Mandatory Annual Security Training Is Not Going To Save You
Very recently we discussed our thoughts about cybersecurity training. TL;DR: training people to not do something is ineffective (hello Adam & Eve!), and annual security training is not keeping up with current threats; what it does do reliably is shift liability from managers to employees.

Annual cybersecurity compliance training is kind of like managers using a Princess Leia approach: "Help us, annual security training, you're our only hope."

Some key points about training in general are worth considering before you mandate annual cybersecurity training.

First, every training regimen targets one (or more) of three aspects of the human psyche: affect (how we feel emotionally about things), behavior (what we do), or cognition (what we know). Call them A, B, and C.

Let's review: Does your cybersecurity training try to make your employees hate cyberattacks? Do you want your employees to do something about cyberattacks? Is its goal to make people smarter about cyberattacks? 

Consider these aspects in terms of cybersecurity.

Affect: Almost certainly you don't care how people feel about cyberattacks. Thus, training people to "like or hate cyberattacks" is pointless.

Behavior: Nearly as certainly you want employees to do things that constitute good cybersecurity behavior, such as using multifactor authentication (MFA), changing passwords when required, and taking their employee badge or smart card with them when they step away so that sessions are not left open and unlocked with nobody there.

Question for you: what is the base rate right now in your company of people not following these procedures? Oh wait, we got ahead of ourselves: do you have MFA, do you enforce your password policy at the system level (noting that current NIST guidance in SP 800-63B favors screening for compromised passwords over forced periodic rotation), etc.? If the controls don't exist, then training people to "do something" is pointless, because there is nothing for the behavior to attach to.

Cognition: And again nearly as certainly you want employees to understand why you have strong cybersecurity and what you're protecting.

Do they know? Do you know?

Second, all training must be (a) based on a needs analysis and (b) have an evaluative component.

A cybersecurity needs analysis is a systematic, careful review of what systems can be affected by a cyberattack, what processes are in place to deter or detect an incident, and what employees are expected to do or know. It's about the white box: making the protected assets and the protecting controls visible rather than hidden. In our paradigm this is part of the NIST framework. As we constantly state, it's not that employees outside of IT need to become techies; it's that they understand what is being protected and why, and that they understand which cybersecurity processes are being tested and validated, and against what criteria.

A widely used, even if creaky, evaluative rubric in training is the Kirkpatrick model. It has four evaluation levels:

*The first level of a training evaluation is what are known as "smile sheets": did the person like the training? 

*Second comes learning: did the person learn what was intended to be trained? (Presumably you administer a test of some sort). 

*Third comes behavior: did the person do something different after training? This is often measured with a follow-up self-report survey a few months post-training, but self-report is the weakest option; where you can, measure observed behavior instead, such as MFA enrollment rates, unlocked-session findings, or phishing-simulation report and click rates before and after training.

*Fourth, did the training result in a change in outcomes? This is not the same thing as change in individual-level behavior; change in outcomes would be at the unit level and above.

In brief, you evaluate each training aspect you targeted, A or B or C, at each of the Kirkpatrick levels.

Our recommendation:

Training should support and function as an extension of your cybersecurity process. Train people on what good cybersecurity is and why it's important (i.e. treat employees like adults). Create motivation for people to do the secure thing, not only to avoid a bad thing.

When you fly on a commercial airline, before each flight there is a mandatory review of using seat belts, life vests, etc. It's compliance training. It's not safety training per se. By the same token, "don't click on suspicious links" is not bad or wrong direction, but it's compliance training and not cybersecurity training. And it's based on a decades-old model of the cyberattack. Sure, those still happen, but that is not how cybercriminals are adding municipalities, banks, and hospitals to the litany of the hacked today.

Ask us how we can help you calibrate your training to anticipate and address your evolving cybersecurity needs within a white box framework.
