wombatsecurity | January 29, 2013

How do you change end users' behavior?

The prevailing approach to securing a network assumes users will never understand security, so the IT team keeps throwing software and hardware at the problem. Yet security professionals know there is no silver bullet: any control can be circumvented by user behavior, whether malicious or unintentional.

“You have to focus time and energy on users,” said Wombat Security Technologies President and CEO Joe Ferrara. “The last 10 years of PowerPoint presentations, training, and video-based training isn’t teaching the right behaviors, nor is it training users in the right behaviors.”

Two of the founders of Wombat Security have launched a university program on privacy to examine methodologies, with a focus on end users.

How do you measure your end users’ security posture?

“When a person falls under attack, you humble that person, and they become distinctly aware of what happened, and open themselves up for training,” said Amy Baker, Director of Marketing at Wombat Security. “We’ve seen anywhere from 25% to 60% of users fall for an attack, depending on how well it’s crafted and how difficult it is.”

For example, by running a campaign of simulated phishing emails, or by handing out USB memory devices that pop up a security training video when inserted into a computer, you can see which types of attack people fall for and open that up for further discussion and training.

Afterwards, those users are much more open to learning more.

Some of the education uses software-based training modules (SBTM): users are given a simulated email client and asked to decide which messages they think are safe to open.

“We’ve created modules, and simulated attacks, all housed in a SaaS,” Ferrara said. “At this point we have customers sized from SMBs to Fortune 10. The industry is starting to wrap its head around the conclusion that you can’t keep throwing infrastructure at the problem.”

BYOD is behind a lot of this, and we all expect more mobile attacks. The reality is that users don’t understand the risks of a mobile device that has access to the corporate network, company data, and personal data at the same time.

As a result, IT staff struggle with how to teach users those risks and make them understand them.

“We give them the ability to track and measure knowledge levels through metrics,” said Ferrara. “People clearly don’t understand the permissions apps are asking for, whether it’s contact information or whatever it may be. Or that using work apps on a personal device can compromise the company.”

Wombat’s data indicates a 60% reduction in users opening the lure between a first simulated phishing campaign and a second one run 30 or 60 days later.

“We see 70% reduction after a second campaign,” Ferrara said. “For example, we saw 40% of users at one firm fall for an attack. We took those people through two training modules, and saw fewer than 10% fall for the second attack.”
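The campaign metrics described above, as an added example that is not Wombat Security’s code: it parses a constructed tab-separated event log (campaign, user, event) from a simulated phishing run, computes each campaign’s fall rate and report rate, the relative reduction between two campaigns, and lists the users who clicked in both so they can be routed to training. The log format, campaign names, and user names are assumptions for illustration.

```python
"""Phishing-simulation campaign metrics (added example, not Wombat Security code).

Reads a constructed event log of the form  campaign<TAB>user<TAB>event  where
event is one of sent, opened, clicked, reported, and derives the "fall rate"
(share of targeted users who clicked the simulated lure) per campaign, the
relative reduction between two campaigns, and who still needs training.
"""
from collections import defaultdict

VALID_EVENTS = {"sent", "opened", "clicked", "reported"}

# Constructed sample log: two campaigns, five users each. The format is an assumption.
SAMPLE_LOG = """\
c1\talice\tsent
c1\talice\topened
c1\talice\tclicked
c1\tbob\tsent
c1\tbob\treported
c1\tcarol\tsent
c1\tcarol\tclicked
c1\tdave\tsent
c1\tdave\topened
c1\teve\tsent
c2\talice\tsent
c2\talice\treported
c2\tbob\tsent
c2\tcarol\tsent
c2\tcarol\tclicked
c2\tdave\tsent
c2\tdave\topened
c2\teve\tsent
"""


def parse_events(text):
    """Parse the log into (campaign, user, event) tuples, rejecting malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 3 tab-separated fields")
        campaign, user, event = (f.strip() for f in fields)
        if event not in VALID_EVENTS:
            raise ValueError(f"line {lineno}: unknown event {event!r}")
        events.append((campaign, user, event))
    return events


def campaign_stats(events):
    """Per campaign: the set of targeted users and who clicked or reported.

    A user counts as targeted if any event was logged for them, so a click
    whose 'sent' record went missing still counts against the campaign.
    """
    stats = defaultdict(lambda: {"targeted": set(), "clicked": set(), "reported": set()})
    for campaign, user, event in events:
        s = stats[campaign]
        s["targeted"].add(user)
        if event in ("clicked", "reported"):
            s[event].add(user)
    return dict(stats)


def fall_rate(stats, campaign):
    """Fraction of targeted users who clicked (0.4 == 40%); 0.0 for an empty campaign."""
    s = stats[campaign]
    return len(s["clicked"]) / len(s["targeted"]) if s["targeted"] else 0.0


def report_rate(stats, campaign):
    """Fraction of targeted users who reported the lure."""
    s = stats[campaign]
    return len(s["reported"]) / len(s["targeted"]) if s["targeted"] else 0.0


def reduction(stats, first, second):
    """Relative drop in fall rate from `first` to `second` (0.5 == a 50% reduction)."""
    before, after = fall_rate(stats, first), fall_rate(stats, second)
    return (before - after) / before if before else 0.0


def repeat_clickers(stats, first, second):
    """Users who fell for the lure in both campaigns: candidates for targeted training."""
    return sorted(stats[first]["clicked"] & stats[second]["clicked"])


STATS = campaign_stats(parse_events(SAMPLE_LOG))

if __name__ == "__main__":
    for c in sorted(STATS):
        print(f"{c}: fall rate {fall_rate(STATS, c):.0%}, report rate {report_rate(STATS, c):.0%}")
    print(f"reduction c1 -> c2: {reduction(STATS, 'c1', 'c2'):.0%}")
    print("repeat clickers:", repeat_clickers(STATS, "c1", "c2"))
```

Report rate is worth tracking alongside fall rate: a campaign where clicks drop but reports do not rise may just mean the lure was weaker, not that users learned anything. Repeat clickers are the population the training modules should be aimed at before the next run.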

The method applies teachable moments combined with feedback, whether the lure is a USB device, an email, or another form of phishing attack. Wombat has to keep adding the latest attacks to the modules and designing new ways of simulating them. All modules are under 10 minutes, designed to be digested and internalized in a short time.

“Once you go longer – 30 minutes or more – you lose people, so we break it down in small quick studies to teach them what they need to know,” said Ferrara. “There’s always atrophy in learning, so you must reinforce the messages. That’s why you can continually train and assess, in an ongoing process.”

Attacks are replicated in software, so the training scales to large organizations.

Training modules cover the main end-user threat vectors, including passwords, social networking, smartphones, SMS, social engineering, and compliance.

“They’ve been looking for a way to do this ongoing,” Ferrara said. “Customers see…
1. It’s a unique and research proven methodology
2. We provide a LOT of data. They understand strengths and weaknesses in the organization.
3. We take work off the Security Team and CISO, working on what is or should be top of mind for end users.”

A typical question is, “How do people react to this when they fall for an attack?”

“Overwhelmingly positive,” said Ferrara. “If there’s nothing to tie to it, then it appears like the company is looking over the users’ shoulders. When training is tied to it, the user thinks, ‘OK, I did something wrong, and we’re all trying to make sure that doesn’t happen again.’ Plus this training helps users at home – to protect their identities and bank accounts.”

Read the article at SecureBuzz