0

I have read a lot on the topic of enforcing end-user security training, such as how to spot a phishing email for example. Even enforced training, such as conferences or videos that the end-user must watch can easily be neglected or not cared for by the end-user.

I keep hearing the use of "consequences" of not taking the training seriously, but I feel as though that is not the best course of action. My question here would be, what are your suggestions to improve the effectiveness of the training and keeping the audience (the end-user) with a true willingness to pay full attention to the training?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Derek Spampinato
  • 1
  • 1
  • 1
    This is not a small question. I wrote a whole book on the topic. You might need to narrow down your focus a little. – schroeder Nov 06 '16 at 19:13
  • If you are looking at something beyond "consequences" then you are looking at developing a security culture (the subject of my next book). You hit the nail on the head with aiming for "willingness", which means you need to trigger people to *want* to take and follow training. – schroeder Nov 06 '16 at 19:16
  • 1
    My buddy works for a security team at a credit card company and they have a whole team to social engineering and they perform "social engineering" on their own employees and if one of them opens a file or downloads something then they go and talk with the employee and teach them what they did wrong and what to look for. I think that's more effective than a lecture because you are actually putting the employee in a situation so next time they receive an email they will think twice – nd510 Nov 06 '16 at 20:00

2 Answers2

1

I do this very successfully using 2 methods:

  • Mix training with small 'escapes', moments that attract attention with a joke or something unrelated to the main (probably boring for them) subject. This is like hitting their refresh button.

  • Be interactive. Do not present your case like an advocate in a court of law. Ask them what they think, make them state their opinions on the matter and interactively explain why certain things have to be done in a certain manner.

As an intro on-top of those, you can use the Fear against them. Start your presentation by giving a disaster situation example (i.e. Dude 1 clicked on a phishing file and cause the company that many k/M$ in damage and he got fired).

Overmind
  • 8,779
  • 3
  • 19
  • 28
0

From what my experience in cyber seem to validate, the below recommendations have been really helpful in building a "culture of security", a culture where all employees understand their individual role in protecting company assets, and feel empowered to communicate security issues without fear.

Increase the visibility of the security function and rebrand as a partner

It is unfortunate that security folks like ourselves are often associated with a culture of no. We are seen (wrongfully) as adversaries to be feared / avoided and as opponents of change, rather than partners with the business to increase value. The cybersecurity function is often seen as "the police", only there to enforce laws, without understanding of user needs.

Therefore, I would suggest first rebranding the security function as a friend to the business. End users may not know what security does for a company or how it brings value, given we are often a cost center, not a profit center. They may just see the negative aspects of security manifest, if not implemented well and thoughtfully, or implemented excessively (i.e: security nazi) Find ways to interact and get to know your end users and really listen to what their needs are. Show them you actually care about what the cost of new security controls are to their job.

Ensure end users understand the purpose of corporate security training

Unwillingness of the end users to adhere to security training might be due to them not understanding why certain processes / procedures are the ways they are. E.g: We, as cybersecurity professionals, may understand the role of DLP in mitigating data leakage, but a non - technical end user may just be annoyed when an email they sent is blocked, and they are forced to use alternative (and possibly unfamiliar) means to communicate. As to how to communicate to end users, this answer raises several excellent points, two that will highlight below.

  • Target the security training to end users based on specific, relevant security risks to their job duties, in addition to providing a foundational level of training that all users get

  • Recruit colleagues to form a cybersecurity advocacy / champion team. Rather than management enforcing training from above, now a continuous message about security is coming from their peers, who also serve as a source of support when end users have questions about IT security processes / expectation of them.

Anthony
  • 1,736
  • 1
  • 12
  • 22