Advanced Persistent Training 2nd Edition

A big thank you to Apress for the second edition of Advanced Persistent Training: Take Your Security Awareness Program to the Next Level! Available in print and ebook. The second edition adds a new chapter on how to bootstrap a security culture with case studies from a large international organisation and a 40-person department. Both were able to experience massive …

Why empathy is so important in awareness training

I'm going to tell you some things

I talk a lot about the importance of empathy when teaching, and there are many reasons for empathy when designing and delivering your security awareness campaign or security culture program. But this comic from The Oatmeal probably sums it up best. Nope, it’s not about security or awareness or culture. It’s about how we, as people, can find it difficult …

BSides Edinburgh

I was delighted to speak at BSides Edinburgh (first BSides in Scotland!) this month. What a great group of people! My talk was “How to get your users to give up sex for a year: Security Cultural Engineering”. Pulling inspiration from new material from the 2nd edition of my book (!), I talk about the ways that organizations have radically …

A Non-Security Awareness Guy Walks Into a Bar

Or, in this case, he walks into the European SANS Security Awareness Summit. I love it when professionals in a particular field take a look at a niche part of their own field. In this case, my colleague Bill Montgomery, from VanityAndSecurity.wordpress.com, attended the SANS event with me when I presented on cognitive bias in communicating risk. Bill’s response was a blog post: …

Go Phish Yourself Turns One!

I can’t believe it has been a year! So much has happened. I started this blog because I was having trouble finding security awareness advice that didn’t come from vendors. The material from vendors is often very high quality but vendors tend to only talk about things that their products can solve. I wanted a blog that talked about the …

Are Your Security Awareness Policies Toothless? Here’s How To Get Your Bite Back

Security policies in general, not just security awareness policies, can suffer from a disease I like to call ‘ginger-vitis’. Management wants to have policies in place, or is forced to put them in place, but it doesn’t want to make life difficult for others or to create conflict. So, they often gingerly omit the section of the policy that defines …

Should you train secure behaviours or teach awareness theory?

Security Awareness Behaviour or Theory?

Lots of teachers, not just security awareness professionals, wrestle with the decision to train a new behaviour with or without teaching the underlying theory. Should we just teach people to lock their workstations when they leave them, or try to convince them of why it is a good idea? When is teaching the behaviour more important than explaining the theory? …

Difficult students won’t be difficult students forever

It is so frustrating, and even a little demoralizing, when you use all your best skills to lay out a new behaviour that you want your users to adopt, and then that one person dismisses you. I’ve been there. Pfff… I’ve prepped a full 30 minute presentation, brought in exciting, eye-catching visuals, the jokes integrated with the material, and the …

Change your security awareness messaging model. And win!

Bad security awareness motivation

Just Doooo Eeeet! No matter how hard they try, many security awareness teams can end up sounding like they are trying to force their colleagues to comply with corporate policies. This is completely understandable, because management expects certain behaviours from people. The most direct way to accomplish this is to tell people what they are supposed to do. You know, just …

Are other departments sinking your phishing awareness?

You work hard to craft your messages and training to get people to recognise and respond appropriately to phishing emails. You research, pilot, purchase, and manage phishing education and phishing simulators to provide the best chance for everyone to internalise the skills and behaviours they need to protect themselves and your organisation. Phishing Torpedo incoming … Then some other department …