Effective and Realistic Security Training?



  • I recently came across an article on eWeek that talked about Malware attacks shifting back toward the end user.

    One of the quotes that really resonated with me was the following...

    He also said that he was disappointed that education didn’t work as well as it should and that the only thing that seemed to work was after people had been the victims of an attack. This means that companies need to perform more realistic training, he said.

    What does "more realistic" training look like? Does anyone have any examples of effective security training? What can you do to make security training "more realistic?"



  • I would have to say "more realistic training" would be paid penetration and phishing attempts.

    That actually result in something like "you've put your self / company at risk" page etc.



  • @DustinB3403 So you're saying companies should essentially try to bait the employees into "mock phishing" attacks on their emails to prepare them for the real thing? Do you know if that is something that some companies are currently doing?



  • I know for a fact that many large companies do already perform this.

    I can't recall who it is here on ML, maybe KnowBe4, but there are providers who offer this.

    Obviously any successful attempts get logged, whom, IP, time etc etc, which a comprehensive list is then built at the end, and training delivered.



  • @DustinB3403 This is great. Thanks!


  • Service Provider

    So this is very specifically something that we tackled when I was working in the big hedge fund world where security truly was job one and they did everything possible to train people for it. It meant many things, but in the context of "realistic" they did things like:

    • Internal phishing email attacks
      • They reported to the whole company which people fell for the scams and what they did (give away info, respond, etc.)
      • They made every person sit through a peer and management review of them to see if they should be allowed to keep their jobs or not following the breach.
      • Their failure was added to their permanent records.
      • This was compared against previous potential exposures, breaches and failures to think in a secure manner.
    • They did physical penetration testing on video.
      • Real people broke into the offices using social engineering.
      • The video was shared with the entire company and required to be watched.
      • Every person that let the person in, didn't notice a stranger in the office, failed to report them, etc. was captured on video and similar circumstances as with the email were applied AND the entire company watched them on video as it happened.
    • Regular "traditional" training with explanations, theory, etc.
      • Users were required to participate, not just view.
      • Users had to provide feedback
    • Secure Thinking
      • Peers and managers constantly watch each other and report and record on security-mindedness

  • Service Provider

    @GlennBarley said:

    @DustinB3403 So you're saying companies should essentially try to bait the employees into "mock phishing" attacks on their emails to prepare them for the real thing? Do you know if that is something that some companies are currently doing?

    That's exactly what the highest security companies do. It's an established practice and I've had it done to me (and I passed, thankfully.) I've been a peer reviewer for someone that failed.



  • @DustinB3403 I like this approach a lot. It actually sounds a lot like the Chaos Monkey tool that is used in the testing/QA world to find failures in cloud-based software.



  • There's a company called KnowBe4 that does the email Phishing stuff... Not sure what else they do.


  • Service Provider

    @dafyre said:

    There's a company called KnowBe4 that does the email Phishing stuff... Not sure what else they do.

    And their CEO is here @stus



  • @scottalanmiller that seems like some extreme training.



  • @mlnews You would think, but if you read into the article that I linked above, it seems like people don't REALLY get the risk until they have become a victim.


  • Service Provider

    That's why they really drove that home. If you fell victim to it they made it clear that you screwed up and you were now considered a vulnerability in the organization and they made it clear that you let the company down and were not up to par.



  • @scottalanmiller Unfortunate that those measure are necessary for users to really see the risk. But, at least for now, that seems to be the case...


  • Service Provider

    @GlennBarley said:

    @scottalanmiller Unfortunate that those measure are necessary for users to really see the risk. But, at least for now, that seems to be the case...

    Yes, if you want security to really be driven home you need to make people realize that they are accountable. It is way too easy to feel like the security and the risks belong only to the company and to not care about them. You have to find a way to make people realize that all security falls on them including the risks.



  • Agreed, you have to get the onus onto the user. SMBs will almost never do this. So the training itself ends up being more of a waste of time and money.

    You're better off removing as much access as possible from users, killing internet access, killing email, etc so they can't be tricked. Those seem like a better spend of your dollars.


  • Service Provider

    @Dashrender said:

    You're better off removing as much access as possible from users, killing internet access, killing email, etc so they can't be tricked. Those seem like a better spend of your dollars.

    Read: Your best bet is to fire insecure staffers.



  • @scottalanmiller said:

    @Dashrender said:

    You're better off removing as much access as possible from users, killing internet access, killing email, etc so they can't be tricked. Those seem like a better spend of your dollars.

    Read: Your best bet is to fire insecure staffers.

    when you pay only 12/hr none of them care.


  • Service Provider

    @Dashrender said:

    when you pay only 12/hr none of them care.

    Read: when you pay only $12/hr you don't care either :)



  • @scottalanmiller said:

    @Dashrender said:

    when you pay only 12/hr none of them care.

    Read: when you pay only $12/hr you don't care either :)

    Ok, at what point do you? $15? $20/hr?


  • Service Provider

    @Dashrender said:

    Ok, at what point do you? $15? $20/hr?

    At the point where you are able to start hiring staff that cares. It's that simple. If you determine that $12 cannot get you secure staff, then paying $12 means you don't care. If paying $18/hr gets you staff that cares, that's how much you need to pay if you care.

    That $12 means you don't care was based on the foundation of your statement.



  • OK that makes sense.

    The the larger problem is making the company care in the first place. Most places, including huge corporations wouldn't fire people over this. Until that trend changes, the other doesn't matter.



  • @Dashrender said:

    The the larger problem is making the company care in the first place. Most places, including huge corporations wouldn't fire people over this. Until that trend changes, the other doesn't matter.

    I agree with the problem of making the company care... but that doesn't mean we shouldn't train the end users... Even if 1 person learns something, we've don our job.


  • Service Provider

    @Dashrender said:

    The the larger problem is making the company care in the first place.

    Is it? If the company doesn't care, you shouldn't either. Making it not a problem at all.



  • @dafyre said:

    @Dashrender said:

    The the larger problem is making the company care in the first place. Most places, including huge corporations wouldn't fire people over this. Until that trend changes, the other doesn't matter.

    I agree with the problem of making the company care... but that doesn't mean we shouldn't train the end users... Even if 1 person learns something, we've don our job.

    To what end though? Spending the money but effectively getting zero security gain on the company to me is just wasting money. Even if you get 50% to sit up an listen and care, the other 50% can/will bring your company to it's knees.

    This must start with the company caring first.
    Unless I'm missing something?


  • Service Provider

    @dafyre said:

    Even if 1 person learns something, we've don our job.

    If the company doesn't care, what makes this our job? I think the core thing here is not feeling that things are our jobs that the company has not made our jobs. It's less of an issue that a company doesn't prioritize this, but that we often prioritize it on our own.



  • @scottalanmiller said:

    @Dashrender said:

    The the larger problem is making the company care in the first place.

    Is it? If the company doesn't care, you shouldn't either. Making it not a problem at all.

    You're right I said that wrong...

    The larger problem is that the company needs to care first. If they don't, nothing else matters.


  • Service Provider

    @Dashrender said:

    This must start with the company caring first.

    Or with IT not caring. The first step is aligning IT's desires to match the corporate desires. A mismatch there will never go well. Sure, it sounds great for the company to care about security, so IT can try to drive that if they want. But remember, nothing is a need until the company needs it. If the company doesn't care about security, security doesn't matter. It's that simple (until someone is breaking a law.)



  • @scottalanmiller If the company doesn't care, would we be doing security training to start with?



  • @scottalanmiller said:

    @dafyre said:

    Even if 1 person learns something, we've don our job.

    If the company doesn't care, what makes this our job? I think the core thing here is not feeling that things are our jobs that the company has not made our jobs. It's less of an issue that a company doesn't prioritize this, but that we often prioritize it on our own.

    How many times have you (well Scott would never stand for this, so he's exempt from this question) have you (IT folks) been blamed for a problem like this..


Log in to reply
 

Looks like your connection to MangoLassi was lost, please wait while we try to reconnect.