Community Manager at Infosec!
Who we are | What we do
Everyone else is doing it! Social Proof Security Awareness

https://elevatesecurity.com/social-proof-superpower/
I came across this super interesting article about applying peer pressure to your security awareness program. I think if it's done correctly, it could be extremely effective! I mean, I sure wouldn't want to know that everyone else is more educated than I am! What do you think about comparing your users to the rest of the company?
Comments
We have security awareness weeks where we make it a fun competition, so the different groups can compete. But really only from a positive standpoint; there isn't shaming of the people who don't do as well. Now, within each team I think they can see points, so if someone gets a bunch of negatives for failing phishing tests during the game window, someone on their team might see that and say something.
Of course we still did annual compliance training, but taking a risk-based approach is easier for the business to get their heads around.
Phishing University is a small-group, hands-on interactive phishing training that we make mandatory for those who click two times in a specified period. First they have to go through a recap of the "how to identify phishing" basics. Then we give them iPads and they go on the web, research a company, and build a custom phish message based on their findings. You can see people's faces light up when they realize how easy it is to find info on random top executives and craft hooks based on that. This has been wildly successful, and some people even voluntarily go through the program.
On the "negative" side we also implemented a repeat offenders program. We have left the door open to serious consequences up to and including termination, but like Lisa said, so far most people who made it through get the message after HR has a friendly talk with them.
The only thing we really haven't ironed out yet is the HR side; they like to be very hands-off, so tying almost anything to any sort of consequence is really difficult here.
Security Engineer/Analyst/Geek, Red & Blue Teams
OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
I will say, it was very refreshing to see the number of tickets that would come in when we would send out a phish, though! It felt like the talk of the town for a few days, which was obviously a great sign.