It is also a topic that seems a little out of place at the Hack in the Box conference in Amsterdam, but Bob Lord, Director of Information Security at Twitter, has raised some interesting points in his Thursday's keynote in which he shared his company's rather successful experiments regarding the matter.
He first pointed out that information security professionals tend to look for perfection, meaning that most often than not they tend to dismiss the whole concept of security awareness training just because a particular implementation of it has proved to be flawed.
Secondly, he shared his and Twitter's approach of not concentrating on raising awareness, but changing employee behavior, habits and actions to create a security culture. "How can we make doing things the right way become the default in our company?" they asked themselves.
His team sat down to think about a set of core values that would make it easier to create it, and came up with a number of "prescriptions."
When tackling the problem of effective security training, Lord and his team decided to select groups of new hires as perfect subjects to test their approach. Not only could they track their behavior from the very start of their company career, but they also had the opportunity to address a captive audience that is more likely to do what they are told before getting caught up in their day-to-day work.
Lord took it upon himself to give them the initial talk, demonstrating that the matter is important, and that he is willing to take the time to do it.
The training concentrates on password choice and use, phishing awareness, and physical access security and, according to him, employees aren't penalized for other types of mistakes. In fact, they are invited to share them with superiors and ask "dumb" questions in order to learn what is good practice and what's not.
At Twitter, everybody is required and strongly encouraged to use a password manager. Part of the initial presentation is dedicated to setting it up in order to change an assigned password, with the intent of setting them on the right way to using it daily.
They had some success with this approach, and learned that some of the users stopped using the password vault in the first few weeks after they started, but those who "survived" these three or four weeks became long term users. Ultimately, the overall adoption rate of this behavior ended up reaching over 75 percent, which is a great result.
But all this would not have been possible were it not for the team's constant evaluation of their results, making changes to make the training more efficient, and constant giving of feedback.
The feedback was also very important in the part of the training dedicated to phishing awareness. They set up a phishing alert mailing list and employees are encouraged them to alert and forward to the security of team of every actual and potential phishing attempt, and the team took it upon themselves to respond to each alert within hours.
They also had success with making themselves available to employees during office hours, inviting them to come and talk about anything - even non-security topics - that were unsure about. The intent was to build a rapport between the employees and the security team, and they knew that they succeeded when they started to hear "confessions" from employees about things they did, but now think they might have made mistakes.
When it comes to learning about physical access security, they did things like choosing a "mole" employee each week that would be instructed not to wear his or her access badge in order to see how many people would notice and ask them to show it. This way they would get into the habit of questioning deviations from the prescribed behavior, teach those who aren't wearing them that they should, and be rewarded with a gift card to a nearby coffee shop if they stopped and asked the "mole" why he or she aren't waring the badge. Again, it is the "carrot instead of the stick" approach.
By perfecting their training approach via constant feedback and evaluation, they accomplished a lot.
Still, they are looking into areas that could bring additional improvements: the measuring of effectiveness of the social engineering videos the employees are shown, adding more game elements to the training, measuring other factors (years that employees spent in the industry, their first language, and so on), and perhaps even by publishing personal/team security scores.
The most important thing in all this is never to give up on users (employees), says Lord. "It's never a lost cause until you believe it is."
He advises focusing on security culture, not training, and to constantly measure the effect of the training so that it can be repeatedly reshaped in order to be more effective - and here is where the feedback comes in handy.