Security Awareness Training: We’re Doing it Wrong!

This article originally appeared on RSA Conference blog on March 3, 2015. Join the conversation!

It’s a relentless mantra in information security community: “People are the weakest link.”

The success of email phishing, watering hole attacks, and over-the-phone social engineering tactics proves that attackers just have to target people in order to sidestep several layers of defense in depth measures.

Most security professionals agree that user awareness is the key to mitigating these people-centric attacks. Unfortunately, we’ve denigrated awareness training to something along the lines of annual fire safety training.

In a survey of ISACA members, Dr. Karen Quagliata compared organizations that “strongly agreed” that their organizations secured data effectively to those that were less confident to determine what aspects of user awareness were important. The study also found the majority of organizations used more than one delivery method when it came to user awareness. This makes sense because not everyone absorbs information the same way. However, the fact that organizations were not measuring the effectiveness of these training methods was a revelation. Organizations were just collecting signatures from employees affirming they had read and understood the policies.

Even though this research was back in 2011, the results are still relevant. Compliance drives this behavior and does not help management improve the content or delivery of the training.

The effective group had a user awareness program that conducted training at least annually, if not more. Compliance programs require annual training, and it’s quite likely that compliant organizations believe they are more secure. While the effectiveness of compliance vs. risk-driven programs is under debate, the research findings clearly support the value of a continuous security training regimen.

How to Fix Security Awareness Training
So how do we fix security awareness training so that we are doing it right? Annual training should address the policies and procedures for acceptable use and how to use resources that support the security of the organization. Security awareness training should be measured by efficacy. Analyze the results of training questionnaires, security incidents, web proxy logs, and IDS logs to evaluate their effectiveness.

• Present the user with a quiz before content delivery: This will allow advanced users to test out of the prescribed training, while testing the efficacy of continuous training. Remedial users will be engaged to understand why an answer they gave was incorrect. Ask about your policy. This is not the time to test users on generic security principles. Questions to ask include how users should report suspicious emails or computer activity, and how to encrypt sensitive information to send to an authorized recipient. Make sure users can answer who is in charge of information security. (Hint: We all are.)
• Incentivize training by offering rewards upon completion: The first 10 users that complete the training will be entered into a drawing for $100. For the next four weeks, select a user each week to receive a $100 gift certificate. Make the incentive meaningful to an individual and I guarantee it will be the best $500 security investment you have ever made.
• Train to the risk: Do not let privileged users off the hook with an annual training, as they’re usually the biggest threat to an organization. Information security personnel should attend department meetings and be prepared to give an inservice on appropriate security topics. Email users, remote users, BYOD users, database administrators, and web developers all present unique risks to your organization. We have different training and testing requirements to obtain operator licenses for motorcycles, cars, trucks, and aircrafts. Why should privileges to systems and data be any different?
• Start a campaign to improve security awareness: Get an email newsletter or posters inside your organization and keep training materials in an accessible place. These steps reinforce the organization’s information security policies and the acceptable use policy. We need to address security awareness as a continuous process if we want to rely on it as an effective control.
• Security Awareness should be a continuous improvement process: As policies are reviewed and updated, so should training documents. Whenever there is a new threat to the organization, it should be addressed by the awareness program. Security incidents should be used as feedback for training as well.

User awareness is like any other security practice. You’re going to get out of it what you put into it.