Overcoming Resistance to Your Security Awareness Training Program
Posted by Mark Chapman—President & CEO of PhishLine • 3/30/2016
Some organizations struggle to gain user acceptance of an IT security training program. Reasons provided might include the training is too boring, technical, childish, cartoonish, ominous, or any number of other subjective measures. Perhaps you have been told the training is incomplete, inconsistent, or contradictory. Complaints could include that training users to mouse-over a link is of limited use to mouseless mobile device users who need to use the click-hold method. Some users just don’t take training requirements seriously. There are ways to overcome these issues and achieve acceptable participation levels.
As an example of contradictory training content, it used to be standard advice to tell users to always unsubscribe from spam emails. However, social engineers often use the “unsubscribe” option in lures to validate email addresses. Remnants of those out-of-date guidelines can show up in hypothesis based testing (See our March 15 blog about hypothesis based testing).
A lot of training simply fails to function as planned. Reasons for this might include:
- Training that does not work on the various types of devices in the work environment.
- A lack of computer speakers or the inability to use them in an office without disturbing co-workers.
- Insufficient bandwidth for multi-media training.
- A lack of plugin support for tablets and mobile devices, with similar issues for obsolete desktop hardware.
The solution to all of these technical challenges is to plan ahead, test on a representative cross-section of users, and provide multiple versions of training to accommodate various technical limitations.
Poorly translated multi-media materials can be frustrating, especially for languages with strongly divergent regional dialects. Be sure to have users in each region review the materials before deploying your program. The subtle nature of many security awareness training concepts can easily get lost in translation.
Some people fundamentally believe training does not work. They eagerly cite examples like, “If training worked, then there would be no car accidents because we all passed driver’s education.” Of course, training is not a 100% solution, but can you imagine if all drivers had never taken drivers education? In the information security awareness context, you can measure the effectiveness of training by performing pre- and post-tests, potentially using the results of those tests to improve people’s perception of the value of training. All of the above objections should be addressed during the formal planning process, with checklists to guide the process. Look for other successful training programs at your organization to provide a foundation for how to run your program.
It is important to let your users know that your organization takes the security awareness program seriously. The best way is to have a member of senior management address the requirement for completion.
The security awareness team at one of our larger customers decided to leverage the “tone at the top” to encourage people to be more aware. They produced a professional video of the CEO talking through what phishing is, why it is a threat to the organization, and what he expected people to do about it. He specifically stated that mock phishing tests would be performed by PhishLine, and while he could not expect perfection, he made it very clear that users would not want to get on the repeat offender list.
The “before” and “after” picture was a dramatic improvement on a sustainable basis because of a clear, consistent, strong “tone at the top”, advising that security is critically important to this organization and to the CEO. This one simple video had a bigger measurable impact than all the prior announcements, threats, rewards, and prizes. Your organization can benefit from a simple email “from the top” addressing the situation in a similar manner.
A proactive stance, mirroring existing successful training methodology, and engaging senior management will help you develop a progressive program that will educate your users and protect your data.