It is no secret that no matter how many layers of security you have, or how great your computer and network defenses are, the user is the weak link in the security chain. This being the case, effective training to make users aware of security concerns and security best practices is often a better investment than additional security devices or applications. The challenge is how to get the employees engaged and invested in the training so they actually retain and apply it.
Katrina Rodzon, a security awareness professional, presented a session at the 2014 RSA Security Conference titled “Making the Security Super Human: How to Effectively Train Anyone/Anything.” It was an enlightening session that highlighted the common problems with security awareness training and provided some guidance for how to improve employee engagement.
Rodzon pointed out that many security awareness programs are based on either rewards or consequences, but that neither really provides the right motivation. What companies need is a more consistent, ongoing approach to security awareness rather than a once-a-year mind dump.
When I was in the US Air Force we had to pass an annual physical fitness test. It basically consisted of running a mile and a half in 15 minutes or less, if I recall. It was a very poor measure of physical fitness because even moderately fit people can force themselves to run at the pace of a 10-minute mile for 15 minutes. They may end up with a sprained ankle, pulled hamstring, or bronchitis as a result, but they can pass the test and be deemed “fit.”
The annual fitness test in the Air Force was a very poor method of promoting health and fitness for the same reason that annual security training does little to promote more effective security. It’s too easy to just get through the test and then go back to your same old bad habits.
Rodzon stressed the need for content that motivates, captures attention, and is easily committed to or ingrained in memory. Security awareness content should be delivered in chunks limited to five or ten minutes; anything longer and you lose the attention of the audience.