Tips for how do make security awareness training engaging?
chickenlicken09
Member Posts: 537 ■■■■□□□□□□
Just wondered how you go about doing this in your current role, any tips?
Comments
-
LonerVamp Member Posts: 518 ■■■■■■■■□□Some may say that security awareness training isn't about being engaging. I could go either way that.One example I think sets an interesting tone is PagerDuty's awareness training that was made public (sudo.pagerduty.com, I believe).I also prefer to try not to talk down to the audience. I know we probably have the hardest time trying to get the lowest 10% pulled up and understanding things, but ... Try to instead give real insight for those that already know a little, and try to improve their own awareness and security even beyond the business.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
Meggo Registered Users Posts: 197 ■■■■■□□□□□Hey eddo1! Lisa Plaggemier recently joined our team here at InfoSec and specializes in this area (formerly ran the security training and awareness program for CDK Global).
I think you'll find this presentation from her helpful:
-
JDMurray Admin Posts: 13,101 AdminWhat I try to do is make information security personal first and then show how it related to the employer's business.
- Show people how to protect their PII, PHI, PFI, etc. and relate it to the same types of business information they control in their jobs.
- Discuss how to recognize and deal with spam, phishing, and vishing in their personal life and then expand that to encountering the same on-the-job.
- Explaining about malicious (wateringhole) Websites, careful use of social media Websites, and configuring Internet router security, anon VPNs, host security, etc. are all personal protection issues that can be expanded in to an employee's business activities.
-
stryder144 Member Posts: 1,684 ■■■■■■■■□□A few things that I do and/or suggest:
1. I have noticed people pay attention when there is an immediate reward. I carry candy (both sugar and sugar-free). I will ask the class a question, usually not security related, at the beginning and the first person to answer gets a candy. After that, most people get competitive (some even get hyper-competitive...which is amusing), thus they remain engaged.
2. Don't think of security awareness training as an annual "one and done" process. I highly encourage people to consider "security through walking around". Since most people never see the security folks, having them periodically walk through the facility and engage their coworkers in conversation helps to build rapport. They can steer the conversation toward security and ask questions, make statements, etc. Much more effective when your coworkers see you as a member of the team instead of someone with a mall cop mentality.
3. Celebrate it when your coworkers do the right thing. For instance, let's say someone gets a suspicious email and forwards it to your phishing/security inbox. Buy the entire team/department lunch, bring several of the security folks, and congratulate the person and let their team know why they get a free lunch. I don't know of too many people who would be pissed to get a free lunch, especially if they didn't have to do anything to warrant it.
By using carrots instead of sticks, we get further. By rewarding publicly, others start to get it. I would rather spend $100 on a lunch or $20 on a bag of candy than have to spend the money necessary to remediate a data breach (averaging north of $3.6 million).The easiest thing to be in the world is you. The most difficult thing to be is what other people want you to be. Don't let them put you in that position. ~ Leo Buscaglia
Connect With Me || My Blog Site || Follow Me -
chickenlicken09 Member Posts: 537 ■■■■□□□□□□LonerVamp said:Some may say that security awareness training isn't about being engaging. I could go either way that.One example I think sets an interesting tone is PagerDuty's awareness training that was made public (sudo.pagerduty.com, I believe).I also prefer to try not to talk down to the audience. I know we probably have the hardest time trying to get the lowest 10% pulled up and understanding things, but ... Try to instead give real insight for those that already know a little, and try to improve their own awareness and security even beyond the business.
Haha i know what you mean by the either way comment.
-
LonerVamp Member Posts: 518 ■■■■■■■■□□Meggo said:Hey eddo1! Lisa Plaggemier recently joined our team here at InfoSec and specializes in this area (formerly ran the security training and awareness program for CDK Global).
I think you'll find this presentation from her helpful: [snipped]
https://www.youtube.com/watch?v=qmo6M3aNb7A
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs? -
Meggo Registered Users Posts: 197 ■■■■■□□□□□She's a super great resource. She doesn't have her own page but is in the process of launching a new podcast. I also asked her to hop on TE and help mod this category so you can ask her questions directly.
-
chickenlicken09 Member Posts: 537 ■■■■□□□□□□LonerVamp said:Some may say that security awareness training isn't about being engaging. I could go either way that.One example I think sets an interesting tone is PagerDuty's awareness training that was made public (sudo.pagerduty.com, I believe).I also prefer to try not to talk down to the audience. I know we probably have the hardest time trying to get the lowest 10% pulled up and understanding things, but ... Try to instead give real insight for those that already know a little, and try to improve their own awareness and security even beyond the business.
Haha i know what you mean by the either way comment.
-
chickenlicken09 Member Posts: 537 ■■■■□□□□□□Is powerpoint still the go to software for presenting slides to an audience?
Are there any other tools that you would recommend? I had seen Prezi recommended but have not tried it.
-
LisaPlaggemier Member Posts: 17 ■■■□□□□□□□@LonerVamp I actually had no idea that was on YouTube! Thanks for letting me know. Would be interested to know if you watched it and what you thought.
@eddo1 As far as making security training engaging, I'm a big fan of campaigns that are entertaining or funny and maybe even not obviously about security at the outset - just to get people's attention. People are super busy, bombarded with messages, social media, email, etc. all day...we need to make our message stand out and pull people in. I'm not a big fan of using scare-tactics because even though that can get people's attention in the short-term, it's not sustainable. It doesn't make people want tune in for more.
I also think segmenting your audience is important. There are people that are inherently interested in security so awareness content for them should be different from content for people who don't care. At the end of the day, the "people who don't care" demographic is really our target audience, right? It's about engaging them.
Thoughts? -
LisaPlaggemier Member Posts: 17 ■■■□□□□□□□eddo1 said:Is powerpoint still the go to software for presenting slides to an audience?
Are there any other tools that you would recommend? I had seen Prezi recommended but have not tried it.
I've also seen PowerPoint animation that looks super slick. This agency does PPT animation that you won't believe is PPT: https://modicum.agency/services-events-presentations/ Even if you don't have budget, it's cool to look at the samples on their site for inspiration.
I also recommend Garr Reynolds' books on creating awesome presentations. https://www.presentationzen.com/
Remember, people can read your slides or listen to you, they can't do both at the same time! Keep text to a minimum. -
JDMurray Admin Posts: 13,101 AdminHow do you reach people who have a negative reaction to anything security, usually because the idea that they are being purposely targeted to be scammed, robbed, or taken advantage of in some other way is a very fearful thing to them?
-
LisaPlaggemier Member Posts: 17 ■■■□□□□□□□JDMurray said:How do you reach people who have a negative reaction to anything security, usually because the idea that they are being purposely targeted to be scammed, robbed, or taken advantage of in some other way is a very fearful thing to them?
-
FluffyBunny Member Posts: 245 ■■■■■■□□□□LonerVamp said:No joke, a talk from Lisa on YouTube was one of the things I had in mind in my first post! I had originally planned to mention talks from SANS or Defcon on security awareness, but couldn't find what I had seen. Then I recognized that name!
Wonder if @LisaPlaggemier has any more of those stickers lying around.
Lisa, your take-aways from the DYDN campaign are very interesting. The one about the viewers who had never completed security trainings could tie in with JDMurray's comment about people sticking their heads in the sand. Perhaps it's not that they didn't care, it's that they couldn't deal with the potential of them being targeted.
-
LisaPlaggemier Member Posts: 17 ■■■□□□□□□□@FluffyBunny Could be! Maybe the fact that they were more compelled to watch Pavel than to take CBT's says something about the state of most CBT's...<yawn>
I actually do have leftover stickers...If anyone wants one, send your snail mail address to me at Lisa.Plaggemier@infosecinstitute.com.
One of my big projects in the next few months will be working with the agency that did DYDN to create a video series for our clients. I'm so excited; it's going to be a blast. I really enjoy making security this much fun for people. When people tune in because they want to see the next episode, and you get them to engage with security in a positive way, it's awesome. You're no longer the Dept of No - you're that clever & fun department that they want to engage with.
The agency that scripted, cast, and filmed Pavel is super talented...the director also directed the "Imported from Detroit" Chrysler commercials from the Super Bowl a few years' ago, and the script writer was the guy who wrote the "New Old Spice" campaign when it first ran. Why shouldn't we have super talented creative folks helping us solve the problems of security? At the end of the day, it's more important than selling cars or after shave, right? -
FluffyBunny Member Posts: 245 ■■■■■■□□□□LisaPlaggemier said:One of my big projects in the next few months will be working with the agency that did DYDN to create a video series for our clients.
-
LisaPlaggemier Member Posts: 17 ■■■□□□□□□□@FluffyBunny Yes, for our clients, and they'll be in English for now but maybe we should look at subtitling. I'll keep that in mind while we're writing scripts; the humor would have to translate well.
I've seen some really well-done videos by Airbus that didn't use any script at all - just visuals - so they completely avoided the translation problem. That'll be the next series I'll want to do after this first set. I'd love to meet the challenge of producing something truly global.