The Problem with IT Security User Education

Most people realize that the user is the best line of defence against hacking, so organizations try to educate their users on defensive techniques. The problem is that the effectiveness of training plummets quickly after the class has ended.

An hour-long slide presentation will be forgotten in a month, even if taught by an expert and compelling educator. People need an opportunity to practice what they have learned, but that is hard to do when things like phishing emails might reach someone once a month. If they fail to respond properly at those infrequent times, they cause an Incident Response headache for the IT department.

Another problem with IT Security User Education is the lack of metrics. An organization can spend a lot of money on an educational initiative and never know if that investment was worthwhile. Test scores immediately after training provide some metrics, but they measure retention only at the moment of training, which is the same problem as the lack of opportunity to practice: they say nothing about how users behave months later. Most organizations want to know if the education was worth it.

But …

  • What if you could provide the opportunity for users to practice what they have learned, not just at training time, but all year?
  • What if you could know how risky your users are with real-time quantified metrics?

SelfPhish

What people need is a ‘live fire’ exercise where they are faced with real phishing emails using real-world techniques. People get to experience the dangers of phishing with none of the risks. Each phishing attempt is tracked and users’ responses recorded and compared to the rest of the company.

You can know:

  • Who needs extra education (or extra protection)?
  • Was the training worth it?
  • How much risk exposure are my users introducing?

Users are trained to:

  • Recognize phishing emails from the most obvious to the most complex
  • Curb the emotions that trigger someone to fall for phishing emails
  • Alert the IT Department when something is wrong
  • Maintain a steady ‘alert state’ for anything ‘phishy’

What makes SelfPhish different?

  • The SelfPhish heuristic algorithms learn where the weaknesses are in a user’s ability to identify a phishing email (users are kept “in the zone” of what they need to learn).
  • Simulated phishing emails are crafted and sent automatically by the system (no need for admins to craft and launch phishing campaigns).
  • When users show competence in identifying and dealing with a certain type of phishing email, SelfPhish adapts and sends different types of phishing simulations to make sure the user is constantly learning.
  • There is nothing like SelfPhish in the market!

Don’t wait for hackers to make the first move: be SelfPhish
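The adaptive mechanism the bullets above describe (record every response to a simulated email, move a user up a difficulty tier once they consistently report at the current one, drop them back when they hand over credentials, and rank users by measured risk) can be sketched in a few dozen lines. The following is an added example written for this page, not SelfPhish's own code: the tier names, the outcome weights, the promotion threshold and the sample responses are all assumptions chosen for illustration.

```python
"""Adaptive phishing-simulation scheduler with per-user risk metrics.

Added example for this article; it is not SelfPhish's code. The tiers,
weights and thresholds below are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from statistics import mean

# Difficulty tiers, easiest first (assumed; the article says "obvious to complex").
LEVELS = ("obvious", "moderate", "targeted")

# How much each recorded response contributes to risk (assumed weights).
RISK_WEIGHT = {"reported": 0.0, "ignored": 0.25, "clicked": 0.75, "submitted": 1.0}

PROMOTE_AFTER = 3         # consecutive reports at a tier before moving up (assumed)
DEMOTE_ON = "submitted"   # entering credentials sends the user down a tier (assumed)


@dataclass
class UserState:
    level: int = 0                                # index into LEVELS
    streak: int = 0                               # consecutive "reported" at this level
    history: list = field(default_factory=list)   # (level, outcome) per simulated email


def record(state: UserState, outcome: str) -> str:
    """Record one simulation result and return the tier for the user's next email."""
    if outcome not in RISK_WEIGHT:
        raise ValueError(f"unknown outcome: {outcome}")
    state.history.append((state.level, outcome))
    if outcome == "reported":
        state.streak += 1
        if state.streak >= PROMOTE_AFTER and state.level < len(LEVELS) - 1:
            state.level += 1          # competence shown: keep the user "in the zone"
            state.streak = 0
    else:
        state.streak = 0              # any failure resets the promotion streak
        if outcome == DEMOTE_ON and state.level > 0:
            state.level -= 1
    return LEVELS[state.level]


def risk_score(state: UserState, window: int = 10) -> float:
    """Mean risk weight over the last `window` simulations (0.0 = always reports)."""
    recent = state.history[-window:]
    return mean(RISK_WEIGHT[o] for _, o in recent) if recent else 0.0


def weakest_tier(state: UserState):
    """Tier with the highest failure rate (where extra education should go), or None."""
    per_tier = {}
    for lvl, outcome in state.history:
        total, failed = per_tier.get(lvl, (0, 0))
        per_tier[lvl] = (total + 1, failed + (outcome != "reported"))
    rates = {lvl: f / t for lvl, (t, f) in per_tier.items() if f}
    return LEVELS[max(rates, key=rates.get)] if rates else None


def rank_users(states: dict) -> list:
    """(name, risk, weakest tier) rows ordered from riskiest to least risky."""
    rows = [(name, risk_score(s), weakest_tier(s)) for name, s in states.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    # Constructed sample: responses from two users over a run of simulations.
    users = {"alice": UserState(), "bob": UserState()}
    for outcome in ["reported", "reported", "reported", "clicked",
                    "reported", "reported", "reported", "ignored"]:
        record(users["alice"], outcome)
    for outcome in ["clicked", "submitted", "reported", "clicked", "submitted"]:
        record(users["bob"], outcome)
    for name, score, weak in rank_users(users):
        print(f"{name:6} risk={score:.2f} weakest={weak} next={LEVELS[users[name].level]}")
```

The ranking answers the page's first question (who needs extra education), the risk score tracked over time answers the second (did training change behaviour), and the per-user tier is what lets the simulation adapt without an administrator launching campaigns by hand.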
