“Users need to be hyper-vigilant when the situation calls for it. Effective training should focus on helping users recognize those risky situations,” he said.
And Kevin Mitnick, once known as the “world’s most wanted hacker” and now head of Mitnick Security Consulting, said regular, even intense, awareness training shouldn’t have a negative effect on morale or productivity.
“That would be like saying wearing a seat belt takes away the enjoyment of driving. Or locking your car makes people drive poorly,” he said. “You wouldn't blame the manufacturer if someone left his keys in the car and a thief drove off with the vehicle. The driver would be responsible.
“In the world we live in, security precautions become second nature and people adapt.”
That said, there is general agreement that security training does need to take into account how people do their jobs, and can’t be so stringent that it stifles their productivity.
Hawthorn calls it, “being realistic. User security policies are like diets. If they aren’t sustainable and you have no way of enforcing them, either using technical controls or firing the person, you end up with something that fades away or people cheat on,” he said.
“So yes, giving users realistic guidance is powerful because it’s both sustainable and relatable, which makes the training stick with the user.”
Spitzner also said it is a mistake to “focus on perfect security, and forget that real people are involved.
“Passwords are a great example. Security researchers talk all the time about what the ‘perfect’ password is, only to come up with a solution that no one can remember or follow,” he said. “Human security is all about behavior – the more difficult the behavior the less likely it can be done.”
Belani said that for training to be effective, it has to go beyond awareness to “behavioral conditioning.” He cited the work of Nobel Prize winner Daniel Kahneman, author of “Thinking, Fast and Slow,” who said that when people are doing repetitive tasks, the brain tends to operate in a version of autopilot that does not require deep thought – what he called “System 1.” With more complex tasks, it uses a more deliberate process that requires more effort – or “System 2.”
The key, Belani said, is to train employees, “proactively to use the System 2 deliberate-thinking process to recognize when something is out of the norm, by paying attention to certain details that normally our System 1 set of thinking would ignore.”
This kind of conditioning, he said, actually helps workers to sort the legitimate from the malicious and makes them more productive.
And Shelley said while it would not be practical to offer every employee customized training, it is possible to tailor training to various employee groups, based on things like their department and technology profile.