Is your security awareness training program working?

Sep 13, 2016 | 7 mins
IT Leadership, ROI and Metrics, Security

An hour long lecture once a year doesn't do much for security awareness training

[Image: classroom training. Credit: Thinkstock]

Employees at Axe Capital, the fictional firm of billionaire Bobby Axelrod in Showtime's new series, Billions, were downright angry when they learned that the surprise SEC raid, in which they were peppered with questions about their trading transactions, was only a test. Axelrod, though, found the mock raid fruitful, as it revealed the internal weak links of his organization.

These are metrics that enterprises should be using to evaluate the success of their security awareness programs. In order for awareness training to work, it has to keep everyone in the enterprise, well, aware. 

A recent Wombat report revealed that in addition to the ever growing problem of phishing, employees across industries struggle with oversharing on social media, unsafe use of WiFi, and company confidential data exposure. Those ubiquitous posts pose serious risks.

Chris Weber, co-founder of Casaba Security, said, “Phishing attacks are pretty measurable. You give folks a phishing workshop, then go and run a phishing testing campaign and see how many people fall for the lure and how many people report the attack or suspicious email.”

Because many of the threats delivered by malicious actors often tie into phishing, these exercises can’t be overlooked, particularly in light of people’s inclination to overshare. “Most companies are embracing some type of annual or on-boarding training, letting folks know these are the things you should watch out for if you are trying to access company resources,” Weber said.

Training in and of itself is not enough. A successful awareness program will have training in conjunction with the testing. “Do the training to know what’s going on and the testing to keep it activated in people’s minds. Who falls for the bait?” Weber said.

“Each person in the organization should be tested monthly. It could be more frequent than that, but not to the point of annoying people. That’s measurable,” Weber said.

Because so many breaches are the result of human error, “Sometimes it’s easier to block access to it all and then grant access by request. Then anybody who requests access needs to install some type of device management software to help organizations keep track and monitor and have a little bit more control over the resources,” Weber said. 

Blocking access can get tricky, though, and establishing access controls doesn’t preclude the need for ongoing and meaningful awareness training.

Dave Chronister, founder of Parameter Security, said, “Awareness training is one of the most important things you can do to protect your network. You need to have a program and it needs to be effective.”

Effective means doing more than just having a person talk about the annoying things people do. That vapid approach is sure to quickly cause the audience’s attention to drift, perhaps even to the point where they take out their phones and start posting on social media.

Chronister said that when people tell him their security awareness training consists of a single session once a year, he knows it’s not a program that is up to par.

“If it is not reinforced without movies, emails, media posters, and testing, the end users will only remember it for a couple days, then the concept will go away,” said Chronister.

One midsized company whose program really impressed him, though, held monthly company meetings. “Instead of an hour long once a year, it was a 30 to 45 [minute] company meeting. They would have 10 minutes to talk about security awareness, and at each meeting, they’d go over a current topic,” said Chronister.


Rather than succumbing to the “we are going to fail” approach, the result was that over the course of a year, they had spent more time talking about security awareness. That combined with social engineering exercises allowed them to come up with the metrics they needed to see where they needed to improve.

Social engineering exercises are really tough to do because they require security experts to deceive their own employees. The intent ought to be to figure out what is going on, not to punish people for unintended mistakes. In order to know whether people respond to the lure or contact the help desk, the enterprise needs to institute consistent and varied testing.

Yes, phishing emails are a popular social engineering technique, but organizations also need to know whether a stranger can easily walk in the door and get to where they want to go. “The metrics show them, this is how many people clicked the link, how many people then entered information. The goal then is what can we do to lower that?” said Chronister.
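The three numbers Weber and Chronister describe (who clicked, who entered information, who reported) only become a program metric once they are rolled up per campaign and tracked over time. The script below is an added example, not code from the article or from any of the firms quoted in it; it assumes a simple per-recipient export from a phishing-simulation tool with hypothetical field names, and the rows in it are constructed sample data. It computes the rates per monthly campaign, breaks them down per department, shows the month-over-month change, and lists anyone on the roster who was never tested, which is where the hand-picking problem Chronister describes would show up.

```python
"""Roll up phishing-simulation results into the metrics the article names:
who clicked, who entered information, and who reported the message.
Added example, not from the article; the log format and field names
are hypothetical and the rows below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    campaign: str     # one simulated phish per month, e.g. "2016-08"
    user: str
    department: str
    clicked: bool     # followed the link in the lure
    submitted: bool   # entered credentials or data on the landing page
    reported: bool    # forwarded the message to the help desk / abuse mailbox


# Constructed sample data: two monthly campaigns, five recipients each.
SAMPLE = [
    Result("2016-07", "alice", "finance", True,  True,  False),
    Result("2016-07", "bob",   "finance", False, False, True),
    Result("2016-07", "carol", "hr",      True,  False, False),
    Result("2016-07", "dan",   "it",      False, False, True),
    Result("2016-07", "erin",  "exec",    True,  False, False),  # the CISO clicks too
    Result("2016-08", "alice", "finance", False, False, True),
    Result("2016-08", "bob",   "finance", False, False, True),
    Result("2016-08", "carol", "hr",      True,  True,  False),
    Result("2016-08", "dan",   "it",      False, False, False),
    Result("2016-08", "erin",  "exec",    False, False, True),
]


def summarize(results, key=lambda r: r.campaign):
    """Rates per group (default: per campaign). Pass a different key to
    break the same numbers down per department or per role."""
    groups = defaultdict(list)
    for r in results:
        groups[key(r)].append(r)
    summary = {}
    for group, rows in groups.items():
        n = len(rows)
        clicks = sum(r.clicked for r in rows)
        reports = sum(r.reported for r in rows)
        summary[group] = {
            "delivered": n,
            "click_rate": clicks / n,
            "submit_rate": sum(r.submitted for r in rows) / n,
            "report_rate": reports / n,
            # Reports per click: rising means people are catching what they
            # would once have fallen for. None when nobody clicked.
            "report_to_click": reports / clicks if clicks else None,
        }
    return summary


def month_over_month(summary, metric):
    """Change in one metric between consecutive campaigns, oldest first."""
    ordered = sorted(summary)
    return {
        later: summary[later][metric] - summary[earlier][metric]
        for earlier, later in zip(ordered, ordered[1:])
    }


def never_tested(results, roster):
    """People on the roster who were left out of every campaign."""
    return set(roster) - {r.user for r in results}


if __name__ == "__main__":
    by_campaign = summarize(SAMPLE)
    for campaign, m in sorted(by_campaign.items()):
        print(campaign, {k: (round(v, 2) if isinstance(v, float) else v)
                         for k, v in m.items()})
    print("click-rate change:", month_over_month(by_campaign, "click_rate"))
    print("per department:",
          summarize(SAMPLE, key=lambda r: (r.campaign, r.department)))
    print("never tested:",
          never_tested(SAMPLE, ["alice", "bob", "carol", "dan", "erin", "frank"]))
```

The report rate is the number to watch alongside the click rate: a falling click rate with a flat report rate means people are ignoring the lure, not recognizing it, and the help desk still learns nothing when a real phish lands. Keeping the per-department breakdown and the never-tested list in the same report makes it obvious when a group has been quietly exempted from the exercise.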

One issue organizations run into is letting corporate politics determine who gets tested, said Chronister. “A lot of people think, we can’t have the CISO click,” he continued, but the CISO very well might. S/he is as likely to be deceived by social engineering as anyone else in the company.

“Social engineering doesn’t happen because you’re stupid. If you believe that, you are going to get socially engineered. I’ve seen a CISO who said that anyone who gets social engineered will be fired. By taking a tough stance, he’s made his security awareness program worse. If I made a mistake and realize it, I’m not going to tell anybody because I could get fired,” Chronister said.

Security awareness needs to be based on both the skill set and the industry sector. Josh Grunzweig, threat intelligence analyst, Unit 42 of Palo Alto Networks, said, “Many hospitality employees are using POS terminals as a normal computer—checking email, browsing the web, posting on Facebook. Those terminals should only be used for financial transactions.”

When assessing the success of security awareness training, it’s important to be realistic about expectations around changing human behavior. “A lot goes into putting technical controls in place so that attackers don’t get into where they shouldn’t be,” Grunzweig said.

Across all sectors of the industry, though, when people are permitted authorized access, there is only so much an awareness training program can prevent. “Hospitality has been hit for many years, so yes, employees need to be trained on what to look for, but controls need to be put in place,” Grunzweig said.

Enterprises are coming to understand that they can’t put all the burden on the employees because the sheer number of attacks is vast. Companies large and small that have had success with awareness training are doing so because they deal with security both as a company and by alerting employees to threats they may be facing in their personal lives.

Stan Black, CSO at Citrix, said that one of the challenges with security awareness is that folks need to receive some benefit beyond just knowledge. “For folks in many of the back office functions from finance to human resources, there are courses specific to certain roles. We tie them to a trend, and add components in as threats become more prevalent,” Black said.

Executive assistants are the gateway to executives, and Black said, “Put in place social engineering awareness specific to their role. The information they have is highly valuable, and we marry that in with another element that connects to their personal lives.”

In order to measure the success of a security awareness program, organizations need metrics, which requires frequent testing that is not only relevant to the business but meaningful to the people working there.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications including The Parallax, and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, The University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.