Tuesday, September 30, 2014
Week 6 - Security Awareness: To Train or Not
An ongoing battle in the security awareness training arena is over the effectiveness of this training. Is there a benefit for companies in providing this training, or would the money be better spent in other information security areas? Many companies require employees to take security awareness training once a year, often as part of other annual compliance training. Naysayers on the effectiveness of this training believe it is a wasted effort because of the time span between iterations and the "check it off and move on" format that is often used to present the content.

While not a recent article, Fahmida Rashid wrote on this subject in April of 2013 for SecurityWeek online magazine. Her discussion focuses on the specific area of phishing and spear-phishing attacks, as these are likely weak points in endpoint security. As purveyors of these attack methods have become more sophisticated, it has become more difficult for the average user to resist clicking a link, especially if it appears to come from a company they do business with. Many fake e-mails are indistinguishable from communications that would come from a valid source. This has been especially true in the banking industry, and it also affects electronic payments, since gaining access to an online account through one of these attacks could lead to a number of illegal transactions taking place.

So is the best answer to give up, or is there a different type of training method that would be more effective? The method proposed in Ms. Rashid's article is called simulated attack training. To use it, the company creates phishing or spear-phishing e-mails and sends them to employees. If an employee falls for the fake e-mail, they are then enrolled in "just-in-time" training to recognize this type of attack and to respond appropriately. This identifies the employees who need focused training in this area and addresses the threat directly.
At an unnamed Fortune 50 company quoted in this article, 35% of the staff who received a simulated attack the first time responded inappropriately. With immediate feedback provided, only 6% responded inappropriately the next time the simulation was run. This method provides metrics on the effectiveness of one aspect of security awareness training and avoids the annual, repetitive nature that many training efforts unfortunately fall into. The exciting aspect of this type of training is to consider what other areas it could be successfully applied to.