By Rob Medley
June 6, 2016
Mention deadlines for completing yearly security awareness Computer Based Training (CBT) and you will undoubtedly get the eye-roll from staff. “It’s boring”, “it’s the same thing every year”, “employees have more important things to do”, and “how about those deadlines” are the excuses you will encounter in attempting to teach security to your organization. Worse, you may run into the invariable excuse that it’s not their job to practice security; rather, it’s your job to protect them. This attitude often leads to an adversarial relationship between IT staff and operations; impacts security, unit cohesiveness and the bottom line.
In 2015, Kaspersky Labs, an antivirus solution vendor, detected 121,262,075[i] malicious threats, e.g. viruses, scripts, exploits, etc. The number in itself, 121 million, is staggering, but let’s put it into perspective – that’s one antivirus vendor. I can think of at least six others off the top of my head, and conducting more research would triple that figure; adjusting for overlapping discoveries by the different vendors. A vast majority of these threats come from phishing and emailed malware (links, documents, or programs). What’s the common thread here? That’s right – people.
So what can we, as IT managers, do to increase success outcomes of our yearly training? How do we prevent the very things that operational staff seems hell-bent on doing? Or are we doomed to failure? Fortunately, there are things that we can do in order to spice up our programs and on-board the requisite knowledge to reluctant learners. Heck, if we do it right we can even make security awareness training fun!
Don’t Throw Out the Bath Water – Add More Bubbles!
First and foremost, our CBT’s can’t be boring or tedious. Ask staff why they roll their eyes at you when you ask if they’ve completed the training, and they’ll say it’s too academic or robotic. If you must use CBT’s, some things you can do to mitigate this apathy are to change the content each year. Don’t have a voice-over, which you can’t disable, reading a slide saying the same thing. Through reading, the brain can process this information much faster. A better choice would be to have that voice-over giving information that is not on the slide. This technique increases the complexity of the teaching, and engages the learner’s multi-tasking capabilities. After all, we’re not first-graders. Next, challenge the learner’s ego by giving them a test-out option at the beginning of each module. Let them know that if they’ve got a firm grasp on the information, they can bypass the module, thereby completing the training faster, and being able to get back to making that sale; or surfing the Net. As a rule, however, make the test-out option hard; you must make sure they really know the information.
Moving beyond the CBT, there is a world of creative ways to excite employees to practice better security hygiene.
Storm the Bastille – Replace the CBT
Have you thought about replacing the CBT altogether? One way of doing this is to have brown bag lunches, out of office lunches and / or coffee dates with groups of employees. This requires the IT training team to become effective facilitators and storytellers. Step one in this approach is to use a scaffolding technique[ii] wherein the facilitator holds an informal talk highlighting the security issues that most impact the organization. He or she then gradually facilitates the other members of the group to share their experiences within the context of the discussion; thereby reinforcing the information, using their experience as a basis to teach[iii], and showing them the respect they deserve as adult learners.
Don’t Be the Boring IT Guy
People hate things that aren’t exciting, and people too. They’ll tune out and move on in their head as to what they’ll eat for lunch or who they’ll meet for Happy Hour. A way to not be boring is to tell stories. Storytelling techniques[iv] are the most effective teaching and learning strategy a person will encounter. Effective storytelling will help your audience categorize and retain the information you are providing, as well as incite them to action. Using humor along with storytelling techniques can help a person retain that information for even longer. Literally, it’s the difference between watching an ‘Austin Powers’ movie and ‘C-Span’.
Here’s a Mountain – Compliments of Management
A powerful motivation tool is to give someone something. If you stimulate their natural competitiveness and desire for free stuff, you can motivate them to learn. A cheap way an organization can do this is by holding monthly security trivia contests – with prizes, such as free movie tickets or a dinner for two. “What?” you say, “Give them something for something they should be doing already?” Sure. If you publish the security topics you wish to stress each month in trivia form, thereby making security an ongoing, relevant topic; and make it worth their while by moving the mountain to them, employees will respond positively to the initiative. In fact, they will look forward to the next month’s topic, maybe even engaging in research on their own, to win those prizes. At the least, $360 a year in free stuff is better than a $60,000 dollar incident clean-up.
No, Really It’s Your Job – How Security Affects Them
You will always have the intractable staff-member who believes it really isn’t in their job description to practice security hygiene. To break through to this employee, it is essential to relate to them how their behavior impacts their performance, their reputation, and the company bottom line. It’s necessary to do this in a way that won’t alienate the employee – as we’ll talk about in the next section – but to appeal to their need to do a good job. Everyone wants to be good at what they do, right? It’s a basic tenet of Maslow’s Hierarchy of Needs[v]. By engaging in security best practices, they fulfill their basic need for a job (proving shelter, food, and stability), their need for belonging to something (the group, their team-mates & co-workers), as well as esteem and self-actualization needs (doing a great job, not costing the company tons of money to fix an incident).
On Trust and Alliances – and Burning Tires
A critical step in the process is to eliminate the perception that non-IT staff are threats, and telegraph that to them. By patronizing staff and reprimanding them when they click on that link or do something otherwise regrettable, we IT staffers must make it known that there won’t be reprisals. The worst thing one can do is to establish a culture of fear in the organization. By doing this, employees will be more reluctant to mention that they made a mistake, or that they noticed something weird when they opened that PDF or Word document. By embracing a forgiving policy, employees are no longer considered part of the threat environment; rather, they are a layer of defense. Of course this attitude requires your IT staff to be on top of their game, which they already should be, in order to investigate and mitigate any reported activity that bears out an actual threat. Think of your security environment like it’s Mogadishu in the early 1990’s, when the Somali warlords used a network of spies to let them know when the Americans were coming to the Bakara Market district[vi] – your users are your spies burning tires in the streets to alert you to malware intrusions.
What have you done besides gaining an ally when you treat users with respect and tolerance? You get employees curious. Curious employees ask questions, asking questions sparks the fires of learning, resulting in deeper engagement[vii]. When you give constructive feedback to a user that fell victim to the phishing email or clicked on that link, you get them asking the questions:
“Why did I make this mistake?”
“What is working well in training and what could be better?”
“What can I do better in the future?”
“How does this mistake impact the team?”
Parting Thoughts
As an IT manager and training staffer, you have to think out of the box. Traditional techniques of conveying security awareness are faltering in the face of increasing malicious activity on the triple ‘W’. Keeping your non-IT staff engaged, proactive, and learning about emerging exploitative techniques and their countermeasures, you directly impact the bottom line of your organization. By selling the C-Suite and investors on your efforts and results, you also improve your rock-star image in the enterprise.
[i] Namestnikov, Y., Ivanov, A., Makrushin, D., Van Der Wiel, J., & Garnaeva, M. (2015, December 15). Kaspersky Security Bulletin 2015. Overall statistics for 2015. Retrieved June 06, 2016, from https://securelist.com/analysis/kaspersky-security-bulletin/73038/kaspersky-security-bulletin-2015-overall-statistics-for-2015/
[ii] Successful Strategies for Teaching Students with Learning Disabilities. (2013, October 14). Retrieved June 06, 2016, from http://ldaamerica.org/successful-strategies-for-teaching-students-with-learning-disabilities/
[iii] Strang, T. (2014, August 20). Teaching Techniques that Motivate Adult Learners. Retrieved June 06, 2016, from http://blog.cengage.com/teaching-techniques-motivate-adult-learners/
[iv] Franconeri, S., Choy, E., & Buck, M. (2015, October 12). Podcast: The Power of Persuasive Storytelling. Retrieved June 06, 2016, from http://insight.kellogg.northwestern.edu/article/the-power-of-persuasive-storytelling/?utm_source=lal
[v] McLeod, S. (2014). Maslow’s Hierarchy of Needs. Retrieved June 06, 2016, from http://www.simplypsychology.org/maslow.html
[vi] Alexander, P. (2013, October 3). Fallout from Somalia still haunts US policy 20 years later. Retrieved June 06, 2016, from http://www.stripes.com/news/fallout-from-somalia-still-haunts-us-policy-20-years-later-1.244957
[vii] Rose, C. (n.d.). 10 habits of successful learners. Retrieved June 06, 2016, from http://acceleratedlearning.com/ali/10-habits-of-successful-learners/
Rob Medley 