I'm noticing a trend in awareness training, one I wanted to share and see if others are seeing the same thing. In general there are two ways to deliver training, what I call Scheduled or On Demand. Scheduled is what you think of for traditional training. A certain time and/or place is set and people … Continue reading Security Awareness Training - Scheduled or On Demand?
One of the great things about the annual RSA conference is meeting people smarter then you. Simple, informal conversations or structured presentations are a tremendous way to learn and come up with new ideas. The other night I had a chance to have dinner with Andy Jaquith, author of Security Metrics, often considered the bible … Continue reading Security Awareness Metric - What is Your Prevention / Detection Ratio?
I've posted several times about the tremendous value of an active phishing assessment program. Not only does it result in effective behavior change, but based on my experience phishing assessments are positive and a highly engaging way to reach people. In may ways it becomes a challenge of who can 'spot the phish' first, gamifying … Continue reading Tuning the Human Sensor with Phishing Attacks
Continuing our top three trend I wanted to share the top three reasons I see awareness programs fail. By fail I mean they do not have an impact. If compliance is your only goal, this is much simpler to achieve. Having an impact through behavior change is a far greater challenge. 1. No Plan: This … Continue reading Top 3 Reasons Security Awareness Training Fails
While working with executives and security professionals on awareness training, I tend to run across the same questions or misconceptions. I wanted to share with you the top three I most commonly run into and explain why were others sees problems, I see solutions. 1. Awareness never worked in the past, why should it work … Continue reading Top 3 Misconceptions on Security Awareness Training