Joe Ferrara | December 01, 2015

Marrying Technology and Education Science to Evolve Security Awareness and Training

At Wombat Security, cyber awareness and training initiatives are central to our mission of changing employee behaviors and reducing risk to organizations. Education is one of the foundational elements of our unique methodology, and our approach is based on proven learning science principles. Using our SaaS-based platform, we can apply key techniques such as repetition, learning by doing, immediate feedback, and storytelling--which are prevalent in our training--and educate users around the world.

But the delivery method is just one of the ways we are using technology to advance the cyber security landscape. We strive to make awareness and training initiatives easier for CIOs and CISOs because we recognize that CEOs, CFOs, and board members ask tough questions about security. Our answers come in the form of educational programs that enable information security teams to turn employees into security assets and strengthen an organization's line of defense--with measurable results. Following are a few of the initiatives that have made us a leader in this space.

Interactivity

Some will argue that virtually any advancement in technology is a benefit to educators. Though this may be true, it does not mean that all technical innovations enrich the learning experience and enable knowledge retention. From our perspective, you must understand the nature of learning itself in order to effectively advance educational technology.

PowerPoint presentations and streaming video are excellent examples of advancements that have found application in classroom and organizational training programs. Many will claim that these tools have improved the effectiveness of training. We disagree, because we feel these types of media are informational, not educational.

What is the distinction? For us, it comes down to interactivity. Videos and simple slide shows are passive; they "talk at" viewers rather than engaging them. Telling someone how to do something is not nearly as effective as guiding them through a process and having them make their own decisions. In essence, it's the difference between "awareness" and "education". Knowing that a problem like phishing exists is not the same as being able to recognize and appropriately deal with a phishing email when it arrives in your inbox.

Interactivity significantly improves the effectiveness of education because it leads to engagement, and an engaged user is more likely to retain knowledge. Retention, after all, is the goal of any training initiative.

Automation

Changing behaviors and reducing risk should be the end goals of cyber security education. But sometimes, the first step is the hardest. We are keenly aware of the obstacles CIOs, CISOs, and program administrators face on a day-to-day basis. Many voice concerns about budget, but time and personnel resources are the most universal constraints.

We've worked--and will continue to work--to streamline the administrative process for our customers. To that end, automation is a prime focus. The more functions we can automate within our platform, the easier it will be for our customers to execute their programs.

But automation is not just an administrative benefit; it also helps to drive program success. We've seen that clearly through one of our key initiatives: linking assessments and training. Simulated phishing attacks are a great example of this. While we've always provided a real-time "teachable moment" to users who fall for a simulated attack, we don't believe in delivering full-fledged training at the point of failure. Why? Because in that moment, users are likely to feel one or more emotions: fear, embarrassment, anxiety, even anger. Those emotions can get in the way of receptiveness--and interrupting people in the midst of their daily work routine can compound the problem. It's more effective (and practical) to create a space between that "just-in-time teaching" and more in-depth education about a topic.

So how does automation come in? Within our platform, administrators can opt to automatically send a training assignment to any user who falls for a simulated phishing attack. This assignment is delivered after users have had time to process what happened--and to recognize that, yes, seemingly simple actions can have big consequences. As to the overall program benefit, our experience has shown that up to 90 percent of users who fall for a simulated phishing email will complete training--even voluntary training. Completion rates are generally far lower for those who don't engage with a mock attack. By creating a direct correlation between assessments and education, we enable administrators to automatically reach those users who are most in need of and (following that teachable moment) most receptive to training.

Endpoint Triggers

At Wombat, we've always regarded endpoints--users and devices--as the biggest threat to cyber security. That has only become more obvious to us with the advances in mobile communications and the explosion of IoT. Users and devices are on the move, and the number of devices that connect to data, networks, and systems is continuously rising.

To date, our awareness and training focus has been on the user side of the endpoint equation. But we've always been interested in bringing devices into the mix. It has long been our strategy to be able to trigger training not just through an administrator-designed program but as a result of sensed user behaviors on devices themselves.

We're excited to be realizing that vision today through technology partners, including Bit9 + Carbon Black, an advanced endpoint threat detection and response solution. This partnership enables organizations to turn real-life negative actions (i.e., employees' risky behaviors) into teachable moments. Here, it's not hypothetical or simulated attacks that trigger training for employees, but actual threats that are detected and flagged for remediation.

This integration is a 360-degree approach to endpoint protection: the Bit9 + Carbon Black component remediates devices while the Wombat component remediates users. Our goal is to get as close to real-time as possible in delivering just-in-time teaching in response to an incident and assigning follow-up education. This, we feel, is the future of awareness and training and the most robust example of how technology and learning science principles can be merged to create the most effective approach to cyber security education.
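The two workflows described above--a simulated-phish result that schedules in-depth training after a cooling-off period, and an endpoint detection that turns a real risky action into a teachable moment--share one shape: an event about a user arrives, a brief just-in-time message goes out immediately, and a training assignment is scheduled for later and tracked to completion. The sketch below is an added example of that trigger logic, not Wombat's or Carbon Black's code; the event sources, event kinds, module names and cooling-off delays in `POLICY` are hypothetical, and the events in `demo()` are constructed, not real program data.

```python
"""Added example: a minimal trigger engine that links assessments and
endpoint detections to training.  Hypothetical data model; not Wombat's code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class RiskEvent:
    """A sensed risky action: a simulated-phish result or an endpoint detection."""
    user: str
    source: str      # hypothetical source names: "phish_sim" | "endpoint"
    kind: str        # e.g. "clicked_link", "submitted_credentials", "blocked_execution"
    at: datetime


@dataclass
class Assignment:
    user: str
    module: str
    available_at: datetime   # not released to the user before this time
    reason: str              # which event created it, for reporting
    completed: bool = False


# Hypothetical policy: (source, kind) -> (training module, cooling-off delay).
# The delay is what keeps in-depth training out of the emotional moment of failure.
POLICY = {
    ("phish_sim", "clicked_link"):          ("phishing-recognition", timedelta(days=2)),
    ("phish_sim", "submitted_credentials"): ("credential-safety",    timedelta(days=2)),
    ("endpoint",  "blocked_execution"):     ("safe-downloads",       timedelta(days=1)),
}

T0 = datetime(2015, 12, 1, 9, 0)   # reference time for the constructed sample run


class TrainingEngine:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.moments: list[tuple[str, str]] = []   # (user, short message) sent immediately
        self.assignments: list[Assignment] = []

    def handle(self, e: RiskEvent) -> Optional[Assignment]:
        """Process one event: immediate teachable moment, delayed training assignment."""
        rule = self.policy.get((e.source, e.kind))
        if rule is None:
            return None          # no policy for this event kind: nothing is sent
        module, delay = rule
        # 1. Just-in-time teaching: a brief message at the moment of the action.
        self.moments.append((e.user, f"{e.kind.replace('_', ' ')}: here is what to watch for"))
        # 2. In-depth training is scheduled, not delivered, at the point of failure.
        #    Idempotent: a still-open assignment for the same module is reused, so a
        #    user who clicks the same lure twice is not assigned the module twice.
        for a in self.assignments:
            if a.user == e.user and a.module == module and not a.completed:
                return a
        a = Assignment(e.user, module, e.at + delay, f"{e.source}:{e.kind}")
        self.assignments.append(a)
        return a

    def due(self, now: datetime) -> list[Assignment]:
        """Assignments whose cooling-off period has elapsed and are not yet completed."""
        return [a for a in self.assignments if not a.completed and a.available_at <= now]

    def complete(self, user: str, module: str) -> bool:
        for a in self.assignments:
            if a.user == user and a.module == module and not a.completed:
                a.completed = True
                return True
        return False

    def completion_rate(self) -> float:
        """Fraction of assignments completed; the metric a program owner reports."""
        if not self.assignments:
            return 0.0
        return sum(a.completed for a in self.assignments) / len(self.assignments)


def due_users(eng: TrainingEngine, hours_after_t0: int) -> list[str]:
    """Sorted users with training due at T0 + hours (helper for the sample run)."""
    return sorted(a.user for a in eng.due(T0 + timedelta(hours=hours_after_t0)))


def demo() -> TrainingEngine:
    """Constructed sample events (not real program data)."""
    events = [
        RiskEvent("alice", "phish_sim", "clicked_link", T0),
        RiskEvent("alice", "phish_sim", "clicked_link", T0 + timedelta(hours=1)),  # repeat click
        RiskEvent("bob",   "phish_sim", "submitted_credentials", T0),
        RiskEvent("carol", "endpoint",  "blocked_execution", T0),
        RiskEvent("dave",  "endpoint",  "usb_inserted", T0),   # no policy: ignored
    ]
    eng = TrainingEngine()
    for e in events:
        eng.handle(e)
    return eng


if __name__ == "__main__":
    eng = demo()
    print("moments sent:", len(eng.moments), "assignments:", len(eng.assignments))
    print("due after 24h:", due_users(eng, 24), "after 48h:", due_users(eng, 48))
```

In the sample run, three assignments are created from five events: alice's second click reuses her open assignment, and dave's event matches no policy. After 24 hours only carol's endpoint-triggered module is due; after 48 hours all three are. Replacing the in-memory lists with a queue and a scheduler, and mapping the detection product's alert fields onto `RiskEvent`, is the integration work; the separation of an immediate message from a delayed, deduplicated assignment is the part the learning-science argument above depends on.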

Read the article in the November edition of CIO Review (pages 81 and 82).