Is Your Security Education Program an Epic Fail?

October 24, 2013
Abaker

A recent article published in BuzzFeed criticized the quality of the security education created for the U.S. Army. The article pointed out some pretty interesting characteristics about the training modules that the U.S. Army deploys to its soldiers during Cyber Security Awareness Week. According to the BuzzFeed article, “Whether or not the information is good...or the presentation is effective is immaterial: in total these videos have been viewed only about 7,000 times.” Findthedata.org indicates that there are more than 561,000 active-duty personnel in the U.S. Army; if we do the math, 7,000 views indicate a 1.2% training penetration rate.

So why were the training views so low in an organization where people are accustomed to doing what they’re told and completing quite a bit of training?

We think there are a couple of common reasons for a low training take rate:

  • People think they are knowledgeable, so they don’t take training. This can be resolved with simulated attacks, which prove vulnerability and motivate end users to learn.
  • Word gets out quickly that the quality of the content and the presentation methods are poor, and initial trainees let the others know not to waste their time.

Following are a few ways for you to size up your security training approach and determine if it is a Win or an Epic Fail, plus some ideas for improving your approach at the same time.

Signs Your Program Is an Epic Fail

  • Doesn’t have a motivational element such as simulated attacks or rewards for completion
  • “Talks at” the learner instead of engaging them through hands-on practice
  • Is theoretical and doesn’t provide real world examples or actionable steps
  • Takes longer than 30 minutes to complete and covers several topics/lessons at once
  • Doesn’t provide an avenue for measurement other than showing completion of the lesson
  • Delivers lessons with a “textbook-like” tone without creativity, or with so much creativity that the message is overpowered by the format
  • Uses examples that might be offensive to a particular group of people

Signs Your Program Is a Win

  • Engages and motivates the user by showing them that they are vulnerable to attack
  • Explains why the end user should care about the lesson being delivered
  • Delivers actionable and practical advice that the end user can immediately apply
  • Provides teachable moments that give the learner context around a concept that they can easily remember, relate to, and repeat to others
  • Covers a small number of topics in short education sessions
  • Enables the learner to practice what you teach them as they are learning
  • Delivers education using stories, simulation techniques (think pilot flying simulation) and game theory concepts to engage and enable learning
  • Provides relevant and actionable measurements to track knowledge and training effectiveness

Winning vs. Failing

If your security education program follows the Win approach, you are likely seeing favorable results and having a great Cyber Security Awareness Month. However, if your security program is more in line with the Epic Fail list, you might want to reconsider your approach.

One thing to consider is that the effort to follow either approach is probably the same; however, the results will be wildly different.

We have customer examples where training completion rates have quadrupled using some of the approaches listed in the Win category. More importantly, we’ve also seen employee susceptibility to attack drop by more than 80%.

We encourage you to take a hard look at your current security education program because a knowledgeable workforce is your best defense.

Click here for more information on the Wombat Security Continuous Training Methodology or contact us to learn more about our security education offering that changes employee behavior and reduces risk.