When aspiring pilots go through flight school, they learn both in a conventional ground setting and using a flight simulator. On the simulator, new pilots are immersed in the experience of flying, and receive real-time feedback about their decision making. Not surprisingly, the simulator is seen as a more effective training tool than conventional classroom training.
One of the greatest challenges facing security awareness initiatives is providing employees with an experience they will actually remember and retain. Training users to avoid risky security behavior is not nearly as complicated as teaching someone to fly a plane, but just like with pilots, immersive training that simulates the kind of attack methods employees face is a more effective way to conduct security awareness.
Immersing a human in an experience triggers the brain in a way that traditional training doesn’t – by drawing an emotional response. In complex vertebrates (contrary to what some in security might say, your users do fit into this category), the amygdala is the area of the brain associated with both memories and emotions. This is why hearing that old Van Halen song brings back memories of high school (at least for some of us!). An emotional experience sticks in our memory, making training techniques that elicit emotions more powerful. This is why posters and conventional computer based training fall short.
We observe the fleeting nature of email communication within our own customer base. Some of our customers choose to follow a PhishMe best practice and announce PhishMe campaigns before sending them out, while others do not inform their employees. While it would stand to reason that the employees who had been informed would be less likely to fall for the phish, there is no measurable difference in the end result of the campaigns. Simply sending a person an email informing them that a training exercise is going to be sent through email is not enough to change their behavior. You need to draw an emotional response as well. Those customers that do inform their employees, however, are able to fend off negative backlash as well as eliminate the perception that they are trying to pull one over on the users.
Equally important is providing feedback to participants, as simply simulating an attack won’t provide the meaningful information that triggers the emotional response. If users fall for a simulated phishing attack, but don’t know what they have done, it’s a missed opportunity to change their behavior. A great example of how feedback spurs behavioral change can be seen in the example of radar speeds signs. These are the signs usually placed near a construction site or school and display the speed we are driving just underneath the posted speed limit. These signs are effective at changing behavior positively because they provide us with instant feedback about our behavior, as well as a guideline for improving it. This technique leverages a concept called a feedback loop, discussed in greater detail in an article from Wired magazine.
Repeating immersive training exercises capitalizes on a neurological process called long-term potentiation, which is how the human brain forms memories and retains them. Memories form from similar synapses between neurons, and repetition of those synaptic processes cause us to learn and retain information. Conducting annual training will not lead to retention – even if the training itself is compelling – because it won’t be frequent enough to stick in employees’ minds. Whenever we are learning something new, whether it’s to play a sport, instrument, speak a new language, etc. repetition is crucial. By repeating his golf swing on the driving range thousands of times, Tiger Woods made that action become second nature. It’s the same with teaching email users safe email behavior, repeatedly conducting security awareness exercises will allow them to make safe email use a habit.
We’ve observed this first-hand with customers who purchase a PhishMe license and then only run one or two campaigns. They don’t see the improvement that customers who run consistent campaigns experience. Moreover, we’ve seen customers use PhishMe successfully to improve organizational resilience to phishing attacks, only to regress upon discontinuing PhishMe. Sporadically conducting training or discontinuing training altogether misses the opportunity to train new employees as well as update training to address emerging attack vectors.
Ultimately, immersing your employees in an experience will improve their behavior. Our experience training over 4 million unique users has shown that around 58% will fall for phishing emails prior to training, but after a few months of immersive training that number can be reduced to less than 10%.
–Rohyt Belani and Scott Greaux