AY: If every employee knew how to respond to those ten scenarios, our overall security would go way up. The fact is, every employee walks in the door every morning and might experience a tailgating situation. And that's true whether you're a hard-core systems developer or the VP of Sales or an administrative assistant. We all get emails, some of which are dangerous. We all surf the Web and need to know which sites are safe. So we set out to find those common denominators that speak to every employee. And only with that baseline established can we really begin to introduce the more advanced concepts, which we do throughout the year. Again, people don't care about regulatory compliance, per se; they simply want to know what's in it for them—and that was another key aspect we wanted to build into the course. One way we approached that was to arm people with the kinds of security awareness information that they can also use at home, whether it's identifying phishing emails or knowing that a website is encrypted before they submit their credit card information. That's valuable information they can apply at work and at home, making it even more relevant to a wider audience.
Another "radical" step you took was to eliminate the test at the end of the course. Why did you do that?
KH: There was definitely a conscious decision to eliminate the test at the end. The notion of the test comes from that traditional "check the box" mentality. Our objective is not only to drive completion from a compliance standpoint–which obviously is important–but retention of the information that ultimately leads to a change in behavior. When the course is fun and engaging, not only do you get a better completion rate, but better retention, as well. So, with the guidance of MediaPro, our training solution provider, we designed our course to test and reinforce their knowledge in a more natural manner as they progress through the various scenarios.
AY: The knowledge checks occur throughout the course, which provides a more organic context. It's also at those points that we want people to be engaged—that's really where they "get it." There's no need to test them twice. We apply techniques within the course where, for each of the ten scenarios, a little bell goes off, alerting them to a new security moment. For example, there's a scene where a character finds a flash drive in the parking lot and wonders what he should do with it. In real life when someone finds a flash drive, maybe that little bell will go off in their head and they'll realize that this is in fact an actual security moment. And the decisions they make will either strengthen or weaken our overall security just that much. As Kim mentioned, the employee taking the test in a traditional sense also has this "check the box" mentality. But by doing the training this way it becomes something bigger than that.
Did you have to work to get management support to create such a new approach to training?
AY: We really didn't have to push too hard. Everybody knew that the traditional training was not optimal, but there was a certain "wait and see" attitude. People naturally wondered, is it going to work, is it going to be too corny, too silly, too soft? But everyone was definitely open to a new approach.
KH: The fact is, we and the management were all in the same boat, and so they were supportive.
AY: There are still departments doing training the old-fashioned way, but they're getting feedback from users that this is how they want to be trained. Still, it is hard for a lot of groups who are used to that traditional approach, and it does check the box. So to move away from that is a bit of a leap. Seeing others do it makes it easier, though, especially when they're successful. There's a lot of good information in the dictionary, but no one reads the dictionary. You've got to find new ways to deliver the content. The reason people like this course is that it's relevant to their jobs. The situations that we portray in the course are the ones they encounter on a daily basis. And we made it fun. Those two components made it successful. And as someone who has to take training courses, I know what I like, and what I don't like. We really worked hard to incorporate the perspective of the user. The management appreciated that, as well.
Was there ever a fear that you might fall short in terms of the regulatory requirements?
AY: It's important to emphasize that our goal is not to check a box; we're actually going above and beyond mere compliance. The only requirement I've ever seen is that you conduct annual security training for all employees. The regulations don't really tell you how to do that or what subjects to cover. But our goal is to change behavior, not just satisfy some regulatory requirement.
KH: At the same time, though, we are meeting those requirements. We're not about to jeopardize that in any way. If anything, our approach to training strengthens our compliance profile because we actually take it to heart, and in ways that benefit everyone involved.
How did you go about finding a partner to develop the training?
AY: As we were looking at the companies that provide awareness training, we were referred to MediaPro by one of our colleagues, Chris Gunias, who is Director, Records Information Management. Chris had just completed a new course, and we were impressed with what he did. He took a very novel and engaging approach to privacy training, which can be pretty dry. We also knew we wanted something different.
KH: We hadn't really set out to do a custom course from the outset, but after looking at our options, it seemed to be the way to go.
AY: The pitfall you run into when you partner with a training vendor, and start with their off-the-shelf course, is all this prewritten language and all these boring security facts that you just want to start stripping away. Establishing a collaborative environment with the solution provider allowed us to maximize the creative aspects and really hone in on the core message we wanted to deliver.
What was the process for building out the course concept?
AY: We really just started with this idea of simulating a day in the life of a Western Union employee. Once we locked that in, everyone got excited and could see the vision, and that helped build the momentum.
KH: The process itself began with creating storyboards for the various scenarios. That was a very different process from what we were used to, but as we went along, MediaPro helped us to visualize what the finished product would look like. There was a lot of exchange of ideas as we settled on the various sequences. From the simple things to the more complex features, whatever we wanted to have happen in the course actually made it into the course. On the knowledge checks, for example, some are simple Q&A events; others are more complicated, such as identifying phishing emails or other scenarios that required fairly sophisticated interactivity.
Reinforcement of the annual training event is also a key component of your program. How are you approaching that aspect?
AY: We do quite a variety of things from a reinforcement standpoint. We're presently working on a security awareness calendar that will reinforce twelve key concepts: one for every month. We also publish a blog to share bite-sized security awareness information, and we conduct regular phishing exercises, which reinforce the specialized phishing part of the course. We've actually customized all components of our program; we don't use anything out of the box. And yet, we've standardized the content across all departments and geographies. We're a pretty small team, so to provide a lot of differentiation is a challenge. We're really focused on broader tools that we can share with the entire organization.
KH: We also conduct quizzes throughout the year that provide the means to measure the results, but they have the effect of reinforcing the information, as well. We get a double benefit there.
Tell me more about how you're tracking the effectiveness of the program. Have you seen tangible results?
KH: Of course you always wonder if you're making an impact, if your efforts are paying off. So to gauge and quantify that we started conducting these 20-question quizzes, sent to a different sampling of the employee population every month. We trend the scores over time to see if, as an organization, we're getting better. And we have seen improvement since we launched the new security course, with quiz scores now averaging 89%. It is definitely raising awareness and changing behavior. We expect to see the scores continue to climb as more people take the Day in the Life course.
AY: And I would add, with confidence, the odds of people remembering this course are much higher than the odds of them remembering anything from our previous courses!
Were you surprised by the way A Day in the Life has played out?
KH: We did wonder how it was going to fly. We think it's pretty clever; we chuckle when we review it, but we also wondered whether it would be received "out there" in the same way, if it would translate all over the globe. And yet, the positive feedback came from all over the globe, not just the US colleagues. The feedback came from Lithuania, Argentina, Canada, all over. It came from different departments, different levels–the whole hierarchy–including even hardcore IT security people.
AY: We've been doing security training for years now, and none of our previous courses got any feedback from the users—positive or negative. But we received immediate feedback from users saying they loved the course, they loved this new style, it was relevant to them, they learned something, and still today, almost every day we get an email from someone complimenting us on the course. So it's nice to be able to add that qualitative feedback to the measured results.
KH: I think the key thing is simply wearing the hat of the user taking it versus the teacher teaching it, which is another aspect of the overall strategy. We're just thrilled with the results. We figured there would be some people who didn't like the new style, but we haven't heard from any of them.
AY: At the end of the day I was just hoping most people wouldn't hate it. That was my criterion for success! And we blew that away.
John Schroeter is Director of Marketing at MediaPro, a provider of security awareness training solutions.