Here’s a hot take that, deep down, you may already know: Security awareness trainings don’t really work. Most IT pros are required to conduct annual awareness trainings to comply with regulatory requirements, but it seems that simple “awareness” isn’t actually hardening up human endpoints. Awareness doesn’t change behavior.
Statistically speaking, 4 percent of people in any given phishing campaign will click—despite what they were told at security awareness trainings—and incredibly, the more phishing emails someone has clicked, the more likely they are to do it again. From a psychological perspective, it comes as no surprise that training alone doesn’t create any lasting change in behavior. “Ask any behavioral psychologist whether having more information causes people to make better decisions, and you know what they’ll say? Absolutely not,” writes phishing researcher Dane Boyd.
In the “Insights from NSA’s Cybersecurity Threat Operations Center” session at RSA 2018, Dave Hogue, Technical Director of the National Security Agency, stated that 90 percent of security incidents the NSA responded to in the last year were due to human error. The fact that phishing and smishing are still main points of discussion in 2018 may seem inane, but the truth is everyone in the industry needs to reconsider how to make security awareness trainings more effective.
5 smarter suggestions from RSA 2018
The recent RSA Conference drew 45,000 security professionals to downtown San Francisco for a week to shine a spotlight on the latest in cutting-edge security. There were loads of heated discussions about blockchain, diversity, AI, and more—and there was even an on-site security operations center.
Between futuristic tech displays and nerdy pub crawls, the human element in security was a strong focal point. Several expert suggestions for security awareness trainings that actually work emerged. Here are some of their tips:
1. Treat security like UX
Zoe Lindsey, Advocacy Manager at Duo Security, argued that “the system is people.” In other words, by applying user experience (UX) principles to your security program, you’ll be better positioned to create system-wide change.
The first step to doing so is to stop trying to take a one-size-fits-all approach to security awareness. Instead, create personas—similar to agile methodology user stories—describing how groups of users interface with security. Your historical help-desk data likely has a lot of insight into where groups of users find friction in your security processes. Once you’ve grouped users into personas, you can begin to understand security from their perspective. From there, you can improve your security UX and training materials to meet their needs.
2. Adopt gamification
There’s nothing motivating about awareness. But earning points and beating your coworkers at a little healthy competition can feel deeply satisfying. In “You Cannot Live on Phish Alone,” Marie White, CEO and President of Security Mentor, Inc., called for organizations to adopt gamification to create trainings with real impact.
The collision of game theory and behavioral psychology gets pretty complex, but the following e-learning techniques offer some ways to motivate people to complete digital security coursework:
- Provide progress indicators, such as points, badges, or awards
- Reward competence by creating levels, certifications, or leaderboards
- Support autonomy by allowing learners to choose courses or self-pace learning
3. Measure, for phish’s sake
You can’t know anything about the impact of your security education investments if you don’t measure awareness among your users before and after training. In “Phishing Simulation and Security Awareness Training: Equivalent or Not?”, White called for using measurement to understand the success of security awareness initiatives.
Here are three ways to measure how successful your security awareness initiatives are:
- Employee reaction: Training engagement, completion, and satisfaction
- Knowledge: Measurable change in employee knowledge before and after training
- Behavior change: Whether the training has actually sunk in, measured by whether insecure behaviors, such as opening dummy phishing emails, decline after it
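The third measure is the one most teams skip, so here is a concrete way to compute it. The script below is an added example, not code from the article or from any of the speakers it cites; it takes the results of a phishing simulation run once before and once after training, groups them by the kind of persona described in tip 1, and reports the change in click rate and report rate. The `SimResult` fields, the persona labels and the sample data are all constructed for illustration.

```python
"""Before/after phishing-simulation metrics, broken down by user persona.

Added example: the record layout and sample data are assumptions, not an
export format from any real phishing-simulation product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    user: str
    persona: str   # assumed persona label, e.g. "finance" (see tip 1)
    phase: str     # "before" or "after" the training
    clicked: bool  # user opened the simulated phish link
    reported: bool # user reported the message to the help desk


# Constructed sample: one simulated phish per user in each phase.
SAMPLE = [
    SimResult("alice", "finance", "before", True, False),
    SimResult("bob", "finance", "before", True, False),
    SimResult("carol", "finance", "before", False, True),
    SimResult("dave", "finance", "before", False, False),
    SimResult("erin", "engineering", "before", True, False),
    SimResult("frank", "engineering", "before", False, True),
    SimResult("grace", "engineering", "before", False, False),
    SimResult("heidi", "engineering", "before", False, True),
    SimResult("alice", "finance", "after", True, False),
    SimResult("bob", "finance", "after", False, True),
    SimResult("carol", "finance", "after", False, True),
    SimResult("dave", "finance", "after", False, True),
    SimResult("erin", "engineering", "after", False, True),
    SimResult("frank", "engineering", "after", False, True),
    SimResult("grace", "engineering", "after", False, False),
    SimResult("heidi", "engineering", "after", False, True),
]


def rates(results, persona=None):
    """Return {phase: {"n", "click_rate", "report_rate"}}, optionally for one persona."""
    buckets = defaultdict(list)
    for r in results:
        if persona is None or r.persona == persona:
            buckets[r.phase].append(r)
    out = {}
    for phase, rs in buckets.items():
        n = len(rs)
        out[phase] = {
            "n": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
        }
    return out


def behavior_change(results, persona=None):
    """Percentage-point change from 'before' to 'after'.

    A negative click delta and a positive report delta are the signal that the
    training changed behavior rather than just awareness.
    """
    r = rates(results, persona)
    if "before" not in r or "after" not in r:
        raise ValueError("need results from both a 'before' and an 'after' phase")
    return {
        "click_delta_pp": round(100 * (r["after"]["click_rate"] - r["before"]["click_rate"]), 1),
        "report_delta_pp": round(100 * (r["after"]["report_rate"] - r["before"]["report_rate"]), 1),
    }


def repeat_clickers(results):
    """Users who clicked in more than one phase.

    The article notes that past clickers are the most likely to click again,
    so this cohort is the natural target for persona-specific follow-up.
    """
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.user].add(r.phase)
    return sorted(u for u, phases in clicks.items() if len(phases) > 1)


if __name__ == "__main__":
    personas = sorted({r.persona for r in SAMPLE})
    print("overall:", behavior_change(SAMPLE))
    for p in personas:
        print(f"{p}:", behavior_change(SAMPLE, p))
    print("repeat clickers:", repeat_clickers(SAMPLE))
```

Run it as-is to see the overall and per-persona deltas; swap `SAMPLE` for your own simulation export to get real numbers. The per-persona split is the point: an overall improvement can hide one group whose click rate did not move, which is exactly where the persona-driven training from tip 1 should be aimed next.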
4. Create an ambassador program
According to SANS Institute Director Lance Spitzner, the next step toward security maturity is creating cultural change by building a security awareness ambassador program. Social marketing with ambassadors is a time-tested concept in everything from software implementations to workplace safety initiatives. Studies show up to 15 percent better success rates when “normal” employees are turned into project champions to evangelize to their peers. Peer resources for security questions could be key to changing beliefs, values, and behaviors.
Spitzner also recommends your ambassadors come armed with passion, not tech skills, and commit around 4 hours a month to their new gig. What’s in it for them? Recognition and the opportunity to put valuable cybersecurity knowledge on their resume.
5. Harden the perimeter
Unfortunately, human error is inevitable, even with the best programs in place. That’s why there’s still a need for technical controls that hold up even when your users slip. In Dave Hogue’s talk, he focused on ways office IT pros can improve their security posture beyond security training. His tips included:
- Reducing attack surfaces with stronger endpoints
- Improving visibility into all parts of the network—gateways, midpoints, and endpoints
- Updating software and hardware
- Using comprehensive threat intelligence technologies
- Thinking like the adversary—constantly curious to discover new threat vectors
People may make mistakes, but no one wants to cause a data breach. It’s time for security awareness training to transform from dull classroom sessions to engaging programs that create lasting change. Humans will never be perfect, but there’s a great deal of room for improvement. Some more creative training techniques, like persona-driven training and gamification, can go a long way toward making security concepts a part of workplace culture.
Of course, training has to exist alongside stronger security technology, like connected devices with embedded security features and increased network visibility. However, investing in end-to-end security while fostering a culture of collaboration will help keep even the most persistent hackers at bay.
Hungry for more RSA highlights? Check out our initial coverage here: “RSA 2018: 3 diversity lessons from the special forces” and click subscribe at the top of the page to stay tuned for more IT insights from Tektonika.