April 2017 Digital Edition
March 2017 Digital Edition
Feb. 2017 Digital Edition
January 2017 Digital Edition
Nov/Dec 2016 Digital Edition
Oct 2016 Digital Edition
Ten Commandments for effective security training
A year of historic breaches from RSA, Epsilon and Lockheed Martin to the Sony PlayStation Network, demonstrates how ineffective the best security technologies can be when people are involved.
Many attackers today leverage the human factor, bypassing most security controls and using techniques such as social engineering to get the information they want, simply by luring users to open an email, click on a link or download an attachment.
Information security people think that simply making users aware of security issues will make them want to change their behavior. But security pros are learning the hard way that awareness rarely equals change.
A fundamental problem is that most awareness programs are created and run by security professionals -- people who were not hired or trained to be educators. These training sessions have traditionally consisted of long, monolithic lectures and boring slideware -- with no thought or research into what and how material should be taught. As a result, organizations are not getting the desired results and no overall progress can be tracked.
Bottom line, if companies fail to implement effective and engaging security awareness training, the latest phishing scam is just as likely to fool the same people, and government agencies will continue to remain at risk.
To solve the security training puzzle, it is important to step back and understand how people most effectively learn subject matter of any type. In other words, are there training keys to help get an attention deficit society to sit through something as potentially boring as security training?
The answer is Yes, but it’s all in the approach.
The science of learning dates back to the early 1950’s and the techniques have been proven over time and adopted in various circles as accepted learning principles. When applied to information security training, the results of these top training techniques can provide immediate, tangible and long term results for educating employees and improving your company’s overall security posture.
1. Small bites at a time: People learn better when they can focus on small pieces of information that the human mind can digest easily. It’s unreasonable to give someone 55 different topics in 15 minutes of security training and expect them to remember it all -- and then change their behavior. Short bursts of training are always more effective.
2. Reinforced learning over time: People learn by repeating elements over time. Without frequent feedback and opportunities for practice, even well-learned abilities go away. Security training should be an ongoing event, not a one-off approach.
3. Train in context: People tend to remember context, even more than they do content. In security training, it’s important to present training in the context that the person will most likely be attacked.
4. Learning is influenced by existing ideas: Concepts are best learned when they are encountered in multiple contexts and expressed in different ways. Security training that presents a concept to a user multiple times and provides different phrasing enables the trainee to be more likely to relate learning to past experiences and create new connections.
5. Active involvement: It’s a proven fact that when we are actively involved in the learning process, we remember things better. Ideally, if the trainee can actually practice identifying phishing schemes and creating good passwords, improvement rates can be dramatic. Ironically, hands-on learning still takes a back seat today to old school instructional models, including the dreaded lecture.
6. Immediate feedback: If you’ve ever participated in sports, it’s easy to understand this one. “Calling it at the point of the foul” creates teachable moments and makes the impact of learning so much greater. If a user falls for a company-generated attack and receives training on the spot, it is highly unlikely that he or she will fall for the same trick again.
7. Characters development/narratives/story-telling: When people are introduced to characters and narrative development, they often form subtle “emotional” ties to the material that helps keep them more engaged with what is being taught. Security training methods can leverage a story-based approach rather than listing facts and data with a non-engaging presentation format.
8. Reflection: People need the opportunity to evaluate and process their performance in order to take steps to achieve better performance moving forward. Security awareness training should challenge users to use critical thinking to examine presented information, question its validity and draw conclusions based on the resulting ideas.
9. Pacing: It may sound cliché, but everyone really does learn at their own pace. A “one size fits all” security training program is doomed to fail because it does not allow the user to control the speed learning optimized for each individual.
10. Conceptual and procedural knowledge: Often applied to mathematical learning, conceptual and procedural knowledge influence each other in mutually-supportive ways. Conceptual knowledge provides the big picture and enables a person to apply varying techniques to solve a problem. Procedural knowledge focuses on the specific actions required to ultimately solve the problem. Security awareness training requires a blend of both approaches. For example, a user may need a procedural lesson to understand that an IP address included in a URL is an indication that they are seeing a phishing URL. However, they also need the conceptual understanding of all the parts of a URL to understand the difference between an IP address and a domain name. Otherwise, they may mistake something like www4.google.com to be a phishing URL.
Obviously, a holistic approach that embraces technology and training is required to effectively counter the escalating number of cyber attacks that government agencies are facing today. However, training for the sake of training won’t necessarily yield the results your organization is looking to achieve.
By applying proven learning science principles and techniques, government agencies can yield superior results in training efforts and help fortify their organization against its potentially weakest link.
Joe Ferrara is President and CEO of Wombat Security Technologies. He can be reached at: