Mimecast ranked among the fastest growing techno... » London, UK: Mimecast has been ranked on the Deloitte Technology Fast 500 EMEA 2014, a ranking of the... gateprotect once again awarded the quality label ‘... » Hamburg: gateprotect GmbH, the German IT security specialist and member of the Rohde & Schwarz Group... The U.S. and Cuba » The White House, Washington Yesterday, after more than 50 years, we began to change America's rela... Why is an integrated network health solution criti... » Networks have become a strategic business asset that glues together the data, the applications, and ... Nuix joins McAfee security Innovation Alliance P... » LONDON, UK: Nuix has joined the McAfee Security Innovation Alliance program. Nuix and McAfee are now... IGEL updates Windows Embedded firmware and expands... » Reading, UK: IGEL Technology has updated its firmware for its Windows Embedded Standard 7 thin clien... ForgeRock reveals 2015 technology predictions » Bristol: ForgeRock Inc. has revealed its 2015 technology predictions. The company expects to see inc... Lancope unveils newly enhanced, world-Class cust... » Company has increased its investment in customer success by 150 percent this year LONDON UK: Lanco... ANNUAL ARMED FORCES COVENANT REPORT PUBLISHED » THE Armed Forces Covenant Annual Report has been presented to Parliament today and details the progr... Opengear Continues EMEA Momentum » Slough UK:  Opengear has announced its most impressive year in EMEA with across the board growth. 2...

CLICK HERE TO

Advertise with Vigilance

Got News?

Got news for Vigilance?

Have you got news/articles for us? We welcome news stories and articles from security experts, intelligence analysts, industry players, security correspondents in the main stream media and our numerous readers across the globe.

READ MORE

Subscribe to Vigilance Weekly

Information Security Header

Think back to all of the corporate training you’ve sat through during your career. Chances are (especially if you’ve worked at a large enterprise), that some of that training had little relevance to your job duties. How much knowledge from those courses did you retain? Although you technically completed the training, would you have been able to apply any of the information you were given in real life?

 

For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. This is why traditional awareness training has failed. Users will do what they have to do to get through the training, check the box, and get back to their regular jobs. Their security awareness training is now a distant memory buried in a pile of other dull corporate training they’ve been forced to endure over the years.

In previous blog posts in this series, we’ve advised you to think like a marketer and sell security to your users; we’ve also stressed the need for immersive training techniques. When done improperly, immersive training limits the effectiveness of a program (like driving a high-performance sports car in heavy traffic). Immersive training needs to be conducted in a way that engages participants and avoids the pitfalls.

With that said, here are ways to make your immersive security awareness engaging and maybe even (dare we say it?) fun for your users.

It’s YOUR responsibility to provide engaging and focused security awareness training.

Start simple: For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off of skiing forever (or worse, get them injured). It’s the same with security. Don’t trip up your users by starting them off with complicated concepts – get them on the beginner slope. With customers first using PhishMe, we advise starting with a basic scenario, usually an email with a link promising pictures of cute cats. As simple as it sounds, many people will still click. Any security pro can devise a fake phishing email that users will click on, but since our goal is to improve behavior, start simple and work up to more complicated scenarios.

Be Specific: Hollow platitudes will undoubtedly get your users to tune out (corporate training has never been guilty of this has it?). Avoid vague messages like “keep company resources safe”, instead give users specific, actionable information that will help them change behaviour.

Mix it up: How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes, so consequently most people are checking out SkyMall instead of listening to the demonstration. Don’t make the same mistake with security awareness. Vary both the content and delivery method of your security awareness to continually engage recipients. PhishMe offers training content in video form, HTML templates, and an interactive game to ensure our customers appeal to different learning styles and personality types.

Keep it going: Why is it so easy to forget what you learned in a boring class? After the final exam, you don’t need the information, so there’s no need to retain it. We do know that security is a constant and changing threat; therefore, security awareness needs to be continuously reinforced. Despite this, 54% of industry pros we polled this year at Black Hat said their organizations conducted training only on an annual basis. By continuously training users at different times throughout the year, safe security behaviour becomes a habit, and not something forgotten as soon as training is over.

Be Positive: It might be tempting to expose the users who are security risks, but in our experience the negative backlash this generates will quickly undermine your security awareness program. Keep things positive by measuring the results of your program and recognizing people and departments who have done well. Educate and support those that need additional help.

Maybe it’s a stretch to think that security awareness will ever be fun, but if you follow these guidelines, you’ll keep your employees engaged and ultimately improve their security behaviour.