The Training Cycle - Building an Information Security Awareness Program: Defending Against Social Engineering and Technical Threats, First Edition (2014)


CHAPTER 10. The Training Cycle

Valerie Thomas Securicon, Lorton, VA, USA


Many items factor into the training cycle for an organization, such as budget, management support, regulatory compliance, and the amount of material. If your organization must perform training activities to satisfy regulatory compliance, use this to deliver meaningful training material, as opposed to the absolute minimum required. Determining or adjusting the training cycle for your organization depends not only on the security division but also on the support of management. Work closely with senior management as you plan your training; they will provide guidance in terms of budget, training frequency, and methods. Effective information security programs have the support of senior management, and in the long term, it's better to deliver a scaled-back program that has the support of senior management than to spend all of your time struggling with the people whose support you need.


New hire training

Embedded training

Continual training



The Training Cycle

In order for employees to retain knowledge, they'll need to be trained more than once. True education is not a one-shot process. A training cycle should consist of short- and long-term training instances. In this chapter, we'll discuss various options for creating your own training cycle. While reviewing the options, keep in mind that you don't need to implement all of them, just what makes sense for your organization.

New Hire

We've all heard the phrase “You never get a second chance at a first impression.” This also applies to awareness training. New hire training is an employee's first glimpse into the inner workings of the organization. If security training is disorganized or incomplete, it can convey that security isn't a priority for the organization or its employees. At a minimum, training should

■ describe the purpose for security training

■ highlight key areas of security policy

■ detail the largest threats to the organization

■ highlight physical security threats

■ teach users how to identify and report suspicious e-mails or activities

New hires should leave this training with an understanding of the listed items above and copies (or locations) of the covered information and security policies for future reference. Additionally, training should be completed prior to granting access to organizational assets.


Every employee needs a refresher course; this is occasionally referred to as people patching [1]. Keeping your computer's security up-to-date requires constant vigilance; people require the same level of maintenance, or people patching. Although new hire training is essential, employees require periodic refreshers in order to retain the concepts long-term.

Why Quarterly?

Many industry standards require quarterly security awareness training. If your organization is required to comply with these regulations, use it to your advantage. Quarterly training is a fantastic opportunity to update employees on the latest threats and trends. Was the organization targeted with a phishing e-mail? If so, include the message in the training and highlight the suspicious portions. Don't forget to include the procedure for reporting suspicious e-mails.

This is also an ideal vehicle to announce policy changes with details on what has been added or removed. Including an article or two about current attacks will provide real-world application of the covered material.


If your management does not support quarterly training, biannual training should be considered the minimum required time frame. Expecting employees to remember something after being taught one time will leave your employees unprepared and frustrated. If training can only occur twice a year, ensure that the content is focused on critical topics to your organization's security. While every organization's priorities are different, a few examples are

■ laptop safety and how to report a lost/stolen laptop

■ identifying phishing attempts and how to report them

■ proper handling of sensitive information

■ preventing tailgating

You'll notice that this information appears to be similar to new hire training. The purpose of biannual training is to reinforce the fundamentals described in new hire training without detailing each policy.


In Chapter 9, we discussed several variations of informal training. These low-cost programs can reinforce concepts taught in other required training events throughout the year. Implementing continual training keeps security on the minds of employees. A few examples are

■ posters with a company laptop forgotten in a public place and the phone number to report security incidents

■ e-mail newsletters with on-line safety tips for home use

■ implementing log-on banners for employee workstations with a security tip of the day [2]

■ lunch and learn sessions about social media safety

Point of Failure

Point of failure, also known as embedded training, refers to training administered when an employee fails a simulated phishing attack. There are mixed opinions in the industry about the effectiveness of point-of-failure training. Some industry members claim this method of training is ineffective [3] because employees aren't retaining the information presented. Other industry members claim this method of training is extremely effective [4] if implemented properly. If your management does not support quarterly training for everyone, point-of-failure training can educate the employees who need it the most.

The key to properly implementing point-of-failure training is frequency of testing. Employees who failed a simulated attack should be tested again within weeks of the failure. This process reinforces the presented material by requiring them to apply learned concepts. However, the simulated phishing attack should not look identical to the failed attack. In Chapter 11, we'll discuss creating your own simulated phishing attacks.
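The retest rule above (an employee who fails a simulation is retested within weeks, with a lure that does not look identical to the one they fell for) is easy to state and easy to lose track of once a program has hundreds of participants. The following Python tracker is an added example written for this chapter, not code from the book or its author; the 21-day window, the employee names and the lure templates are constructed placeholders. It takes the results of simulated phishing sends, lists who is due for embedded training, plans a retest per failed employee that avoids every lure they already failed, and reports whether the retest actually happened inside the window.

```python
"""Point-of-failure (embedded training) tracker for a simulated phishing program.

Added example, not from the book. Models the chapter's rule that employees who
fail a simulation are retested within weeks using a different lure. All data
below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Assumed concrete value for the chapter's "within weeks of the failure".
RETEST_WINDOW_DAYS = 21


@dataclass(frozen=True)
class SimulationResult:
    employee: str
    template: str   # name of the lure that was sent (constructed names)
    sent: date
    clicked: bool   # True means the employee fell for the simulation


@dataclass
class RetestPlan:
    employee: str
    due_by: date
    failed_templates: set = field(default_factory=set)


def failed_employees(results):
    """Employees who fell for at least one simulation: the audience for
    point-of-failure training."""
    return sorted({r.employee for r in results if r.clicked})


def plan_retests(results, window_days=RETEST_WINDOW_DAYS):
    """Build one retest plan per failed employee.

    The retest is due within window_days of that employee's most recent
    failure, and every lure the employee has already failed is recorded so the
    retest does not look identical to the failed attack.
    """
    plans = {}
    for r in sorted(results, key=lambda r: r.sent):
        if not r.clicked:
            continue
        due = r.sent + timedelta(days=window_days)
        plan = plans.setdefault(r.employee, RetestPlan(r.employee, due))
        plan.due_by = due                      # later failure moves the deadline
        plan.failed_templates.add(r.template)
    return plans


def pick_retest_template(plan, available):
    """Choose a lure for the retest that differs from any the employee already
    failed. Returns None when every available lure has been used on them."""
    for template in available:
        if template not in plan.failed_templates:
            return template
    return None


def retest_compliance(results, window_days=RETEST_WINDOW_DAYS):
    """For each failed employee, True if a follow-up simulation was sent after
    their latest failure and no later than the retest deadline."""
    plans = plan_retests(results, window_days)
    by_employee = {}
    for r in results:
        by_employee.setdefault(r.employee, []).append(r)
    report = {}
    for employee, plan in plans.items():
        history = by_employee[employee]
        last_failure = max(r.sent for r in history if r.clicked)
        followups = [r for r in history if last_failure < r.sent <= plan.due_by]
        report[employee] = bool(followups)
    return report


# Constructed sample data: one quarterly send, one timely retest (alice),
# and one employee (carol) retested late with the identical lure.
SAMPLE_RESULTS = [
    SimulationResult("alice", "invoice-q1", date(2014, 1, 6), clicked=True),
    SimulationResult("bob", "invoice-q1", date(2014, 1, 6), clicked=False),
    SimulationResult("carol", "invoice-q1", date(2014, 1, 6), clicked=True),
    SimulationResult("alice", "shipping-notice", date(2014, 1, 20), clicked=False),
    SimulationResult("carol", "invoice-q1", date(2014, 2, 10), clicked=True),
]

if __name__ == "__main__":
    plans = plan_retests(SAMPLE_RESULTS)
    for employee in failed_employees(SAMPLE_RESULTS):
        plan = plans[employee]
        lure = pick_retest_template(plan, ["invoice-q1", "shipping-notice"])
        print(f"{employee}: retest by {plan.due_by} using {lure!r}")
    print("retested within window:", retest_compliance(SAMPLE_RESULTS))
```

Running the sample shows alice cleared (retested fourteen days later with a different lure) and carol still outstanding: her second failure was 35 days after the first, so it fell outside the window, and because it reused the same lure, the plan now has a new deadline and the picker steers the next retest to a lure she has not seen.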

Targeted Training

Training by department should be included in the annual training cycle. For maximum effectiveness, present this training separately from the general employee training. Presenting the material separately enables the employees to absorb and retain the information long term. Ideally, this targeted training should be conducted quarterly and should focus on no more than three key messages or threats that are unique to each department. Highlight the unique threats facing each organization. Accounts receivable and marketing are at a high risk for macro viruses and malicious PDF documents, because opening documents received from outside the organization is a common activity. The help desk is a prime target for attackers to gain information about computer accounts, corporate policies, operating system details, and organizational structure via fake phone calls to the help desk. Create a list of top threats for each department, and then create training segments that address no more than three specific threats.

Sample Training Cycles

If your awareness program is new and there is no current cycle in place, it is best to plan a robust training cycle. Gaining approval from management to implement a new training cycle may be easier than gaining approval to modify an existing one. New hire training isn't repeated, so it is not included in the examples below.


This cycle is designed to include the recommended minimum training intervals. Integrating the targeted training biannually is even more crucial with a minimal training cycle, as it reinforces best practices for those in public-facing positions more than twice per year:

■ Biannual training sessions for all employees

■ Continual training in the form of newsletters and posters

■ Targeted training biannually for public-facing departments


Designed for organizations that are able to address more than a minimal training cycle, this cycle incorporates additional elements:

■ Biannual training sessions for all employees

■ Continual training in the form of video campaigns, lunch and learns, newsletters, and posters

■ Targeted training biannually for public-facing departments

■ Biannual point-of-failure training for all employees


This training cycle incorporates multiple elements to expose employees to training roughly every sixty days:

■ Quarterly training sessions for all employees

■ Continual training in the form of video campaigns, lunch and learns, contests, newsletters, and posters

■ Targeted training biannually for public-facing departments

■ Quarterly point-of-failure training for all employees

Adjusting Your Training Cycle

If you have an existing training cycle in place and metrics indicate that training isn't meeting the targeted goal, it is likely the training cycle requires adjusting. Increasing continual training is a low-cost option. Combining new continual training with an additional training type will yield a higher return on investment. Use the metrics to determine which areas of awareness are below average and adjust the training cycle to increase training in those areas. For instance, if phishing detection results were low, consider implementing point-of-failure training to provide instant training for employees who did not pass the phishing assessment. Program metrics are discussed at length in Chapter 13.


[1] People Patching: Is user education of any use at all? [accessed on 2.16.2014].

[2] Developing continual healthcare data security training [accessed on 2.16.2014].

[3] Why Training Doesn't Mitigate Phishing [accessed on 2.17.2014].

[4] SHOCKER: Point-Of-Failure Phishing Training Does Not Work [accessed on 2.17.2014].