I recently went to the International Cyber Expo (ICE) for the first time and attended a talk by Dr Jason Nurse. The talk was on the study they conducted on the behaviours and attitudes towards Security Awareness Training.
I’m quite passionate about cybersecurity, the need to educate employees and have my own opinions about what ‘Good’ awareness looks like. I was pleased to find this study supported some of those thoughts!
In general, people's attitudes were fairly positive: the majority (84%) considered being secure online critical (the other 16% terrify me 😱), and overall those with access to training used it and found it made them feel confident in spotting threats and keeping themselves and their organisations safe online.
However, 42% found being secure online too hard and confusing. I wonder if there's a correlation here. The majority of the 6,000 people surveyed attended annual awareness training, which would likely have meant several hours of information being thrown at them. I don't know about you, but my attention span is not up to that at the best of times.
Is it any wonder, then, that 16% of those with access to awareness training don't use it? Their chief reason being "they don't have the time".
So, what does ‘good’ security awareness training look like?
The study suggests that people like a mixture of self-paced online training and Just in Time (JiT) reminders. JiT reminders, if you're not familiar with them, are where the apps you use prompt you that something's up. This could be your web browser warning you about a site's certificate or a weak protocol (HTTP vs HTTPS), or your e-mail client telling you that "messages from this person are unusual" or that a message is "from outside the business, so take care with links and attachments". Generally, they give you a sense that something is "not quite right" and that you should be careful.
This reinforces my own opinion that WE ALL need information delivered to us in bite-sized chunks. Too much info in one hit is like trying to fill a shot glass with a bucket: yeah, something will go in, but most will spill out and never be seen again.
Delivering things little by little and introducing some repetition massively improves retention; it's just like muscle memory.
The other thing that's worth calling out is context (again, we're moving away from the study's findings specifically, but): being aware of your audience, their preferred learning styles and the information that will best help them is key.
For example, the majority of cyber incidents start with a phish (about 90%) and about 50% involve stolen identities (credentials). So let's make sure our awareness training covers these areas and delivers practical advice that we can all follow regardless of experience.
I’m a big believer that awareness information should be accessible to all and applied to our personal lives first and foremost. From there these habits naturally flow back into our places of work, where they can be supported through technical controls implemented by your IT team to plug any gaps and provide a safety net should something slip through.
And that’s probably the last piece of the puzzle. If someone does make a mistake they need to be supported, not chastised. Every single one of us (myself included) can fall foul of a security incident or a suitably crafted phishing email. All we can do is our best and know that when we do get a bit click happy, we can report the matter without fear.
Not reporting incidents will always make the situation worse and from an organisational perspective, it’s up to the senior leadership and IT/Security team to ensure there is a safety net and a safe reporting culture. ✌
You can download the full report from Cybsafe, though you have to share some PII.
Russell Gower-Leech, Cybersecurity Manager
Being a Cybersecurity Manager, Russell doesn't like us to share much information about him. All we can say is… he wears a tin-foil hat, loves all things cybersecurity, actively hacked people at Business Vision Live and is a lovely chap.