FREMONT, CA: For a security awareness initiative to succeed, it is not enough merely to provide staff with information; the learning environment itself has to be adjusted so that employees build a faster, more instinctive response to security threats.
There is no shortage of awareness campaigns and training products, and most of them suffer from three common mistakes. A program that is designed with these mistakes in mind is far more likely to be effective and to produce a better return on investment for the organization.
1. Singular Events
Many training programs concentrate on one-off events. They are scheduled as part of a security awareness week or, budget permitting, a month, but in practice they settle into a routine of twice-yearly sessions. If the Chief Information Security Officer (CISO) can spare the time, the session may be delivered in person, which at least gives employees some interaction even if the content itself is not especially effective. More often the job is left to a training video, an asynchronous approach that leaves staff with the impression that information security is important in general but somehow not applicable to their day-to-day work. It also typically leaves them with questions no one is there to answer.
2. Learning to Swim from a Textbook
Knowledge comes in two types: declarative and procedural. Declarative knowledge is knowledge of facts: being able to define symmetric encryption or malware, or knowing the rules about taking work home. Procedural knowledge is actionable know-how: how to implement a symmetric cipher, how to determine whether a file is ransomware, or whether taking work home is acceptable in a particular situation, which means understanding the security tradeoffs and the ways things could go wrong. Procedural knowledge is what one uses when riding a bike or swimming. No one learns to swim through computer-based instruction, and no one would board a plane whose pilot had only read the manual.
Security decisions such as spotting a fraudulent email, deciding what information to give out over the phone, or choosing a good password all depend on procedural knowledge, yet they are taught as if they were declarative. One can teach personnel what fraud is, but detecting fraud as it happens is a whole different ball game.
3. Lack of Feedback
Converting a wicked learning environment, where feedback is delayed, missing, or misleading, into a kind one, where feedback is prompt and accurate, requires managers to be more involved in everyday activities. This means going out of their way, abandoning training as an event, and embracing learning as an ongoing process. Many CISOs rely on audits, but for an audit to work as a learning tool it must give the audited individual immediate, direct, and reliable feedback. If the feedback arrives weeks later, the worker has to reconstruct the particular scenario that led to the decision, along with its specific complications and stressors, before any lesson can be drawn from it. Immediate feedback ties the lesson to the situation while it is still fresh, giving workers a far better chance of internalizing it.