Think back to all of the corporate training you’ve sat through during your career. Chances are (especially if you’ve worked at a large enterprise) that some of that training had little relevance to your job duties. How much knowledge from those courses did you retain? Although you technically completed the training, would you have been able to apply any of the information you were given in real life?

For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. This is why traditional awareness training has failed. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs. Their security awareness training is now a distant memory buried in a pile of other dull corporate training they’ve been forced to endure over the years.

In previous blog posts in this series, we’ve advised you to think like a marketer and sell security to your users; we’ve also stressed the need for immersive training techniques. When done improperly, immersive training limits the effectiveness of a program (like driving a high-performance sports car in heavy traffic). Immersive training needs to be conducted in a way that engages participants and avoids the pitfalls.

With that said, here are ways to make your immersive security awareness training engaging and maybe even (dare we say it?) fun for your users.

It’s YOUR responsibility to provide engaging and focused security awareness training.

Start simple: For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off of skiing forever (or worse, get them injured). It’s the same with security. Don’t trip up your users by starting them off with complicated concepts – get them on the beginner slope. With customers first using PhishMe, we advise starting with a basic scenario, usually an email with a link promising pictures of cute cats. As simple as it sounds, many people will still click. Any security pro can devise a fake phishing email that users will click on, but since our goal is to improve behavior, start simple and work up to more complicated scenarios.

Be Specific: Hollow platitudes will undoubtedly get your users to tune out (corporate training has never been guilty of this, has it?). Avoid vague messages like “keep company resources safe”; instead, give users specific, actionable information that will help them change behaviour.

Mix it up: How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes, so consequently most people are checking out SkyMall instead of listening to the demonstration. Don’t make the same mistake with security awareness. Vary both the content and delivery method of your security awareness to continually engage recipients. PhishMe offers training content in video form, HTML templates, and an interactive game to ensure our customers appeal to different learning styles and personality types.

Keep it going: Why is it so easy to forget what you learned in a boring class? After the final exam, you don’t need the information, so there’s no need to retain it. We do know that security is a constant and changing threat; therefore, security awareness needs to be continuously reinforced. Despite this, 54% of industry pros we polled this year at Black Hat said their organizations conducted training only on an annual basis. By continuously training users at different times throughout the year, safe security behaviour becomes a habit, and not something forgotten as soon as training is over.

Be Positive: It might be tempting to expose the users who are security risks, but in our experience the negative backlash this generates will quickly undermine your security awareness program. Keep things positive by measuring the results of your program and recognizing people and departments who have done well. Educate and support those who need additional help.

Maybe it’s a stretch to think that security awareness will ever be fun, but if you follow these guidelines, you’ll keep your employees engaged and ultimately improve their security behaviour.