You are not your target audience

I have a confession to make. I really, really like banjos. In particular, I am a huge fan of Bela Fleck. Man, that guy can play! And when songs with banjos become popular (like Coleman Hell’s “2 Heads”) I feel particularly happy that people are enjoying an instrument that often gets dismissed. So, I will tell you what I’ll do. …

Stop obsessing over your awareness programme

Your audience needs to be focused on your awareness messages, but your focus needs to be on something far more important than your message. Writers in Obscurity I have a couple of author friends who are working hard on their novels, but they are frustrated that they are not achieving the success they dreamt of. When I talked to them …

Should We Forget about Security Training?

Every once in a while, I run across articles like The Register’s “Forget security training, it’s never going to solve Layer 8 (aka people)” and I feel like I need to address this sentiment. There are a handful of misconceptions about security awareness, and this is a big one. Dave Aitel famously presented a case in 2012 to stop offering security …

A new frontier of insider threats: malware that infects a person’s mind

Don’t let this evil barber cause you to tear your hair out! Samson, a supernaturally strong man in the Bible, was betrayed by his girlfriend, Delilah, who was paid by Samson’s enemies to learn the secret of his strength and find a way to defeat him. After much nagging, Samson finally is coerced into revealing his secret: he must never …

Security awareness material that inspires action

Security Awareness Programmes are wonderful. Managers wonder why people fail password audits, Awareness Trainers wonder why they have to constantly remind people not to reuse their passwords for different accounts, and the average person wonders why they have to sit through yet another presentation telling them to craft unique passwords for each account. The information in a typical Security Awareness …

The most controversial tip I can give you

Sometimes the best way to get to the truth is to lie. Early in my teaching career, a mentor provided me with what I consider to be the best advice of my teaching career: Lie. If a student is having trouble understanding a concept using standard methods, tell them a lie that they will accept. Then, once they have accepted …

Most awareness programs overlook this highly impactful activity

I was startled by a fact in the 2014 Ponemon Research Institute and Security Innovation study. Few respondents reported customizing their awareness materials to the Finance department (only 10% did). But 66% customized their material for the IT department! This means that the effort to customize was limited to a small segment of the organization. This is a large overlooked area! Customizing to …

Make your own phishing campaign on the cheap with no programming skills needed

An important part of any security awareness programme is being able to test how effective phishing training is. Tracking simulated phishing When performing phishing simulations, you need some way of tracking the actions of your users. Tracking good actions tends to be easy, because it depends on the user proactively reporting the incident to a central desk. Tracking bad actions can be tricky. You need …

Why are your users failing to comply with policies?

One of the big frustrations for those who deliver security awareness programmes is the lack of compliance after training. Usually just a few problems In my experience, there tends to be a single policy or a small set of policies that “everyone hates”. Users devise methods, sometimes complex ones, to circumvent the policy for one reason or another. When this happens, …

Make your awareness material seem relevant to anybody

An organization’s security awareness programme tends to be focused on the policies and controls put in place by the organization. It’s very difficult for this type of material to be anything but dry. What’s worse is that the impact on the individual can be lost. And, without impact, awareness is just noise. If someone does not feel threatened, there is no sense of …