
Security Awareness Training - people are your greatest asset
Jun 24, 2024
Improving layer 8 - People are your greatest asset!
I was reading the annual State of the Phish report from Proofpoint recently and some areas just jumped out of the page at me. I’ve always said that people can be your greatest asset and that approaching awareness campaigns holistically is something we could improve on.
Most organisations shape their awareness campaigns in the context and environment of corporate themes and assets; however, to improve behaviours, and ultimately culture, we need to widen the scope to the personal space. There is increasing complexity in this space, with an alarming number of users using their corporate devices for personal use, such as downloading and playing games. This use also extends to friends and family members.
People will behave differently when using personal and work devices; you could almost call these profiles, where they might be more or less inclined to click that email or visit that potentially malicious site to download their favourite game. Taking a systems theory approach, their behaviours are directly influenced by the environment they’re in. With the decentralised model of working we now find ourselves in, this is, in most cases, our homes.
Looping back to an awareness campaign, I remember reading some insightful statistics some time ago around knowledge retention which shocked me. Be prepared:
After one hour, people retain less than half of the information presented.
After one day, people forget more than 70 percent of what was taught in training.
After six days, people forget 75 percent of the information in their training.
The objective data above is why an awareness program should be constant, and not merely an annual exercise.
To make learning from an awareness campaign stick, or be retained more effectively, it’s helpful to include an emotional aspect. People might be more inclined to feel that with personal content which is aimed at guiding them in their everyday lives from a security perspective. It also helps build trust in the information security program by demonstrating that you’re not only interested in corporate assets; that you care about each person in your company. Improving the soft power of human factors might then help the overall security of the system, with people more inclined to support security activities and efforts, report potential incidents and build security champions.
Human factors affect the operating effectiveness of an information security program, and are by themselves a control when acting as a defence, or a point of attack when lured by nefarious actors. Often, the focus is on just getting content out there and ticking that box, but if we can further tailor this content and the approach, it will pay dividends for the overall security state of the system.
Resources
https://www.proofpoint.com/uk/resources/threat-reports/state-of-phish
https://www.getbridge.com/blog/10-stats-about-learning-retention-youll-want-forget/






