
There is no such thing as a stupid user


Vicki Gavin, cyber-security business partner at NHS England, explains why cyber-security awareness training doesn’t always deliver on its promise.

“Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing it is stupid.” – Albert Einstein

To be successful as a security professional we must understand the business we support and be able to communicate with the people in it in language they understand, without resorting to jargon and three-letter acronyms (TLAs).

While a common language might simplify communication, all that is really needed is a desire to learn and a genuine wish to understand each other.

Often, when we communicate with the businesses we support, there is a serious disconnect. One of the key drivers of this disconnect is the “stupid user” mentality.

All too often we, as security professionals, forget that we were not born with security knowledge and skills; we learned them over the course of our careers. The extrapolation follows: if a security professional can learn these concepts, so can everyone in the business they support.

So, if we were not born as security professionals, and we can agree that no one is, then information and cyber-security is a learned discipline. Anyone with the desire to learn, given the right education, can understand security. Intuitively, we all know this.

So why do our users still not understand and internalise the awareness materials we prepare for them?

Interestingly, there is evidence that one group is particularly effective at communicating with our business folk: the cyber-criminals. Their phishing campaigns succeed while our awareness training fails. What are the criminals doing that we are not?

Typically, successful phishing emails are focused, rewarding, interactive and clever.  If we analyse a typical phishing email we find that:

  • They always offer the recipient some kind of reward. 
  • They are focused. They have only one objective – click that link. 
  • They vary their approach. They don’t just try once, with one sales pitch. 
  • They require the recipient to take action to get to the prize. 
  • They are very clever and engaging. 

Our corporate cyber-training, on the other hand, is nowhere near as appealing. Our annual eLearning can often be described as required, wholesome, familiar and repetitive.

Analysing corporate eLearning in the same way, we find:

  • There is usually a penalty for failing to complete the training and rarely anything in it for participants. In other words, there is not much of an incentive.
  • It generally covers every aspect of security policy, from setting passwords to locking up laptops while travelling, and then we are surprised that learners cannot take it all in.
  • Staff are required to complete the same online e-learning year after year. As the saying goes (usually attributed to Einstein), doing the same thing over and over and expecting a different outcome is the definition of insanity.
  • The material is rarely engaging. Individuals are usually asked to read case study after case study and answer obvious questions.
  • The whole experience is as dull as dishwater, which ensures learners will have trouble taking in and remembering this important information.

I am not sure why we assume that security professionals will be natural educators; no one is. Just like security professionals, educators are not born: they spend many years learning their craft. Fortunately, theirs is also a learnable skill, and one that security professionals must master.

At a very high level, being a good educator boils down to being a good communicator.

To design a good learning experience, or at least one as appealing as a phishing email, think DOVE-C: Desirable, One objective, Variety, Engaging, Compelling. Ensure your education and awareness activities tick all the boxes below.

  • Make it Desirable: Adults learn because they want to, not because they have to. Make it rewarding and make sure learners can answer the question “What’s in it for me?”.
  • Focus on One objective: Provide information in small bites, at the learner’s pace. Reinforce learning and focus on a single concept. Avoid the scattergun approach, and remember that a new habit takes weeks, not days, to embed.
  • Variety is the spice of life: Vary the message and the method; we all learn differently. Make sure training engages more than one sense.
  • Engaging: Involve the learner, make them think and provide immediate feedback. Make it a “lean in” experience. We all remember better when learning is fun and active.
  • Compelling: Think theatre and drama. Make it interesting and exciting; tell a story. Think oral histories and ghost stories.

When the businesses we support communicate with us, we often fail to take on board the details and imperatives of the business decisions they are making. We then design protocols and provide support that are not fit for purpose.

As security professionals, we often make the mistake of assuming that the need for security trumps all other considerations, but this is rarely the case. Our job is to support business decisions by working out how to do things sustainably and securely: working in partnership with the businesses we support and ensuring that both the risks and the rewards are understood and accounted for when making changes.

Vicki Gavin is a cyber-security business partner at NHS England and a member of the Advisory Council of International Cyber Expo, which takes place at London Olympia on 26 and 27 September 2023.

Main image courtesy of iStockPhoto.com

Winston House, 3rd Floor, Units 306-309, 2-4 Dollis Park, London, N3 1HF

23-29 Hendon Lane, London, N3 1RT

020 8349 4363

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543