Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Does security awareness training even work?

Maria Korolov | Oct. 1, 2015
If even well-educated security experts mess up when it comes to security, can we really educate average employees to be more security aware?

"The key is how you package it to make it interesting and digestible," said Kevin Cunningham, SailPoint's president and founder. "They bring it back to what it means to you."

There are more than two dozen videos total, each covering a very specific topic and followed by a short quiz, accessible through the employee portal.

"If I have a spare five minutes, I can watch one of these vignettes," Cunningham said.

The company has just rolled out the program, but Cunningham says he's already seen a change in attitudes.

But he's not going by gut feel alone. After six months, SailPoint will do a round of retention testing. In addition, individual employees that violate policies will receive additional, more in-depth training.

"People are a key component of any security plan," Cunningham said. "The bad guys have figured out that the most vulnerable portion of the company is the people. There's lots to be gained there."

Simulated attacks

One easy target for security awareness training is teaching employees how to deal with phishing emails. According to the latest Verizon data breach report, phishing was implicated in a quarter of all data breaches. And according to Ponemon, the average 10,000-employee company spends $3.7 million a year on dealing with phishing attacks.

Ponemon recently calculated the effectiveness of anti-phishing training programs. The least effective training program still had a seven-fold return on investment, even taking into account the loss of productivity during the time the employees spent being training. And the average-performing program resulted in a 37-fold return on investment.

One company that's working hard to both improve and measure its effectiveness is  Wombat Security Technologies, which grew out of a research program at Carnegie Mellon.

"In my mind, videos and classroom-based training that don't engage users are doomed to failure from the beginning," said company CEO Joe Ferrara.

Wombat runs simulated phishing attacks against organizations, then delivers on-the-spot training modules.

One customer, Pennsylvania-based safety product manufacturer MSA Safety, started out their first year's training program with a 25 percent failure rate.

"Now we're in the 5 to 8 percent fail rate," said Steve Rocco, the company's global cyber security manager. "We have lowered our risk considerably, in my opinion."

Since first piloting the Wombat training program two years ago, the company has rolled it out to 50 sites around the world, in seven languages.

In addition to phishing training, there are also modules that cover how to classify data, what can be sent over email, what can be stored in the cloud. There's training for handling personal health information, for physical security, for social engineering, for social networks, and a variety of other topics. And it's customizable to meet MSA's specific requirements.


Previous Page  1  2  3  Next Page 

Sign up for Computerworld eNewsletters.