“What technologies do they use? What threats are they likely to encounter? The more relevant the training is to how the user operates day-to-day, the better it will resonate and be retained,” said Stacy Shelley, vice president and chief evangelist at PhishLabs.
There is general agreement that any good thing, whether physical fitness, dieting or work, can be overdone. Still, the experts say regular security training does not fall into that category.
Regular simulated spear-phishing tests, rather than sowing distrust, should “help the organization know who are the biggest offenders and how to better train them,” Loomis said.
Shelley suggested thinking about awareness training “as conditioning, in which an individual’s susceptibility to attack will increase over time without frequent training to keep them sharp.”
But it is also important to be realistic about what can be accomplished.
“Training can absolutely reduce the chance and percentage of those who fall victim,” Spitzner said. “Most organizations can reduce failure rate to less than 5 percent. Can they make it 0 percent? Absolutely not. Can any control reduce risk to 0 percent? Absolutely not.”