Types of Training - Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats, First Edition (2014)

CHAPTER 9. Types of Training

Valerie Thomas, Securicon, Lorton, VA, USA

Abstract

Many delivery methods exist for your selected training material. This chapter outlines basic types of formal and informal training along with advantages and disadvantages of each method. The listed types are not exhaustive, but contain the most popular methods to date.

Keywords

Lecture

Video

Computer-based training (CBT)

Web-based training (WBT)

Awareness poster

Training Types

Several options exist for presenting your training material. In this chapter, we'll discuss various training techniques and their pros and cons. This chapter presents a high-level overview of training techniques. In chapters to come, we'll discuss how to package or blend these techniques to suit your environment.

Formal Training

We'll begin with types of formal training. Formal training is a controlled and structured approach, which typically involves material based on written regulations or standards, policies, or a set of requirements [1]. The content development process is usually labor-intensive, as most programs require development of courseware. Evaluations, such as quizzes, are usually completed after content delivery to assess the employee's understanding and retention of the presented material.

In-Person Training

In-person training, or instructor-led training, is considered a traditional approach in training techniques. Typically, this includes the use of slideshows that are custom-built for the target audience. However, it does not need to be limited to slideshows alone. Other delivery methods can be used to convey material including the following:

■ Video: Including short video segments breaks the monotony of a lecture by providing the audience with a visual focus point. This method is best for demonstrating a threat, such as tailgating.

■ Storytelling: Storytelling is a great way to put a personal spin on a lecture. It enables the instructor to provide examples of situations where employees followed procedure or sought guidance from their security division. Storytelling also enables the instructor to provide an example of material covered previously in the course to reaffirm the message [2].

While the main delivery method of the session is lecture from the instructor, other methods can be used to incorporate audience interaction. The discussion method usually begins with a short lecture including basic information and is followed by open discussion or questions (from the instructor or the audience) to provide clarification on the material. Asking the audience to identify indicators of a phishing e-mail is an example of the discussion method [3].

Advantages

■ Instructor-led training is effective for presenting a large amount of material to a large group of people.

■ Sessions can be recorded and replayed at a later time, for example, new employee orientation. These recordings can also be used for remote offices.

■ Slideshows can be archived on the security department's website for on-demand viewing.

■ The instructor can address questions from the audience immediately.

■ There is an opportunity for follow-up discussion with the instructor and other members of the audience.

■ If led by a member of the security department, it gives employees a face to associate with the security department. If presented properly, this establishes a two-way communication path that encourages employees to interact with the security department, as opposed to being dictated rules.

Disadvantages

■ The success of the session is highly dependent on the skill level of the instructor.

■ Audience members may not have the opportunity to ask questions if the assigned time window is too short or if the session is being played from a recording.

■ Scheduling classroom sessions for large groups is often difficult in terms of available space and employee schedules.

■ It can be difficult for employees who speak English as a second language to retain material at the speed of the instructor.

■ Hiring an instructor can be costly, especially if they are visiting multiple locations.

■ Employees may become overwhelmed when attempting to retain a large amount of information presented in a short amount of time.

■ It can be difficult for employees to search through an entire training session to locate one specific topic [4].

Computer-Based Training

The use of computer-based training (CBT) has grown rapidly over the years, in some cases replacing in-person training altogether. CBT is delivered through a computer and can utilize a multitude of delivery options such as text, audio, video, interactive quizzes, and many more. What distinguishes CBT from web-based training is that the material is stored locally on a hard drive or distributed via CD-ROM. Material is often created solely for the organization to fit their requirements at a certain point in time [3].

Advantages

■ On-demand viewing. Employees can review material at a time that's convenient for them.

■ Material can be completely customized for the organization.

■ It can be produced in-house but is commonly outsourced.

■ Distributing via CD-ROM is ideal for remote locations with limited bandwidth, such as a military base.

■ Courses are self-paced so employees can learn at a speed that's best for them.

Disadvantages

■ Locally stored or CD-ROM-distributed material can be difficult to modify or update to reflect current security threats or policy changes.

■ Content modification can be expensive if an outside company produced the material.

■ Content modification can be complicated if the material was developed in-house by an employee who is no longer with the organization.

■ Redistribution can be logistically difficult, especially for remote locations.

■ If the material is poorly designed, employees may lose interest quickly and not retain any of the presented material.

Web-Based Training

Web-based training (WBT) is similar to CBT but is hosted online on a company web server or by an external training provider. Because the content is stored in a small number of locations, it is easy to update. Courses can be integrated into a training portal that enables the organization to offer multiple courses and electronically track each employee's progress. This delivery vehicle makes it easy to create targeted training for different audiences such as the help desk or marketing. WBT is a great method for delivering material in small, focused sessions, such as phishing awareness. WBT shares many of the advantages of CBT and adds several of its own.

A note about quizzes

Quizzes are fantastic for measuring the employee's learning progress in web-based training. However, if the employee answers a question incorrectly, it is crucial to provide a follow-up page to explain why the answer was incorrect.

WBT has the flexibility to feature video segments from industry professionals in addition to slideshow material. The combination of delivery methods divides the material into segments, making it easier to comprehend. Employees can also replay video segments if they were not able to keep up with the pace of the speaker.

Interactive segments and quizzes can assess the knowledge retained from the presented material with the option of follow-on training based on the employee's answer. Some commercial product vendors are Symantec, KnowBe4, and SANS.

Advantages

■ Access to highly specialized trainers and course developers at a lower cost than hiring them for a one-time in-person session [5].

■ On-demand viewing. Employees can review material at a time that's convenient for them.

■ Ideal for specialized training, such as regulatory requirements.

■ Material can be completely customized for the organization.

■ Content can be integrated into a training portal, which enables progress tracking for each employee.

■ It can be produced in-house but is commonly outsourced.

■ Content can be easily updated.

■ A combination of slideshow, video, and interactive content can effectively communicate material.

Disadvantages

■ Employees may have questions that are not addressed by the frequently asked questions (FAQ).

■ If the training session is too long or uninteresting, employees will likely click through the content without retaining the material.

■ Browser and/or bandwidth limitations may restrict the ability to use video or interactive sessions [6].

■ If outsourced, initial development cost can be high [7].

Video Training

Video training is viewed stand-alone, separate from other forms of training, and requires no interaction from the employee. These segments cover one or two topics in a short amount of time, such as the use of removable media. Video training is most effective when incorporated into a video campaign. A video campaign consists of a set of videos and other supporting materials such as posters, preview videos, announcement e-mails, and a reference sheet to accompany each video.

Advantages

■ Puts a new spin on security content, which piques the interest of employees.

■ Allows the employee to focus on learning as opposed to stressing over a quiz on the covered material.

■ Commercially produced material is available for immediate use.

Disadvantages

■ Readily available commercial products cover general security topics. Customized segments would come at an additional cost.

■ Some employees may not find the video entertaining and therefore may not watch the complete segment.

Informal Training

Informal training is designed with an overall objective, but without the standards and procedures of formal training. While formal learning is usually required of employees, informal learning is voluntary. Essentially, informal learning provides the means for education, but the employee must decide to pursue the material. While informal learning environments are ideal for some employees, they are not meant to replace formal training programs. Informal learning acts as an additional layer of support to a formal training program [8].

Lunch and Learn Sessions

Lunch and learn sessions are short (about 30 min or less), voluntary presentations or discussions that can cover a variety of topics. The key to successful voluntary sessions is selecting topics and titles that will appeal to employees. A few examples are

■ keeping your children safe online

■ mobile safety tips and tricks

■ tap and pay credit cards: what you need to know

■ online safety while traveling

Anyone can lead a lunch and learn session. Ideally, members of the security team should rotate sessions so that employees are familiar with all team members. This helps to place a face to the security team and reinforces a two-way dialog. If the budget allows, inviting guest speakers is a great way to increase attendance.

Not all informal sessions need to be intended for a general audience. Consider coordinating with department heads to create lunch and learn sessions that appeal to technical employees as well. Some example topics include

■ the top 5 coding mistakes you're making (and how to fix them)

■ why developers are a social engineer's favorite target

■ whether your LinkedIn profile is saying too much

■ advanced routing techniques

Although not all of the above titles directly address security, it is possible to include security in the overall message of each. We'll discuss how to effectively package security training in future chapters.

Homemade Video Campaign

Online video websites such as http://YouTube.com have dramatically changed the way that the world views video content. Short, homemade videos are the new norm in today's society. Everything from dancing cats and giggling babies to software installation procedures and cooking instructions is available to anyone with just a few clicks of a mouse. Like most topics, security awareness training can also use this video craze to its advantage.

Producing short, informal videos for the organization's internal website can reinforce material that has been previously covered in formal training. This virtually no-cost technique can also incorporate the workforce into the education process, for example by featuring the Chief Information Security Officer (CISO) forgetting sensitive documents at the printer. Other employees can be featured following procedure, such as challenging someone who is attempting to tailgate into the building.

Things to consider when developing your own video campaign:

■ Keep the videos short and entertaining. Less than two minutes is best for retaining the viewer's attention.

■ Be sure to reinforce the intended message at the end. If the video featured an employee reporting a suspicious e-mail to the security team, then include the e-mail address for reporting these e-mails.

■ Include a short preview of the next video.

■ Create an e-mail account for employees to submit ideas for future videos.

Posters

Security awareness posters are a low-cost method to reinforce good security practices between formal sessions. The two most important factors of a successful poster campaign are content and placement. Content should have very few words and deliver a clear message. Prime examples of security awareness posters come from the "loose lips sink ships" campaign during World War II. Designed by the War Advertising Council, the campaign was a reminder to all Americans to be discreet with the information they shared, to prevent unintentional leaks of information to the enemy [9].

Placing the posters in the correct area is the second step to success. Ideally, posters should be placed in areas where employees have idle time. A few examples are as follows:

■ In elevators. If the building has more than one elevator, place a unique poster in each elevator car.

■ By the copy machine. This is an ideal spot for reminders about securing sensitive data.

■ The break room or cafeteria, especially by the microwave.

■ Close to the exit door. This can be a final reminder for employees to put their ID cards away and out of plain sight.

Several websites offer free awareness posters for use within your organization. A quick search on the Internet can provide enough free material to support your campaign for months.

Notes

[1] 8 Benefits of Formal and Informal Learning. http://www.langevin.com/blog/2012/05/10/8-benefits-of-formal-and-informal-learning/ [accessed on 2.12.2013].

[2] The Most Effective Training Techniques. http://trainingtoday.blr.com/employee-training-resources/How-to-Choose-the-Most-Effective-Training-Techniques [accessed on 8.01.2014].

[3] Training Delivery Methods. http://www.referenceforbusiness.com/management/Tr-Z/Training-Delivery-Methods.html [accessed on 12.01.2014].

[4] In-Person Versus Online Training Advantages and Cost Comparison Table. http://www.elearncampus.com/online_training/comparisontable.aspx [accessed on 12.01.2014].

[5] 7 Reasons Why Organizations Use Online Training. http://www.knowbe4.com/resources/7-reasons-why-organizations-use-online-training/ [accessed on 27.01.2014].

[6] Web Based Training Advantages and Disadvantages. http://www.webbasedtraining.com/primer_advdis.aspx [accessed on 27.01.2014].

[7] Web-based Training Overview. http://www.etc.edu.cn/eet/articles/webbtraining/start.htm [accessed on 30.01.2014].

[8] Formal Training Vs. Informal Training: Which Makes More Sense? http://www.mindflash.com/blog/2012/03/formal-training-vs-informal-learning-which-makes-more-sense/ [accessed on 31.01.2014].

[9] Security of War Information - Loose Lips Sink Ships (1942–1945). http://www.aef.com/exhibits/social_responsibility/ad_council/2175 [accessed on 3.02.2014].