If you are reading this in the hope that there is an elegant equation like E = mc² to unlock the secret of achieving end-user cyber security competence, you are going to be disappointed. Einstein was also a bit of a philosopher and delivered some very insightful quotes, including this one:
“Learning is experience. Everything else is just information”
This observation leaves a few question marks over many approaches to corporate training, including cyber security, where content is served up to participants and then followed by a series of multiple-choice questions – the “Tell & Test” approach. All this does is introduce a topic and then test short-term memory – it does not develop real capability. In the field of cyber security, some organisations have turned to measures such as simulated phishing attacks to bolster end-user threat recognition capability. However, organisations have experienced negative outcomes from simulated phishing tests: users often interpret them as entrapment, which results in antipathy towards the IT Security function and in misleading metrics.
So where does this leave us? First let’s consider why we do user awareness training: in the Cyber Security industry, end-users are often referred to as “the human firewall” – in other words they are an integral part of our cyber defences and we should recognise that we need to go beyond “Tell & Test” training and “evaluation by stealth”. The ultimate goal is to go beyond education to build threat recognition capability. This means moving on from the current techniques used to deliver cyber security awareness content.
Developing capability requires practice and coaching: participants need to feel supported during their development and need to see their own progress. In many respects, end-user cyber security training is now behind the curve when compared to approaches currently being applied in the IT sector. Take for instance training in cloud computing principles, where the technology itself is used to create a virtualised training environment. Cyber security “techies” are also being trained in this way: participants in training courses apply security architectures and receive feedback on their efforts. Both approaches underline the concept that “there is no learning without doing”: if we want capable users, we need to apply these concepts to our end-user education and training initiatives.
To build real threat recognition capability, end-user cyber security training needs to include “learning by doing” opportunities, using technology to create an experiential learning environment. Early adopters of experiential learning for developing the threat recognition capabilities of end users have included:
· Interactive environments that invite users to find the “Red Flags” in phishing emails. If they don’t recognise them all, they can ask for guidance, so the user is being coached – not duped;
· Displaying a list of URLs and asking the user to pick the safe one from several examples, again giving feedback and guidance on their efforts;
· Simulating the sign-on process to an external Wi-Fi connection, asking the user to follow secure connection procedures.
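One way to build the URL exercise from the list above, as an added example that is not from the post or from any training product it describes: a small Python checker that returns the red flags it finds in a URL, plus a coaching reply that compares the learner's verdict with those flags and explains them instead of just marking the answer wrong. The trusted domain, the heuristics and the sample URLs are constructed assumptions for the illustration, not material from the post.

```python
"""Coaching-style URL exercise (added example; assumptions are marked below).

The learner judges a URL, then gets an explanation of every red flag the
checker found, rather than a bare right/wrong score.
"""
import ipaddress
from urllib.parse import urlsplit

# Assumption: the organisation's own domain, used for the lookalike check.
TRUSTED_DOMAINS = {"example-bank.com"}

# Undo common character swaps so "examp1e-bank" compares equal to "example-bank".
_LOOKALIKE_TABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})


def _looks_like(host: str, trusted: str) -> bool:
    """True when host imitates trusted once digit/letter swaps are undone."""
    stripped = host.removeprefix("www.")
    return (stripped != trusted
            and stripped.translate(_LOOKALIKE_TABLE) == trusted.translate(_LOOKALIKE_TABLE))


def url_red_flags(url: str) -> list[str]:
    """Return plain-language red flags for a URL (an empty list means none found)."""
    has_scheme = "://" in url
    parts = urlsplit(url if has_scheme else "//" + url)
    host = (parts.hostname or "").lower()
    under_trusted = any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False

    flags = []
    if has_scheme and parts.scheme == "http":
        flags.append("plain http: nothing typed on this page is protected in transit")
    if "@" in parts.netloc:
        flags.append("'@' in the address: what comes before it is decoration, the real host is after it")
    if is_ip:
        flags.append("bare IP address instead of a name: real services almost always use a domain")
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        flags.append("internationalised characters in the host: some letters can imitate ordinary ones")
    if not under_trusted and not is_ip:
        if host.count(".") >= 3:
            flags.append("a long chain of sub-domains: the domain that matters is the last two labels")
        for trusted in TRUSTED_DOMAINS:
            if trusted.split(".")[0] in host or _looks_like(host, trusted):
                flags.append(f"resembles {trusted} but the actual domain is '{host}'")
    return flags


def coach(url: str, learner_says_safe: bool) -> str:
    """Compare the learner's verdict with the checker's findings and explain them."""
    flags = url_red_flags(url)
    if not flags:
        if learner_says_safe:
            return "Agreed: no red flags found."
        return ("No red flags found. If it still feels wrong, type the address you know "
                "into the browser instead of clicking the link.")
    detail = "\n- ".join(flags)
    if learner_says_safe:
        return f"Look again. Red flags you may have missed:\n- {detail}"
    return f"Good call. Why it is risky:\n- {detail}"


# Constructed exercise: (url, is_actually_safe). None of these hosts are real targets.
EXERCISE = [
    ("https://www.example-bank.com/login", True),
    ("https://examp1e-bank.com/login", False),
    ("https://example-bank.com@evil.example/login", False),
    ("http://192.0.2.10/secure", False),
]


def run_exercise(answers: dict[str, bool]) -> int:
    """Score a learner's answers (url -> says it is safe) and print coaching; returns the number correct."""
    correct = 0
    for url, actually_safe in EXERCISE:
        verdict = answers[url]
        correct += verdict == actually_safe
        print(url, "->", coach(url, verdict), "\n")
    return correct


if __name__ == "__main__":
    # A learner who trusts the lookalike domain gets coached on what they missed.
    print("score:", run_exercise({
        "https://www.example-bank.com/login": True,
        "https://examp1e-bank.com/login": True,
        "https://example-bank.com@evil.example/login": False,
        "http://192.0.2.10/secure": False,
    }), "of", len(EXERCISE))
```

The heuristics are deliberately simple and explain themselves; the point is that every verdict comes with the reason behind it, so the learner is coached rather than caught out. Swap `TRUSTED_DOMAINS` for the organisation's real domains and extend `EXERCISE` with examples drawn from the lures the organisation actually receives.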
The good news is that the majority of the above techniques can be developed with straightforward tools and integrated into existing training content and learning management systems, so the only barrier now is your own creativity!