can be tracked. The bottom line is that if companies fail to implement effective and engaging security awareness training, the latest phishing scam is just as likely to fool the same people, and businesses will remain at risk. To solve the security training puzzle, it’s important to step back and understand how people most effectively learn subject matter.

Small bites at a time:
People learn better when they can focus on small pieces of information that the human mind can digest easily. It’s unreasonable to give someone 55 different topics in 15 minutes of security training and expect them to remember it all — and then change their behaviour.

Reinforced learning over time:
People learn by repeating elements over time. Without frequent feedback and opportunities for practice, even well-learned abilities go away. Security training should be an ongoing event, not a one-off approach.

Train in context:
People tend to remember context, even more than they do content. In security training, it’s important to present training in the context in which the person will most likely be attacked.
Learning is influenced by existing ideas:
Concepts are best learned when they are encountered in multiple contexts and expressed in different ways. Security training that presents a concept to a user multiple times and provides different phrasing enables the trainee to more likely relate learning to past experiences and create new connections.

Active involvement:
It’s a proven fact that when we are actively involved in the learning process we remember things better. Ideally, if the trainee can actually practise identifying phishing schemes and creating good passwords, improvement rates can be dramatic. Ironically, hands-on learning still takes a back seat to old-school instructional models.

Immediate feedback:
If a user falls for a company-generated attack and receives training on the spot, it’s highly unlikely they’ll fall for the same trick again.

Character development/narratives/storytelling:
When people are introduced to characters and narrative development, they often form subtle “emotional” ties to the material that help keep them more engaged with what is being taught. Security training methods can leverage a story-based approach rather than listing facts and data in a non-engaging presentation format.

People need the opportunity to evaluate and process their performance in order to take steps for better performance moving forward. Security awareness training should challenge users to use critical thinking to examine presented information, question its validity and draw conclusions based on the resulting ideas.

It may sound cliché, but everyone really does learn at their own pace. A “one-size-fits-all” security training program is doomed to fail because it does not allow the user to control the pace of learning.

Conceptual and procedural knowledge:
Often applied to mathematical learning, conceptual and procedural knowledge influence each other in mutually supportive ways. Conceptual knowledge provides the big picture and enables a person to apply varying techniques to solve a problem. Procedural knowledge focuses on the specific actions required to ultimately solve the problem. Security awareness training requires a blend of both approaches.

A holistic approach that embraces technology and training is required to effectively counter the escalating number of cyber attacks businesses are facing today. However, training for the sake of training won’t necessarily yield the results your company is looking to achieve. By applying scientific, proven learning principles and techniques, companies can yield superior results in training efforts and help fortify their organization against its potentially weakest link.

Joe Ferrara  is president and CEO of Wombat Security Technologies (
