Industry View: Security Training With Style

Perimeter eSecurity VP Jason Miceli offers some tips on how to give employees a true understanding of security

By Jason Miceli

September 03, 2008, CSO

Industry professionals agree that the most significant security threat to an organization is its own employees. Controls can be implemented to help combat this problem and some would argue that such controls are sufficient on their own. However, the strongest security measures can be circumvented by a single incident of creative social engineering. Only by taking a balanced approach to technical control and employee training can organizations adequately secure themselves.

The best defense against human-based threats, such as social engineering and phishing, is true understanding. Your environment is ever changing in terms of people, technology, and points of exposure, and you need to manage these elements in a volatile landscape. Risk control processes must be enforced to prepare your employees for the threats that target them as the weakest link. The SANS Institute recommends that organizations educate their employees about security issues and regularly test to ensure they retain what they learn. In recent years the Information Security industry has begun implementing automated training and testing facilities, known as Learning Management Systems (LMS), to accomplish this task. According to a recent study by Bersin & Associates, more than 40 percent of all organizations and more than 70 percent of large enterprises have an LMS.

Building an effective training program where appropriate retention and understanding occur is challenging. Not only is the choice and development of the right content important, but its proper delivery is paramount to the program's success. This article aims to provide a renewed sense of purpose with regard to employee training.

Beyond WHAT and on to HOW
While Information Security specialists consider many aspects in building and launching a complete training program, I will focus on those areas that are often overlooked, yet critical to a program's success. The key question is, "How can we turn the world of Information Security, an uninteresting topic for many, into an effective and enjoyable learning process?" In response, we will look not only at the raw content but also consider three additional strategies: expanding the framework for the LMS, emphasizing the relevance of the training material and creatively using humor where appropriate.

Raw Content: The foundation of any LMS is the content. Countless articles and white-papers are available that detail how to choose or develop content for your awareness program. Here are a few quick tips:

  • Use rich content: Include as much rich content as possible, such as animation, pictures, video, and voice-overs. The more multimedia you add, the more you will grab and hold your employees' attention throughout the learning process.
  • Structure test questions: You can design test questions and answers in many ways. One approach is first to ask all the questions, providing no feedback in between, and then show students how they performed. Alternatively, you can ask a single question immediately followed by a slide containing an explanation of the answer, and then proceed to the next question. The latter approach provides stronger reinforcement of the material, adding context and meaning to the topic. The goal is to ensure people understand the spirit of the material and how to apply it to their daily routines, rather than knowing the exact answers to specific questions.
  • Keep the content fresh: Refresh content on a regular basis; outdated content that does not align with current trends and issues will seem out of place. This lack of credibility will negatively impact the program's ability to mitigate the security threat posed by your employees.

Framework: Choosing the right content is fundamental, but it is only the first step. Look beyond the content to consider the larger framework into which the content is placed.
