An article from Dark Reading came out earlier this month that is still getting a lot of traction in the news. What’s the big bandwagon that everyone is scrambling to jump on? It’s simple: train employees on social engineering tactics. The article points out that more than half of security professionals say social engineering tactics work so well because employees are not educated enough to combat them.
Why is everyone quoting this simple and yet suddenly poignant fact? Because in the last couple of months the number of “big” hacks has gone from a couple a year to a couple a month and now a couple in a week (Snapchat, Kmart, Target, Staples, Home Depot). Are attacks escalating, is there better accountability, or is the media just reporting it more? Interesting question. We will look into it and get back to you on that one next month.
If you scroll through some of the comments on the Dark Reading article or others that are quoting it, you will find that a significant portion of the security professionals out there are stuck on what constitutes effective training. Is anyone in IT still surprised that compliance does not equal protection? No, we didn’t think so. Let’s break down what makes training effective according to learning theorists and social psychologists.
- Connect and Interact: You can hire someone to come in to preach or show pretty PowerPoint slides, but a straight lecture format has been shown to produce lower retention in students (Beers & Bowden, 2005). You have to make a connection with your audience before they will care. Canned presentations don’t work as well as personal interaction. Professionals in marketing have been using this since the 1980s (Weitz, Sujan & Sujan, 1986). Does this raise the cost of training? Yes. Is it worth paying for training you actually get some measure of protection out of? Yes. We need to stop checking the box and start educating.
- The right motivation: Training by itself is only a temporary patch because enough people want to believe it can’t happen to them. Many of the professionals who commented on the Dark Reading poll said that people tune out because they think they are too smart to fall for social engineering tactics. Social-Engineer does not subscribe to a user-blaming methodology, but instead believes that if you want to motivate someone to change in the long run, you have to get people to believe it is the right thing to do. This form of motivation doesn’t require external punishments or rewards; it is a change in attitude that achieves internalization of new beliefs, which in turn changes behavior (Aronson, 2011). You want employees to act on the training they received? Target attitudes, not platitudes.
- Lather, rinse, repeat: At most, studies indicate that a phishing campaign that delivers an educational message to anyone who is “hooked” is only effective for about six months (Purkait, 2012). Anecdotally, this protection does not appear to generalize widely to other forms of phishing; for example, if employees get hooked on an e-card phish, they learn what to look for when getting an e-card but not when receiving an internal-looking whale phish (studies are needed to confirm this). Lessons need to be repeated and generalized. Rotate the types of phishing emails going out and give up-to-date education advice.
- Policy: It’s the ugly word that no one likes to talk about, but at some point it’s going to have to be addressed. If an employee consistently fails social engineering pentests despite education and mentoring, it is a good time to look at the effectiveness of your education program and the role that employee is allowed to play with regard to company data. This has to be balanced with individual employee rights, but responsibility isn’t a dirty word. Accountability works (Workman, 2008).
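The “repeat and rotate” and “policy” points above translate directly into bookkeeping for an internal phishing simulation program: who is past the roughly six-month retention window cited from Purkait, which lure category they have seen least recently, and who keeps clicking despite the educational message every time. The script below is an added example, not code from Social-Engineer or from any of the cited studies; the template categories, employee names and simulation dates are constructed sample data, and the 180-day window and three-strike threshold are assumptions chosen to match the post’s figures.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Lure categories to rotate through. Hypothetical set: the post only names
# e-card and internal-looking "whale" phishes as examples.
CATEGORIES = ["e-card", "internal-request", "package-delivery", "password-reset"]


@dataclass
class Simulation:
    sent: date
    category: str
    clicked: bool  # True = employee was "hooked" and saw the educational message


@dataclass
class Employee:
    name: str
    history: List[Simulation] = field(default_factory=list)

    def last_lesson(self) -> Optional[Simulation]:
        """Most recent simulation in which the employee clicked and therefore
        actually received the teaching moment (a non-click teaches nothing)."""
        hooked = [s for s in self.history if s.clicked]
        return max(hooked, key=lambda s: s.sent) if hooked else None


def due_for_refresher(emp: Employee, today: date, window_days: int = 180) -> bool:
    """Retention is cited at roughly six months, so anyone whose last teaching
    moment is older than the window (or who never had one) is due again."""
    last = emp.last_lesson()
    return last is None or (today - last.sent) > timedelta(days=window_days)


def next_category(emp: Employee, categories: List[str] = CATEGORIES) -> str:
    """Pick the lure category this employee has seen least recently, so the
    lesson generalizes across phish types instead of repeating one lure."""
    last_seen = {c: date.min for c in categories}
    for s in emp.history:
        if s.category in last_seen and s.sent > last_seen[s.category]:
            last_seen[s.category] = s.sent
    # Oldest last_seen wins; ties are broken by list order for determinism.
    return min(categories, key=lambda c: (last_seen[c], categories.index(c)))


def repeat_clicker(emp: Employee, min_sims: int = 3) -> bool:
    """Flag for a program/policy review: clicked on every one of the last
    `min_sims` simulations even though each one delivered the lesson."""
    recent = sorted(emp.history, key=lambda s: s.sent)[-min_sims:]
    return len(recent) >= min_sims and all(s.clicked for s in recent)


def plan_campaign(employees: List[Employee], today: date,
                  window_days: int = 180) -> List[Tuple[str, str]]:
    """(name, rotated lure category) for everyone who is due a refresher."""
    return [(e.name, next_category(e))
            for e in employees if due_for_refresher(e, today, window_days)]


# Constructed sample data (not real employees or campaign results).
TODAY = date(2014, 11, 1)
SAMPLE_EMPLOYEES = [
    Employee("alice", [Simulation(date(2014, 3, 1), "e-card", True),
                       Simulation(date(2014, 8, 1), "internal-request", False)]),
    Employee("bob", [Simulation(date(2014, 9, 15), "e-card", True)]),
    Employee("carol", [Simulation(date(2014, 5, 1), "e-card", True),
                       Simulation(date(2014, 7, 1), "package-delivery", True),
                       Simulation(date(2014, 9, 1), "password-reset", True)]),
    Employee("dave"),  # never simulated, so never taught
]


def review_candidates(employees: List[Employee]) -> List[str]:
    """Names whose repeated clicks warrant a look at the program and their role."""
    return [e.name for e in employees if repeat_clicker(e)]


if __name__ == "__main__":
    for name, category in plan_campaign(SAMPLE_EMPLOYEES, TODAY):
        print(f"send {category!r} simulation to {name}")
    print("review:", review_candidates(SAMPLE_EMPLOYEES))
```

Note that `due_for_refresher` keys off the last *clicked* simulation rather than the last one sent: an employee who correctly ignored the last lure never saw the educational landing page, so the retention clock is still running from their last actual lesson. Alice is due (her last lesson was in March) and gets a category she has never seen; Dave has never been taught at all; Carol is not yet due but is flagged for review because she clicked three times running.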
Training can be a touchy subject because not everyone learns best from a single format. Some people do better with visual materials and others need a hands-on experience to cement the lesson in their memory. Finding training that incorporates multiple methods of communicating the lesson is obviously a nice feature to have, but it isn’t always possible to apply this to a large employee population. Probably one of the best take-aways we can all get out of this is that finding the right training takes careful thought and planning. Consider your organization’s size and your employees’ level of education, and even perform testing whose results can be applied directly to building a curriculum that meets your needs.
Given the usual audience for this blog, it might be that we’re preaching to the choir. We hear a lot of the current training out there isn’t getting the job done. Well, here is a chance to flex some of those influence-muscles and see if we can’t help change that. The social sciences are our friend in this fight and we can use studies like those presented above to help advocate for social engineering training that teaches the critical thinking skills that employees need to make good decisions. Changing the status quo is hard but in today’s climate of big data breaches the organizations who look beyond compliance and strive for something better are going to be the ones who come out ahead. Be the change you want to see.
Aronson, E. (2011). The social animal (11th ed.). New York, NY: Worth Publishers.
Beers, G., & Bowden, S. (2005). The effect of teaching method on long-term knowledge retention. Journal of Nursing Education, 44(11), 511-514. Retrieved from http://search.proquest.com/docview/203961259?accountid=8289
Purkait, S. (2012). Phishing counter measures and their effectiveness - literature review. Information Management & Computer Security, 20(5), 382-420. doi:10.1108/09685221211286548
Weitz, B. A., Sujan, H., & Sujan, M. (1986). Knowledge, motivation, and adaptive behavior: A framework for improving selling effectiveness. Journal of Marketing, 50(4), 174-191. Retrieved from http://search.proquest.com/docview/227818292?accountid=8289
Workman, M. (2008). A test of interventions for security threats from social engineering. Information Management & Computer Security, 16(5), 463-483. doi:10.1108/09685220810920549