Gone Phishing: Why Immersive Training Works

Phishing is a very effective, low-cost attack vector that bypasses most traditional detection methods, and it has been widely identified as one of the biggest security threats organisations face today. Cybercriminals now target a specific organisation and develop sophisticated phishing emails in a bid to trick employees into opening malicious attachments.

This causes great concern for organisations because not only can phishing have disastrous consequences for a company, but the emails are so cleverly crafted that they are extremely difficult to spot, even for the most well-trained eye.

As a result of the rise in targeted phishing scams, organisations must train their staff on how to spot these malicious emails. However, because of the ever-changing nature of phishing, training cannot be carried out through simple paper handouts or handbooks.

The security awareness training needs to be an experience that staff will actually remember and retain. Immersing a human in an experience triggers the brain in a way that traditional training doesn’t – by drawing an emotional response.

In complex vertebrates (contrary to what some in security might say, your users do fit into this category), the amygdala is the area of the brain associated with both memories and emotions. An emotional experience sticks in our memory, making training techniques that elicit emotions more powerful. This is why posters and conventional computer-based training fall short.

One method of immersive training to help staff spot phishing attacks is to send them mock phishing emails. Staff who correctly identify the phishing email are commended, and those who do not receive training to help them identify future attacks.

Repeating immersive training exercises capitalises on a neurological process called long-term potentiation, which is how the human brain forms memories and retains them. Memories form from repeated activity at the same synapses between neurons, and repetition of those synaptic processes causes us to learn and retain information.

Conducting annual training will not lead to retention – even if the training itself is compelling – because it won’t be frequent enough to stick in employees’ minds. Whenever we are learning something new, whether it’s playing a sport or an instrument, speaking a new language, or anything else, repetition is crucial. It’s the same with teaching email users safe email behaviour: repeatedly conducting security awareness exercises will allow them to make safe email use a habit.

Ultimately, immersing your employees in an experience will improve their behaviour. With that said, here are some ways to make your immersive security awareness programme engaging:

  • Start simple: For the average user, security concepts are difficult to grasp, so start simple! Sending a beginner down a black diamond trail is a good way to turn them off of skiing forever (or worse, get them injured). It’s the same with security. Don’t trip up your users by starting them off with complicated concepts – get them on the beginner slope.
  • Be specific: Hollow platitudes will undoubtedly get your users to tune out. Avoid vague messages like “keep company resources safe”; instead, give users specific, actionable information that will help them change behaviour.
  • Mix it up: How many of you pay attention to the airline safety demonstration prior to takeoff? That demonstration never changes, so ultimately people lose interest. Don’t make the same mistake with security awareness. Vary both the content and the delivery method of your security awareness to continually engage recipients.
  • Keep it going: Why is it so easy to forget what you learned in a boring class? After the final exam, you don’t need the information, so there’s no need to retain it. We do know that security is a constant and changing threat; therefore, security awareness needs to be continuously reinforced. By continuously training users at different times throughout the year, safe security behaviour becomes a habit rather than something forgotten as soon as training is over.
  • Be positive: It might be tempting to expose the users who are security risks, but in our experience the negative backlash this generates will quickly undermine your security awareness program. Keep things positive by measuring the results of your program and recognising people and departments who have done well. Educate and support those that need additional help.

Scott Greaux

Scott Gréaux has over 15 years of diverse information technology experience spending most of the past decade developing solutions to address complex information security problems. Most recently Scott served as General Electric’s Deputy Chief Information Security Officer where he led key global initiatives such as Policy and Policy Frameworks, Security Awareness, Advanced Threat initiative coordination and Information Security metric reporting. Scott brings his extensive experience and unique blend of business management and creative marketing practice to PhishMe where he works with customers to develop robust anti-phishing programs. Scott also oversees PhishMe’s managed service offering, support operations and leads PhishMe’s Customer Advisory Board where he works with customers and industry thought leaders to align PhishMe features with the ever changing threat landscape.