My son once had a teacher in middle school who thought teaching was all about quizzes and tests. This teacher spent classroom time telling stories of days gone by and then giving the students a quiz on a topic that he'd barely mentioned. Needless to say, none of the students did well in this class. For our part, I engaged a tutor to work through the actual curriculum material with my son, focusing on one topic at a time until we were certain he understood the subject and would not keep making the same mistakes. I became confident that the tests and quizzes were now measuring my son’s knowledge. This was knowledge that we invested in through time and tutors.
I’m not sure why this simple lesson hasn’t translated into the world of cyber security.
I was at a conference not long ago that focused much of its time on simulated phishing attacks as a way of training. With pride, I heard a vendor say it takes approximately 12 to 18 months of simulated attacks throughout an organization to see a decline in the number of people who fall for phishing attacks. All I could think of was, 12 to 18 MONTHS?! I would NEVER want to leave my organization exposed to that kind of risk when clearly the users did not understand what risky behavior is when it comes to email. I had déjà vu from my son's days in middle school. Companies are using simulated attacks (tests and quizzes) as a vehicle to train users, or to force them into on-the-spot training, which has proven to be ineffective for various reasons. Much like my son, how can users be expected to change their behavior and learn from their mistakes if their "educators" are not investing in them and teaching them the concepts they are being tested on?
Don’t get me wrong, simulated phishing attacks are a key component of any cyber security education program -- but they cannot be the only component. They are necessary to baseline your organization, measure the effectiveness of the education you provide to your users, and monitor your organization’s exposure to risky behavior. But if you want to change your users’ behavior, you must offer them education:
Teach them what to look for in emails.
Educate them on the bait and hooks criminals use.
Use a teaching method that is engaging, relevant, and interesting.
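The indicators a curriculum covers under "what to look for in emails" are concrete enough to check mechanically, and seeing them in code makes the teaching points precise. The following is an added example, not code from the original post, written in Python against a constructed sample message. It flags four indicators a training program would teach users to spot: a Reply-To address that routes replies to a different domain than the From address, digits substituted into the sender's domain name, urgency language in the subject line, and a link whose visible text names one host while the real href goes to another (or to a bare IP address). The sample messages, the indicator list and all helper names are assumptions made for illustration; the indicator set is deliberately minimal.

```python
"""Flag common phishing indicators in a raw message (added example, not from the post)."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: display name claims a bank, the sender domain swaps a
# digit for a letter, Reply-To goes elsewhere, and the link text hides a raw IP.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.com>
Reply-To: recover@mail-verify.example.net
To: user@corp.example
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>We detected unusual activity. Verify immediately or lose access.</p>
<p><a href="http://198.51.100.7/login">https://www.example-bank.com/secure</a></p>
</body></html>
"""

# Constructed benign message for comparison: internal sender, honest link.
CLEAN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@corp.example>
To: user@corp.example
Subject: Reminder: quarterly password rotation next week
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://intranet.corp.example/policy">https://intranet.corp.example/policy</a>.</p></body></html>
"""

# Illustrative urgency vocabulary; a real curriculum would use a broader list.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "24 hours")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL, or of bare link text that looks like one."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    """Crude last-two-labels approximation of the registrable domain."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []

    _, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()

    # 1. Replies are routed to a different domain than the apparent sender.
    if reply_domain and _registrable(reply_domain) != _registrable(from_domain):
        found.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Digits mixed into the first label of the sender domain ('1' for 'l').
    if any(c.isdigit() for c in from_domain.split(".")[0]):
        found.append(f"sender domain {from_domain} mixes digits into the brand name")

    # 3. Pressure language in the subject line.
    subject = str(msg.get("Subject", "")).lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        found.append(f"urgency language in subject: {', '.join(hits)}")

    # 4. Visible link text names one host while the href goes to another or to an IP.
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None:
        parser = _LinkCollector()
        parser.feed(body.get_content())
        for href, text in parser.links:
            target = _host(href)
            shown = _host(text) if "." in text else ""
            if shown and _registrable(shown) != _registrable(target):
                found.append(f"link text shows {shown} but points to {target}")
            if target.replace(".", "").isdigit():
                found.append(f"link points to a bare IP address {target}")
    return found


if __name__ == "__main__":
    for line in phishing_indicators(SAMPLE_EMAIL):
        print("-", line)
```

Running it on the constructed sample prints one line per indicator, which is exactly the checklist a user should be able to walk through by eye: who is this really from, where do replies go, is the domain spelled right, am I being rushed, and where does that link actually lead. The benign message produces no indicators.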
You will not be disappointed. You will see a change in behavior throughout your user base, and you will see it almost immediately, not in 12 to 18 months.