BreachExchange mailing list archives

How long does it take for employees to be security conscious?


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Mon, 26 Oct 2015 19:09:13 -0500

http://www.csoonline.com/article/2995989/security-awareness/how-long-does-it-take-for-employees-to-be-security-conscious.html

The U.S. Postal Service received some frustrating news in early October
from the Office of the Inspector General on the effectiveness of its security
awareness training program
<https://www.uspsoig.gov/sites/default/files/document-library-files/2015/IT-AR-16-001.pdf>.


An internal USPS phishing simulation campaign found that more than 25
percent of the 3,125 employees who were tested clicked on a phony link.
What’s more, 93 percent of the baited employees didn’t report the incident
to the USPS Computer Incident Response Team, according to the report.

The testing came less than a year after a USPS data breach
<http://www.csoonline.com/article/2845325/data-breach/us-postal-service-suffers-breach-of-employee-customer-data.html>
that compromised the personal information of 800,000 employees, as well as
some customers who contacted the government. The November 2014 cyber
intrusion appeared to be caused by a phishing email attack, according to
the report. USPS already had annual security awareness training available
to all employees with network access.

Such discouraging results beg the question: How much security awareness
training is enough before employees actually get it?

Malcolm Gladwell contended that 10,000 hours was the magic number for
achieving mastery of a skill in his book “Outliers,” but who has that kind
of time?

Sports psychologists suggest that motor memory for a new skill can be
achieved with about 15 repetitions, but detecting sophisticated and often
subtle phishing scams is much more complicated than memorizing plays.

“With motor memory skills, perfect practice makes perfect, and every
repetition improves things, but when it comes to changing behavior, such as
trying to keep people from being snookered by phishing scams, it’s a whole
different kettle of fish,” says Dr. Gregg Martin, a cognitive-behavioral
practitioner and a board certified neuropsychologist in Canton, Ohio. “If
you tell a professional something more than two or three times, they tend
to tune you out.”

The answer to how much repetition is needed before employees can
consistently identify phishing scams and other online threats lies
somewhere between once a year and constant reinforcement to the point of
paranoia, according to researchers and security professionals.

*A starting point*

“I wish the answer was ‘five times,’” says Tom Pendergast, chief strategist
for security, privacy and compliance at MediaPro, which provides security
awareness training. “But in reality, it’s more about repeating training and
phishing simulations until you’ve raised the general level of awareness,
and sometimes even paranoia, to where people are really, really looking out
for these [scams].”

For starters, once-a-year security awareness training is probably not
enough, psychologists say. Humans tend to halve their memory of newly
learned knowledge in a matter of days or weeks unless they consciously
review the learned material.

Carnegie Mellon University’s CyLab studied
<http://www.cl.cam.ac.uk/%7Erja14/shb09/downs1.pdf> 500 people who were
sent fake phishing emails one month apart. Those who clicked on the first
email scam were immediately identified and given training on what to look
out for in the future. One month later, the number of people who fell for
the simulated phishing
<http://www.csoonline.com/article/2975807/cyber-attacks-espionage/phishing-is-a-37-million-annual-cost-for-average-large-company.html>
email dropped by 50%. Over three months, the failure rate was cut in half
each time the test was given. The study, conducted in 2009, did not look at
retention beyond three months.

CyLab professor Jason Hong, an author of the study, believes the research
findings still hold true today. “The only thing that’s really new is that
there are a lot more communication channels [besides email.] Now people try
phishing attacks on Facebook or Twitter, but the general theme is still
essentially the same. We haven’t seen any major new innovations in phishing
attacks, other than the attacker may have more information about you.”

While phishing simulation does provide that “Aha!” moment for many
employees, it doesn’t solve all their security awareness issues, says Joe
Ferrara, president and CEO of Wombat Security Technologies. “You have to
follow that up with in-depth education.”

Pendergast recommends starting off by providing security education on a
quarterly basis. Once you determine how many repeat offenders are out
there, then “tailor your phishing exercises to your audience,” Pendergast
says. For instance, if the sales team is shown to be more susceptible to
phishing lures, then send phishing simulations and reminders on a monthly
basis.

He also recommends a quarterly refresh on other security awareness methods.
“Maybe you’ve got a fun video about phishing that you put out in the first
quarter. Then maybe do something on incident reporting in the second
quarter. We know that reporting a phishing incident is just as important as
not replying to them, so IT can identify where the threat is coming from
and go after it,” he adds.

*Employees learn faster with ‘conditions’*
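The cadence Pendergast describes (a quarterly baseline, then monthly simulations for teams that keep clicking, with reporting tracked alongside clicking) can be driven from simulation results. The following is an added illustration, not code from the article or from any vendor named in it; the result records, team names, and the 25% click threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data: one record per employee per simulation round.
# Fields: round number, employee id, team, clicked the lure, reported it.
RESULTS = [
    (1, "e1", "sales", True, False),
    (1, "e2", "sales", True, False),
    (1, "e3", "sales", False, True),
    (1, "e4", "finance", False, True),
    (1, "e5", "finance", True, True),
    (1, "e6", "finance", False, False),
    (2, "e1", "sales", True, False),
    (2, "e2", "sales", False, True),
    (2, "e3", "sales", False, True),
    (2, "e4", "finance", False, True),
    (2, "e5", "finance", False, True),
    (2, "e6", "finance", False, False),
]


def team_rates(results, round_no):
    """Per-team (click rate, report rate) for one simulation round."""
    stats = defaultdict(lambda: {"n": 0, "clicked": 0, "reported": 0})
    for rnd, _emp, team, clicked, reported in results:
        if rnd != round_no:
            continue
        s = stats[team]
        s["n"] += 1
        s["clicked"] += int(clicked)
        s["reported"] += int(reported)
    return {t: (s["clicked"] / s["n"], s["reported"] / s["n"])
            for t, s in stats.items()}


def repeat_clickers(results, min_rounds=2):
    """Employees who clicked in at least min_rounds distinct rounds;
    these are the 'repeat offenders' that get extra reminders."""
    rounds = defaultdict(set)
    for rnd, emp, _team, clicked, _reported in results:
        if clicked:
            rounds[emp].add(rnd)
    return sorted(e for e, r in rounds.items() if len(r) >= min_rounds)


def recommend_cadence(results, round_no, click_threshold=0.25):
    """Monthly simulations for teams at or above the click threshold
    (assumed 25%), quarterly for the rest."""
    return {t: ("monthly" if click >= click_threshold else "quarterly")
            for t, (click, _rep) in team_rates(results, round_no).items()}
```

The report rate is kept next to the click rate deliberately: a team that neither clicks nor reports has not necessarily learned anything, it may simply have ignored the message.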

Famous American psychologist B.F. Skinner taught mice how to push a lever
in a single try – when the lever dispensed food. He called it a
“conditional relationship.” Companies use that same psychology today to
reward employees who detect and report phishing scams, or sometimes even to
penalize them for phishing blunders.

One company that is looking to drive down phishing incidents to below 1%
has gone as far as to tie phishing failures into its compensation system,
Ferrara says, referring to a customer. “When people do fall for the
simulated attacks, they are actually looking at it as part of the
methodology in their bonus formula,” he says.

Rewards (even small ones) are more common for employees who can detect real
phishing scams. At safety science company UL LLC, when employees detect and
report a phishing scam the security team gives them validation by sending
them a thank-you note and copying their supervisors, the head of the
business unit and occasionally the CEO. “That goes a long way,” says Steve
Wenc, senior vice president and chief risk officer.

Insurance provider XL Group created several videos around protecting
company information, including from phishing scams, and issued a challenge
to employees -- for every view of the video, the company would donate a
dollar to Doctors Without Borders, an international medical humanitarian
organization that provides aid in nearly 70 countries. The campaign
exceeded its goal of 10,000 views, raising $10,000 for the organization.

Human nature is tough to change, and the constant threat of cyber attacks
will keep security awareness training on companies’ agendas, but how often
to train and test will depend on the desired results, Ferrara says.

“It’s a constant battle,” Ferrara says. “Just like anything else, nothing
is 100%, but you’re always trying to reduce your risk.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 