How We Can Start Fixing the Broken Link in Security Awareness Training

“Wikipedia: Forgetting Curve”​​ – [2]

Bridging the Gap

By consistently reinforcing the CBTs with a custom built awareness program, one that includes repetition, you increase the end user’s skills and boost the organization’s immunity to phishing and social engineering threat factors. Repetition has proven successful in bridging the gap of compliance, teaching our users real life skills, and helping secure the infrastructure that we are responsible for protecting. This is best implemented with a comprehensive hands-on security phishing and awareness rewards program.

A full program design will provide a maturity that the CBTs have not. While they are valuable additions and reinforcements of real life scenarios, relying on them as the primary means of security awareness training will not provide the essential insight to the first line of defense.

Building Your Own Program

Building a mature and strategic program from the ground up is achievable with executive support and cultural alignment. Your organization does not need to spend thousands of dollars on flashy presentations, catered luncheons, and draw big crowds, in order to have a strong awareness program. Teaching by example and rewarding for good behavior is what will improve your users’ awareness.

“The point has never been to make everyone experts in security, it has always been to arm the employees with basic knowledge so that in the event something out of the ordinary occurs, it may help notify the security team.” – BenOxA: Security Awareness Education – [3] –

An important takeaway is that it is not the employee’s responsibility to know the difference between a legitimate phish and spam, or that they should be hovering over links in emails before clicking. Instead, it is our job to have a program that is open and easy enough to empower and equip them to report when something is not quite right.

So, what to do?

1. Establish Objectives

A sturdy security awareness program should have a tailored focus to the organization and also be periodically re-assessed and evaluated. With the constantly changing threat landscape, maturity of user understanding, and progressing industry, the program objectives should be thought of as a moving target. An objective one year of decreased malware removals on desktops may mature past that to increased reporting of phishing/vishing attacks. However, establishing an aggressive set of objectives can result in a failed or unrealistic program. Concentrating on one or two achievable objectives at the beginning of a new program will allow you to accomplish a more specific goal. The target can then be adjusted periodically to reflect the organization’s and program’s maturity.

2. Establish Baselines

Many organizations do not have formal security awareness training. If this is the case with your organization, it is recommended that you establish a baseline by having a live fire exercise that tests the real world skills and knowledge of a subset of your users. Having a realistic outlook on where your security posture stands in relation to, not only technical baselines, but also cultural norms should be standard practice. It is important to know how the users currently respond to threats and irregularities. Establishing an engagement with a certified and skilled penetration testing company can help you baseline these responses. A third party, that assess the skills of your users with professional phishing campaigns and so forth, will enable you to gain valuable insight that you may currently not have.

3. Scope and Create Program Rules and Guidelines

When the user or employee is being treated essentially as a customer, rules and guidelines should be well-strategized. Miscommunications will only impede the learning process and challenge the success of the program. Align the rules to be consistent with the organization’s culture to have a higher adoption rate. Having multiple levels of input will enable easier implementation, as you will have more clarity and precision in your program instructions and rules.

4. Implement and Document Program Infrastructure

You are taught in driver’s education to wear your seat belt, adjust the mirrors, and look both ways. The first time you have a close call or worse a real accident, the real world experience of that incident is something that your mind reflects upon each time you make a decision. Same with security awareness. The shock of the “accident” now gives the employee pause when future emails show up that may look a little odd and out of place. Afterwards the training teaches them what could possibly be at risk when they click through the illegitimate link. Setting up the phishing attacks to automatically redirect to a website that aligns with the program theme will create a connection between real life events and the message being presented for education.

5. Positive Reinforcement

One of the most important parts is letting employees know that it is okay that they fell victim to the attack. This must be a consistent message throughout the education material. The more comfortable the user feels reporting the incident, the more cooperation and adoption you will witness. Assure the user that it will always be better coming from an internal training attempt than a real phishing attack, and practice makes perfect. The training should include what to look for, and more importantly how to report something abnormal. With a great first line of defense and solid Incident Response (IR) procedures, your organization will be far better off securing the human element – the weakest link in the security chain.

6. Gamification

“Gamification is actually a scientific term that roughly means applying game principles to a situation. The simplest definition of those principles is: 1) Goal establishment, 2) Rules, 3) Feedback, and 4) Participation is voluntary.” – CSO Online: How to create security awareness with incentives – [4] –

Rewarding for good behavior is an essential part of the program. Employees should not feel ashamed to come to the right people for help, or fear being reprimanded for mistakes. Gamification works well in many aspects of life, why should this be any different? Turn the low budget program into something catchy and it will not only satisfy your expectations, but exceed them. Making a lottery of gift cards, discounted services, and other items to enforce the program brand and put something in the user’s hand that will reinforce the message.

7 . Define Incident Response Processes

Incident response (IR) varies in every organization. If you have a current proven method of IR you are already well on your way to integrating an awareness program into your current structure. Use the newly created program as a case study for testing procedures and policies. This will allow you to flush out inconsistencies, inefficiencies, or unplanned situations. Assessing each step of the process will give the needed information to adjust policies to fit the organization’s needs around certain types of attacks.

Gaining Meaningful Metrics

“Successful metrics programs include well-defined measurements and the necessary steps to obtain them.” – Building an Information Security Awareness Program – [5] –

Measurements

There are numerous measurements to take into consideration when it comes to a security awareness program. Depending on your program and goals you may have to take some more tailor fit measurements.Here are some common totals to track:

• E-mails sent
• Emails opened
• Links clicked
• Credentials harvested
• Reports of phishing attempts
• Emails not reported on
• Hits on training sites

Tracking success rate and progress

Keeping track of click percentages, phishes reported, and incidents reported, is a good and necessary start. Utilizing structured data to chart your gains and losses over time will give the organization a deeper understanding of your progress. Successful education and retained knowledge will be apparent with the increase and decrease of certain measurements and the success of goals set for metrics. Periodic assessment of shifts in metrics should be performed to assist with guidance of the education program’s goals and other possible implementations or changes in the current environment’s security structure.

Important Metrics

“Measures are concrete, usually measure one thing, and are quantitative in nature (e.g. I have five apples). Metrics describe a quality and require a measurement baseline (I have five more apples than I did yesterday).” – CIO.gov: Performance Metrics and Measures – [6] –

The metric of how much your security posture has increased in reference to your baseline is the key goal and quality control. Seeing increased reporting changes in suspicious activity on your network should align with a lower amount of malware, DNS queries to blocked sites, or other activity on the network that would lead an analyst to believe the possibility of a targeted attack has been blocked.

The ability to link key metrics back to specific departments, buildings, or roles provides the information you need to scope more directed education.

References

1. “TrustedSec: The Debate on Security Education and Awareness”
2. “Wikipedia: Forgetting Curve”
3. “BenOxA: Security Awareness Education”
4. “CSO Online: How to create security awareness with incentives”
5. Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats
6. “CIO.gov: Performance Metrics and Measures”