A couple of years ago, the US Naval Academy wanted to find the most effective way of teaching mathematics to its students, so it launched a formal study. The maths teachers were categorised into two types. The first type taught in a way that maximised test results. The second type taught mathematics so as to give students a solid grounding in mathematical concepts; in other words, they taught for understanding. The study then followed the students' educational progress as they moved through the college. The results were interesting: in subjects such as mechanics, which require a strong mathematical grounding, the students who had been taught for understanding performed far better than the students who had merely been taught to the test.
Security Awareness Training and Understanding
So how does this apply to IT security awareness training? Well, a lot of IT security or cyber security awareness training teaches concepts like phishing by presenting participants with neatly manicured scenarios that pop up in question boxes, such as "What would you do if you received an email from an unknown sender who seemed to know your name?" or "Sally needs a password to access the CRM. Is it safe for Bob to lend his password to Sally?" These are typically followed by multiple-choice answers. The problem with this sort of learning is that, used on its own, it often fails to instil a lasting conceptual understanding of the topic. Participants would frequently be much better served by being taught the motivations of hackers, the tools they use and the psychological tricks they rely on.
Teaching by deconstructing and stepping inside the mind of the hacker
If a child wants to learn how a toy car works, they will often take it apart to see the constituent parts at work. "Deconstruction" can be an extremely effective teaching technique too. For example, here at SecureClick we teach participants that successful phishing campaigns are built from elements such as a lure, a pretext and an emotional trigger, and are delivered at a well-chosen time. Deconstructing real-life phishing campaigns, as devised by real cyber criminals, into their constituent parts gives participants a much deeper understanding of how phishing works. We then ask them how the email could be modified to add credibility, or how an emotional trigger could be used to make it more convincing. We give them an exercise in which they design their very own phishing campaign. Here you can see the teaching being synthesised, and it is fascinating to watch. We get them thinking like a hacker. So, when a real phishing email does arrive in their inbox on some random Tuesday afternoon, they will have a much greater chance of detecting it.
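The same deconstruction can be done mechanically, which is handy when preparing real samples for a class. The script below is an added example, not SecureClick's training material or tooling: it parses a raw email and reports the four elements named above, taking the display name and Reply-To domain as evidence of the pretext, link text that disagrees with the real link target as the lure, a small urgency vocabulary as the emotional trigger, and the Date header as the timing. The sample message, the keyword list and the "business hours" rule are all constructed assumptions for illustration.

```python
"""Deconstruct a phishing email into pretext, lure, emotional trigger and timing.

Example code, not SecureClick's own material. The sample message, the
trigger vocabulary and the business-hours rule are constructed assumptions.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr, parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real campaign).
SAMPLE_EML = """\
From: "IT Service Desk" <helpdesk@corp-itsupport.example>
To: bob@example.com
Reply-To: reset-team@mail-verify.example
Subject: URGENT: Your mailbox will be suspended in 24 hours
Date: Tue, 12 Mar 2024 16:47:00 +0000
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Bob,</p>
<p>Our records show your mailbox has exceeded its quota. To avoid suspension,
verify your account immediately using the link below.</p>
<p><a href="http://login.mail-verify.example/reset">https://mail.example.com/quota</a></p>
<p>IT Service Desk</p>
</body></html>
"""

# Assumed trigger vocabulary; a real list would be built from observed campaigns.
URGENCY_WORDS = ("urgent", "immediately", "24 hours", "suspend", "final notice")


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def deconstruct(raw):
    """Return the four campaign elements found in a raw RFC 822 message."""
    msg = message_from_string(raw, policy=default)
    from_name, from_addr = parseaddr(msg["From"])
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()

    body_html = msg.get_body(preferencelist=("html", "plain")).get_content()
    body_text = re.sub(r"<[^>]+>", " ", body_html)
    haystack = (msg["Subject"] + " " + body_text).lower()

    # Pretext: who the sender claims to be, and whether replies go elsewhere.
    pretext = {
        "claimed_identity": from_name,
        "sender_domain": from_domain,
        "reply_to_domain": reply_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
    }

    # Lure: links whose visible URL points at a different host than the real href.
    collector = _LinkCollector()
    collector.feed(body_html)
    mismatched = []
    for text, href in collector.links:
        shown = urlparse(text).hostname if "://" in text else None
        actual = urlparse(href).hostname
        if shown and actual and shown != actual:
            mismatched.append((text, href))
    lure = {"links": collector.links, "mismatched_links": mismatched}

    # Emotional trigger: urgency/fear vocabulary in subject and body.
    trigger = {"urgency_words": sorted(w for w in URGENCY_WORDS if w in haystack)}

    # Timing: when it was sent, and whether that lands in a working day (assumed 09:00-18:00, Mon-Fri).
    sent = parsedate_to_datetime(msg["Date"])
    timing = {
        "weekday": sent.strftime("%A"),
        "hour": sent.hour,
        "business_hours": sent.weekday() < 5 and 9 <= sent.hour < 18,
    }
    return {"pretext": pretext, "lure": lure, "emotional_trigger": trigger, "timing": timing}


if __name__ == "__main__":
    for element, findings in deconstruct(SAMPLE_EML).items():
        print(f"{element}: {findings}")
```

Run it against a saved `.eml` file from a real campaign and the four sections give an instructor the raw material for the classroom discussion: which identity was borrowed, where the click actually leads, which words were chosen to make the reader panic, and when it landed.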