Discussion About the 10 Commandments for Effective Security Training
Just recently Solution Providers for Retail published our 10 Commandments for Effective Security Training article which outlines Wombat's progressive training techniques for teaching employees to recognize and avoid cyber-attack.
There were a few comments to the blog post that we will respond to here to further explain our approach to effective security training.
don k commented that "Training can take you to a place but not to the exact destination. I feel giving them [employees] hands on experience on real situations will make them grow in confidence."
We completely agree. This is actually one of the unique things about Wombat's training approach. Employees are always placed in real-world situations and immediately asked to apply what we've taught them. We do this in two ways, the first way is through Social Engineering Assessments, such as simulated phishing attacks where employees receive phishing emails in their actual inbox from their employer. The employees who fall for the attack receive a brief training message telling them what just happened and a few tips to avoid real attacks. This approach provides the ultimate teachable moment when the recipient who falls for the attack realizes that they are susceptible and should take more training on the subject. Alternatively, the employees who don't fall for the attack may report the phishing email through the proper channels and feel more confident that they are aware of cyber threats.
The second way we apply real-world scenarios is through our interactive software training modules themselves. Right after we teach a lesson the learner is placed in a story-like scenario and asked to make the right decision by applying what they just learned.
consultbydigital commented, "We all become very busy with our roles in business but remember to apply these best practices as they can save the business from a lot of damage and promote security by making sure precautions are being handled."
Being too busy is one of the biggest challenges security officers face. They need to ensure training is high on the priority list which is difficult when you have so many fires burning in your department. This is even more difficult if you are creating your own internal training. It takes time to research the best practices and find the best way to roll out the training program to end users.
Wombat makes this easier by having a full library of content covering all of the cyber security threat vectors. We regularly update our content with the latest realistic attack scenarios. Our Security Training Platform provides tools that enable administrators to create and monitor assignment completion as well as understand the security knowledge strengths and weaknesses in the organization. These tools make the training initiative less difficult and gives the security officer more time to deal with other pressing issues.
anthonyd commented, "I like the points Train in Context and Vary the Message and totally agree on it but I have my doubts on Serve Small Bites point since we cannot allocate a pre-defined chunks right now since the requirements do change rapidly."
'Train in Context' and 'Vary the Message' have two different purposes, 'Train in Context' helps the learner relate the lesson to real-life situations which aids in retention. When you 'Vary the Message' during training, the learner has different messages they can relate to. Certain messages will make sense to some people and not to others. Using both of these principles leads to more effective training.
One of the biggest training challenges is setting aside time for training. The beauty of providing software-based training in a cloud-based platform is that employees can take the training at any time they can fit it into their schedule. There's no need to schedule classrooms or try to arrange schedules which take time away from completing objectives. Additionally, training modules that are 10-minutes or less make it easy to fit into schedules, for example just before a meeting or after a meeting that ends early. Also, short training segments ensure the lesson is complete before the learner loses interest.
We'd like to thank the Solution Providers for Retail readers for their comments. We know that security officers are tasked with security awareness training but aren't always comfortable with the task. We're happy to share what we think are the best approaches to effective training.
Click here for more information on Wombat's methodology for effective security awareness training.
Subscribe to the Proofpoint Blog