The Trouble if Security Awareness Training Is Mainly a Penalty

Every technology leader wants a security-aware, cyber-savvy enterprise culture. But what does that mean and how can we get there? There is an ongoing debate regarding security awareness training techniques, engagement and overall effectiveness. Let’s explore.

by / June 2, 2017

Creating an enterprisewide “culture of security” is almost always listed as a top priority for experienced security and technology leaders in the public and private sectors.

Back in early 2007, when I was Michigan’s chief information security officer (CISO), I remember being interviewed by Bill Jackson at Government Computer News (GCN) about a long list of security topics. The article was titled Culture of Security, based on my final answer. Here is how the interview ends:

GCN: What's the biggest challenge left? 

LOHRMANN: Continuing to work on the culture, to help people understand how important security is at an individual level. ... Helping people understand the impact of their actions, I think that's the biggest challenge. 

Fast-forward more than a decade, and I believe transforming the security culture remains our greatest challenge as we head toward 2020. But how can we get to this elusive “culture of security” while balancing the cost, benefits and many other business priorities we face? As we think about people, processes and technology, what can we do to enable people and reduce risk over time?

Can “Just in Time” Training Help?

One answer that I am seeing and hearing more about is “just in time” training (or just-in-time learning). According to ShifteLearning.com, there are many practical examples and benefits of just-in-time learning:

“It is walking down to the desk of a more experienced co-worker to ask for a solution when you get stuck on a project. It is looking up Wikipedia when you come across a novel concept during your browsing sessions. It is calling up mom when you want advice on a recipe.

Just-in-time learning is having access to knowledge just when you need it. It is not having to wait till the public library opens or you can catch hold of a subject matter expert.

The concept has its origins in the world of manufacturing. In the manufacturing industry, efforts are made to lessen inventory costs and reduce wastage by perfectly synchronizing the manufacturing and distribution of products to the exact time when these are needed.” 

The article goes on to list many benefits of just-in-time learning, such as how it enhances worker productivity and speeds up the learning process.

Taking the “just in time” concept further, several companies are advocating the use of these techniques for enterprise security awareness training. The general concept that I am seeing is to provide very basic, compliance-focused training for the majority of people, and to enforce much more specific training for the select few identified as needing it most because they violated a security policy or did something inappropriate, such as clicking on a simulated phishing link.

For example, Bay Dynamics promotes its just-in-time security training, which offers:

  • Identification of non-malicious users and repeat violators based on behavior
  • The ability to automatically sign up non-malicious users and repeat violators for brief policy specific training such as PII handling, phishing, and more
  • Attestation of completion and post-training behavior is tracked and can be reported on in Security Awareness dashboards

In this article from Dark Reading in 2016, Tom Pendergast elaborates on this trend further:  

“The first time Joe Employee saves a document to an unapproved cloud storage site (for example), he gets a system-generated pop-up that directs him to company policy on the use of cloud storage. Problem solved, 70% of the time — but not always.

So the next time he does it, the system provides a two-minute video on the problems with unapproved cloud usage. More improvement. But, Joe is among the 5% who still don’t get it, so when he does it again the system enrolls him in a required 15-minute training course on Acceptable Use policies. …

Can we “tune” UBA systems to identify these kinds of triggers? I believe we can. Pair these risk triggers with a flexible deployment of just-in-time training and you’ve created “lane assistance” warnings for information security, with the added benefit of only training those who need it and not wasting the time of those who don’t.” 

Other companies are now offering related “education triggers” or “teachable moments” that are targeted at those who violate security policy or need the training the most because they do something wrong. These approaches claim to identify the bad apples, focus training on them (and, where necessary, remove them), and concentrate on those in the organization who, despite being non-malicious, pose the greatest risk.

Several security leaders I have spoken to were (at least initially) attracted to this approach, since it cuts down on employee time required for security awareness training for the masses. I have heard the argument, “If I can focus on a select few troublemakers, and minimize the training for 98 percent of the employees, I can save time and money.”

Who can argue with the concept of learning just what you need to know at the exact right moment?

Not So Fast: Some Problems With Just-in-Time Security Training

But other industry leaders are not in favor of this “just in time” security training approach. They say this practice is like watering down the soup at your favorite restaurant. Yes, it may produce an immediate cost-saving benefit, but is it being penny wise and pound foolish in the end? They insist: With technology and threats moving so fast, don’t all staff need constantly refreshed, relevant, focused security awareness training?

This blog from Info Security Magazine offers another specific contrarian argument. Kai Roer, founder and CEO of CLTRe, writes, "Blaming people for not handling poor technology correctly is — in my opinion — simply wrong."

While there are certainly some benefits to fear-based (or carrot-stick-based) approaches that send you off to training if you fail, others ask where the carrot is for staff in this model. Most parents understand the need for a mix of rewards and punishments, but this is all about punishments.

An article from Fast Company Magazine, while not specifically about training, points out five myths about changing behavior. Here are two:

       Myth: Crisis is a powerful impetus for change.

       Reality: Ninety percent of patients who’ve had coronary bypasses don’t sustain changes in the unhealthy lifestyles that worsen their severe heart disease and greatly threaten their lives.

       Myth: Change is motivated by fear.

       Reality: It’s too easy for people to go into denial of the bad things that might happen to them. Compelling, positive visions of the future are a much stronger inspiration for change.

Other training experts I have spoken with say that fear can certainly help, if done in the appropriate balance with rewards. They have seen the classic “carrot and stick” approach work well in security training.

One well known CISO I spoke with (who wants to remain anonymous for this piece) is fine with just-in-time security training as a supplement. However, he has also seen examples of where it is being overused to penalize staff. This expert said, “They even lock staff out of some corporate networks until they complete training. They can’t do their jobs. The security team is viewed as the Network Nazis who shut down system access. Not good.”

My View on Just-in-Time Security Training

Back in 2014, I wrote this article on how to change the security culture in government. Of course, training is only one piece. The most important thing senior leaders must do is lead from the front. Second, all leaders must constantly communicate the vision for excellence, the process for getting there and the sense of urgency necessary by all.

I also pointed to this fascinating research on what motivates us at work beyond carrots and sticks. If you haven’t seen this before, I urge you to watch the video.

Spoiler Alert: For those of you who don’t want to watch the YouTube video, the main points are that research shows that what best motivates us is a sense of purpose in work, self-direction and mastery of a subject.

Or, in other terms, we need to offer compelling content that is intriguing and teaches people what they don’t already know about security in sticky ways, in order to change behaviors and motivate people.

Content is still king, and I also believe that brief, frequent and focused content works best with gamification or game-based learning. I have even suggested to CSO Magazine that we need to make security awareness training more about culture change with a potential name change.

And while I do think that “just in time” security training may be able to help select organizations in a very limited context (as a supplemental approach), I have a more fundamental concern with this trend, if it is front and center.

I worry that organizations that deploy this approach are making security training a penalty. In the extreme, security organizations can even send the message: “Only the ‘bad’ people (the policy violators, those who click on test phish or others who do something wrong) need to go to security awareness training.” The implied carrot becomes not having to take the security training.

Over months and years, a culture could develop where security awareness training is a punishment for the select few, like being sent to detention at school or writing phrases on the chalkboard multiple times. The message to staff: you don’t want to be one of “those people” who need security awareness training. With memories of ridicule in elementary school, the majority of staff have the goal of “not screwing up or not getting caught.”

Beyond views of the awareness training, the security team’s reputation can suffer. In this type of enterprise culture, the security team members are the bad guys — or “Dr. No” who might pull you over or get you fired. My blog followers are familiar with the seven reasons that security pros fail — and what you can do about it. Bottom line: You DON’T WANT TO GO THERE!

I was one of the first security pros to say: Be a security enabler — not a disabler. However, I learned this lesson the hard way, after I was almost fired for opposing WiFi deployments in my earlier days as Michigan CISO. Nevertheless, that negative experience set our team on a new course that won us awards for our WiFi implementation and our overall cybersecurity program. We saw the powerful role that each employee must play in protecting the enterprise from cyberthreats.

In a healthy security culture, all front-line staff are proactively well trained on information and physical security, know what to do (and not do), where to report incidents, when to ask for help, who to contact and how to work together effectively. Staff have a good relationship with the security team — because the cyberpros are helpful. There is not an “us vs. them” problem.

The meaningful, customized security content is constantly updated in positive ways to meet the culture. Understanding risk (by all) in various scenarios is an important component of this overall security relationship. The security awareness training is a positive bridge to start meaningful conversations to enhance business projects, integrate streamlined processes and apply appropriate technology.

When pressed, one well known security luminary friend of mine asked: “How can tech-savvy companies encourage employee mistakes to become more innovative, offer training on failing fast and still use this approach of forcing security training mainly on those who screw up?” He went even further and commented: “The unspoken message to staff will be to hide mistakes and not report them.”

Final Thoughts

I recognize that some in the security industry will disagree with me on this blog. But I hope we can agree on this: We need to be passionately building (or rebuilding) enterprise cultures that put security at the top of the priority list.

We need innovative companies and government organizations that have healthy cybersecurity practices. The security teams must be enablers of positive change. I often hear staff say, “Teach me things I don’t already know.”

No doubt, fear must occasionally be a part of the training menu, but it must be an appetizer and not the main course. Yes, there are bad apples in organizations that need to be disciplined or removed, but spend more time with the good apples.

Just as model parents and teachers train their children by demonstrating, encouraging, motivating and challenging in fun, positive ways, much more than disciplining them, we must do the same to build healthy security cultures that endure. We want the staff to say “thank you!” They will, if we offer helpful security lessons that are intriguing, thoughtful and memorable.

And please don’t make end-user security awareness training mainly a punishment for doing something wrong.