PhishMe Blog


Breaking out of the compliance mindset

BY Rohyt Belani IN 7 Principles Critical to Security Awareness Programs, Blog

During my years at Mandiant, I responded to a lot of breaches for a wide variety of organizations. Every breach case had one thing in common – the customer was compliant. While compliance is a requirement for many organizations, compliance does not equal security. I was recently talking to a CISO who has divided his department into two teams – one focused on security and the other focused on compliance. The security team deals with emerging threats to the network, while the compliance team deals with regulations. It’s an interesting strategy, and one that reflects how separate compliance and security…


Use metrics to measure and improve security awareness

BY Scott Greaux IN 7 Principles Critical to Security Awareness Programs, Blog

It’s no secret that data is revolutionizing industries. Baseball managers have applied data to buck century-old beliefs about strategy (think Moneyball), anyone who has ever used Amazon.com knows that data has transformed retail, local law enforcement analyzes data to predict crime, and scientists are even using data to stop the spread of infectious diseases. Most security awareness programs fail to gather metrics. Those that do typically measure inputs instead of outputs. What this means is that many teams are measuring items such as the number of users who complete a CBT course or attended a lunch instead of the number of…


How do you make security awareness engaging?

BY Scott Greaux IN 7 Principles Critical to Security Awareness Programs, Blog

Think back to all of the corporate training you’ve sat through during your career. Chances are (especially if you’ve worked at a large enterprise), that some of that training had little relevance to your job duties. How much knowledge from those courses did you retain? Although you technically completed the training, would you have been able to apply any of the information you were given in real life? For many employees, security awareness training falls into this category. It’s something they probably don’t care about, and that doesn’t help them do their jobs. This is why traditional awareness training has…


Negative reinforcement: How NOT to improve user behavior

BY Rohyt Belani IN Blog

One of the interesting aspects of security awareness training is the intersection of information security with human resources. We know from experience that security practitioners are not always experts in the latter, but what we recently saw from Dave Clemente was a real doozy. Clemente suggested that employees who engage in unsafe IT security behavior (such as clicking on phishing links) be reprimanded and that unsafe behavior should even negatively affect their performance review. To the security part of your mind, it might feel good to punish people for their security sins. We need to remember, however, that the ultimate…


For effective security awareness, keep it focused

BY Rohyt Belani IN 7 Principles Critical to Security Awareness Programs, Blog

In their book “Switch: How to Change Things When Change is Hard,” authors Chip and Dan Heath examine how influencing humans to change requires appealing to two parts of the brain: the rational and the emotional. Since the emotional part of our brain often gets frustrated when asked to make huge changes, Chip and Dan recommend that we “shrink the change” to change behavior in the face of resistance. The Heaths cite financial guru Dave Ramsey’s “Debt Snowball” strategy as an effective example of shrinking the change. For people mired in a mountain of debt, this strategy advocates paying off…


To make training stick, immerse employees

BY Rohyt Belani IN 7 Principles Critical to Security Awareness Programs, Blog

When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training. One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with…
