Securing the Human takes more than a single (CBT) exam.
A tenet of the security community is that users are the weakest link. For those trying to protect, mitigating this weak link often translates into a security training effort, structured much like other training courses. It’s often computer based training, with some kind of test; and the periodicity is approximately once a year. Which is all well and good, but if it were effective that way, why do we still have a problem?
Lots of long term studies show that there are some limitations to this one and done textbook approach to training, but that you can still get some benefits if you optimize the way the once happens. There are some good articles about how to structure inside the traditional training model to realize those benefits. An interesting occurrence is that, those articles rapidly start to expand outside the once a year classroom model; into something more regular and interactive. Red teaming and audits come up, as do “Tip of the Day” style models. Those recommendations are good, but don’t seem to fully address the situation. I believe that to solve a problem you must understand it, and those articles rarely discuss why those once yearly trainings need more support, so we have to go deeper.
One of the underlying ideas is that once a year is too long for most people to retain all the details of a few hours’ worth of content. Even if it was fantastic content delivered well. For example, name a movie you went to one year ago that you were particularly fond of – and try and remember every single detail of the plot. Chances are, you’ve lost some pieces; and if you were to put that same movie on right now, there would be whole plot points that escaped retention in the intervening year, let alone details.
In the last few years, research in this area focused on improving that long-term retention of that one and done method has had some successes – and there are some really interesting approaches. Examples that are coming from this research include game based and human interaction driven training for the once a year element. A strong parallel effort is to create ongoing touch points, with the use of scheduled audits and other assessment methods. These regular assessments are supported by the growth of internal attack simulation tools such as PhishGuru. These new tools help tackle two things at once, both making the material more consumable and more regular than once a year.
These approaches solve the specific problem or retention and regular assessment, but still leave the fundamental questions about why all this training isn’t apparently working. Why are we still falling prey to phishing and spear phishing? Per the latest research, this ongoing chase of attackers getting in through users; and security professionals trying to harden users is rooted in something fundamental to the average human psyche. This week, Wired wrote an article highlighting that higher-level issue. A hypothesis is that we continue to do things that aren’t optimized for security in our current environment, regardless of training volume. As a species we aren’t 100% logical and infallible. This translates into policies, procedures and systems that aren’t 100% logical or infallible. The study of how we really operate (as opposed to the logical cost benefit approach we often assume) is called behavioral economics. It’s a fascinating topic; and it’s just starting to look into how we learn and respond to security.
Today, we can take some of the general best practices and what we can learn from the behavioral studies in general and try to apply them to our current problems in security training. In a few years’ time, with the help of security vendors, the combination of the behavioral economics with user interaction design will probably give us come compelling security solutions that go way beyond the one and done classroom approach. While we wait for that insight, we can still drive to improve the average state and value of security training. Start by framing training like any other business activity that has to have a regular return on investment.
- Identify the goals of the training. Do you want more secure passwords? People to be aware of strangers in the environment? No clicking on suspicious URLs?
- Once you know what the goal is, what measure will tell you if they are improving or not? For each goal you have, you will likely need a measure, and a minimum periodicity to that measurement.
- Has an ongoing investment been occurring? If so, how does that investment match to your stated goals? If not, what is the single most important goal? How will you align the investment to the goal?
- What training styles will work for your corporate culture and employee learning styles? Games? In classroom training with a human? Computer Based Training? Can you mix it up?
- How will you assess understanding during the training? Again, this should be rationalized against your corporate culture / employee learning styles.
- How will you assess retention, and post training adherence? How often?
All these bullets above are the standard tropes in the employee security training business. Take it to the next level by trying to apply some of the behavior economics research inside your company. If people are better at thinking that their future self will make better decisions, how can you use that to your advantage?
- Will people commit after training to have a secure password by a certain date? The IT group can certainly set up password expirations to support that approach.
- What about some kind of incentive policy for good security hygiene? Can there be rewards, whether game or real world that accrue as users make better decisions? (Password length, time to screen lock, unauthorized applications installed and suspicious web sites clicked in a month seem like interesting potential inputs.)
- Competition – Along the lines of incentives, if gamification is a style of training that would work in your organization, it could keep the knowledge fresh if there was a regular competition across departments / business units to see who can accrue the highest security scores. If there’s a real monthly reward for it, say lunch; combined with people being able to submit new ways to measure improvements, this could be a great way to turn that once a year training into a strong upward curve or organizational security improvement.
I’m sure there are people who’ve implemented things like this, and been able to prove their increasing positive impact on user awareness. I’d love to hear them, and I’m sure others would too so please share!