Security awareness training is broken. Read the news any day of the week and you can find articles talking about breaches, ransomware attacks, and countless records stolen resulting in identity theft victims. Our users are continuing to click suspicious links, open attachments they weren’t expecting, and falling for the call to action. Attackers know that our users are the weakest link in the security chain.
In 2014, Gartner calculated the market space for security awareness training at $1 billion dollars with a double-digit annual growth percentage. Gartner is predicting the market space will be $10 billion sometime between 2024 and 2027. With the rapid increase in security awareness training spend, why are we continuing to see so many breaches? What are we missing ineffective security awareness programs?
1. Executive Buy-in
I recently presented on security awareness at a local trade show and found about 30% of organizations had some type of executive buy-in for their security awareness program. For as many companies that claim to say cybersecurity is a priority, why such a low percentage of support from the C-suite?
Get your executives to promote the security awareness program and encourage all employees to participate. Without the official nod of approval, we find ourselves with limited traction in the organization.
2. Meaningful Metrics
Metrics and Key Performance Indicators are one of the missing or poorly setup components of a security awareness program. Metrics for security awareness usually come packaged such as:
- How many people took the training?
- How quickly did people complete the training?
- How many people passed/failed the quiz at the end of the training module?
When you were in grade school, you didn’t get a grade on your assignment based on the number of questions completed or if you turned in the piece of paper. You were graded based on the number of questions answered correctly! Your grade was based on the output of your learning, not the input. Too many times to we see security awareness programs set up to measure the inputs and not the resultant output behavior. So, what’s an example of an output metric?
- Number of reporting phishing messages
- Increase/decrease in the number of security incidents
- Decrease in security incidents by poorly performing individuals/departments after completing training
- Incident avoidance rate
With the incident avoidance metric, take the estimated cost for downtime and convert it to an hourly rate. The hourly rate should be multiplied by the average number of hours of downtime for an individual or department during a cybersecurity incident. Track the number of cybersecurity incidents your organization responds to on a monthly and annual basis. Once the incident avoidance rate exceeds your annual spend on security awareness training, you’ve just offset the cost of your training program! This is an excellent way of quantifying the effectiveness of your security awareness program.
Step 1: Create metrics
Step 2: ???
Step 3: Profit!
3. Active Learning
Make it fun. Make it engaging. Make it memorable. The worst type of training is a boring PowerPoint with narration. Edgar Dale, an American educator who developed the Cone of Experience, tells us that only 10-30% of what we see and hear, also known as passive learning, is actually remembered. 70-90% of your security awareness spend is wasted with passive learning techniques!
When we engage active learning techniques, like using quizzes during training, phishing simulations, tabletop exercises, or having employees present about their security awareness experiences during a company lunch and learn, the percentage of recall jumps to 70-90%! An amazing increase in effectiveness with just a small change.
4. Distributed Practice
A 1978 study, “The Influence of Length and Frequency of Training Sessions on the Rate of Learning to Type”, showed that postal workers were able to learn how to more effectively use a new typewriter system faster when the practice was spaced instead of when a longer instruction session was given. We can exploit this method of learning by giving shorter periods of security awareness training spread throughout the year. In today’s age of constant interruptions from push notifications, emails, phone calls, and your boss stopping by the cubicle to see how things are going, it’s hard to dedicate an extended period of time to anything. Breaking training into 15-30 minute easily understandable topics is a quick win to get training completed.
With distributed practice, we also need to space our phishing simulations. Setup a schedule with intervals randomized from every 3 to 7 weeks. With a predictable schedule, users are on the lookout for a phishing campaign. Using the same template, or a limited group of templates, results in the prairie dog effect. Once a single user spots the phishing test, they notify their friends and coworkers what to be on the lookout for skewing metrics for the test.
5. Don’t Focus on Just the Phish
While phishing is the most prominent and publicized means of attacking the user, other avenues are gaining in popularity and effectiveness. USB Drops, Voice phishing (Vishing), SMS Phishing (SMShing), and physically accessing a location are additional ways for an attacker to load malware, get a user to give up their password, or find one written on a sticky note under the keyboard (or taped to the side of the monitor). Physical security is often left out of the curriculum, and goes untested by security groups, as our penetration testers have strolled through hallways unchallenged.
Ensure user awareness programs educate them on the dangers of devices founds on the ground and enable them to challenge unknown callers asking for sensitive information or unfamiliar employees without a badge or escort. Many user awareness products include pieces for testing a user’s susceptibility to dropped USB sticks, but never underestimate the insight gained by calling the helpdesk or having a friend try to walk in and grab a seat at an unoccupied desk. (See #3 — This is the best active learning technique!)
In closing, setup meaningful metrics tracking the output of the security awareness program. Implement changes and track their effectiveness. Engage your users with more meaningful content and active learning techniques and watch the increase in the effectiveness of your security awareness program.
by Brendan Dalpe | Senior Security Consultant
August 15, 2018