A guide to user security education and training (or how to make users our strongest weapon!)
More and more of the security breaches you read about have one factor in common: user error. Every day I see companies spend millions of euros, dollars or yen on corporate security safeguards. There are RFID tags, swipe cards, password policies, policy reviews once a month or quarter, secured access to the server room, firewalls that cost more than the yearly budget of some developing countries, and IPS/IDS. These are all very good measures, but the uneducated user in your company is your weakest link. The "I Love You" virus spread because uneducated users opened attachments they shouldn't have. Most viruses, worms and spyware/malware spread that way. Then of course there is unwitting corporate espionage, which I have already touched on in this article. So if users are our weakest link, how can they become our strongest weapon against all the factors listed? That's right: education, training and mentoring.
So-called security consultants usually tell you "yes, education is good, BUT product X from company X is so great that user education is not necessary anymore". You don't believe me? I have heard this more than once. Funny enough, those "consultants" are employees of a company that HAPPENS to be a reseller for company X :). In my opinion, the only consultants you can trust are the ones with no affiliation, but that's another article.
Now I would like to take a quote from someone famous (Steve Ballmer) in a funny video nicknamed "monkey boy". He said "developers, developers...". I would like to say: user education, user training, user education, user training. A lot of companies nowadays give their users "introductory" courses that touch on "don't do this and don't do that". Most of the time the speaker is even someone from the IT security department. BUT it is mostly one of the less socially engaged people, because no one else wanted the job. And that is why no one listens. So on paper you train the user or "educate" them, but in reality 80% of the group is asleep, checking their email or their mobile phone.
I have given many courses, quite a few of them security education courses for normal users, and I made a list of things you can do to actually make them listen and to make them react to or implement your suggestions:
- Speak in a friendly way, and on their level. Be open with them; do not think of yourself as above them because you are training them. Look at them as people who can make your life easier.
- Use simple terms and take time explaining what you mean. No one is helped if your sentence starts with "When you remotely dial into our VPN via IPsec using 3DES..." NO! "When you connect to the corporate network from home..." is enough for them.
- Do not use the best geek in your IT security department as your speaker unless he has given classes before and is socially well versed and likeable. I am by far not the most knowledgeable person, but I have spent many years talking to people and working on how to get the whole class relaxed. That is the goal you need to have.
- If you have slides, keep them few and simple. Talk more, interact with the class, and encourage them to ask questions or find their own answers.
- Move around a lot. People have to follow you, and that keeps them alert.
- At the beginning of the class, ask everyone to pack away their laptops and cell phones, with the reason that this will make the class go faster because everyone can concentrate.
- Have frequent small breaks; give them air to breathe and time to let the information sink in.
- Cover all the necessary topics: passwords, policies, etc. But spend time beforehand finding ways to explain them in simple terms, especially if you have a class of completely non-technical people.
- Make jokes; talk about your own experiences, funny experiences, stupid things that happened to YOU, mistakes that YOU made. This helps them relate to you and makes you seem less perfect. They will like it more. Just don't start with "The time I took the network down and caused billions of dollars of damage...". More like: "Don't change your password when you are not concentrating. I changed mine while not paying attention, and when I got back from lunch I couldn't log in anymore!"
- Ask for feedback constantly and pose questions to the audience. Interaction is the best education!
- If you know someone who is not technically literate, use them. Run your class by them and ask for their opinion (I use my wife for this and it works very well). It is easier for you to put yourself into the users' shoes that way.
Now, if you take these points into consideration, your user education or security training class all of a sudden looks more like a group discussion with you as the leader. And THAT is the way it should be. If users feel empowered by actually interacting in the security training, they feel less forced. Let them reach their own conclusions about why passwords should be complex. You can always give them pointers on issues like passwords, as I described in the Easy yet secure passwords article.
If you can transform your security training into a security awareness discussion where everyone is relaxed and can speak their mind, I guarantee you that your users will become your biggest ally in your defense. They will be much more wary of social engineering attacks, they will rather delete a funky mail than open it, and they will handle company information MUCH more carefully.
I have also given classes on how to teach well, and I have received feedback, even from educational institutions, that this approach works very well. And if you like giving your class, you will all of a sudden find yourself requested to give classes, maybe not just in your company.
If you have any experiences or more pointers to share, please do so, or if you want more info on this, just drop me a line. But if you implement even just a few of these points, your class will be MUCH better than the generic user security training that everyone despises.
//Flosse
[…] I mean, come on, this is a total failure of any security or surveillance grade. And since this is not a recent issue, I am more and more inclined to say this is a "Layer 8" failure (OSI layer model... Layer 8 is the "user"). User education should have been done. And who qualifies anyone with half a semester of college as a "nuclear knowledgeable person"? That is like putting a "Helldesk" (yes, I have worked there too in my humble beginnings), 1st level support person in as a mission critical database administrator. […]