Brian Prince | January 15, 2015

Getting Employee Security Awareness Training Right

Time after time, attackers seem to find ways to get users to open an attachment.

Throwing technology at this is one way to address the issue. Another is through securityawareness training – but depending on who is being asked, that may be either a panacea or an undersized Band-Aid. Training employees right, experts said, takes a mix of clearly-defined goals, executive support and understanding of employees roles and the target audience.

"The number one problem in the typical security awareness program is a lack of well-defined, measurable objectives for the program," said Gartner analyst Andrew Walls. "Well-defined objectives enable the design, development/acquisition of effective security education and training that produces measurable improvements in security."

In general, Walls said, there are four types of objectives in security awareness programs: disciplinary baselines meant to establish justification for disciplinary actions when an employee breaks policy; regulatory compliance; establishing, diminishing or maintaining certain behaviors and the development of knowledge among employees in regards to security and risk management. It's critical, he added, that organizations define and gain executive support for a set of learning objectives.

The other two areas were security awareness programs often fail is in not understanding the intended audience and pushing awareness topics and content that are not selected based on an assessment of risk, Walls said.

"The organizations that remedy these three factors have effective awareness programs that produce measurable results," he said.

In a recent report with Wombat Security Technologies, the Aberdeen Group argues that if businesses can figure out a way to use training to change employee behavior, an organization's cyber-risk can drop dramatically. According to the Aberdeen Group, an analysis of 29 independent benchmark studies involving more than 3,500 enterprises found that leading performers were 70 percent more likely than the lagging performers to have invested in awareness programs for their end-users.

"Mock attacks should be handled with great care and should include communication with appropriate management stakeholders, and often even the end users," said Joe Ferrara President and CEO Wombat Security Technologies, which specializes in security training programs. "Before the first mock attack campaign is started, the security officer should meet with the management team to discuss the purpose of the exercise and assuring them that this is not meant to trick anyone or make them feel badly. A company-wide communication can be sent a week or more in advance of the attack to share the same sentiment that the purpose of any mock attack program is to assess vulnerability to attacks from the wild, provide brief information about how to recognize and avoid attacks."

"Security officers should select a mock attack that is relevant to their environment and is likely to appear from cyber criminals themselves to get the best evaluation of end user susceptibility to real attacks," he added. "Once they have notified all parties and allowed enough time for people to forget about the program it is time to initiate the attack and then collect the results."

Not everyone is completely sold on the idea of security education dramatically impacting the security of an organization however.

"While security awareness training is one part of a comprehensive information security program, its effectiveness is somewhat negated by the simple fact that it only takes one human to click on something bad to jeopardize the entire enterprise," said Norm Laudermilch, COO of Invincea. "So even if 99 out of 100 employees paid attention in class and learned what not to click on, the one employee that was home sick that day would put the company at the same level of risk as if no awareness training was done at all. In addition, today's malvertising threats make any awareness training useless because the user doesn't even have to click on anything to execute malicious code and create an infection.  The mere act of browsing to a reputable website owns the entire enterprise."

Security awareness training cannot be a once a year event and still be effective, said Elise Yacobellis, director of global development at (ISC)², which provides security education and certifications for IT professionals.

"There needs to be continuous training as well as communications and marketing involvement to keep the messages fresh in the minds of the employees," said Yacobellis. "The entire program needs buy-in from upper management to incorporate this learning into the daily life of employees. The awareness messages must be pertinent to each individual’s area of responsibility. In others words, the message needs to be simple and trackable to the tasks that each individual performs."

A campaign should also be developed with marketing, communications and human resources with timely reminders about security awareness concepts, she said.

"In today’s world of training, an organization’s internal Learning Management System (LMS) should be utilized to track progress of employees’ training sessions, testing of concepts, and answering knowledge-based questions that allow an individual to retain the information," she said. "These efforts should be supported by managers of the employees and considered part of an individual’s performance objectives. By having all departments working together, this will send a cohesive message to employees regarding the high importance of security and their role in that effort."

Read Article on Security Week