Security Awareness Training is Boring
Last Updated: 2008-11-19 15:19:47 UTC
by Lenny Zeltser (Version: 2)
I love the directness of Marcum Ranum's perspective on security awareness training. "If it was going to work, it would have worked by now," he wrote. Indeed, whenever I perform social engineering testing, too many people willingly give up sensitive data, click on a link or launch that fateful attachment.
Maybe the problem with many security awareness programs is that they are borning. Come up with something unusual and personally-relevant to the attendies, and I bet the audience will remember your message. Below are some tips and a video clip.
Select a Different Format
Call your annual security awareness session a "Security Awareness Session," and you're guaranteed to hear sighs and excuses for not being able to attend. How about something in a less standard format? Thinking out loud here:
- Add a security "commerical" interruption to an unrelated meeting or a conference call.
- Create a challenge for people to report unsafe IT practices they observe. Without identifying the offenders, but with prizes.
- Sponsor a bagels and donuts breakfast with a 10-minute data security discussion.
- Create a drawing for a prize. The cost of entry is a tip on improving IT security.
Of course, the format will depend on your corporate culture, but the idea is to take a less ordinary approach to spreading your message.
Make the Message Personally-Relevant
People tend to care about their well-being more than the well-being of their company. To make your message heard, make it useful for your colleagues as individuals, be it in the context of phishing for email credentials, on-line financial fraud, or spyware. By helping them protect their personal data on-line, you will show them how to act when corporate IT assets are threatened.
Example: A Video Clip
How about peaking the employees interest in your program with a short video clip? I found a service called Animoto that will let you upload a bunch of photos, and automatically generate a nice-looking videos from them. (30-second videos are free.)
Here's an example I created using generic photos I found via EveryStockPhoto. For best results, use the photos specific to your company or industry. (For attribution purposes, here's the list of the Creative Commons images I used from Flickr: 1, 2, 3, 4.)
My video clip attempts to entice the audience to sign up for a hypothetical security awareness session. Of course, you can also use a more specific video to spread your particular security awereness message.
For additional tips about security awareness training, see the summary of the diaries we published about a year ago on this topic.
If you don't feel like making your own video, you can find some you can use on YouTube. For instance, Mike wrote in to point out the security awareness video "Duhs of Security" created by the Commonwealth of Virginia. It's available on YouTube and as part of an information security toolkit. I like that the video has goofy characters--they make it more fun. I would prefer if it were shorter, but longer videos are useful for some training forums.
Fellow ISC handler Andre Ludwig also pointed out a few fun security awarenes videos, available from Antispam.br. These are in Portuguese with English subtitles.
Security Consulting - SAVVIS, Inc.
Lenny will be presenting at the SANS D.C. conference in December.