The following methodologies address the previous concerns and when properly implemented can reduce user risk to nearly 0%.
* These methodologies were developed as part of the PeopleSecNextGen Human Firewall solution and are being released as part of the HumanSAMM project.
These are just a few of the things you can and should be measuring…
User phish click behavior – Should track historical click rates to look for trends
Did the user watch the training video? How much of the video did the user watch?
Did the user open the phishes? Did the user open the educational emails?
How long does it take for the user to relapse or forget their training?
What was the cumulative risk of that user each month?
How many months has the user spent as Low, Medium and High risk?
What was the cumulative difficulty of the phishes sent during the attack emulations this month compared to the previous month?
What types of phishes is the user most susceptible to?
Adjust Accordingly (Mass Customization)
Security Awareness Training & Education (SATE) programs should customize training frequency, content and attack simulations to the individual needs of each user.
For example: Most people in this room would be classified as “Low Risk” users. Why should a SATE program waste the time of “Low Risk” users on needless training? Alternatively, high risk users tend to need so much education that the impact on human resources would be cost prohibitive without “Mass Customization”.
Train according to need and escalate frequency for user training and testing as needed.
Change the tone of training materials based on user risk (higher risk == more aggressive)
Only send high difficulty phishes and spear phishes to low risk users.
Pre-emptively increase attack simulation and education frequency based on previously observed user retention rate
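The metrics listed above and the “adjust accordingly” rules that follow are easier to reason about once they are computed over actual event data. The script below is an added example, not part of the PeopleSecNextGen or HumanSAMM material: it takes constructed phish and training events for one user, builds a monthly scorecard (click rate, average phish difficulty, cumulative risk and Low/Medium/High tier), counts months spent in each tier, measures how many days passed between the last fully watched training and the next click (the relapse metric), and then picks a training cadence and phish difficulty from the latest tier. The event fields, the click weighting, the tier cut-offs and the cadence table are all assumptions chosen for illustration.

```python
# Per-user phishing risk scorecard. Added example, not part of the
# PeopleSecNextGen / HumanSAMM material: the event fields, click weights,
# tier cut-offs and cadence table are assumptions chosen to illustrate the
# page's metrics and "adjust accordingly" rules.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

MAX_DIFFICULTY = 5
# Assumed cut-offs on the monthly risk score (highest threshold reached wins).
TIER_THRESHOLDS = {"Low": 0.0, "Medium": 2.0, "High": 5.0}
# Assumed mass-customization rules keyed on the latest month's tier.
CADENCE = {
    "Low": {"training_frequency": "quarterly", "phish_difficulty": "high only"},
    "Medium": {"training_frequency": "monthly", "phish_difficulty": "mixed"},
    "High": {"training_frequency": "weekly", "phish_difficulty": "mixed"},
}

@dataclass(frozen=True)
class PhishEvent:
    user: str
    day: date
    difficulty: int  # 1 = easily identifiable mass phish ... 5 = complex spear phish
    clicked: bool

@dataclass(frozen=True)
class TrainingEvent:
    user: str
    day: date
    fraction_watched: float  # share of the micro-training video watched, 0.0..1.0

def tier_for(score):
    tier = "Low"
    for name, threshold in TIER_THRESHOLDS.items():
        if score >= threshold:
            tier = name
    return tier

def monthly_scorecard(user, phishes, trainings):
    """Return {(year, month): metrics} for one user, keys in chronological order."""
    acc = defaultdict(lambda: {"sent": 0, "clicked": 0, "difficulty_sum": 0,
                               "click_risk": 0, "training_credit": 0.0})
    for p in phishes:
        if p.user != user:
            continue
        m = acc[(p.day.year, p.day.month)]
        m["sent"] += 1
        m["difficulty_sum"] += p.difficulty
        if p.clicked:  # assumed weighting: clicking an easy phish costs more
            m["clicked"] += 1
            m["click_risk"] += MAX_DIFFICULTY + 1 - p.difficulty
    for t in trainings:
        if t.user == user:
            acc[(t.day.year, t.day.month)]["training_credit"] += t.fraction_watched
    rows = {}
    for key in sorted(acc):
        m = acc[key]
        risk = max(0.0, m["click_risk"] - m["training_credit"])
        rows[key] = {
            "click_rate": m["clicked"] / m["sent"] if m["sent"] else 0.0,
            "avg_difficulty": m["difficulty_sum"] / m["sent"] if m["sent"] else 0.0,
            "risk": risk, "tier": tier_for(risk),
        }
    return rows

def months_per_tier(rows):
    counts = {name: 0 for name in TIER_THRESHOLDS}
    for r in rows.values():
        counts[r["tier"]] += 1
    return counts

def relapse_days(user, phishes, trainings):
    """Days from the last fully watched training to the next click, else None."""
    events = sorted((e for e in [*phishes, *trainings] if e.user == user),
                    key=lambda e: e.day)
    last_full_training = None
    for e in events:
        if isinstance(e, TrainingEvent) and e.fraction_watched >= 1.0:
            last_full_training = e.day
        elif isinstance(e, PhishEvent) and e.clicked and last_full_training:
            return (e.day - last_full_training).days
    return None

def recommend(rows):
    """Pick training cadence and phish difficulty from the latest month's tier."""
    plan = dict(CADENCE[rows[max(rows)]["tier"]])
    plan["escalate_to_hr"] = months_per_tier(rows)["High"] >= 3  # page: 3+ months high
    return plan

# Constructed sample data: one user, three months, improving over time.
PHISHES = [
    PhishEvent("alice", date(2024, 1, 10), 1, True),
    PhishEvent("alice", date(2024, 1, 20), 2, True),
    PhishEvent("alice", date(2024, 2, 12), 3, True),
    PhishEvent("alice", date(2024, 2, 25), 4, False),
    PhishEvent("alice", date(2024, 3, 15), 5, False),
]
TRAININGS = [
    TrainingEvent("alice", date(2024, 1, 3), 1.0),
    TrainingEvent("alice", date(2024, 2, 2), 0.5),
    TrainingEvent("alice", date(2024, 3, 1), 1.0),
]

if __name__ == "__main__":
    rows = monthly_scorecard("alice", PHISHES, TRAININGS)
    print(rows, months_per_tier(rows), relapse_days("alice", PHISHES, TRAININGS), recommend(rows))
```

With the sample data the user scores High in January (two easy phishes clicked), Medium in February and Low in March, relapses 7 days after the first fully watched video, and is therefore scheduled for quarterly micro-training with only high difficulty phishes, with no HR escalation since fewer than 3 months were spent at High. Swapping the weights or thresholds changes the tiers, which is exactly the knob a program owner would tune against their own click history.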
High Frequency – “Micro Training”
User attention spans are at an all-time low, and training programs need to join the modern era by keeping training short.
Training should be between 10 seconds and 1 minute
Training should drive home a single point and not cover multiple topics
Training should be offered in multiple formats/styles so the user can engage with the content they prefer.
High Frequency Attack Emulations
Phishing attack emulations against your users are where you get some of your key metrics, and they are the best way to truly understand your risk.
Attack emulations should vary in difficulty and frequency just like real life
Emulations should include:
Complex General Target Phishes
Easily Identifiable Mass Phishes (Nigerian style)
Get creative with these and be proactive with your training. If there is a specific phish hitting your industry then conduct attack emulations of that exact threat before it happens.
Users will be better prepared if/when they do see it
Avoid Dashboard Overload
Users are less likely to log in to a training portal than to open an email.
Phishing is primarily an email-based risk – deliver training content to the user’s inbox
Engage with the user however works best
Do they respond better to a text message?
Do they respond better over the phone?
Do they respond better via email?
Just In Time Training
When the user makes a mistake they are uniquely open to learning at that exact moment. Don’t waste time exploiting users; instead have an emotion-invoking landing page that has a single clear message.
Immediately after the user clicks on a phish, have them automatically sent a message saying “Hey, we saw you clicked on this… here are some tips”
Make those tips specific to the phishing emulation the user received
When they do well you should tell them: send users who didn’t click on phishes a “good job” email.
Let’s face it, technology can only drive risk so low. In order to remediate the incessant clickers you need to make sure the user knows they are being held accountable for their actions.
Pick up the phone and call the user
Conduct high risk user group training
Conduct 1 on 1 high risk user training (as needed)
Get human resources involved
(Any user who spends 3+ months at high risk should face disciplinary actions)
The following are a few competition tips:
Have departments compete against each other for a catered lunch
Award the most secure individuals in the company
Create a leaderboard
Sticks & Carrots
Praise secure users – company wide
Remove any elevated user privileges from high risk users
Don’t let high risk users participate on “Casual Dress” days
Create embarrassing landing pages for high risk phish clickers
Have an “I just clicked on a phish” audio file auto-play
Have a wall of shame where you
Tie yearly bonuses to user security
Insecure users forfeit their bonus
Secure users get an extra bonus
High risk users can be conditioned to become part of the solution by implementing the following: