Information Security Awareness (ISA) training is a painful topic for many employees. Each year, organizations force standardized ISA “training” materials on their employees in an attempt to either educate or to simply comply with frameworks. Coincidentally, each year cleaver employees figure out how to hit the “next” button quicker!
The human problems in security are well known. We know - through both anecdote and empirical evidence – that users really are the weak link in security. Look no further than the spear phishing attack that allegedly kicked off the RSA breach in 2011 (yes, it was that long ago). This is a people problem…
As security professionals, we have to understand that not everyone has a passion for security. In fact, most people don’t. Given that we know “they” don’t share our passion, and we know they are the most vulnerable attack vector, why do we continue to bore them with homogenous and irrelevant training?
This is where things get a little tricky, though. What is irrelevant to me, may be necessary and critical for someone else. For example, I don’t need to hear about the dangers of opening attachments from unknown senders, but there were some folks at RSA who obviously did need that training. So what do we do?
I propose that we take the time to focus on the human system. A lot of academic research has been published in recent years talking about exactly that: applying psychological theory to ISA training programs. In my own research, I’m investigating how to train ISA in such a way that users’ don’t simply “understand” the material, but that they also develop an appreciation for the topic area.
(Without going too deeply into the social psychology underpinnings, most models on human behavior and technology adoption agree on this: Attitudes predict Intention, and Intention predicts Behavior. In context, if we can change attitudes about computer security, we can ultimately change behaviors…to varying degrees.)
So how do we provide engaging training to positively affect attitudes? The literature is pretty clear on this: educational presentations and group discussion. Posters, emails and newsletters are part of the long term solution. Read-and-sign training is NOT the solution!
In my research on attitudes towards security, I’m exploring the idea of automatically adapting computer-based educational presentation videos to the needs of individual users. By gathering profile data about users and intelligently stitching presentational together, it’s possible to create cohesive training materials that are relevant, stimulating, and provide for a greater levels of appreciation of information security.
Until we get to that point, I propose we take a critical look at our ISA training. Focus on the humanistic side of training. Engage your users in conversation during presentations, not just through email or in a canned CBT course. And ask: (1) Do your users care about security? And (2) how would you know if you don’t ask?
Lee V. Mangold is an information security researcher, author, student, entrepreneur and self-professed INFOSEC evangelist. He currently a senior researcher and network operations manager for a US Department of Defense contractor.