Tips for how do make security awareness training engaging?

chickenlicken09

Just wondered how you go about doing this in your current role, any tips?

LonerVamp

Some may say that security awareness training isn't about being engaging. I could go either way that.

One example I think sets an interesting tone is PagerDuty's awareness training that was made public (sudo.pagerduty.com, I believe).

I also prefer to try not to talk down to the audience. I know we probably have the hardest time trying to get the lowest 10% pulled up and understanding things, but ...  Try to instead give real insight for those that already know a little, and try to improve their own awareness and security even beyond the business.

Meggo

Hey eddo1! Lisa Plaggemier recently joined our team here at InfoSec and specializes in this area (formerly ran the security training and awareness program for CDK Global).

I think you'll find this presentation from her helpful: 

https://infosecinstitute.wistia.com/medias/e7x30pch3a

chickenlicken09

great thanks does Lisa have her own page also?

JDMurray

What I try to do is make information security personal first and then show how it related to the employer's business.

• Show people how to protect their PII, PHI, PFI, etc. and relate it to the same types of business information they control in their jobs.
• Discuss how to recognize and deal with spam, phishing, and vishing in their personal life and then expand that to encountering the same on-the-job.
• Explaining about malicious (wateringhole) Websites, careful use of social media Websites, and configuring Internet router security, anon VPNs, host security, etc. are all personal protection issues that can be expanded in to an employee's business activities.

If a business is being specifically targeted, its employees will be targeted outside of the business environment, so non-business-context employee security education has tremendous ROI for a business.

stryder144

A few things that I do and/or suggest:

1.  I have noticed people pay attention when there is an immediate reward.  I carry candy (both sugar and sugar-free).  I will ask the class a question, usually not security related, at the beginning and the first person to answer gets a candy.  After that, most people get competitive (some even get hyper-competitive...which is amusing), thus they remain engaged.
2.  Don't think of security awareness training as an annual "one and done" process.  I highly encourage people to consider "security through walking around".  Since most people never see the security folks, having them periodically walk through the facility and engage their coworkers in conversation helps to build rapport.  They can steer the conversation toward security and ask questions, make statements, etc.  Much more effective when your coworkers see you as a member of the team instead of someone with a mall cop mentality.
3.  Celebrate it when your coworkers do the right thing.  For instance, let's say someone gets a suspicious email and forwards it to your phishing/security inbox.  Buy the entire team/department lunch, bring several of the security folks, and congratulate the person and let their team know why they get a free lunch.  I don't know of too many people who would be pissed to get a free lunch, especially if they didn't have to do anything to warrant it.

By using carrots instead of sticks, we get further.  By rewarding publicly, others start to get it.  I would rather spend $100 on a lunch or $20 on a bag of candy than have to spend the money necessary to remediate a data breach (averaging north of $3.6 million). 

chickenlicken09

LonerVamp said:

Some may say that security awareness training isn't about being engaging. I could go either way that.

One example I think sets an interesting tone is PagerDuty's awareness training that was made public (sudo.pagerduty.com, I believe).

I also prefer to try not to talk down to the audience. I know we probably have the hardest time trying to get the lowest 10% pulled up and understanding things, but ...  Try to instead give real insight for those that already know a little, and try to improve their own awareness and security even beyond the business. 

Haha i know what you mean by the either way comment.

LonerVamp

Meggo said:

Hey eddo1! Lisa Plaggemier recently joined our team here at InfoSec and specializes in this area (formerly ran the security training and awareness program for CDK Global).

I think you'll find this presentation from her helpful: [snipped]

No joke, a talk from Lisa on YouTube was one of the things I had in mind in my first post! I had originally planned to mention talks from SANS or Defcon on security  awareness, but couldn't find what I had seen. Then I recognized that name!
https://www.youtube.com/watch?v=qmo6M3aNb7A

Meggo

She's a super great resource. She doesn't have her own page but is in the process of launching a new podcast. I also asked her to hop on TE and help mod this category so you can ask her questions directly.  

chickenlicken09

LonerVamp said:

Some may say that security awareness training isn't about being engaging. I could go either way that.

One example I think sets an interesting tone is PagerDuty's awareness training that was made public (sudo.pagerduty.com, I believe).

I also prefer to try not to talk down to the audience. I know we probably have the hardest time trying to get the lowest 10% pulled up and understanding things, but ...  Try to instead give real insight for those that already know a little, and try to improve their own awareness and security even beyond the business. 

Haha i know what you mean by the either way comment.

chickenlicken09

Is powerpoint still the go to software for presenting slides to an audience?

Are there any other tools that you would recommend? I had seen Prezi recommended but have not tried it.

LisaPlaggemier

@LonerVamp I actually had no idea that was on YouTube!  Thanks for letting me know.   Would be interested to know if you watched it and what you thought.

@eddo1 As far as making security training engaging, I'm a big fan of campaigns that are entertaining or funny and maybe even not obviously about security at the outset - just to get people's attention.  People are super busy, bombarded with messages, social media, email, etc. all day...we need to make our message stand out and pull people in.  I'm not a big fan of using scare-tactics because even though that can get people's attention in the short-term, it's not sustainable.  It doesn't make people want tune in for more.

I also think segmenting your audience is important.  There are people that are inherently interested in security so awareness content for them should be different from content for people who don't care.  At the end of the day, the "people who don't care" demographic is really our target audience, right?  It's about engaging them.

Thoughts?

LisaPlaggemier

eddo1 said:

Is powerpoint still the go to software for presenting slides to an audience?

Are there any other tools that you would recommend? I had seen Prezi recommended but have not tried it.

I've had people tell me Prezi makes them motion sick.  I don't disagree.  If you use it, don't get out of control with it.  It can definitely make you seasick if it's too fast and uses too much motion.

I've also seen PowerPoint animation that looks super slick.  This agency does PPT animation that you won't believe is PPT:  https://modicum.agency/services-events-presentations/    Even if you don't have budget, it's cool to look at the samples on their site for inspiration.

I also recommend Garr Reynolds' books on creating awesome presentations.  https://www.presentationzen.com/

Remember, people can read your slides or listen to you, they can't do both at the same time!  Keep text to a minimum.

JDMurray

How do you reach people who have a negative reaction to anything security, usually because the idea that they are being purposely targeted to be scammed, robbed, or taken advantage of in some other way is a very fearful thing to them? 

LisaPlaggemier

JDMurray said:

How do you reach people who have a negative reaction to anything security, usually because the idea that they are being purposely targeted to be scammed, robbed, or taken advantage of in some other way is a very fearful thing to them? 

@JDMurray What I find really interesting about your question is the idea that people tune out security stuff because it's scary, yet so much of the communications out there try to use fear as a motivator.  Seems like a losing proposition, doesn't it?  I like using humor, or at least keeping it light-hearted. Think about the best teachers or professors you had in your life - I had one that was so interesting and entertaining, you didn't even realize how much you were learning until you got to the exam and it seemed so easy.  It's a high bar; that's why I think we need more soft-skilled people and creatives in security.  Or we should at least find ways to leverage people with those skills to help with our programs.

FluffyBunny

LonerVamp said:

No joke, a talk from Lisa on YouTube was one of the things I had in mind in my first post! I had originally planned to mention talks from SANS or Defcon on security  awareness, but couldn't find what I had seen. Then I recognized that name!

It could be that I'm easily amused, but Pavel had me crying That acting's right up my alley! "I vill pray for your soul..."

Wonder if @LisaPlaggemier has any more of those stickers lying around.

Lisa, your take-aways from the DYDN campaign are very interesting. The one about the viewers who had never completed security trainings could tie in with JDMurray's comment about people sticking their heads in the sand. Perhaps it's not that they didn't care, it's that they couldn't deal with the potential of them being targeted. 

LisaPlaggemier

@FluffyBunny Could be!  Maybe the fact that they were more compelled to watch Pavel than to take CBT's says something about the state of most CBT's...<yawn>

I actually do have leftover stickers...If anyone wants one, send your snail mail address to me at Lisa.Plaggemier@infosecinstitute.com.

One of my big projects in the next few months will be working with the agency that did DYDN to create a video series for our clients.  I'm so excited; it's going to be a blast.  I really enjoy making security this much fun for people.  When people tune in because they want to see the next episode, and you get them to engage with security in a positive way, it's awesome.  You're no longer the Dept of No - you're that clever & fun department that they want to engage with.  

The agency that scripted, cast, and filmed Pavel is super talented...the director also directed the "Imported from Detroit" Chrysler commercials from the Super Bowl a few years' ago, and the script writer was the guy who wrote the "New Old Spice" campaign when it first ran.  Why shouldn't we have super talented creative folks helping us solve the problems of security?  At the end of the day, it's more important than selling cars or after shave, right?

FluffyBunny

LisaPlaggemier said:

One of my big projects in the next few months will be working with the agency that did DYDN to create a video series for our clients.  

Is that a series of videos new clients could sign up for? I'm in the EU so pitching non-native language training materials can be iffy, but it's certainly worth a shot. 

LisaPlaggemier

@FluffyBunny Yes, for our clients, and they'll be in English for now but maybe we should look at subtitling.  I'll keep that in mind while we're writing scripts; the humor would have to translate well.

I've seen some really well-done videos by Airbus that didn't use any script at all - just visuals - so they completely avoided the translation problem.  That'll be the next series I'll want to do after this first set.  I'd love to meet the challenge of producing something truly global.