The Human Factor: Enhancing Security Awareness Training Effectiveness

Over the last 15 years or so, we have greatly improved network security. We started by beefing up network perimeter security, and then moved on to improve internal network security and resistance to malware. So why are the number of network infiltrations and data breaches greater and more damaging than ever? I think the main reason is because cyber-attackers are employing alternate techniques such as phishing attacks to gain their primary entry to networks. And unfortunately, susceptibility to phishing attacks is primarily a human problem, not a technological one.

So, what can we do to fight such an insidious threat? We can make sure that we are doing all we can to turn personnel from our number one security risk into our number one security asset. And to do that, we not only need to make everyone in the organization aware of modern attack techniques, we also need to enlist their aid in detecting and reporting suspected cyber-incidents. Why not employ real, human intelligence to the problem rather than artificial intelligence?

The first stage in this process is to ensure that all your personnel receive comprehensive security awareness training and continuous security reminders. Personnel need training to understand how networks are compromised and what common network attacks look like. They also need to know how to react to suspected security attacks, and who and how to report these issues to. In addition, you need to make sure that your help desk, IT and security personnel are open to these questions and reports and do not look on them as a pain. You should also ensure that your personnel receive continuous updates on the latest attacks and techniques being employed by attackers.

To get your personnel to become security assets, it helps to be innovative in your approach to information security and awareness training. Right now, you are probably employing web-based security training modules to make your personnel aware of security issues, and there is nothing wrong with that. However, going through these modules is not usually viewed as a fun time by most personnel, and retention and buy-in is going to suffer. So why not supplement or replace part of this online training with group security training and/or awareness meetings? For example, you could have quarterly security lunches where your personnel not only receive up-to-date security information, but are provided with a good meal in the bargain. People always react well to events where food is involved!

Another technique that could be used to get personnel on your side in this effort is to provide them with incentives for good security performance. You could reward personnel for catching and reporting security events or for coming up with good suggestions for improving security in your organization. These incentives do not have to be costly either. People react just as well to public praise as they do to monetary incentives. There’s nothing like a good pat on the back! Put their pictures up on the bulletin board or on the website. Other incentives could be a special parking place they get to use for a week, or an afternoon off with pay; anything that might make other employees want to do well and get the same rewards.

Once you have put a good security training and awareness program in place, you need to have techniques in place for judging its effectiveness. One way to do this is to test personnel on their retention of the security issues they have been taught. I personally recommend not performing these tests immediately after the training session. I would quiz personnel on the information after a day or two had passed. This will help you determine how much long-term retention you are liable to get. In addition, you could perform security tests on your personnel, such as phishing tests. You could send personnel suspicious emails messages or could text or call them with suspicious requests. You should track how personnel do on these tests as well. This will help you identify persons that are more susceptible to cyber-attacks and give you the opportunity to provide them with extra training or incentives as needed. Whatever you come up with, remember that in this environment security and awareness training are at least as important as any other security measures you are employing to protect your private systems and information.