How long does it take for employees to be security conscious?

How much security awareness training is enough?

The U.S. Postal Services received some frustrating news in early October from the Office of the Inspector General on the effectiveness of its security awareness training program.

An internal USPS phishing simulation campaign found that more than 25 percent of the 3,125 employees who were tested clicked on a phony link. What’s more, 93 percent of the baited employees didn’t report the incident to the USPS Computer Incident Response Team, according to the report.

The testing came less than a year after a USPS data breach that compromised the personal information of 800,000 employees, as well as some customers who contacted the government. The November 2014 cyber intrusion appeared to be caused by a phishing email attack, according to the report. USPS already had annual security awareness training available to all employees with network access.

Such discouraging results raise the question: How much security awareness training is enough before employees actually get it?

Malcolm Gladwell contended that 10,000 hours was the magic number for achieving mastery of a skill in his book “Outliers,” but who has that kind of time?

Sports psychologists suggest that motor memory for a new skill can be achieved with about 15 repetitions, but detecting sophisticated and often subtle phishing scams is much more complicated than memorizing plays.

“With motor memory skills, perfect practice makes perfect, and every repetition improves things, but when it comes to changing behavior, such as trying to keep people from being snookered by phishing scams, it’s a whole different kettle of fish,” says Dr. Gregg Martin, a cognitive-behavioral practitioner and a board certified neuropsychologist in Canton, Ohio. “If you tell a professional something more than two or three times, they tend to tune you out.”

The answer to how much repetition is needed before employees can consistently identify phishing scams and other online threats lies somewhere between once a year and constant reinforcement to the point of paranoia, according to researchers and security professionals.

A starting point

“I wish the answer was ‘five times,’” says Tom Pendergast, chief strategist for security, privacy and compliance at MediaPro, which provides security awareness training. “But in reality, it’s more about repeating training and phishing simulations until you’ve raised the general level of awareness, and sometimes even paranoia, to where people are really, really looking out for these [scams].”

For starters, once-a-year security awareness training is probably not enough, psychologists say. Humans tend to halve their memory of newly learned knowledge in a matter of days or weeks unless they consciously review the learned material.

Carnegie Mellon University’s CyLab studied 500 people who were sent fake phishing emails one month apart. Those who clicked on the first email scam were immediately identified and given training on what to look out for in the future. One month later, the number of people who fell for the simulated phishing email dropped by 50%. Over three months, the failure rate was cut in half each time the test was given. The study, conducted in 2009, did not look at retention beyond three months.

CyLab professor Jason Hong, an author of the study, believes the research findings still hold true today. “The only thing that’s really new is that there are a lot more communication channels [besides email]. Now people try phishing attacks on Facebook or Twitter, but the general theme is still essentially the same. We haven’t seen any major new innovations in phishing attacks, other than the attacker may have more information about you.”

While phishing simulation does provide that “Aha!” moment for many employees, it doesn’t solve all their security awareness issues, says Joe Ferrara, president and CEO of Wombat Security Technologies. “You have to follow that up with in-depth education.”

Pendergast recommends starting off by providing security education on a quarterly basis. Once you determine how many repeat offenders are out there, then “tailor your phishing exercises to your audience,” Pendergast says. For instance, if the sales team is shown to be more susceptible to phishing lures, then send phishing simulations and reminders on a monthly basis.

He also recommends a quarterly refresh on other security awareness methods. “Maybe you’ve got a fun video about phishing that you put out in the first quarter. Then maybe do something on incident reporting in the second quarter. We know that reporting a phishing incident is just as important as not replying to them, so IT can identify where the threat is coming from and go after it,” he adds.
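The measurement behind the advice above (the USPS audit’s click and report rates, CyLab’s campaign-over-campaign failure rate, and Pendergast’s “find the repeat offenders, then tailor the cadence”) is easy to automate once simulation results are recorded per employee and per campaign. The following script is an added example, not code from the article or from any vendor named in it. The record layout, the sample results (two quarterly campaigns, two teams, eight employees) and the 25% repeat-clicker threshold for moving a team to monthly simulations are all constructed assumptions.

```python
"""Analyse phishing-simulation results to decide training cadence.

Added example; the record format and sample data are constructed and are
not USPS, CMU or vendor data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    campaign: str    # campaign label, e.g. "2015-Q1"; sorts chronologically
    employee: str
    team: str
    clicked: bool    # followed the simulated phishing link
    reported: bool   # reported the message to the incident response team


# Constructed sample data: two quarterly campaigns, two teams, eight employees.
RESULTS = [
    SimResult("2015-Q1", "alice", "sales", True, False),
    SimResult("2015-Q1", "bob", "sales", True, False),
    SimResult("2015-Q1", "carol", "sales", False, True),
    SimResult("2015-Q1", "dave", "sales", True, True),
    SimResult("2015-Q1", "erin", "finance", False, False),
    SimResult("2015-Q1", "frank", "finance", True, False),
    SimResult("2015-Q1", "grace", "finance", False, True),
    SimResult("2015-Q1", "heidi", "finance", False, True),
    SimResult("2015-Q2", "alice", "sales", True, False),
    SimResult("2015-Q2", "bob", "sales", True, True),
    SimResult("2015-Q2", "carol", "sales", False, True),
    SimResult("2015-Q2", "dave", "sales", False, True),
    SimResult("2015-Q2", "erin", "finance", False, True),
    SimResult("2015-Q2", "frank", "finance", False, True),
    SimResult("2015-Q2", "grace", "finance", False, True),
    SimResult("2015-Q2", "heidi", "finance", False, False),
]


def campaign_rates(results):
    """Per campaign: (click rate, report rate) over everyone who was tested.

    These are the two figures the USPS audit quoted: the share who clicked
    and the share who reported (the audit gave the complement of the latter).
    """
    tested, clicked, reported = Counter(), Counter(), Counter()
    for r in results:
        tested[r.campaign] += 1
        clicked[r.campaign] += r.clicked     # bool counts as 0 or 1
        reported[r.campaign] += r.reported
    return {c: (clicked[c] / tested[c], reported[c] / tested[c])
            for c in sorted(tested)}


def repeat_clickers(results, min_campaigns=2):
    """Employees who clicked in at least `min_campaigns` distinct campaigns."""
    clicks = defaultdict(set)
    for r in results:
        if r.clicked:
            clicks[r.employee].add(r.campaign)
    return sorted(e for e, cs in clicks.items() if len(cs) >= min_campaigns)


def unreported_clicks(results, campaign):
    """Employees who clicked in `campaign` and did not report it: the group
    that both fell for the lure and left the response team without a signal."""
    return sorted(r.employee for r in results
                  if r.campaign == campaign and r.clicked and not r.reported)


def recommend_cadence(results, monthly_threshold=0.25):
    """Per team: 'monthly' if the share of members who are repeat clickers
    reaches `monthly_threshold` (an assumed value), otherwise 'quarterly'."""
    repeats = set(repeat_clickers(results))
    members = defaultdict(set)
    for r in results:
        members[r.team].add(r.employee)
    return {team: ("monthly" if len(people & repeats) / len(people) >= monthly_threshold
                   else "quarterly")
            for team, people in members.items()}


if __name__ == "__main__":
    for c, (click, report) in campaign_rates(RESULTS).items():
        print(f"{c}: clicked {click:.0%}, reported {report:.0%}")
    print("repeat clickers:", repeat_clickers(RESULTS))
    print("unreported clicks in 2015-Q2:", unreported_clicks(RESULTS, "2015-Q2"))
    print("cadence:", recommend_cadence(RESULTS))
```

With the constructed data the click rate halves from the first campaign to the second, the report rate rises, and only the sales team (where the two repeat clickers sit) is moved to monthly simulations; the finance team stays on the quarterly schedule.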

Employees learn faster with ‘conditions’

Famous American psychologist B.F. Skinner taught mice how to push a lever in a single try – when the lever dispensed food. He called it a “conditional relationship.” Companies use that same psychology today to reward employees who detect and report phishing scams, or sometimes even to penalize them for phishing blunders.

One company that is looking to drive down phishing incidents to below 1% has gone as far as to tie phishing failures into its compensation system, Ferrara says, referring to a customer. “When people do fall for the simulated attacks, they are actually looking at it as part of the methodology in their bonus formula,” he says.

Rewards (even small ones) are more common for employees who can detect real phishing scams. At safety science company UL LLC, when employees detect and report a phishing scam the security team gives them validation by sending them a thank-you note and copying their supervisors, the head of the business unit and occasionally the CEO. “That goes a long way,” says Steve Wenc, senior vice president and chief risk officer.

Insurance provider XL Group created several videos around protecting company information, including from phishing scams, and issued a challenge to employees -- for every view of the video, the company would donate a dollar to Doctors Without Borders, an international medical humanitarian organization that provides aid in nearly 70 countries. The campaign exceeded its goal of 10,000 views, raising $10,000 for the organization.

Human nature is tough to change, and the constant threat of cyber attacks will keep security awareness training on companies’ agendas, but how often to train and test will depend on the desired results, Ferrara says.

“It’s a constant battle,” Ferrara says. “Just like anything else, nothing is 100%, but you’re always trying to reduce your risk.”

Stories by Stacy Collett