Organisations are investing an increasing amount in cyber security education, but it is not always clear whether it makes any difference to users' ability to recognise and respond correctly when a cyber threat, such as a phishing attack, manifests itself.
To understand whether or not security education is working, we need to be in a position to measure how users behave, or are likely to behave, on a day-to-day basis. Many security education training approaches miss the mark because:
- Traditional "tell & test" training merely tests short-term retention of the facts delivered by the training content. This is no indication of how users are likely to behave "in the real world".
- Simulated phishing attacks provide distorted metrics that focus only on failure. They give no real indication of the organisation's overall threat recognition capability.
To obtain a reliable indication of the effectiveness of security education, we need to deliver education differently:
- By interactively coaching users to develop threat recognition skills, enabling them to see their progress and giving InfoSec specialists the ability to measure user threat recognition skills
- By monitoring and measuring day-to-day threat response behaviour in the user community
How do we do this?
1. Introduce experiential learning techniques into the educational process. Don't just tell users what a phishing email looks like and then set a multiple-choice question. Show them, walk through an example, and then have them identify the "red flags" interactively, giving instant feedback.
2. Create a "learning lab" of examples so that you can vary the subtlety of the tests and make them progressively more challenging. This develops users' skills in a way that lets the users themselves see their progress.
3. Adopt a "no-one fails" approach. Capture metrics based on the difficulty levels, the users who needed support and coaching, and those who were right first time. This is the first step in understanding your organisation's overall vulnerability to user-targeted cyber attacks.
4. If you do use simulated phishing attacks, concentrate on "catching them doing something right". Count the reports made to InfoSec (indicating that users have recognised the threat and acted accordingly). This is the strongest indication that your training is getting through.
5. Adopt an intelligence-led approach to building your experiential learning lab and use it for micro-learning interventions, advising users of new threats and letting them practise their skills in a positive and supported environment. This approach also has a useful relationship-building benefit: it sends the message that InfoSec is supporting and helping their colleagues.
All this and more is covered in my Cybrary course "Creating Effective User Awareness Training", available for free here (the topics above are covered in more detail in Module 2).