
4 Keys for Successful Training

As cyber-attacks are on the rise, companies are becoming ever more aware of the need to implement security awareness programs to train their employees against these attacks. Routine training is essential, but is the security training employees receive as effective as it could be? Most of us have gone through training programs (the dreaded PowerPoint presentation) at work that we had to complete for compliance purposes. However, a couple of weeks later we forget all about it because it had no impact on us personally. It was just another procedure we completed, and we move on with life. What if the training appealed to us personally? Standard training may require implementing new tools or procedures, but effective training goes beyond that. There are 4 keys for successful training that will make all the difference for employees as well as corporations.

Have Metrics and Measure Training Effectiveness

How can metrics improve training? Metrics enable you to objectively assess the effectiveness of your training. Having accurate data points to quantify and validate the effectiveness of a training program is achieved by implementing realistic testing. This will enable you to identify not only the number of employees who successfully complete training, but also the rate of behavior changes as a result of training. Analyzing the results of the tests in relation to the training can help determine if your training program is having the desired effect. It can also reveal any deficiencies and areas where employees struggle the most. Executing a training program without measuring its effectiveness would be like playing darts blindfolded. The clearer your focus on the target or goal, the better your chance of success.

Add Layers

Offering just one form of training, repeated over and over again, may not be effective for all users. In addition to training via the company’s intranet, including newsletters and splash pages featuring current topics could increase the interest of the employees. Others may enjoy learning at in-person events such as lunch and learns. In this relaxed group setting, employees can feel more connected to the information given in the training. Also, many corporations find it beneficial to send some of their employees to conferences that offer training on the different aspects of security awareness. Adding layers to the training will ensure that the information reaches more people.

Humanize Your Training


It is common to blame the recipient when training doesn’t yield the desired results. But could there be a deficiency in the training method? Focusing on the human aspect of security training will help identify any gaps in the training. Many companies give the same training to all employees, regardless of their job duties. However, “one size fits all” training is not effective. Security awareness will vary from one department to the next. The risk for someone who works in accounting will differ from that of an executive. The training they receive could have nothing to do with their job. If the training seems irrelevant to the employee, it will not provide effective teaching.

For security awareness training to be effective, it needs to be interactive and multifaceted. The different facets of the training should have sections that speak to the different styles of learning, whether audio, visual or hands on. This will keep employees engaged in the training and thus will be more effective.

Care About Your Users

Communication is vital for information security training. To develop good communication with employees, a corporation needs to show that they don’t just care about what happens at work, but also how the training they’re providing benefits the employee as a person. If an employee’s personal computer is compromised and they’re worried about losing pictures of their loved ones, can they really be productive at work? To keep employees interested in the training, it’s important to pick topics that are relevant. If we’re to invest our time and attention, we need to know: what’s in it for me? The focus should be not only on how to protect the company, but also how the information given will help employees protect their personal information, as well as their family & friends.

In the business world, great importance is given to building relationships with clients by establishing trust. It is just as important to build a relationship of trust with our employees. Therefore, we need to consider the employees’ feelings when launching a security awareness training. Sadly, there have been instances where corporations tested their employees by sending phishing emails that promised them an end-of-year bonus, only for them to find out it was not real. What lessons do employees learn when they are left feeling demoralized? Tests that elicit a visceral fear response are not effective. Instead, we need to humanize our fellow employees so they can view the training/testing as a tool for them, not as an adversarial attack.

Summary

It’s not just about giving training but measuring how effective the training is. Assessing our training can help to identify any gaps. Then, we can re-evaluate the delivery and make it relevant by including topics that people care about. Security awareness training should focus not just on the end goal, but also on how it will affect the people that serve that business. A point to remember is we’re not only training our employees, but we’re also building trust. We do this by implementing empathy in our testing. Any type of training, whether phishing, vishing, etc., should not be fear-based. Employees need to see their IT departments as advocates, not adversaries.

When influential information security practitioner Kate Mullin was a guest on the Social-Engineer podcast, she said, “Part of employee engagement is, you need to care about them, and it can’t be fake. It has to be real.” Implementing a security awareness program that takes into account not just the business’ needs but those of the employees can create a partnership that results in everyone being more secure.

Want to Humanize Your Training?

Social-Engineer provides custom managed services to assist organizations in the assessment and education of their human network. We take a personalized approach to training and testing. Our team of expert social engineers focus on the tactics hostile attackers use to influence and manipulate people via phishing, vishing, and impersonation. We will assess your organization’s vulnerability to a social engineering attack. Then we will provide customized training and guidance to make your company more secure. For detailed information about the services we offer, please visit Social-Engineer.com/Services.

Sources:
https://trainingindustry.com/articles/measurement-and-analytics/how-to-use-employee-training-metrics-to-measure-training-effectiveness-and-impact-spon-eidesign/
https://www.social-engineer.org/podcasts/ep-164-security-awareness-series-metrics-and-empathy-the-answer-to-cyber-breaches-with-kate-mullin/
https://www.social-engineer.com/the-role-of-empathy-in-ethical-social-engineering/

Images:
https://elearningindustry.com/value-of-employee-training-why-company-needs
https://tlt.cofc.edu/2016/12/20/de-2-0-workshop-humanizing-your-online-course/
