Users as Assets, Not Liabilities

Candice Moschell
| 8/31/2017
Users as Assets, Not Liabilities

Security awareness training should be an integral part of an organization’s cybersecurity road map. We’re constantly reminded of the importance of security awareness training as we read in the news about new security and data breaches with more and more frequency. The Office for Civil Rights (OCR) recently issued new guidance on Health Insurance Portability and Accountability Act (HIPAA) security awareness training requirements. The OCR Cyber Awareness Newsletter, Issue 17, describes the guidance and reinforces the need for a mature, engaging, and responsive security awareness training program.

Engage Your End Users

You’ve probably heard, seen, or said that users are the weakest links within cybersecurity. The numbers back up that claim. According to the Verizon 2017 Data Breach Investigations Report, 43 percent of breaches originate from social attacks, and 90 percent of those take the form of phishing.

But what if we took a step back and imagined the users as assets instead of as liabilities? What if we approached security awareness training in a way that engaged users and got their buy-in?

Limitations of traditional training include the inability to connect with the user, treating the user as the problem, and thinking a one-size-fits-all program exists. Users are human, and as humans, we often seek social interaction and the ability to find relatability in our everyday lives.

One thing is certain: Slide deck and slide deck-driven computer-based training (CBT) is neither engaging nor lasting. When developing or improving security awareness training programs, organizations should focus on offering programs that connect with the end users in substantive ways. Training needs to be interactive, fun, and memorable. These qualities can be accomplished through a few different approaches.

  • Change agents. One way to infuse a security awareness training program with relatability is through the use of a change agent. A change agent is an overall theme, mascot, or tagline – something that the user can connect with in the work environment as well as on a personal level. The most effective change agents are simple yet memorable.
  • Gamification. Increasingly, organizations are moving away from classic slide decks and CBT to using electronic games, or gamification, for training. Games tap into intrinsic physiological responses that motivate us, so they are the perfect medium for e-learning. Trivia, mystery, or action games that have built-in security twists can make training fun. If gamification seems like it might be a fruitful approach for your organization, it’s a good idea to consider what motivates your specific group of users. For example, an article from the Interaction Design Foundation describes four types of players in gaming. Some of your users might be drawn to particular types of games based on some of these player types.
  • Multiple mediums. Effective training programs use different mediums, such as email, social media posts, or videos. The end goal of using various mediums is getting the message through to your users. Emails can be personalized and come from the user’s regional security awareness advocate or ambassador as opposed to a generic security inbox. Change agents can be posted on social media or message boards. Security awareness videos can use humor, relevant content, and management buy-in.
  • Translation to the real world. Connecting security awareness training to your end user’s “real world” is another way to engage them. To prompt users to consider the importance of cybersecurity in their personal and family lives, training can include components and topics such as best practices on social media, good password habits, and keeping children safe online. Cybersecurity is everywhere, so why not tap into its universality by incorporating it into your security awareness training program?

Tailor Your Training

One size does not fit all when it comes to training. Some individuals learn best by being challenged, while others learn better through reading independently. Understanding that users have different learning styles is key in setting up an effective security awareness training program. Though it’s not possible to tailor a single training program to every single learning style, organizations can still develop training programs based on shared characteristics.

  • Risk level. Some users – for example, those in accounting – are at a greater risk of being targeted by cybercriminals because of their access to financial information. Others are targeted based on their higher level of access to intellectual property and sensitive data. Identifying levels of risk among users or departments will help shape the focus of their security awareness training program. Higher-risk users or departments should receive training more frequently.
  • Generational differences. Groups of users include individuals from different generations who respond differently to specific learning styles. For example, millennials might prefer personalized, informal learning such as games or social media posts, but baby boomers might be more comfortable in a traditional classroom setting. Incorporating multiple types of learning styles in your security awareness training program is an effective way to include various types of learners in the organization.

Focus on the End Goal

Keep in mind that the end goal of security awareness training is to educate your end users and to turn liabilities into assets. If you can connect with your users in a meaningful way through an engaging, impactful program, you’ve accomplished your goal.