For many organizations computer security training does not appear to impact the user population in a manner that protects the company assets and confidential data as intended. It is a tough balance to deliver enough information to explain the organization’s security stance, and have it succinct enough to be retained by employees.
One story that really helps solidify this point is the University of East Anglia (UEA) data breach that was repeated twice in one year due to the same flaw in their processes. During the investigation into the data breaches, it was revealed that the university’s security training culminated in an 8-question multiple choice quiz, which is not nearly enough of a motivator for employees to take seriously. The flip side of that is too much training, which runs the risk of paralyzing the userbase in a state of paranoia, which can negatively impact work relationships and productivity.
It is a tough balance to achieve, and it requires the people who make policy decisions and training materials understand the motivators of their userbase when falling for social engineering attacks. This understanding helps to more accurately tailor the training to where it is needed instead of basing it on industry “norms” and general, vague top 10 lists found in numerous articles and blogs.
When money is spent on training and associated material, and there is little thought on how it affects a particular population of individuals, a disconnection occurs. Either, the information is too complicated for the users to understand so they ignore it, or it does not apply to their daily lives, so they ignore it. The rare cases where it does apply directly to the individual is the moment that should be leveraged to instill secure computing behavior.
It is not all smooth sailing from there. That moment can be easily lost through a lack of follow-up testing and acknowledgement of proper behavior, which cause the targeted user to feel their actions are unappreciated, and they stop behaving in the expected, secure manner. How can we change this?
Make it Personal
Making training personal to the targeted user group bridges that gap. There are simple things that can be done to personalize training to engage the population so that they, first, understand the need for secure computing habits and, second, feel a direct personal connection to their role as part of that process. Without both of those elements training can be easily ignored and forgotten, which defeats the entire purpose of the exercise and money spent.
Security educators within an organization have the most access to the motivators of the population. Surveys can be conducted to get base line information about how users perceive threats to the company and data they have access to. That information can then be used to tailor training to address those gaps that may exist. An example is the sales department likely doesn’t have access to employee personal information, so having training telling them how to protect that information likely won’t be absorbed as well as training tailored to how to protect clients’ data.
Couple targeted training with open acknowledgement within the company of top performers during the security testing, by giving rewards of varying kinds and distributing that list to all employees, can motivate those who are not performing as well to step up in an effort to be publicly recognized as protecting the company and its data. These strategies personalize the critical thinking, which makes the message stick more effectively than getting training virtually anonymously and the results kept close to the vest of the tester, so no one talks about security around the water cooler. When users begin saying things like, “Great job, Sally. I saw you did really well on the security test this past week, what tipped you off that it was a scam,“ you have created a culture of sharing personal stories that will teach others in a manner computer-based training or hour-long lectures just can’t compare to.
It may seem like more work to tailor training to the specific user population, but as companies spend more money on training than ever before and reports of data breaches continue to increase, it is clear there is a gap that needs to be filled with a different solution. Spend some of that money on effective user population research, and the positive results will be seen quickly. Once you get users openly talking to each other about threats and taking ownership of the data they have access to, they will protect it more vigilantly to create a company culture that secures its data better than ever before.