Lessons from Masters of Persuasion: Customization is Key
Category: Best practices, Security awareness
March 6, 2019
Today’s cybercriminals are masters of persuasion. They diligently research your employees’ roles, interests and motivations, and use this information to attempt to manipulate their behavior. Marketers have used this same information to sell you products like soap and cars for years. Depending on factors like your location, employer, hobbies and browsing history, advertisers (and malicious actors) can tailor their messages to your interests — and may ultimately influence your decisions.
As security awareness practitioners, we need to be better than the criminals at influencing our employees’ behavior. Just like today’s digital marketing, customization is key. Tailoring your training and awareness program by employee role, responsibility and access can make it much more effective.
Sound time-consuming? It doesn’t have to be. Regardless of what training platform you use, you can take these steps to get the right training to the right person and be more effective.
Lesson One From a Criminal: Send the Right Phish to the Right Targets
Many security awareness training solutions like Infosec IQ include phishing simulators to teach employees how to detect attacks. Once you’ve completed your first few simulations and benchmarked your organization’s phishing susceptibility, we recommend creating your own templates to mimic the actual threats targeting your users.
For most of our clients, this means sending targeted, customized phishing simulations to employees in different departments, roles and locations. Here’s what this might look like:
- Marketing simulation: Domain expiration notice from your registration service
- Sales simulation: Salesforce account deletion notice from your administrator
- Accounting simulation: Direct deposit account change request from employee
Using a phishing simulator equipped with domain spoofing, typosquatting and reply tracking can help you test your employees using the same tactics leveraged by hackers in the wild.
Lesson Two From a Marketer: Engage With Custom, Layered Content
Most of our clients supplement phishing simulation exercises with continuous, computer-based awareness training. This layered approach lets you address the user knowledge gaps identified during simulations “just in time,” while the lesson is fresh and users are more likely to engage with the message.
Like simulations, it’s important to deliver awareness training modules personalized to your employees’ roles and departments. A secure coding module for your developers, for example, is of no use to your accounting team. And while a one-hour, annual security training for all employees might seem like an easy training solution, it’s probably not the best way to share data destruction best practices with HR.
Infosec IQ clients can customize training content using our role-based training modules, or create their own professional-grade training modules with Infosec IQ’s Publishing Assistant. You can create custom modules to:
- Explain specific threats targeting your organization: Use real-life examples, like an aggressive spearphish that targeted someone in your organization, to create a custom module showing your users how to detect the threat.
- Explain your security policies, not someone else’s: Policies are as unique as the organizations that create them. Your modules should highlight what’s truly important for your environment.
- Leverage Infosec IQ beyond your security organization: Publishing Assistant allows you to create custom modules covering a variety of topics. Covering topics like workplace safety and onboarding can help you forge relationships across your organization, and get even more value from Infosec IQ.
Infosec IQ’s Publishing Assistant includes 55 narrator voices in 27 languages, and also supports SSML tags to help you control narrator pace, volume, emphasis and more.
Lesson Three: Right Training, Right Person, Right Time
Once you’ve customized your training program to employees’ roles and departments, it’s time to determine when and how to deliver the training to employees. We recommend adjusting training difficulty and cadence based on employees’ phishing simulation and training performance, as well as incorporating data from your endpoint protection software. Blocked security events give you real-world input on what your users do and do not understand about security — giving you a good indication of how users will react if a threat slips by your existing controls.
Infosec IQ’s Event-Activated Learning integrates with your endpoint protection software to deliver training exactly at the right time — in the teachable moment. If your endpoint protection software can report on it, you can fully automate training around it. This additional layer of security education can be used to deliver just-in-time training to employees who:
- Attempt to download malware
- Fall victim to phishing
- Execute hostile browser add-ons
- Run macros or other malware-embedded attachments
At Infosec, we’ve learned effective security awareness programs start with engagement. Like all good defenses, effective training and awareness require a layered approach. Layering phishing simulations with personalized awareness training and real-world Event-Activated Learning will help you deliver the right training to the right employees at the right time.