Be The Change – Education, is it working?


An article from Dark Reading came out earlier this month that is still getting a lot of traction in the news. What’s the big bandwagon that everyone is scrambling to jump on? It’s simple: train employees on social engineering tactics. The article points out that more than half of security professionals say social engineering tactics work so well because employees are not educated enough to combat them.

Why is everyone quoting this simple and yet suddenly poignant fact? Because in the last couple of months the number of “big” hacks has gone from a couple a year to a couple a month and now a couple in a week (Snapchat, Kmart, Target, Staples, Home Depot). Are attacks escalating, is there better accountability, or is the media just reporting it more? Interesting question. We will look into it and get back to you on that one next month.

If you scroll through some of the comments on the Dark Reading article or others that are quoting it, you will find that a significant portion of the security professionals out there are stuck on what constitutes effective training. Is anyone in IT still surprised that compliance does not equal protection? No, we didn’t think so. Let’s break down what makes training effective according to learning theorists and social psychologists.


  1. Connect and Interact: You can hire someone to come in to preach or show pretty PowerPoint slides, but a straight lecture format has been proven to produce lower retention in students (Beers & Bowden, 2005). You have to make a connection with your audience before they will care. Canned presentations don’t work as well as personal interaction. Professionals in marketing have been using this since the 1980s (Weitz, Sujan & Sujan, 1986). Does this up the cost of training? Yes. Is it worth paying for training you actually get some measure of protection out of? Yes. We need to stop checking the box and start educating.
  2. The right motivation: Training by itself is only a temporary patch because enough people want to believe it can’t happen to them. Many of the professionals commenting on the Dark Reading poll said that people can tune out because they think they are too smart to fall for social engineering tactics. Social-Engineer does not subscribe to a user-blaming methodology, but instead believes that if you want to motivate someone to change in the long run you have to get people to believe it is the right thing to do. This form of motivation doesn’t require external punishments or rewards; it is a change in attitude that achieves internalization of new beliefs, which in turn changes behavior (Aronson, 2011). You want employees to act on the training they received? Target attitudes, not platitudes.
  3. Lather, rinse, repeat: At most, studies indicate that a phishing campaign that delivers an educational message to those who are “hooked” is effective for only about six months (Purkait, 2012). Anecdotally, this protection does not appear to generalize widely to multiple forms of phishing; for example, if people get hooked on an e-card phish they learn what to look for when getting an e-card, but not when receiving an internal-looking whale phish (however, studies are needed to confirm this). Lessons need to be repeated and generalized. Rotate the types of phishing emails going out and give up-to-date education advice.
  4. Policy: It’s the ugly word that no one likes to talk about, but at some point it’s going to have to be addressed. If an employee consistently fails social engineering pentests despite education and mentoring, it is a good time to look at the effectiveness of your education program and the role that employee is allowed to play with regard to company data. Now, this has to be balanced with individual employee rights, but responsibility isn’t a dirty word. Accountability works (Workman, 2008).


Training can be a touchy subject because not everyone learns best from a single format. Some people do better with visual materials and others need a hands-on experience to cement the lesson in their memory. Finding training that incorporates multiple methods of communicating the lesson is obviously a nice feature to have, but it isn’t always possible to apply this to a large employee population. Probably one of the best takeaways we can all get out of this is that finding the right training takes careful thought and planning. Consider your organization’s size and employee level of education, and even perform testing whose results can be directly applied to building a curriculum that meets your needs.

Given the usual audience for this blog, it might be that we’re preaching to the choir. We hear that a lot of the current training out there isn’t getting the job done. Well, here is a chance to flex some of those influence muscles and see if we can’t help change that. The social sciences are our friend in this fight, and we can use studies like those presented above to help advocate for social engineering training that teaches the critical thinking skills employees need to make good decisions. Changing the status quo is hard, but in today’s climate of big data breaches the organizations that look beyond compliance and strive for something better are going to be the ones who come out ahead. Be the change you want to see.

References

Aronson, E. (2011). The social animal (11th ed.). New York, NY: Worth Publishers.
Beers, G., & Bowden, S. (2005). The effect of teaching method on long-term knowledge retention. Journal of Nursing Education, 44(11), 511-514. Retrieved from http://search.proquest.com/docview/203961259?accountid=8289
Purkait, S. (2012). Phishing counter measures and their effectiveness - literature review. Information Management & Computer Security, 20(5), 382-420. doi:http://dx.doi.org/10.1108/09685221211286548
Weitz, B. A., Sujan, H., & Sujan, M. (1986). Knowledge, motivation, and adaptive behavior: A framework for improving selling effectiveness. Journal of Marketing, 50(4), 174-191. Retrieved from http://search.proquest.com/docview/227818292?accountid=8289
Workman, M. (2008). A test of interventions for security threats from social engineering. Information Management & Computer Security, 16(5), 463-483. doi:http://dx.doi.org/10.1108/09685220810920549
