The Biggest Security Awareness Misconceptions – Part 2
In part one of this blog, we reviewed the most common Security Awareness misconceptions, revealed the truths you need to know, and ways to expand your awareness efforts. If you haven’t already, be sure to read that first and come back for more misconceptions and how to move towards a more effective awareness program.
To start, let’s go back to an integral component: phishing tests.
Phishing TESTS are not training.
The problem: There are several good software packages for creating phishing campaigns that are enacted against your own employees to measure how well they respond to email-based social engineering attacks. While these are valuable tools for obtaining metrics, they are not tools for training.
Try instead: First train employees on how to recognize phishing attacks, how to report them, and why this skill is valuable not only to the organization but also in their personal lives. Phishing tools are best used afterwards for honing those skills, improving future training sessions, and identifying areas of vulnerability within the organization.
Security Awareness Training is not a Security Awareness PROGRAM.
The problem: Contrary to popular belief, when human adults learn new information, we do NOT automatically change behavior. Behavior change requires not only learning new information or skills but also associating that new knowledge or skill with personal values.
Try instead: Aligning learning with values, with the intent of changing behavior and culture, requires creating a program that the organization will follow, typically for a year or more. These programs must include adult learning principles that are aligned with the values of typical employee roles within the organization.
An Informal Risk Assessment can guide the creation and implementation of a good Security Awareness Program and as the program progresses, metrics and feedback can optimize it further.
Phishing remediations should not be punitive.
The problem: An all-too-common scenario goes like this: an employee repeatedly fails a phishing test so an IT manager calls out the employee and might even call into question the employee’s future employment status. These kinds of scenarios are almost always damaging and rarely achieve the desired outcome. Typically, IT Managers are not trained in human psychology nor in related Human Resource issues.
Singling out employees or enacting almost any kind of punitive action for failing to recognize social engineering attacks will likely result in a psychological condition known as “Learned Helplessness.” This means the employee will “shut down,” and the chances of the employee improving their skill set have now dropped to near zero.
Try instead: There are forms of remediation that can mitigate poor employee performance in recognizing social engineering attacks, and none of them require punitive actions. In many cases, a fault chain analysis will find that the reason for the poor performance is not entirely the fault of the employee, if at all.
Security Awareness programs require skills and experience which few people in IT have, and they should not be expected to have these skills. Presuming people with classic IT experience can successfully design and implement these programs is no different than being surprised that an award-winning chef can’t fly a multi-engine jet airplane. Most organizations will need assistance from an experienced trusted advisor who is knowledgeable in adult learning, risk analysis, course design, and cyber security.
Want more on Security Awareness? Need a hand implementing a program? Click here for everything you need to know.