I attended an FBI/DHS cyber summit today which helped to promote cyber security awareness. One topic of discussion surrounded user-awareness training. Some believe that it’s a waste of money – you’ll simply always have people as the weakest link; accept it. Another viewpoint, strongly shared by a panelist at the event, is that user-awareness training is mission critical to supporting the governance of their security program and risk reduction. What’s your take? Does user-awareness training make a difference?
4D5A Security takes the stand that user-awareness training is mission critical and must be included in any well-governed security program. Putting on my MTE hat, backed by multiple years of award-winning instruction at all levels (grades 7-12, adjunct university professor, military and corporate trainer), I have a few strong opinions:
- Make it fun. If it’s not fun it’s demotivational. Yes, I love those images online but that’s another story 🙂 Be creative and think of things like a reward program for figuring something out or discovering something or meeting certain milestones in your assessments of user-actions, etc.
- Make it meaningful. If it doesn’t resonate with your audience they’ll tune out before they even begin such training. How is it relevant to them? One good angle is to consider topics like personal computer hygiene and parenting, which are often highly relevant: the employee absorbs training that is directly applicable to the work environment just as it is to the more motivational home environment.
- Short, sweet, to the point (unlike my blog :)). Focus on one minor topic, but do such training regularly to cover a broader range of topics.
The above are just three anecdotal points in crafting such training. More advanced topics involve weaving intentional areas of focus into the training to help lower risk. Take for example spam with attachments or links that may lead to phishing or malware attacks. That dreaded “click on everything Chris” – will he ever learn his lesson? (sorry, Chrises in the audience! :)). IT can implement a technical control to mark the subject of any external email as exactly that: “[EXTERNAL]”. A simple, short training crafted to be fun, fast, and meaningful can help educate users on why external addresses are high risk and how to look for mismatches, like something marked [EXTERNAL] that claims to be from another employee but clearly is not. This should fit within a larger security context of governance and risk management for optimal effectiveness; and it’s a process, not an endpoint.
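To make the “[EXTERNAL]” control concrete, here is an added example (it is not code from the original post or from 4D5A Security) of the two checks a mail gateway rule performs: prepend the tag to the subject of any message whose From: domain the organisation does not own, and flag the specific mismatch users are trained to spot, a display name that looks like an employee while the real address is external. The domains in INTERNAL_DOMAINS, the names in EMPLOYEE_DIRECTORY and the sample messages are all constructed for the example; in production this logic lives in the mail platform itself (an Exchange transport rule, a milter or a Sieve script), not in a standalone script.

```python
"""Added example: tag external mail and flag employee-name spoofing.

Assumptions (constructed, not from the original post):
  - the organisation owns the domains in INTERNAL_DOMAINS
  - EMPLOYEE_DIRECTORY stands in for a real directory lookup
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Tuple

INTERNAL_DOMAINS = {"example.com", "corp.example.com"}   # constructed
EMPLOYEE_DIRECTORY = {"Chris Smith", "Dana Jones"}         # constructed
TAG = "[EXTERNAL]"


def sender_is_external(msg: Message) -> bool:
    """True when the From: address domain is not one the organisation owns.

    A From: header with no '@' yields an empty/odd domain and is treated as
    external, which is the safe default for a malformed sender.
    """
    _name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return domain not in INTERNAL_DOMAINS


def claims_internal_identity(msg: Message) -> bool:
    """True when the sender is external but the display name imitates an
    employee name or contains one of our domains: the mismatch training
    tells users to look for ("[EXTERNAL] ... from a co-worker?")."""
    name, _addr = parseaddr(msg.get("From", ""))
    if not sender_is_external(msg):
        return False
    name_l = name.lower()
    return name in EMPLOYEE_DIRECTORY or any(d in name_l for d in INTERNAL_DOMAINS)


def tag_external(raw: str) -> Tuple[str, bool]:
    """Apply the gateway rule to one raw RFC 822 message.

    Returns (subject_after_rule, identity_mismatch_flag). The tag is not
    added twice if an upstream hop already inserted it.
    """
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if sender_is_external(msg) and not subject.startswith(TAG):
        subject = f"{TAG} {subject}".rstrip()
    return subject, claims_internal_identity(msg)


# Constructed sample messages for demonstration.
SAMPLE_EXTERNAL_SPOOF = """From: Chris Smith <chris.smith@mail-example.net>
To: dana.jones@example.com
Subject: Urgent invoice attached

Please open the attachment.
"""
SAMPLE_INTERNAL = """From: Dana Jones <dana.jones@example.com>
To: chris.smith@example.com
Subject: Lunch?

"""
SAMPLE_EXTERNAL_VENDOR = """From: Vendor Support <support@vendor.example.org>
To: chris.smith@example.com
Subject: [EXTERNAL] Ticket update

"""

if __name__ == "__main__":
    for label, raw in [("spoof", SAMPLE_EXTERNAL_SPOOF),
                       ("internal", SAMPLE_INTERNAL),
                       ("vendor", SAMPLE_EXTERNAL_VENDOR)]:
        subject, mismatch = tag_external(raw)
        print(f"{label:9s} subject={subject!r} employee-name-mismatch={mismatch}")
```

The display-name check is deliberately crude (exact employee name or an owned domain string inside the name); it exists to show why the [EXTERNAL] tag alone is not enough and why the training pairs the tag with a “does the name match the address?” habit. A real gateway would also consider Reply-To and the envelope sender, which this example omits.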
Our users are our greatest asset, not our technology. Invest in them; rely on them; your people are the key to your success.