What is Security Awareness Training | EP 003
The episode "What is Security Awareness Training | EP 003" from Gone Phishing explains that security awareness training is a comprehensive program designed to educate employees on recognizing and mitigating social engineering and cybersecurity threats, aiming primarily to ensure regulatory compliance and reduce organizational risk by preventing breaches caused by human vulnerabilities.
Introduction
Welcome to Gone Phishing, a show diving into the cybersecurity threats that surround our highly connected lives. Every human is different. Every person has unique vulnerabilities that expose them to potentially successful social engineering. On this show, we'll discuss human vulnerability and how it relates to unique individuals.
What is Security Awareness Training?
Today we're talking about security awareness training, a topic I've dedicated several years of my life to. Security awareness training is a program filled with training and assessments that teaches people to recognize social engineering and other cybersecurity threats they might face during the course of their job or employment. Simply put, it is a program that should be put in place to arm an employee with all the information and ability they need to recognize risk so that it doesn't turn into a breach or something worse, like the theft of money, information, or access.
If you search online, you'll find definitions such as:
- A strategy used by security professionals to prevent and mitigate user risk.
- A process for educating employees and third-party stakeholders in a company.
- A corporate-wide initiative to help employees identify and avoid cyber threats.
Basically, it is education that helps people reduce the risk to an organization that a breach is going to occur because of behaviors they do or do not have.
Goals of Security Awareness Training
Compliance
Most companies use security awareness training programs to check compliance boxes. There is a certain amount of training and social engineering simulation that a company has to do to abide by their cyber insurance policy or regulatory requirements (such as CMMC, NIST 800-171, NIST 800-53, ISO 27001, etc.). The number one goal of a program is often to ensure compliance so the company doesn't lose insurance or government contractor accreditation.
Reducing Risk
The second goal should be to reduce the risk that a breach occurs because somebody doesn't know or is incapable of behaving in a secure way while doing their job. Security awareness training is like a scrimmage in sports—it's not the real game, but it helps people practice and identify information gaps. The act of doing this reduces the risk a company is exposed to by a significant amount.
Supporting Employees
The third goal is to support employees. When mistakes happen, employees shouldn't be blamed or punished. Some companies tie employee compensation to their performance in phishing campaigns, which can create insecurity and distrust. Instead, the goal should be to arm employees with the capability to recognize threats and support them when they make mistakes, as everyone is human.
Human Vulnerability Management and Security Awareness Training
Security awareness training has existed for about 25 years and has the goals mentioned above. Human vulnerability management goes a step further by:
- Accurately mimicking real-world attacks, not just creating programs and measuring results.
- Creating programs that adjust based on what is seen in the wild and on employee responses.
There are two specific responses measured:
- 1.Engagement with Content: Did users actually engage with the training content, or did they just let it play in the background?
- 2.Behavior During Simulations: When users are targeted with simulated social engineering (emails, business email compromise, spear phishing, SMS phishing, voicemail phishing, etc.), what kind of behavior do they exhibit? Was it the type of attack, the action required, brand impersonation, or domain impersonation that led to the response?
The goal is to understand why individuals fall for social engineering and to evolve the industry so that humans are not the primary reason for breaches.
Good vs. Bad Security Awareness Programs
Many measure the success of their program by the default phishing rate (e.g., 6% of people clicked last month). However, this is not a complete measure. The difference between good and bad programs is effectively measuring progress, which involves more than just phishing rates. It includes how supported people feel and whether the program is actually changing behavior.
If training is delivered as an hour-long session once a year or quarter, employees may not engage with it meaningfully. Employees want to do great work and be safe, but overly complicated or excessive training can lead to disengagement.
Conclusion
There is much more to unpack around awareness training and human vulnerability management. In future episodes, we'll dive into why security awareness really matters and why you should care about it.
Thanks for tuning in to Gone Phishing. If you want to find out more about high-quality security awareness training campaigns and how to launch them in ways that actually engage employees to change their habits, check out Phin Security at phinsec.io.