ENTERPRISE MANAGEMENT ASSOCIATES®
I just released a new research report called Security Awareness, It's Not Just for Compliance. In analyzing the data, I found some pretty scary results. A number of the findings were so unexpected, it is obvious that the personnel working in the security, risk, and fraud areas need help getting their message out and, in some cases, they need help realizing they need to have a message.
There have been a number of headlines about the research announcing the first and most egregious issue. Fifty-six percent (56%) of study respondents indicate they have not received any security awareness training from their employer. If management is expecting people to not be the weak link in security but aren't training them, they are setting unrealistic expectations that are not founded in any other aspect of education. It's like giving the calculus final the first day of the semester and basing the semester grade off that one experience. Remember, the definition of insanity is doing the same thing repeatedly and expecting a different result. If you are not providing training, START!
Getting past that, we still have a number of other issues to address. If we are putting time, effort and money into training, great! However, we could be throwing good after bad if we are not providing appropriate methodologies and measurements for training. If program leaders cannot demonstrate improvement, funds will not be allocated. Here is how you can knock out a couple of those birds with one stone.
First, if you are making the investment, choose a partner that will facilitate your end goals of better measureable knowledge. How do you do that? Well, I am going to give you a few pointers.
- Training is based on instructional principles that are effective.
- Remember the old adage, "Tell me and I'll forget; show me and I might remember; engage me and I will learn."
- Most people require regular repetition to remember something. More than 75% of respondents said they get training quarterly or less frequently which holds little chance of them remembering what they were told.
- Only 2% of programs provide post incident training. It is key for a program to have the ability to identify when an incident has occurred (a bad security decision has been made) and help the student discern why the choice was a poor one and provide timely and constructive feedback to make a correction. If the program can't show them how they are making bad choices and do it in a timely manner, they will not learn.
- Because games are engaging, learning through "games" has long been recognized as a strong teaching tactic. Forty-seven percent (47%) of respondents being trained recognized that the training must be interactive or engaging. When evaluating the <=30 age group that number rose to over 65%. To make training engaging it should be: interactive, easy to apply to real life, easy to understand, and fun & enjoyable. Respondents indicated that these were all important but significantly lacking in their programs. Engage personnel; don't just lecture at them if you need them to learn.
- Programs should accurately assess not only the collective group performance over time but also individual comprehension, so those with weaker understanding can be assisted as early as possible.
- Fifty-two percent (52%) said that some portion to all of their training program effectiveness was not measured, or they did not know if it was measured. This number moved to 56% for line of business personnel. The report indicates that over 61% of programs are being measured, but program administers are not getting the word out. If so few programs are effectively measuring their performance, it is no wonder that so many programs are going underfunded or unfunded.
- Of the programs that were being measured, 62% of respondents said that completion or attendance was the most common method of measuring training. This is another program management failing. What we do not measure, we do not improve. The best way for organizations to determine whether training is effective and providing a return on investment (ROI) is to use training methods that allow the employee to demonstrate measurable understanding and progress. When conducted in the proper manner or environment, testing of this nature is very effective and can be repeated to track results on similar data sets.
- Content must address current threats and be expandable for new threats or business requirements.
- Security awareness is not so much about teaching a finite set of knowledge but proper discernment and decision making to facilitate the greatest possibility for success. The program must use current threats in various approaches to help students identifying the methods behind those attacks, not just the instantiation of a single attack.
In my view, engaging a Security Training partner is key to significantly advancing your security awareness program. It is no different than engaging a good forensics consultant post breach or a certified penetration tester to find controls gaps before an audit. It's getting the best help you can to achieve an objective.
Companies such as Wombat Security Technologies are experts in the training delivery field, and they specifically provide a market leading solution for continuous security education that creates employee behavior change. Select a training partner, like Wombat, that dedicates research time and money to identifying current and emerging threats that will be encountered and in delivering scalable solutions that make it easy for training program administrators to assess areas of user knowledge weakness and then target education programs to the subjects and people most at risk. This is a great way to get a quality program started, show a quick ROI, and then grow the program over time.
Your training partner should offer security education tools that make it easy to manage a continuous education program that assesses, trains, and measures knowledge all year long. The tools should capture user interactions to provide detailed information about topics where users are both strong and weak to provide not only a birds-eye programmatic view but also how to help individuals that need support. In many cases, the person managing the security awareness program has a different set of full-time responsibilities and should consider outsourcing management of the program for best results and value.
Security awareness should not be neglected as a cost cutting measure. In the vast majority of cases, the people are the first landing point of an attack and the first line of defense. If they can properly discern an attack before activating it, the battle is done with far less cost and productivity losses than if remediation is required.
The most telling statistic about how needed quality training is identified that 86% of respondents said they recognized that the training they receive at work helps them make better security decisions at home. That is how we know that organizationally provided security awareness training has an impact on the security of the Internet as a community, not just at work.