Making Security Awareness Training More Engaging and More Effective
A scavenger hunt. A Jeopardy-like trivia game. A well-known guest speaker. A movie about espionage. Some good ideas for your institution's party? Sure.
But they're also possibilities in a security awareness training program, according to some experts in the field. "Most people think training has to be boring and dry," says Rebecca Herold, an information security and privacy consultant, instructor and author. "It's really only limited by your imagination."
Among the ideas she's used successfully in security training programs is bringing in a guest speaker with firsthand knowledge of a real-world, high-profile security breach. Another time, she showed "The Billion Dollar Bubble," a commercial movie dramatizing one of the largest insider frauds ever at a financial institution in the U.S. "They could relate to how those computer systems were misused--it showed the power of the computer and programmers," she says.
Today no one would dispute that better security awareness training is a priority in financial institutions, particularly with the proliferation of types of fraud and regulations to prevent it. Imagine having the customer call desk staff alert your security team whenever they receive a "less than normal" phone call. Or getting tellers and officers to be able to spot the "shady" identification. To be sure, an aware workforce makes it less likely that your institution will appear in the latest data breach statistics.
The challenge is making training programs more attractive to employees and managers—and therefore more effective. "All the compliance and governance regulations say roughly 'Users should be made aware'," says Winn Schwartau, president of The Security Awareness Company. "Now you have a choice: Do you do it right, or do you do 'check-box' compliance--putting a sheet in the HR package or a poster saying 'Thou shalt be security aware'?"
The best first step, according to him, is to find out what your employees already know about your security policies and procedures. This pre-assessment can be done using online software packages. Then different methods can be used to train different types of users.
But the key, according to Schwartau, is in making training an ongoing activity. "There are a lot of different tools—newsletters, screensavers, multimedia, gaming," he says. He's used online scavenger hunts and trivia games, with prizes like gift certificates to local retailers. "You have to repeat the message over and over--it's brand recognition. It never stops, because you have employee turnover, new weaknesses, and new threats."
For some types of training, online learning management systems (LMS) can be most effective, according to instructor and consultant Herold. "They're easy to deliver and very interactive--not just a PowerPoint slide presentation or the typical quiz, but activities that engage the user, such as drop-and-drag items or lining up things in the correct way."
Last year, Biddeford Savings in Biddeford, Maine, used a Web-based training product to teach its 70-plus employees how to identify elder abuse. "It worked out really well," says Keith Gosselin, the bank's Information Technology Officer. "Before Web-based training became readily available and affordable, we used to do it in person. But as you grow, it's just not an option. With people's schedules, Web-based is more flexible."
Another hot-button topic today where online training can be applied is teaching about security risks inherent in mobile technologies. "It's a huge threat—the large amounts of personal and sensitive information on Blackberries and laptops, smart phones and USB drives," says Herold.
Gosselin agrees, noting that four years ago his job was primarily to prevent hackers from gaining entry into the system. Now it's teaching staff about the risks inside the network, including from mobile technologies like memory sticks.
But "live" training isn't dead yet. For example, role-playing is a good way to teach employees how to deal with social engineering threats, such as phishing scams, according to Herold. "It's one of the best ways for targeted group training in customer service and call centers," she says. "You can take them through different scenarios to see what they would do."
At Biddeford Savings, the IT staff still addresses groups of 15-20 employees at a time to explain annual changes to the bank's security policies. "I don't mind going out and talking to them," Gosselin says.
Finally comes the assessment stage: How good was compliance? Which parts of the institution supported or hindered the effort? Nowadays, online assessment tools allow sophisticated data mining. "They can tell you that the engineering staff waits until the last day to do the training, and then speeds through all the answers without looking at them," says Schwartau.
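The kind of pattern Schwartau describes is easy to surface from an LMS completion export. The script below is an added example, not code from the article or from any vendor: it assumes a constructed export of quiz attempts (employee, department, due date, start and finish times, question count) and flags departments where most people finish on the due date or answer faster than a person could read the questions. The per-question threshold and the 50 percent alert level are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, date
from collections import defaultdict

# Assumed thresholds for this example, not values from the article.
RUSH_SECONDS_PER_QUESTION = 5.0   # faster than this looks like clicking through
SHARE_ALERT = 0.5                 # flag a department at 50% last-day or rushed

@dataclass
class Attempt:
    employee: str
    department: str
    due: date
    started: datetime
    finished: datetime
    questions: int

    def seconds_per_question(self) -> float:
        return (self.finished - self.started).total_seconds() / self.questions

    def on_due_date(self) -> bool:
        return self.finished.date() == self.due

    def rushed(self) -> bool:
        return self.seconds_per_question() < RUSH_SECONDS_PER_QUESTION

def department_report(attempts):
    """Per-department share of last-day completions and rushed attempts."""
    by_dept = defaultdict(list)
    for a in attempts:
        by_dept[a.department].append(a)
    report = {}
    for dept, items in by_dept.items():
        n = len(items)
        last_day_share = sum(a.on_due_date() for a in items) / n
        rushed_share = sum(a.rushed() for a in items) / n
        report[dept] = {
            "attempts": n,
            "last_day_share": round(last_day_share, 2),
            "rushed_share": round(rushed_share, 2),
            "flag": last_day_share >= SHARE_ALERT or rushed_share >= SHARE_ALERT,
        }
    return report

# Constructed sample export: a 20-question module due 2024-03-31.
DUE = date(2024, 3, 31)
SAMPLE = [
    Attempt("eng01", "engineering", DUE, datetime(2024, 3, 31, 16, 55), datetime(2024, 3, 31, 16, 56), 20),
    Attempt("eng02", "engineering", DUE, datetime(2024, 3, 31, 17, 10), datetime(2024, 3, 31, 17, 11, 30), 20),
    Attempt("eng03", "engineering", DUE, datetime(2024, 3, 20, 9, 0), datetime(2024, 3, 20, 9, 12), 20),
    Attempt("tel01", "tellers", DUE, datetime(2024, 3, 5, 10, 0), datetime(2024, 3, 5, 10, 15), 20),
    Attempt("tel02", "tellers", DUE, datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 14, 11), 20),
]
```

Calling `department_report(SAMPLE)` flags engineering (two of three attempts finished on the due date at under five seconds per question) and leaves tellers unflagged.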
Fortunately, there's a silver lining to new laws and regulations that require more training and awareness programs: they make initiatives easier to get funded, according to Herold.
And it also helps if there's an insider "evangelist" for security training, says Schwartau, preferably someone in upper management or on the board, who can also be the contact with vendors and suppliers.
A successful security awareness program can do some impressive things--like making your customer information program your best deterrent for fraud. Employees can learn to "detect and respond," becoming "human firewalls," says Schwartau.
As important a purpose of such programs, however, is getting users to make fewer mistakes. "When you look at statistics on security-relevant issues, 40 percent are errors and omissions and user problems," says Schwartau. "A significant part of the rest is users doing bad behavior. And what's left is bad guys."