Training alone isn't enough. There were quizzes and red-flag scenarios in the course materials as well. But even these can only do so much. In speaking with Sjouwerman, I asked him what else can be done to ensure the training sticks. Is there some kind of final exam the users take?
The process actually doesn't begin with the training, according to Sjouwerman. It begins with a baseline Phishing Security Test, in which the users in an organization are sent a simulated phishing email (something regarding banking, online services, social networking, current events, and so forth). The company then notes how many people click the links, unaware of the danger or taken in by the message.
Once that is done, the users go through the training, then administrators have the ability to send out different types of fake phishing tests to their users as often as they like (once a week is recommended). The administrators can see clearly if there is a return on investment, as well as which users may need more training.
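The measurement loop described above (baseline test, training, then repeated simulated phishing campaigns that show both the return on investment and which users need more training) is easy to reason about with a small scorekeeper. The script below is an added example, not code from the article or from Sjouwerman's product: it takes constructed campaign results, reports the click rate per campaign, computes the relative improvement against the baseline, and flags users who kept clicking across the most recent campaigns. The window of three campaigns and the threshold of two clicks are assumptions chosen for the example.

```python
"""Phishing-simulation metrics tracker (added example; campaign data is constructed)."""
from collections import defaultdict

# Constructed sample data: each campaign maps a user to whether they
# clicked the simulated phishing link. The first entry is the baseline
# test sent before any training.
CAMPAIGNS = [
    ("baseline", {"alice": True,  "bob": True, "carol": False, "dave": True,  "erin": False}),
    ("week-1",   {"alice": False, "bob": True, "carol": False, "dave": True,  "erin": False}),
    ("week-2",   {"alice": False, "bob": True, "carol": False, "dave": False, "erin": True}),
    ("week-3",   {"alice": False, "bob": True, "carol": False, "dave": False, "erin": False}),
]


def click_rate(results):
    """Fraction of recipients in one campaign who clicked the link."""
    if not results:
        return 0.0
    return sum(1 for clicked in results.values() if clicked) / len(results)


def campaign_rates(campaigns):
    """Return [(campaign_name, click_rate)] in the order the campaigns were run."""
    return [(name, click_rate(results)) for name, results in campaigns]


def improvement(campaigns):
    """Relative reduction in click rate from the baseline (first campaign) to the latest one.

    A result of 0.5 means the latest campaign's click rate is half the baseline's.
    """
    rates = campaign_rates(campaigns)
    baseline, latest = rates[0][1], rates[-1][1]
    if baseline == 0:
        return 0.0
    return (baseline - latest) / baseline


def repeat_clickers(campaigns, window=3, threshold=2):
    """Users who clicked in at least `threshold` of the last `window` campaigns.

    These are the people the article suggests routing to more training.
    The window and threshold are assumed values for this example.
    """
    counts = defaultdict(int)
    for _, results in campaigns[-window:]:
        for user, clicked in results.items():
            if clicked:
                counts[user] += 1
    return sorted(user for user, n in counts.items() if n >= threshold)


def report(campaigns):
    """Human-readable summary an administrator could review after each campaign."""
    lines = [f"{name:>9}: {rate:6.1%} clicked" for name, rate in campaign_rates(campaigns)]
    lines.append(f"improvement vs baseline: {improvement(campaigns):.1%}")
    lines.append("needs more training: " + ", ".join(repeat_clickers(campaigns)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(CAMPAIGNS))
```

With the constructed data the baseline click rate is 60%, the latest campaign's is 20%, and only one user is flagged as a repeat clicker over the last three campaigns. Widening the window to include the baseline catches users who clicked early and then stopped, which is a useful distinction when deciding who actually needs another round of training versus who has already learned.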
I thought the process made sense. Obviously, it'd be great if admins could sprinkle USB drives around the parking lot to see what users do or perform additional social engineering tests, but this seemed like a good method of benchmarking the level of awareness among your user base.
We're still dealing with humans. They need repetitive training to ensure they get the point, whether it is sexual harassment training, safety training, or in this case, security awareness. But I also believe there have to be valid methods for ensuring the training is sticking, especially if the greater concern is not just proving to compliance regulators that you did, indeed, provide the required training, but also ensuring your users are actually learning.
This story, "Ex-hacker spills secrets of fighting social engineering," was originally published at InfoWorld.com.