Culture vs. User Training

At RSA Conference Europe recently I did a joint session entitled ‘Training Employees to Recognize and Avoid Advanced Threat’.

No matter what security technologies are implemented, every organization’s greatest vulnerability is its people. Social engineering is a predominant aspect of advanced threats and finding ways to increase the effectiveness of user training has become imperative. Traditional training methods, including courses and videos, don’t involve the user in active defense. Training mechanisms need to make the threat real for the user, engage them in actively defending the organization, and drive home the message that users could be personally responsible for a major information breach. Innovative training mechanisms, including simulated phishing and gaming, are widely being trialed and deployed by organizations to help users understand how advanced threats work.
One of the issues raised was one that most global organisations are probably familiar with but need to get better at, and that is culture. In some countries employees may be motivated enough to complete the mandatory training and may voluntarily want to excel and become a certified ‘human firewall’ or obtain a gold badge in the relevant training. However, it was clear from the audience that in some cultures obtaining an extra certification or a gold badge would definitely not be a motivation to complete the security user training.

So, the debate goes on: how do you get a global organisation to have a consistent level of security training?

Twitter: @knowlesRashmi

One Response to “Culture vs. User Training”

  1. Andy Cunningham says:

    If you deliver your security training via CBT, you’re ticking a box, not actually trying to educate people. I have never, in my life, retained information from CBT longer than needed to pass the quiz at the end. I can recall details from lectures 20 years ago without checking my notes. I can’t recall anything from the security training from my last employer other than 1) as a security professional I had to give several answers I considered wrong to pass the course and 2) I felt it was a waste of time.

    If you actually want to educate, you have to get passionate, articulate InfoSec practitioners out into the field, talking to people, and getting them interested in protecting themselves.

    No one wants to listen to some talking head (or senior exec reading a script) waffle on about enterprise risk and compliance. Talk to people about stealing their data, their money, their livelihood. About hacking into and owning their personal systems, their employer’s systems, and their bank’s systems.