Ted Plumis, Vice President of World Wide Channel... » London, UK: Imperva Inc. has announced that Ted Plumis, vice president of World Wide Channels for Im... PixAlert launches integrated OCR capability to str... » PixAlert has introduced integrated, optical character recognition (OCR) capability to their portfoli... Blesma Chief Executive leads team to scale ne... » This summer, former Brigadier and Blesma Chief Executive, Barry Le Grys, will be leading a team of a... Championship teams unite in support of injured s... » Nottingham Forest and Bolton Wanderers players and fans pulled out all the stops on Saturday in supp... AdaptiveMobile launches SS7 Protection to sec... » DUBLIN & DALLAS: AdaptiveMobile has launched SS7 Protection – a new product that secures mobile oper... Portal wins 2015 IBM Beacon Award for Outstandin... » UK: Portal was named a winner of a 2015 IBM Beacon Award for Outstanding Solution for Midsize Busine... Moxa's new EDR-810 Firmware to support transpare... » Munich: Moxa has released a new firmware for the EDR-810 industrial 8+2G multiport secure router to ... Cubic receives additional $2.9 million training or... » SAN DIEGO, Calif.: Cubic Corporation has been awarded a contract modification valued at more than $2... Defence Secretary hails UK military for mission in... » Photo: MoD DEFENCE Secretary, Michael Fallon, has said that UK personnel have made a vital contribu... Quantum's Stornext cuts complexity with workload s... » SAN JOSE, Calif.: Quantum Corp. has announced a video surveillance solution certified with Milestone...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

Think back to all of the corporate training you’ve sat through during your career. Chances are (especially if you’ve worked at a large enterprise), that some of that training had little relevance to your job duties. How much knowledge from those courses did you retain? Although you technically completed the training, would you have been able to apply any of the information you were given in real life?

 

For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. This is why traditional awareness training has failed. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs. Their security awareness training is now a distant memory buried in a pile of other dull corporate training they’ve been forced to endure over the years.

In previous blog posts in this series, we’ve advised you to think like a marketer and sell security to your users; we’ve also stressed the need for immersive training techniques. When done improperly, immersive training limits the effectiveness of a program (like driving a high-performance sports car in heavy traffic). Immersive training needs to be conducted in a way that engages participants and avoids the pitfalls.

With that said, here are ways to make your immersive security awareness engaging and maybe even (dare we say it?) fun for your users.

It’s YOUR responsibility to provide engaging and focused security awareness training.

Start simple: For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off of skiing forever (or worse, get them injured). It’s the same with security. Don’t trip up your users by starting them off with complicated concepts – get them on the beginner slope. With customers first using PhishMe, we advise starting with a basic scenario, usually an email with a link promising pictures of cute cats. As simple as it sounds, many people will still click. Any security pro can devise a fake phishing email that users will click on, but since our goal is to improve behavior, start simple and work up to more complicated scenarios.

Be Specific: Hollow platitudes will undoubtedly get your users to tune out (corporate training has never been guilty of this has it?). Avoid vague messages like “keep company resources safe”, instead give users specific, actionable information that will help them change behaviour.

Mix it up: How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes, so consequently most people are checking out SkyMall instead of listening to the demonstration. Don’t make the same mistake with security awareness. Vary both the content and delivery method of your security awareness to continually engage recipients. PhishMe offers training content in video form, HTML templates, and an interactive game to ensure our customers appeal to different learning styles and personality types.

Keep it going: Why is it so easy to forget what you learned in a boring class? After the final exam, you don’t need the information, so there’s no need to retain it. We do know that security is a constant and changing threat; therefore, security awareness needs to be continuously reinforced. Despite this, 54% of industry pros we polled this year at Black Hat said their organizations conducted training only on an annual basis. By continuously training users at different times throughout the year, safe security behaviour becomes a habit, and not something forgotten as soon as training is over.

Be Positive: It might be tempting to expose the users who are security risks, but in our experience the negative backlash this generates will quickly undermine your security awareness program. Keep things positive by measuring the results of your program and recognizing people and departments who have done well. Educate and support those that need additional help.

Maybe it’s a stretch to think that security awareness will ever be fun, but if you follow these guidelines, you’ll keep your employees engaged and ultimately improve their security behaviour.