Imagine this: As part of an exercise to teach security awareness, employees enter a room. An actual, physical operational security “escape room,” which at first looks like a regular office room. But as people look closer, roleplaying as criminal social engineers that broke into the building, they start to spot information they can use for nefarious purposes.
For example, there’s a password in a trash can. And there’s a video conference meeting left unclosed. All around the participants are clues that could help them exploit the business. The hope is this experience helps them see through the eyes of a criminal — and leaves them understanding the importance of physical security. Once they are done, the goal is to have them remember the need to keep things like whiteboards clean, laptops locked, and documents hidden or shredded to protect the company.
This is the kind of security awareness training that Kim Burton, head of trust and compliance with Tessian, has used to make sure training leaves its mark on employees.
Awareness training that sticks is still desperately needed as human error is responsible for many breaches and data loss events. In fact, the most recent Verizon Data Breach Investigations Report found that 74% of breaches involved the human element, which includes social engineering attacks, errors, or misuse.
Figures also reveal many companies still fall short in their delivery of awareness training. New data from Hornetsecurity found that 33% of companies are not providing any cybersecurity awareness training to users who work remotely, a common arrangement in a post-COVID world. And those organizations that do provide awareness training — whether to on-site or remote employees — often administer it only annually. This is far from effective, according to Lisa Plaggemier, executive director at National Cyber Security Alliance, who has a long history of developing and running security awareness programs.
It’s time, she says, for organizations to get it together when it comes to effective awareness.
“Short but frequent; no more of this once-a-year nonsense,” she says.
Go Beyond Compliance
But more frequency is only one of many ways that modern security awareness training needs to improve. In a constantly evolving threat landscape, what does an effective security awareness training look like?
“At the National Cybersecurity Alliance, a lot of the behaviors we’re trying to influence are the same, so the advice is the same — using MFA, reporting phishing, etc. — but we deliver them through unique messages over time,” says Plaggemier. “Those messages use different approaches: storytelling from a victim’s perspective, storytelling from the defender’s perspective, leveraging current events in the headlines.”
Compelling, timely, engaging, and memorable. It sounds simple, right? But it’s not. They key problem holding many companies back, is attitude, says Dr. Jason Nurse, director of science and research at CybSafe and associate professor in cyber security at University of Kent.
“Many security awareness programs still fall flat because the organization views the training as a box that must be ticked,” he says. “Organizations often focus on compliance and meeting the basic requirements, which may result in training that lacks depth and engagement.”
Create ‘Sticky’ Awareness
How can security leaders put together a program that moves far beyond compliance mandates and shape training into something people not only remember, but actually use when faced with risk-based decisions?
One way is to deliver the content through a communication channel that works for them, says Nurse. Research by CybSafe earlier this year found that 79% of office workers are likely to act on security advice provided on the platforms they use daily, such as Slack and Teams. And 90% of respondents thought security nudges on instant messaging platforms would be valuable. Similarly, people who received cyber information daily and weekly were twice as likely to remember all of their training as those who received it monthly, quarterly, or annually.
“While a base-level understanding of cyber hygiene is essential through regular, engaging training, it’s equally crucial to help employees when they need it in a helpful format,” says Nurse. “Training should go beyond just conveying information; it should guide individuals on how to behave securely in their day-to-day activities. Furthermore, it should ensure people know where to seek help when needed.”
Another way to make it mean more is to make training role-based. One-size-fits-all is “necessary to a degree for compliance,” says Plaggemier, “but once you’ve fulfilled your compliance obligation, people should be receiving training that is appropriate for their role and the specific risks that affect them.”
Tessian’s Burton says in addition to making it too generic, many organizations fail to consider the culture and big picture when devising training.
“The programs fail to take into account the holistic experiences of employees, such as the current culture of the organization, the current signals from leadership about the importance of secure practices, and where the general employee is being asked to use most of their time and energy,” she says. “Security awareness programs may neglect non-engineering employees, and engineers may lack mentorship to integrate the material into their practice.”
“There is no one right way to train people to be cyber secure. There is only the right way for your organization, department, or team,” adds Nurse.
Play to the Room
Another important factor to sticky awareness is knowing your audience, says Burton. Like a good stand-up comedian, you need to understand who you are playing to if you want them to remember what you’re telling them.
“The first step is empathy,” she says. “The security educator needs a deep understanding of the people they are teaching. Repetition over a longer period of time while introducing content in a variety of ways will also ensure recall. And finally, don’t forget to have fun. Organizations frequently lose interest and engagement because of a fear of being too weird. However, people are more likely to retain unique content. Weird is good! Be funny, be creative, find joy!”
Burton, in addition to the escape room, has also had employees take part in a story contest that asked employees to write out a “spooky Halloween tale” of how they would attack the company. She has also created narratives that put people in the position of a security analyst at the company, in which they have to evaluate the security of external vendors.
The most effective security training, she says, covers core risks the business is concerned about; it is tailored to the audience; the concepts are presented over time and in a variety of ways; and the material is memorable due to its unique delivery, humor, or creative experience.
“The key component has been, and always will be, a focus on the people themselves.”
HOW TO MOVE FROM FORGETTABLE TO MEMORABLE SECURITY AWARENESS
Sticky security awareness training can be elusive for many organizations. And with 74% of security events directly tied back to human error, it is important to find ways to reach employees and help them understand cyber risks. Kim Burton, head of trust and compliance with Tessian, uses a variety of awareness training techniques in her programs. Here are the important tenets she says to keep in mind when creating a program at your own company.