Industry professionals agree that the most significant security threat to an organisation is its own employees. Controls can be implemented to help combat this problem and some would argue that such controls are sufficient on their own. However, the strongest security measures can be circumvented by a single incident of creative social engineering. Only by taking a balanced approach to technical control and employee training can organisations adequately secure themselves.
The best defense against human-based threats, such as social engineering and phishing, is true understanding. Your environment is ever changing in terms of people, technology, and points of exposure, and you need to manage these elements in a volatile landscape. The SANS Institute recommends that organisations educate their employees about security issues and regularly test them to ensure they retain what they learn. In recent years the Information Security industry has begun implementing automated training and testing facilities, known as Learning Management Systems (LMS), to accomplish this task. According to a recent study by Bersin & Associates, more than 40 percent of all organisations and more than 70 percent of large enterprises have an LMS.
Building an effective training program where appropriate retention and understanding occur is challenging. Not only is the choice and development of the right content important, but its proper delivery is paramount to the program's success. This article aims to provide a renewed sense of purpose with regard to employee training.
Beyond WHAT and on to HOW

While Information Security specialists consider many aspects in building and launching a complete training program, I will focus on those areas that are often overlooked, yet critical to a program's success. The key question is, "How can we turn the world of Information Security, an uninteresting topic for many, into an effective and enjoyable learning process?" In response, we will look not only at the raw content but also consider three additional strategies: expanding the framework for the LMS, emphasizing the relevance of the training material and creatively using humor where appropriate.
Raw Content: The foundation of any LMS is the content. Countless articles and white-papers are available that detail how to choose or develop content for your awareness program. Here are a few quick tips:
- Use rich content: Include as much rich content as possible, such as animation, pictures, video, and voice-overs. The more multimedia you add the more you will grab and hold your employees' attention throughout the learning process.
- Structure test questions: You can design test questions and answers in many ways. One approach is first to ask all the questions, providing no feedback in between, and then show students how they performed. Alternatively, you can ask a single question immediately followed by a slide containing an explanation of the answer and then proceed to the next question. The latter approach provides stronger reinforcement of the material, adding context and meaning to the topic. The goal is to ensure people understand the spirit of the material and how to apply it to their daily routines, rather than knowing the exact answers to specific questions.
- Keep the content fresh: Refresh content on a regular basis - outdated content that does not align with current trends and issues will seem out of place. This lack of credibility will negatively impact the program's ability to mitigate the security threat posed by your employees.
Framework: Choosing the right content is fundamental but it is only the first step. Look beyond the content to consider the larger framework into which the content is placed.
An effective program offers much more than just training material and a follow-up mastery test. The framework of the LMS must allow for additional features and flexibility in order to become widely adopted and used on a regular basis. Here are some functions that can help to create a more complete LMS:
Welcome page: When employees/students log into the LMS, rather than landing at a menu system listing all the required courses, offer them a warm welcome. This page can have a few brief paragraphs explaining the goals and importance of the program. It should also display a clear endorsement from the highest level of the company - a letter from your CEO and your CEO's signature at the bottom of the page are ideal.
Policy affirmation: Similar to the notion of training courses, your LMS should give you the ability to upload corporate policy documents, employee handbooks, or other required reading materials. Once students have downloaded and reviewed these documents, require them to return to the LMS to affirm that they have read and understood the policies.
Policy engine: A good LMS gives you the ability to establish groups of students to whom you can assign the various courses and policy documents. You should be able to set optional recurrence requirements, such as requiring a group to become re-certified or reaffirm policy documents on a regular basis.
Monthly security reminders: To keep all forms of security training in one common system, an LMS will have a facility to enable regular security reminders. These reminders would be emailed to the entire employee base or specific groups. They should update employees on various topics relevant to information security and current day threats. This is an excellent form of learning reinforcement that contributes to the initial and ongoing education of your employee base.
Reporting: No LMS would be complete without reporting capabilities. Managers should be able to quickly see which employees are in compliance with the corporate training policy. These reports should also be sortable by employee, group, course, policy and so on. An automated report that details which employees are due for certification renewal, so that reminders can be sent, is also helpful.
Corporate policy enforcement: Consider the advantages of tying key network access privileges, such as remote user VPN and Web browsing, to each user's certification status. For example, when an employee becomes certified in "Remote Access Best Practices" that person's VPN account becomes activated. This same control could apply to web browsing and other network resources. Where this integration is not supported, a simple system may be employed to notify an administrator when an uncertified employee has performed some activity. Because of implementation complexities, these features have not yet been widely adopted. However, many companies have expressed interest in this type of functionality.
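The following is an added illustration of the policy engine, renewal reporting and enforcement ideas above; it is not code from the article or from any particular LMS product. It assumes a hypothetical mapping from network resources to the course that gates them, a re-certification interval per course (the recurrence requirement described under "Policy engine"), and constructed sample certification records and access events. It shows both modes the text describes: an access decision the VPN or proxy could enforce directly, and the fallback of auditing access events to notify an administrator when an uncertified or lapsed employee has used a resource.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Certification:
    """One passed certification, as an LMS would record it."""
    user: str
    course: str
    certified_on: date


# Hypothetical policy: resource -> (course that gates it, how long a pass stays valid).
RESOURCE_POLICY = {
    "vpn": ("Remote Access Best Practices", timedelta(days=365)),
    "web": ("Safe Web Browsing", timedelta(days=180)),
}
# Derived view: course -> validity period, used for renewal reporting.
COURSE_MAX_AGE = {course: max_age for course, max_age in RESOURCE_POLICY.values()}

# Constructed sample data (not real employees or dates).
TODAY = date(2024, 6, 1)
SAMPLE_CERTS = [
    Certification("alice", "Remote Access Best Practices", date(2024, 3, 1)),
    Certification("bob", "Remote Access Best Practices", date(2022, 1, 15)),  # lapsed
    Certification("carol", "Safe Web Browsing", date(2024, 5, 20)),
]
# (user, resource, timestamp) as a VPN concentrator or proxy might log them.
SAMPLE_EVENTS = [
    ("alice", "vpn", "2024-06-01 08:02"),
    ("bob", "vpn", "2024-06-01 08:10"),
    ("carol", "vpn", "2024-06-01 09:00"),
    ("carol", "web", "2024-06-01 09:05"),
]


def latest_pass(certs, user, course):
    """Most recent pass date for this user and course, or None if never certified."""
    dates = [c.certified_on for c in certs if c.user == user and c.course == course]
    return max(dates) if dates else None


def is_certified(certs, user, course, today):
    """True only if the user passed the course and the pass has not exceeded its validity period."""
    passed = latest_pass(certs, user, course)
    return passed is not None and today - passed <= COURSE_MAX_AGE[course]


def access_decision(certs, user, resource, today):
    """Enforcement mode: allow the resource only while the gating certification is current."""
    course, _ = RESOURCE_POLICY[resource]
    return is_certified(certs, user, course, today)


def audit_activity(certs, events, today):
    """Fallback mode: for systems that cannot enforce, turn access events by uncertified
    or lapsed users into administrator notifications."""
    alerts = []
    for user, resource, when in events:
        if not access_decision(certs, user, resource, today):
            course, _ = RESOURCE_POLICY[resource]
            alerts.append(f"{when}: {user} used {resource} without a current "
                          f"'{course}' certification")
    return alerts


def renewals_due(certs, today, notice):
    """Renewal report: (user, course, expiry) for passes that expire within `notice`,
    including those already lapsed, so reminders can be sent."""
    due = []
    for c in certs:
        expires = c.certified_on + COURSE_MAX_AGE[c.course]
        if expires <= today + notice:
            due.append((c.user, c.course, expires))
    return sorted(due, key=lambda row: row[2])


if __name__ == "__main__":
    for line in audit_activity(SAMPLE_CERTS, SAMPLE_EVENTS, TODAY):
        print("ALERT", line)
    for user, course, expires in renewals_due(SAMPLE_CERTS, TODAY, timedelta(days=30)):
        print("RENEWAL DUE", user, course, expires)
```

With the sample data, alice's VPN use passes, bob's is flagged because his pass is older than the one-year validity period, and carol's VPN use is flagged because she holds only the web-browsing certification; the renewal report lists bob as already lapsed. The validity check lives in one function so that the enforcement and audit paths cannot drift apart, which is the property an administrator needs if the notification mode is later replaced by real integration.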
Relevance: It's extremely important to show the relevance of your program if you expect users to care about its benefits - they must be able to identify with the underlying story and associate its meaning with their own experience. Why is this important? You need to demonstrate the value of the training program. Your job is to help create in your employees a desire to go through the effort of becoming properly trained and certified. If they see the value and relate to what they read and learn, they will go beyond what is necessary to pass the test. To ensure this information sinks in and that employees truly exercise best practices and security-conscious behavior, you need to help guide them to a place where they can "see the light."
As an example, rather than requiring your employees to become certified in a course called "Introduction to Information Security," why not say, "You're going to learn how to protect yourself from SPAM, viruses, and hackers - great information you'll be able to use here and at home." This approach helps to bring significant meaning and value to your training. Carry this concept through to all aspects of the LMS. In addition to ensuring technical accuracy on the tests, structure the information in a way that will resonate with your employees' daily workflows and lifestyles.
Humor: The use of humor is essentially an extension of the previous topic, although it may be the most challenging yet beneficial factor to implement in a training program. As industry professionals you may find the world of Information Security really exciting, but it is likely your employees may not - the use of humor can be invaluable in addressing this issue. Even if employees can relate to the material and understand its relevance, they may still have a difficult time maintaining their focus as they proceed through page after page of content. Humor is a great way to help people stay engaged.
To what extent should humor be used? Since every environment has different tolerance levels for new and potentially radical ideas, there's no universal answer to this question. However, few would disagree that every organisation can benefit from additional laughter. Imagine if the landing pages for your various training courses showed a picture of a well-known character with a funny saying. For example, a course containing information on anti-virus concepts could feature Neo from the film 'The Matrix' saying, "What are you trying to tell me? That I can dodge viruses?" Another course could show television character Mr. T saying, "I pity the fool who doesn't use complex passwords!" These examples may seem trivial, but what you're starting to do is "market" this information to your employees. After applying the same level of creativity throughout the coursework you may find that your employees actually enjoy taking the courses, earning you a front-row seat at "memory stadium!"
There are many ways to employ humor throughout your program. Use wacky analogies and provide crazy test questions and answers. Add well known one-liners related to your industry or quotes from around the office. Include funny photos or cartoons, rather than using standard clipart. Find some YouTube clips that poke fun at the material and add those links where appropriate. Here's a great tip - if you're having lots of fun creating the courses, then your employees will have fun taking them!
The Water Cooler Test

According to the Bersin & Associates study, companies are considering the use of more sophisticated techniques to increase the quality of their learning programs. If you use these strategies and tools, you should be able to accomplish three important goals while establishing a security awareness training program: implement an LMS framework that provides ongoing reinforcement of the learning process, help employees understand the relevance of the program and its content, and keep people interested as they dive into the detailed coursework. Your objective is to get employees to a point where they look forward to the next course and test. What better way to help boost office morale than to turn a corporate requirement on a potentially dry topic into an engaging system that will result in competent, security-conscious employees - chatting around the water cooler about how they work for a really cool company!