Mon | Aug 31, 2015 | 4:10 PM PDT

There is no shortage of advice out there about the best ways to shore up your security posture. More and more studies are highlighting the benefits related to employee awareness and training initiatives -- but not all programs deliver the same results. Here are five key questions to ask as you shop for your security education platform:

1. Is it interactive?

Engagement is a critical component of effective education at all ages and all levels of learning. Interactivity leads to engagement, and engaged learners are much more likely to retain knowledge. This is why videos and slideshows cannot deliver the results that interactive, software-based training can.

First and foremost, think about the learning activities that keep you engaged. Personally, I have enough trouble staying awake through Hollywood blockbusters, let alone check-the-box, compliance-related videos that rank somewhere between "Yawn-Inducing" and "Total Snoozefest." A training tool that forces me to connect, think, and take action is far more likely to hold my attention and stick with me.

2. Does it use Flash?

Just about everyone knows Adobe Flash...because Adobe Flash is in just about everything. OK, a bit of an exaggeration, but it's a widely used piece of software, particularly in video-based applications on the web. Unfortunately, the proliferation of Flash as a browser plug-in has made it a major target for attackers -- and it is not holding up to the pressure.

According to a recent Bromium report, Flash was at the root of more exploits than any other popular software during the first six months of 2015. Information security professionals certainly recognize the threat: 90% of those surveyed by Bromium said their organization would be more secure if the plug-in were disabled. There is even a public movement to "rid the world of the Flash Player plug-in."

"Flash will never be secure," said Jeff Smith, Information Security Officer for Wombat Security. "There is very little money spent on testing it, and one of its primary risks is that it utilizes many other technologies within web browsers. So if Flash has permission to jump technologies and an exploit is written for it, the exploit has the same free rein in the browser to do bad things."

Unfortunately, disabling Flash is not necessarily easy (41% of organizations involved in the Bromium survey said that turning off Flash would disrupt productivity and even "break" critical applications). So if you can't turn it off, you should avoid it whenever possible. You certainly don't want to be in the ironic position of using a security awareness and training program that makes your organization more vulnerable to attack. Before you buy, ask the vendor directly whether any module still depends on the plug-in, and verify it yourself: load a sample module in a browser with Flash disabled and see whether it still plays.
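One way to verify a vendor's answer is to inspect the markup of a training module for the ways Flash is embedded in a page. The script below is an added example written for this post; it is not Wombat's code and not part of the original article. It uses only the Python standard library, the standard Flash MIME type and the Flash Player ActiveX CLSID, and runs against a constructed HTML sample (the page content, file names and the `swfobject.js` reference are made up for illustration).

```python
"""Scan HTML for Adobe Flash embed patterns (added example, not Wombat's code)."""
from html.parser import HTMLParser

# MIME type Flash content is served with, and the CLSID of the Flash Player
# ActiveX control that IE-era pages reference in <object classid="...">.
FLASH_MIME = "application/x-shockwave-flash"
FLASH_CLSID = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"


def _is_swf(url):
    """True if a URL (ignoring any query string) points at a .swf file."""
    return url.lower().split("?", 1)[0].endswith(".swf")


class FlashFinder(HTMLParser):
    """Collect (tag, reference) pairs for every Flash embed found in the page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser gives None for valueless attributes; normalise to "".
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            if a.get("type", "").lower() == FLASH_MIME or a.get("classid", "").lower() == FLASH_CLSID:
                self.findings.append(("object", a.get("data") or a.get("classid")))
        elif tag == "embed":
            if a.get("type", "").lower() == FLASH_MIME or _is_swf(a.get("src", "")):
                self.findings.append(("embed", a.get("src", "")))
        elif tag == "param":
            # <param name="movie" value="x.swf"> inside an <object> block.
            if a.get("name", "").lower() == "movie" and _is_swf(a.get("value", "")):
                self.findings.append(("param", a.get("value", "")))
        elif tag == "script":
            # SWFObject is the common loader library for Flash content.
            if "swfobject" in a.get("src", "").lower():
                self.findings.append(("script", a.get("src", "")))


def find_flash(html):
    """Return a list of (tag, reference) tuples for Flash embeds in the HTML."""
    parser = FlashFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


def uses_flash(html):
    """Convenience wrapper: True if any Flash embed pattern was found."""
    return bool(find_flash(html))


# Constructed sample of a training module page; not a real vendor's markup.
SAMPLE_FLASH_PAGE = """
<html><head>
<script src="/static/js/swfobject.js"></script>
</head><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="800" height="600">
  <param name="movie" value="/modules/phishing101.swf?v=3">
  <embed src="/modules/phishing101.swf" type="application/x-shockwave-flash">
</object>
</body></html>
"""

# Constructed HTML5-only page for comparison.
SAMPLE_HTML5_PAGE = """
<html><body>
<video src="/modules/phishing101.mp4" controls></video>
<script src="/static/js/player.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_flash(SAMPLE_FLASH_PAGE):
        print("Flash embed:", hit)
    print("HTML5 page uses Flash:", uses_flash(SAMPLE_HTML5_PAGE))
```

The check only sees static markup. Content that is injected by JavaScript after page load, or served from a separate player frame, will not show up here, so treat a clean result as a prompt for the browser test above (disable the plug-in and load the module), not as proof.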

3. Can you measure progress?

This, to me, seems like a no-brainer: If you can't establish a baseline and regularly gauge progress, how will you ever be able to tell if your efforts are working? If your program doesn't provide these types of reporting features, it's not as robust as it should be. And don't confuse "training completion" measurements with more actionable analysis. Knowing whether or not someone finished an assignment isn't nearly as helpful as knowing how well they scored and the questions they had trouble with.

Effective measurement tools allow you to separate actual vulnerabilities from perceived vulnerabilities; evaluate understanding of specific topics; track improvements at the organization, department and employee levels; and course correct as necessary to address specific threats. They will also allow you to share improvements with your CEO and Board and justify your budget outlay.

4. Will your efforts reduce risks?

This may seem like an oddball question. After all, awareness and training programs are supposed to reduce risks, right? And they absolutely should. But given the continued debate about whether cybersecurity education is "worth it," it's clear that many programs are not delivering results.

What's also clear is that not all training is equally effective. If an approach is more "get 'er done" than "we've got this," you'll have no trouble checking the compliance box, but you will struggle to create measurable change in employees' behaviors. And if a program's sole focus is on phishing training and simulated attacks, it will do nothing to teach users how to reduce risks associated with issues like poor password management, physical security, and safe use of mobile devices.

If you're looking for a way to estimate your risks and the benefits associated with continuous training, a 2014 study by Aberdeen can help you do just that. Aberdeen used Monte Carlo analysis to quantify risks related to cybersecurity attacks and gauge the potential risk reduction associated with security education. The research revealed that Wombat Security's training methodology can reduce business risk and impact from employees' poor cybersecurity behaviors by up to 60%.

Before engaging with any program, consider whether your provider can deliver those types of results.

5. Can you expect ROI?

As with many business efforts, it comes down to dollars and sense -- i.e., Does it make sense to commit my dollars to this? Many assume that ROI can't be measured for security awareness and training. And without a clear indication of expected return, it can be difficult (if not impossible) to get budget buy-in.

Well, a new Ponemon Institute study has done the math for everyone -- and the results are impressive to say the least. Like the Aberdeen research, Ponemon looked at how Wombat's training could impact the yearly cost of phishing to organizations (which the study placed at $3.77 million for organizations with about 10,000 employees). The results? A 50x one-year ROI on training and $1.8 million in yearly savings.

The bottom line here is that you shouldn't just hope for ROI, you should expect ROI. Not all programs can deliver on that expectation (or on the other points noted in this checklist). Do your research before you commit and ensure that the program you choose will help you achieve your awareness and training goals.