Does security awareness training even work?

If even well-educated security experts mess up when it comes to security, can we really educate average employees to be more security aware?

The other day, I was in a room full of CIOs, CTOs and CISOs who -- as an ice-breaking activity -- were asked to share a bad security habit. One after the other admitted to bad password hygiene, such as reusing passwords.

I was the only one in the room who used password management software, and that was only because I'd just written an article about it.

If even well-educated security experts mess up when it comes to security, can we really educate average employees to be more security aware?

In a Vanson Bourne survey this spring, IT employees were actually more likely than average to open attachments from unknown senders, download apps from outside the official app stores, click on links in social media sites -- even though they were also more likely to know that this was risky behavior.

Training costs money, and takes employees away from their jobs. If even the best-trained employees are still making bad security decisions, is training just a big waste?

Unfortunately, there's very little data available so far, but from the experiences of individual companies, training can make a difference, if it is done right. That means providing training in small, digestible units, following up with testing and reinforcement, and creating a corporate culture of security by engaging employees at all levels.

Bite-size pieces

Long, comprehensive training classes can create fatigue and cause employees to zone out during the lectures, and forget the content quickly afterwards.

"It's too easy to overburden people with too many security-centric things at once," said Jason Thomas, CIO and HIPAA security officer at Ruston, La.,-based Green Clinic.

But in a regulated field like healthcare, security training is a necessity, even if it annoys employees who'd rather spend their time saving lives.

"Training doesn't have to be classroom-style, eight hours a day," Thomas said.

The Green Clinic sends out short monthly notes about some aspect of HIPAA compliance.

"And then we do a short test on this," he said. "We're not trying to take them away from what they went to school for, which is treating patients, but it is part of being employed in a heavily-regulated organization."

These little educational tidbits are working, he said.

For example, a vendor recently complained about being denied access to equipment.

"A receptionist refused to provide him any details," Thomas said. Instead, she told him that he had to contact Thomas directly.

That's exactly what was supposed to happen, Thomas said.

SailPoint Technologies uses short, focused video segments produced by SANS Institute. They feature two- or three-minute real-life examples of, say, social engineering hacks.

"The key is how you package it to make it interesting and digestible," said Kevin Cunningham, SailPoint's president and founder. "They bring it back to what it means to you."

There are more than two dozen videos total, each covering a very specific topic and followed by a short quiz, accessible through the employee portal.

"If I have a spare five minutes, I can watch one of these vignettes," Cunningham said.

The company has just rolled out the program, but Cunningham says he's already seen a change in attitudes.

But he's not going by gut feel alone. After six months, SailPoint will do a round of retention testing. In addition, individual employees that violate policies will receive additional, more in-depth training.

"People are a key component of any security plan," Cunningham said. "The bad guys have figured out that the most vulnerable portion of the company is the people. There's lots to be gained there."

Simulated attacks

One easy target for security awareness training is teaching employees how to deal with phishing emails. According to the latest Verizon data breach report, phishing was implicated in a quarter of all data breaches. And according to Ponemon, the average 10,000-employee company spends $3.7 million a year on dealing with phishing attacks.

Ponemon recently calculated the effectiveness of anti-phishing training programs. The least effective training program still had a seven-fold return on investment, even taking into account the loss of productivity during the time the employees spent being training. And the average-performing program resulted in a 37-fold return on investment.

One company that's working hard to both improve and measure its effectiveness is  Wombat Security Technologies, which grew out of a research program at Carnegie Mellon.

"In my mind, videos and classroom-based training that don't engage users are doomed to failure from the beginning," said company CEO Joe Ferrara.

Wombat runs simulated phishing attacks against organizations, then delivers on-the-spot training modules.

One customer, Pennsylvania-based safety product manufacturer MSA Safety, started out their first year's training program with a 25 percent failure rate.

"Now we're in the 5 to 8 percent fail rate," said Steve Rocco, the company's global cyber security manager. "We have lowered our risk considerably, in my opinion."

Since first piloting the Wombat training program two years ago, the company has rolled it out to 50 sites around the world, in seven languages.

In addition to phishing training, there are also modules that cover how to classify data, what can be sent over email, what can be stored in the cloud. There's training for handling personal health information, for physical security, for social engineering, for social networks, and a variety of other topics. And it's customizable to meet MSA's specific requirements.

"These are all very important learnings for our end users," Rocco said. "And people love it."

It helps that the security training is also often applicable to employees' personal computer use, he added.

One effect of the security training is that employees are now reporting strange emails or other happenings. That means that if the company is being specifically targeted, even if some employees still fall for phishing emails, others will have spotted them and alerted the security team that there's something going on.

Rocco said that there's also been a a strong decrease in malware across the network.

Obviously, no system is perfect. In fact, there were two recent incidents in which two employees fell victim to CryptoLocker. When the company investigated, it turned out that one of the employees had not taken the training, and the other received a poor grade.

In addition to Wombat, several other vendors are happy to send simulated phishing attacks against your employees. They include PhishMe, which counts 35 of the Fortune 500 as customers. Others are ThreatSim, SynerComm, PhishingBox, and KnowBe4.

But this kind of simulation-based training is still new to the industry, said Seth Robinson, senior director of technology analysis at Computing Technology Industry Association

"I have talked to some companies who have done this kind of training, and that does tend to be one of the premiere examples of what security training should look like," he said. "Companies who have tried that show some success."

But comprehensive, ongoing simulation-based security training is rare.

"Our data shows that not many companies are doing serious training," he said.

Instead, he said, companies are still more likely to give a copy of a security policy to newly-hired employees and ask them to sign.

Creating a cultural shift

When security training means checking off a compliance box, it's hard to get people to pay attention, much less take it to heart.

"But if good security hygiene permeates a company, then it's something that can be successful," said Siobhan MacDermott, principal in the cybersecurity practice at Ernst & Young. "We work with a lot of boards and senior management in setting up security awareness programs. And we go back and see if there's a change in behavior."

The main factor that makes a difference is whether the behavior is modeled by the most senior executives, all the way down.

"It can't be just implemented from HR," she said.

Join the CSO newsletter!

Error: Please check your email address.

Tags educationsecurityphishingcyber security

More about Computing Technology Industry AssociationCSOMellonSANS InstituteTechnologyVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Maria Korolov

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place