We tend to "hang our hat" on the idea that if we develop some training material and have our users sit through it once or twice a year, that awareness session will keep them (and the organisation) safe from threats that target end-users as the attack vector. But is "awareness" enough? "Awareness" is "know-that"; it is not "know-how".
"Know-that" knowledge is knowledge such as "we have a policy on [subject]. To comply you should...." "Know-that" knowledge is fine for things we simply have to remember, like policies and what we have to do to comply with them. Generally, they apply to things we already have the skills and know-how to do; they just set the standard to which those things have to be done.
"Know-how" is completely different: it is created by the acquisition of NEW skills. As we all know, skills are acquired with support, coaching and, above all, practice. Look at it this way: could you become a cyber security specialist by completing an online course, getting a pass grade on a multiple-choice test, going off to do something different for 6 months and then still expect to return to work as a competent cyber security specialist? I think we know the answer to that one, but in many cases isn't that exactly what we expect from our colleagues? It's OK to apply and require password standards and to set policies for these; we've been using them for years and we are all familiar with a variety of logon processes (so there's absolutely no excuse for not following policy guidelines in this area).**
But threats like phishing and social engineering attacks are different - we need our users to develop the skill to recognise AND respond to these threats when they manifest themselves. That requires Know How - and it can't be developed in the same way: we can't TELL them to be competent.
So in order to give our colleagues the capability to recognise the types of cyber attack that are most likely to target them, security education in this area needs to travel in a different direction. As InfoSec professionals we need to accept that some of our expertise (our know-how) has to be transferred to our colleagues, and that this has to happen in an environment of coaching and ongoing development, giving the people in our organisation the skills they need to recognise threats when they show up and to respond to them correctly. That can't be done just by telling them, using traditional content, or by sending phoney emails that "reward" those who click on them with the same training that has clearly failed in the first place.
Over the coming weeks I'll be sharing with you some approaches and techniques that we have applied that result in the development and retention of intrinsic threat recognition capability.
** Yes, I know we still have BIG problems with password policies being ignored. But this is not because people don't have the skills to apply password policies; they just choose to ignore them!
Remember, you don't need more training content or simulated phishing attacks: real resilience is created by developing and measuring the threat recognition capabilities of everyone in your organisation.