Awareness training: How much is too much?

Security awareness training is one of the most effective ways to strengthen what is generally known as “the weakest link in the security chain.” The key is to make employees skeptical without paralyzing them with paranoia.


“That would be like saying wearing a seat belt takes away the enjoyment of driving. Or locking your car makes people drive poorly,” he said. “You wouldn't blame the manufacturer if someone left his keys in the car and a thief drove off with the vehicle. The driver would be responsible.

“In the world we live in, security precautions become second nature and people adapt.”

That said, there is general agreement that security training does need to take into account how people do their jobs, and can’t be so stringent that it stifles their productivity.

Hawthorn calls it, “being realistic. User security policies are like diets. If they aren’t sustainable and you have no way of enforcing them, either using technical controls or firing the person, you end up with something that fades away or people cheat on,” he said.

“So yes, giving users realistic guidance is powerful because it’s both sustainable and relatable, which makes the training stick with the user.”

Spitzner also said it is a mistake to, “focus on perfect security, and forget that real people are involved.

“Passwords are a great example. Security researchers talk all the time about what the ‘perfect’ password is, only to come up with a solution that no one can remember or follow,” he said. “Human security is all about behavior – the more difficult the behavior the less likely it can be done.”

Belani said that for training to be effective, it has to go beyond awareness to “behavioral conditioning.” He cited the work of Nobel Prize winner Daniel Kahneman, author of “Thinking, Fast and Slow,” who said that when people are doing repetitive tasks, the brain tends to operate in a version of autopilot that does not require deep thought – what he called “System 1.” With more complex tasks, it uses a more deliberate process that requires more effort – or “System 2.”

The key, Belani said, is to train employees, “proactively to use the System 2 deliberate-thinking process to recognize when something is out of the norm, by paying attention to certain details that normally our System 1 set of thinking would ignore.”

This kind of conditioning, he said, actually helps workers to sort the legitimate from the malicious and makes them more productive.

And Shelley said while it would not be practical to offer every employee customized training, it is possible to tailor training to various employee groups, based on things like their department and technology profile.

Stacy Shelley, vice president and chief evangelist, PhishLabs

“What technologies do they use? What threats are they likely to encounter? The more relevant the training is to how the user operates day-to-day, the better it will resonate and be retained,” he said.

There is general agreement that any good thing, whether physical fitness, diets or work, can be overdone. Still, the experts say regular security training does not cross that line.

Regular fake spear phishing tests, rather than sowing distrust, should, “help the organization know who are the biggest offenders and how to better train them,” Loomis said.

Shelley suggested thinking about awareness training, “as conditioning, in which an individual’s susceptibility to attack will increase over time without frequent training to keep them sharp.”

But, it is also important to be realistic about what can be accomplished.

“Training can absolutely reduce the chance and percentage of those who fall victim,” Spitzner said. “Most organizations can reduce failure rate to less than 5 percent. Can they make it 0 percent? Absolutely not. Can any control reduce risk to 0 percent? Absolutely not.”
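The two measurements the experts describe above, the failure rate of a simulated phishing campaign and the list of repeat offenders who need targeted follow-up, are straightforward to compute from campaign results. The script below is an added example written for this page, not code from the article or from any of the vendors quoted; the campaign records, user names, departments and the 5 percent target are constructed for illustration.

```python
"""Score simulated spear-phishing campaigns: failure rate per campaign and per
department, reporting rate, and users who failed in more than one campaign.
Added example for this page; all data below is constructed."""
from collections import defaultdict

# Constructed results from three simulated campaigns. Each record is
# (campaign, user, department, action), where action is one of:
#   "reported"  - user flagged the message to security (the desired behavior)
#   "ignored"   - user did nothing
#   "clicked"   - user followed the link
#   "submitted" - user followed the link and entered credentials
RESULTS = [
    ("2016-Q1", "alice", "finance", "clicked"),
    ("2016-Q1", "bob", "finance", "submitted"),
    ("2016-Q1", "carol", "engineering", "reported"),
    ("2016-Q1", "dave", "engineering", "ignored"),
    ("2016-Q1", "erin", "hr", "clicked"),
    ("2016-Q1", "frank", "hr", "ignored"),
    ("2016-Q2", "alice", "finance", "clicked"),
    ("2016-Q2", "bob", "finance", "reported"),
    ("2016-Q2", "carol", "engineering", "ignored"),
    ("2016-Q2", "dave", "engineering", "clicked"),
    ("2016-Q2", "erin", "hr", "reported"),
    ("2016-Q2", "frank", "hr", "ignored"),
    ("2016-Q3", "alice", "finance", "reported"),
    ("2016-Q3", "bob", "finance", "ignored"),
    ("2016-Q3", "carol", "engineering", "reported"),
    ("2016-Q3", "dave", "engineering", "ignored"),
    ("2016-Q3", "erin", "hr", "ignored"),
    ("2016-Q3", "frank", "hr", "reported"),
]

# Both clicking and submitting count as a failure; submitting is the worse outcome,
# but for the headline rate the article's experts count anyone who fell for the lure.
FAIL_ACTIONS = {"clicked", "submitted"}


def _select(results, campaign=None, department=None):
    """Filter records by campaign and/or department (None means no filter)."""
    return [r for r in results
            if (campaign is None or r[0] == campaign)
            and (department is None or r[2] == department)]


def failure_rate(results, campaign=None, department=None):
    """Fraction of recipients who clicked or submitted credentials."""
    rows = _select(results, campaign, department)
    if not rows:
        return 0.0
    return sum(1 for r in rows if r[3] in FAIL_ACTIONS) / len(rows)


def report_rate(results, campaign=None, department=None):
    """Fraction of recipients who reported the lure: the skepticism the training aims for."""
    rows = _select(results, campaign, department)
    if not rows:
        return 0.0
    return sum(1 for r in rows if r[3] == "reported") / len(rows)


def repeat_offenders(results, min_failures=2):
    """Users who failed in at least min_failures distinct campaigns."""
    failed_campaigns = defaultdict(set)
    for campaign, user, _dept, action in results:
        if action in FAIL_ACTIONS:
            failed_campaigns[user].add(campaign)
    return sorted(u for u, c in failed_campaigns.items() if len(c) >= min_failures)


def department_priority(results):
    """Departments ordered by overall failure rate, highest first, for targeted training."""
    departments = sorted({r[2] for r in results})
    return sorted(departments, key=lambda d: -failure_rate(results, department=d))


def trend(results):
    """(campaign, failure rate) pairs in campaign order, to see whether training is sticking."""
    return [(c, failure_rate(results, campaign=c)) for c in sorted({r[0] for r in results})]


def meets_target(results, campaign, target=0.05):
    """True if the campaign's failure rate is below the target (5 percent here, the
    figure Spitzner cites as achievable; a zero target is not realistic)."""
    return failure_rate(results, campaign=campaign) < target


if __name__ == "__main__":
    for campaign, rate in trend(RESULTS):
        print(f"{campaign}: failure {rate:.1%}, reported {report_rate(RESULTS, campaign):.1%}")
    print("repeat offenders:", repeat_offenders(RESULTS))
    print("department priority:", department_priority(RESULTS))
```

The reporting rate is worth tracking alongside the failure rate: a campaign where nobody clicks but nobody reports either says little about whether users have become skeptical, only that the lure was weak.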


This story, "Awareness training: How much is too much?" was originally published by CSO.


Copyright © 2016 IDG Communications, Inc.
