We have long been fans of security awareness training. As explained in our 2013 paper Security Awareness Training Evolution, employees remain the last line of defense, and in all too many cases those defenses fail. We pointed out many challenges facing security awareness programs, and have since seen modest improvement in some of those areas. But few organizations rave about their security awareness training, which means we still have work to do.

In our new series, Making an Impact with Security Awareness Training, we will put the changes of the last few years into proper context, and lay out our thoughts on how security awareness training needs to evolve to provide sustainable risk reduction.

First we need to thank our friends at Mimecast, who have agreed to potentially license the content at the end of the project. After 10 years, Securosis remains focused on producing objective research through transparent methodology. So we need security companies which understand the importance of our iterative process of posting content to the blog and letting you, our readers, poke holes in it. Sometimes our research takes unanticipated turns, and we appreciate our licensee’s willingness to allow us to write impactful research – not just stuff which covers their products.

Revisiting Security Awareness Training Evolution

Before we get going on making an impact, we need to revisit where we’re coming from. Back in 2013 we identified the challenges of security awareness training as:

• Engaging students: Researchers have spent a lot of time discovering the most effective ways to structure content to teach information with the best retention. But most security awareness training materials seem to be stuck in the education dark ages, and don’t take advantage of these insights. So the first and most important issue is that training materials aren’t very good. For all training, content is king.
• Unclear objectives: When training materials attempt to cover every possible attack vector they get diluted, and students retain very little of the material. Don’t try to boil the security ocean with an overly broad curriculum. Focus on specific real threats which are likely in your environment.
• Incentives: Employees typically don’t have any reason to retain information past the completion of training, or to use it on a daily basis. If they click the wrong thing IT will come to clean up the mess, right? Without either positive or negative incentives, employees forget courses as soon as they finish.
• Organizational headwinds: Political or organizational headwinds can sabotage your training efforts. There are countless reasons other groups within your organization might resist awareness training, but many of them come back to a lack of incentive – mostly because they don’t understand how important it is. And failure to make your case is your problem.

The industry has made minor progress in these areas, mostly in the area of engaging content. The short and entertaining content emerging from many awareness training companies does a better job of engaging employees. Compelling characters and a liberal sprinkling of humor help make their videos more impactful and less reminiscent of root canal.

But we can’t say a lot of the softer aspects, such as incentives and the politics of who controls training, have improved much. We believe improving attitudes toward security awareness training requires first defining success and getting buy-in for the program early and often. Most organizations haven’t done a great job selling their programs – instead defaulting to the typical reasons for security awareness training, such as a compliance mandate or a nebulous desire to having fewer employees click malicious links. Being clear about what success means as you design the program (or update an existing program) will pay significant dividends down the road.

Success by Design

If you want your organization to take security awareness training seriously, you need to plan for that. If you don’t know what success looks like you are unlikely to get there. To define success you need a firm understanding of why the organization needs it. Not just because it’s the right thing to do, or because your buddy found a cool vendor with hilarious content. We are talking about communicating business justification for security awareness training, and more importantly what results you expect from your organization’s investment of time and resources.

As mentioned above, many training programs are created to address a compliance requirement or a desire to control risk more effectively. Those reasons make sense, even to business people. But quantifying the desired outcomes presents challenges. We advise organizations to gather a baseline of issues to be addressed by training. How many employees click on phishing messages each week when you start? How many DLP alerts do you get indicating potential data leakage? These numbers enable you to define targets and work towards them.

We recommend caution – you need to manage expectations, avoiding assumptions of perfection. That means understanding which risks training can alleviate and which it cannot. If the attack involves clicking a link, training can help. If it’s preventing a drive-by download delivered by a compromised ad network, there’s not much employees can do.

Once you have managed expectations it’s time to figure out how to measure employee engagement. You might send out a survey to gain feedback on the content. Maybe you will set up a game where different business units can compete. Games and competition can provide effective incentives for participation. You don’t need to offer expensive prizes. Some groups put in herculean effort to win a trophy and bragging rights.

To be clear, employees might need to participate in the training to keep their jobs. Continued employment offers a powerful incentive to participate, but not necessarily to retain the material or have it impact day-to-day actions. So we need a better way to connect training to corporate results.

The True Measure: Risk Reduction

The most valuable outcome is to reduce risk, which gives security awareness training its impact on corporate results. It’s reasonable to expect awareness training to result in fewer successful attacks and less loss: risk reduction. Every other security control and investment needs to reduce risk, so why hasn’t security awareness training been held to the same standard? We don’t know either, but the time has come to start thinking about it.

What does risk reduction mean in the context of security awareness training? It’s giving employees the necessary training, while understanding they won’t retain everything. Not the first time anyway. Learning requires repetition, but why repeat training for someone who already gets it? That’s a waste of time. So to follow up and focus on retention, you want to deliver appropriate content to employee when they need it. That means refreshing employees about phishing – not after an arbitrary or random time, but after they clicked a phishing message.

Contextual training requires integration with applicable security controls. For example you need a trigger from the email security gateway when an employee clicks a dangerous link in an email. You can also get triggers when an employee navigates to a malicious site via DNS and web security gateways which track where they browse. Finally, integration with DLP offers opportunities to revisit training on protected content after making a mistake.

We’ll dig deeper into Continuous Contextual Content in our next post.

Content Remains Key

We can slice and dice it many different ways, but we can’t get around it. Without the right content any security awareness training program will fail. Here are five keys for engaging and effective awareness training content.

1. Behavioral modification: The training content needs to work. You should be managing to outcomes, and your desired result for security training is that employees learn what not to do (and subsequently don’t do it), so if behavior doesn’t change for a reasonable percentage of employees, that’s an indication of ineffective content.
2. Current: Security remains a dynamic environment; your security training curriculum must keep pace. Yes, you still need to tell employees about vintage 2015 attacks because they will still see them. But you also need to train them to defend against new attack vectors like ransomware which they are likely to see in the short term.
3. Comprehensive: Employees need to be prepared for the most likely situations. It is neither realistic nor feasible for security awareness training to turn regular employees into security professionals. But they can understand the major attack vectors and develop some sensitivity, to help them detect attacks in progress.
4. Compelling: Most employees don’t know what’s at stake, so they don’t take training seriously. Don’t try to scare employees or play Chicken Little, but they need to understand the consequences of attacks. It gets back to helping them understand the organizational risk of screwing up. You do this by integrating a few stories and anecdotes into the training materials, making attacks and losses real and tangible; and humanize attacks, so they feel personally relevant.
5. Fun: Boring content is boring. If employees don’t enjoy the training materials, they will shut down and do just enough to pass whatever meaningless test you put them through. They will forget what they learned as soon as they leave the room. As corny as it sounds, no fun generally means no retention.

Of course content is also subjective. What you like might not interest the rest of the organization. So we always recommend a broad testing/PoC process to ensure the content works for your organization. We’ll get into procurement later in this series.

Buy-In

Clearly you want employees to have fun and find the training entertaining. But that’s not the only thing you need for a successful security awareness training program. You need senior management to understand the importance of security awareness training and buy into your vision of success, as well as how you plan to quantify risk reduction and measure the impact of your program.

Many security professionals don’t have a lot of experience in getting this kind of buy-in, so let’s map out a few steps:

1. Get facetime: As with any program you need to sell the benefits, which means getting off your butt and talking to business leaders.
2. Sell the business value: As mentioned above, you need to communicate value and clearly define success.
3. Identify risks: Make sure they also comprehend the risks of not training successfully. They may involve system downtime, data loss or breaches, or compliance fines. It’s not about mindless fear – you need a realistic and pragmatic assessment of the downside.
4. What do they have to do: Finally, internal leaders need to understand the requirements on them and their teams. Are you asking for money from their budget? How much time will employees need to devote to the program?

Once you help the leadership team understand what’s in it for them, the risk, and what they need to do, you should be positioned to enlist their support. You don’t need senior management to push the program, especially if it’s required for compliance. But it certainly helps, so spend time to line up support before you launch.

Quantifying the effects of training on risk is key to successfully selling the program and getting employees engaged, so we will focus on that in our next post.