Another short list comes from Lance Spitzner, training director for the SANS Securing the Human Program, who told an audience at a recent conference that the most important thing a security trainer can do is personalize it. "Don't talk about how it affects the corporation," he said. "Start with how they can protect their kids online and their own mobile device. Let them see what's in it for them."
Beyond that, he said, the key principles are to keep it brief and focused on limited topics, and reinforce it with repetition but not too much repetition.
The EMA report validates that, noting that, "studies on learning effectiveness indicate that training is better in shorter sessions with repetitive content that students can practice while they learn." The report recommended that training be conducted at least quarterly since, "a simple piece of information must be heard at least three times by the average person to be able to recall it in short-term memory, and up to 20 times to commit it to long-term memory."
To those recommendations, Bernstein added that it is crucial that SAT programs, "include content specific to the company's policies and procedures. This should typically include social media, acceptable use, data retention, and bring your own device policies when applicable."
Heimerl has similar advice. "Make sure that your SAT accounts for your people, the way they work, the culture of your organization, and your organization itself," he said. "Yes, that means it is harder since you can't just copy what someone else does."
That, he said, means using specific examples that will make the training, "as un-theoretical as possible. Use a phishing email that someone in your organization received. Use an example of social engineering that someone in your organization experienced."
Finally, he said there are creative ways to promote security. In one firm, he said, the CEO was trying to get people to wear their employee badges, to improve physical security. He sent an email saying he expected employees to challenge anyone not wearing a badge. He then walked around the building without his badge on, and when a low-level worker challenged him, he gave him a $100 bill. It happened twice more on his walk.
"By the end of the day, the stories of the $100 bills had circulated around the company and they evolved to near 100% compliance in about three hours," Heimerl said. "It cost them about 30 minutes of the CEO's time and $300. That may have been the best $300 they ever spent."