Creating Cyber Security Training that Works

If you are not a computer security professional, you may have missed a recent debate surrounding the effectiveness of cyber security education. Some believe that attackers are so sophisticated that there is no way well-trained employees will be able to recognize their attacks. Others believe that well-trained employees can mitigate the risk of external and internal threats. We at Ashland Partners have experienced how effective well-designed cyber education can be, and we know that it is worth doing right.

In order to be effective, educational programs must take into account the needs of the intended audience. For example, adult learners require training that is meaningful and immediately useful to their lives. To show that something is immediately useful, an adult must see the training in a real-world context. This is where cyber education has an advantage over other subjects; it is relatively easy to incorporate interactive simulations to reinforce specific cyber training. Simulations create situational awareness by showing the person an example of what they were just taught. Simulations also provide teachable moments for when they fail to remember their training. This link between training and simulated reinforcement has to be well researched. For example, Kumaraguru (et al, 2009) in “School of phish: a real-world evaluation of anti-phishing training,” determined that multiple training events, followed by simulated phish tests, progressively reduced the likelihood that the students would succumb to a phishing attack. Ashland Partners has experienced this as well. For many years we have been giving our employees cyber security education. Nine months ago we started performing regular phish testing on all employees. As a result, our click rate on simulated phishing attacks has diminished from 14% down to 0%. This methodology can be applied to any subject, and can help increase your employee’s level of compliance.