Are bad analogies killing your security training program?

Humans make irrational decisions under pressure. Security training needs to focus on changing behavior, not just raising awareness. Using effective analogies can help.

security training ts

What we have here is a failure to communicate.

Security training and awareness campaigns too often fail to change user behavior in any meaningful way, putting both the user and the organization at risk. The solution, experts say, is better security analogies.

Information security is an abstract and unintuitive discipline that frustrates and baffles non-technical humans. Attempts to train lay audiences in security best practices commonly involve security analogies that either do not engage and motivate, or that users take too literally.

"The assumption we make is that if we give people information, if we educate people on their roles and responsibilities, people will process that information in a logical way," says Bruce Hallas, the founder of the Analogies Project, which collects useful security analogies. "This isn't the the heat of the moment, in a situation they are not familiar with, they will make an irrational choice even though they know they should be complying [with policies and procedures]."

Red teamers know that hacking the human is the easy way in, and a targeted, well-crafted spear phishing campaign is almost guaranteed to succeed. Security trainers on blue team duty need to play the same game in reverse, experts suggest, and use targeted, well-crafted security analogies to build those internal mental defenses. That way strong security habits will kick in when users are under pressure.

Better security analogies can improve training outcomes

The worse the security news, the more infosec pros tear their hair out, the more the muggles yawn and wonder what the fuss is all about. This failure to communicate results in bad outcomes for the enterprise, for society, for politics, for everyone. The stakes are high, and the solution, John Pollock says, almost certainly lies in better analogies.

"Analogies matter," he says. "The analogies we use have a big impact on outcomes, both positive and negative." Pollack, a former presidential speechwriter for Bill Clinton, is the author of Shortcut: How Analogies Reveal Connections, Spark Innovation, and Sell our Greatest Ideas.

To continue reading this article register now

7 hot cybersecurity trends (and 2 going cold)