Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Experience based training for improved security

PhishMe : 29 August, 2013  (Technical Article)
PhishMe's Rohyt Belani and Scott Greaux explain the role of immersive training in improving a workforce's ability to deal with cyber crime
Experience based training for improved security

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.

One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behaviour is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.

Immersing a human in an experience triggers the brain in a way that traditional training doesn’t – by drawing an emotional response. In complex vertebrates, the amygdala is the area of the brain associated with both memories and emotions. This is why hearing that old Van Halen song brings back memories of high school (at least for some of us!). An emotional experience sticks in our memory, making training techniques that elicit emotions more powerful. This is why posters and conventional computer based training fall short.

We observe the fleeting nature of email communication within our own customer base. Some of our customers choose to follow a PhishMe best practice and announce PhishMe campaigns before sending them out, while others do not inform their employees. While it would stand to reason that the employees who had been informed would be less likely to fall for the phish, there is no measurable difference in the end result of the campaigns. Simply sending a person an email informing them that a training exercise is going to be sent through email is not enough to change their behavior. You need to draw an emotional response as well. Those customers that do inform their employees, however, are able to fend off negative backlash as well as eliminate the perception that they are trying to pull one over on the users.

Equally important is providing feedback to participants, as simply simulating an attack won’t provide the meaningful information that triggers the emotional response. If users fall for a simulated phishing attack, but don’t know what they have done, it’s a missed opportunity to change their behavior. A great example of how feedback spurs behavioral change can be seen in the example of radar speeds signs. These are the signs usually placed near a construction site or school and display the speed we are driving just underneath the posted speed limit. These signs are effective at changing behavior positively because they provide us with instant feedback about our behavior, as well as a guideline for improving it. This technique leverages a concept called a feedback loop, discussed in greater detail in an article from Wired magazine.

Repeating immersive training exercises capitalizes on a neurological process called long-term potentiation, which is how the human brain forms memories and retains them. Memories form from similar synapses between neurons, and repetition of those synaptic processes cause us to learn and retain information. Conducting annual training will not lead to retention – even if the training itself is compelling – because it won’t be frequent enough to stick in employees’ minds. Whenever we are learning something new, whether it’s to play a sport, instrument, speak a new language, etc. repetition is crucial. By repeating his golf swing on the driving range thousands of times, Tiger Woods made that action become second nature. It’s the same with teaching email users safe email behavior, repeatedly conducting security awareness exercises will allow them to make safe email use a habit.

We’ve observed this first-hand with customers who purchase a PhishMe license and then only run one or two campaigns. They don’t see the improvement that customers who run consistent campaigns experience. Moreover, we’ve seen customers use PhishMe successfully to improve organizational resilience to phishing attacks, only to regress upon discontinuing PhishMe. Sporadically conducting training or discontinuing training altogether misses the opportunity to train new employees as well as update training to address emerging attack vectors.

Ultimately, immersing your employees in an experience will improve their behavior. Our experience training over 4 million unique users has shown that around 58% will fall for phishing emails prior to training, but after a few months of immersive training that number can be reduced to less than 10%.

Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo