Making Security Awareness Training More Engaging and More Effective

A scavenger hunt. A Jeopardy-like trivia game. A well-known guest speaker. A movie about espionage. Some good ideas for your institution’s party? Sure.

But they’re also possibilities in a security awareness training program, according to some experts in the field. “Most people think training has to be boring and dry,” says Rebecca Herold, an information security and privacy consultant, instructor and author. “It’s really only limited by your imagination.”

Among the ideas she’s used successfully in security training programs is bringing in a guest speaker with firsthand knowledge of a real-world, high-profile security breach. Another time, she showed “The Billion Dollar Bubble,” a commercial movie dramatizing one of the largest insider frauds ever at a financial institution in the U.S. “They could relate to how those computer systems were misused; it showed the power of the computer and programmers,” she says.

Today no one disputes that better security awareness training is a priority for financial institutions, given the proliferation of fraud schemes and of the regulations meant to prevent them. Imagine call-desk staff alerting your security team whenever they take an unusual phone call, or tellers and loan officers reliably spotting a suspect piece of identification. An aware workforce makes it less likely that your institution turns up in the next round of data breach statistics.

The challenge is making training programs more attractive to employees and managers, and therefore more effective. “All the compliance and governance regulations say roughly ‘Users should be made aware’,” says Winn Schwartau, president of The Security Awareness Company. “Now you have a choice: Do you do it right, or do you do ‘check-box’ compliance: putting a sheet in the HR package or a poster saying ‘Thou shalt be security aware’?”

The best first step, according to Schwartau, is to find out what your employees already know about your security policies and procedures. This pre-assessment can be done with online software packages, and its results let you match different training methods to different types of users.

But the key, according to Schwartau, is making training an ongoing activity. “There are a lot of different tools: newsletters, screensavers, multimedia, gaming,” he says. He’s used online scavenger hunts and trivia games, with prizes like gift certificates to local retailers. “You have to repeat the message over and over; it’s brand recognition. It never stops, because you have employee turnover, new weaknesses, and new threats.”

For some types of training, online learning management systems (LMS) can be most effective, according to instructor and consultant Herold. “They’re easy to deliver and very interactive: not just a PowerPoint slide presentation or the typical quiz, but activities that engage the user, such as drop-and-drag items or lining up things in the correct way.”

Last year, Biddeford Savings in Biddeford, Maine, used a Web-based training product to teach its 70-plus employees how to identify elder abuse. “It worked out really well,” says Keith Gosselin, the bank’s Information Technology Officer. “Before Web-based training became readily available and affordable, we used to do it in person. But as you grow, it’s just not an option. With people’s schedules, Web-based is more flexible.”

Another hot-button topic today where online training can be applied is teaching about security risks inherent in mobile technologies. “It’s a huge threat—the large amounts of personal and sensitive information on Blackberries and laptops, smart phones and USB drives,” says Herold.

Gosselin agrees, noting that four years ago his job was primarily to keep hackers from getting into the bank’s systems. Now much of it is teaching staff about the risks inside the network, including those from mobile technologies such as memory sticks.

But “live” training isn’t dead yet. For example, role-playing is a good way to teach employees how to deal with social engineering threats, such as phishing scams, according to Herold. “It’s one of the best ways for targeted group training in customer service and call centers,” she says. “You can take them through different scenarios to see what they would do.”

At Biddeford Savings, the IT staff still addresses groups of 15-20 employees at a time to explain annual changes to the bank’s security policies. “I don’t mind going out and talking to them,” Gosselin says.

Finally comes the assessment stage: How well did employees comply? Which parts of the institution supported or hindered the effort? Online assessment tools now allow fairly sophisticated data mining of the completion records. “They can tell you that the engineering staff waits until the last day to do the training, and then speeds through all the answers without looking at them,” says Schwartau.
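The pattern Schwartau describes can be pulled out of an ordinary LMS completion export with a few lines of analysis. The following is an added example, not code from the article or from any LMS product: it parses a constructed export (the column names, sample rows and both thresholds are assumptions), flags completions that were both left to the final day before the deadline and answered too quickly to have been read, and rolls the counts up by department so you can see which groups are clicking through.

```python
"""Flag click-through completions in security-awareness LMS export data.

Added example (not from the article or any vendor): CSV columns, sample
rows and thresholds below are constructed/assumed for illustration.
"""
from __future__ import annotations

import csv
import io
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds; tune to the length and difficulty of your own course.
LAST_DAY_WINDOW = timedelta(days=1)   # finished within 24 h of the deadline (or after it)
MIN_SECONDS_PER_QUESTION = 8.0        # faster than this and the question was not read

# Constructed sample export (not real data); column names are assumptions.
SAMPLE_CSV = """employee,department,deadline,completed_at,questions,seconds_spent,score
alice,engineering,2024-03-31T23:59:00,2024-03-31T22:40:00,20,95,0.70
bob,engineering,2024-03-31T23:59:00,2024-03-31T23:10:00,20,110,0.65
carol,engineering,2024-03-31T23:59:00,2024-03-12T09:15:00,20,640,0.95
dave,tellers,2024-03-31T23:59:00,2024-03-20T14:05:00,20,480,0.90
erin,tellers,2024-03-31T23:59:00,2024-03-31T08:00:00,20,520,0.85
"""


@dataclass(frozen=True)
class Completion:
    employee: str
    department: str
    deadline: datetime
    completed_at: datetime
    questions: int
    seconds_spent: float
    score: float  # fraction correct, 0.0 to 1.0

    @property
    def seconds_per_question(self) -> float:
        return self.seconds_spent / self.questions if self.questions else 0.0

    @property
    def last_minute(self) -> bool:
        # Completed inside the final window before the deadline, or after it
        # (late completions count as last-minute as well).
        return self.deadline - self.completed_at <= LAST_DAY_WINDOW

    @property
    def rushed(self) -> bool:
        return self.seconds_per_question < MIN_SECONDS_PER_QUESTION


def parse_lms_csv(text: str) -> list[Completion]:
    """Parse an export with the assumed columns into Completion records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append(Completion(
            employee=row["employee"],
            department=row["department"],
            deadline=datetime.fromisoformat(row["deadline"]),
            completed_at=datetime.fromisoformat(row["completed_at"]),
            questions=int(row["questions"]),
            seconds_spent=float(row["seconds_spent"]),
            score=float(row["score"]),
        ))
    return records


def flag_click_through(records: list[Completion]) -> list[Completion]:
    """Records that were both left to the last day and answered too fast.

    Either signal alone is weak (a careful employee may finish on the last
    day; a fast reader may simply be quick); together they are the pattern.
    """
    return [r for r in records if r.last_minute and r.rushed]


def summarize_by_department(records: list[Completion]) -> dict[str, dict]:
    """Per-department counts and median pacing for the program review."""
    groups: dict[str, list[Completion]] = defaultdict(list)
    for r in records:
        groups[r.department].append(r)
    summary = {}
    for dept, recs in sorted(groups.items()):
        summary[dept] = {
            "completed": len(recs),
            "last_minute": sum(r.last_minute for r in recs),
            "click_through": sum(r.last_minute and r.rushed for r in recs),
            "median_seconds_per_question": statistics.median(
                r.seconds_per_question for r in recs),
        }
    return summary


if __name__ == "__main__":
    recs = parse_lms_csv(SAMPLE_CSV)
    for r in flag_click_through(recs):
        print(f"click-through: {r.employee} ({r.department}), "
              f"{r.seconds_per_question:.1f} s/question, score {r.score:.0%}")
    for dept, stats in summarize_by_department(recs).items():
        print(dept, stats)
```

On the constructed data, the two engineering completions finished an hour before the deadline at about 5 seconds per question are flagged, while the teller who also finished on the last day but spent 26 seconds per question is not; that is the distinction worth preserving when you report results, since "finished late" on its own is not evidence that nobody read the material.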

Fortunately, there’s a silver lining to the new laws and regulations that require more training and awareness programs: they make such initiatives easier to get funded, according to Herold.

It also helps to have an insider “evangelist” for security training, says Schwartau, preferably someone in upper management or on the board, who can also serve as the point of contact with vendors and suppliers.

A successful security awareness program can do some impressive things, like making your customer information program your best deterrent for fraud. Employees can learn to “detect and respond,” becoming “human firewalls,” says Schwartau.

An equally important purpose of such programs is getting users to make fewer mistakes. “When you look at statistics on security-relevant issues, 40 percent are errors and omissions and user problems,” says Schwartau. “A significant part of the rest is users doing bad behavior. And what’s left is bad guys.”


About the Author

Paul Angiolillo

Paul Angiolillo is a writer and editor with 20-plus years of experience at newspapers, magazines and newsletters, private companies, and academic organizations. He has held positions at M.I.T.’s TechnologyReview.com, Global Insight (formerly DRI, Inc.), BusinessWeek magazine, The Boston Globe, and Data General Computer Corp. Paul is a graduate of Yale University, with a BA in English.