Last Updated on February 1, 2024
Security awareness training is widely viewed as essential to averting runaway cybersecurity risks.
But even in the top-performing organizations with the strongest security awareness programs—who may be running phishing simulations as often as weekly—about 4% of users still click the link.
In short, current security awareness training models don’t work well enough and never will. It’s only a matter of time before an attack succeeds and your business is compromised. This is why traditional, phishing-based attacks remain so popular with hackers.
This post explores a revolutionary new view on security awareness training, as related by Kevin Paige on Episode 130 of The Virtual CISO Podcast. Kevin is CISO and VP of Product Strategy at Uptycs.
2 key training principles that work
Two principles of awareness training known to be effective for changing human behavior are:
- Consistent repetition. Think of the safety briefing everyone gets before takeoff on any commercial aircraft. Because it’s repeated often and consistently, we all have it memorized.
- Immediate feedback. Whether positive or negative, immediate feedback on one’s actions makes a direct connection between cause and effect. There’s nothing like it for shaping desired behaviors, whether in humans or goldfish.
Kevin uses his dogs as an example: “When I train my dogs, I give them immediate feedback on what they do, either positive or negative. If I don’t, then I’m wasting my time.”
What security data can help with training users?
Feedback-based training must incorporate real-time, real-world data from security tools users are already interacting with. Kevin calls this “telemetry data.”
We don’t need repetition and immediate feedback on all our security actions—just our mistakes.
Examples of available data that a security awareness training system could interpolate include:
- The websites you’ve visited
- The servers you’re logging into
- The files you’re downloading
- Whether or not you’re using a secrets management tool
When users are doing good things, like using a secrets management tool, that would be the ideal time to give them positive feedback.
Or, say someone is reusing the same, four-character password. “Catching them in the act” would be the best way to impact behavior and increase awareness. Providing relevant details on the actual risk they’re creating for themselves and the organization would increase the impact.
“We need to figure out how to use these positive and negative reinforcements together based on the data that we already have in our CNAP tools, in our secrets management tools, and other sources,” Kevin believes.
What might a repetition/feedback-based training program look like?
Bringing a range of these “signals” from security tools together to give users real-world, helpful feedback on how they’re doing their jobs, should effectively encourage secure choices without making the process painful. People would be watching well-timed snippets of video about what just happened, versus periodically grinding through a conventional training video.
Backing up education with automation to facilitate a new behavior would be even more impactful.
“Nothing is impossible, even securing humans,” quips Kevin. “We just have to think about the root cause and stop treating the symptoms. And stop trying to be compliant, where we all watch this video once a year so we can pass our compliance mandate. Let’s focus instead on being secure.”
For more guidance on this topic, listen to Episode 130 of The Virtual CISO Podcast with guest Kevin Paige, CISO and VP of Product Strategy at Uptycs.