https://securityprofession.blog.gov.uk/2015/09/16/security-education-searching-for-innovative-ways-to-engage-our-teams/

Security education - Searching for innovative ways to engage our teams

When I was speaking at a Security conference this summer I talked about a campaign we’ve been running at HMRC to raise awareness of the threat of phishing attacks. I'd like to share the approach we used – it was not only engaging, but also provided us with a wealth of management data that helped us measure the effectiveness of the programme and reassess our vulnerability.

Increasing user awareness about the nature of security threats is vitally important, but finding a way of delivering key learning messages that genuinely engage people isn't always that easy to do. Also, measuring the success of awareness campaigns can be fraught with difficulty because awareness levels aren't that easy to quantify.

Practical advice

In our 'Think Before You Click' campaign we worked closely with a supplier to develop the key learning points for the campaign and deliver them in a fresh and appealing way. We published a series of articles on our intranet to deliver practical guidance and tips to help staff identify phishing emails. We stressed the importance of developing good cyber habits both at home and in the workplace and encouraged staff to share the advice provided with family and friends.

Training

We also developed a short learning product that used animation and cartoon characters to illustrate a spear phishing attack from both the victim's and the cyber criminal's perspectives. In it we delivered serious messages in a light-hearted and fun way. The learning was available to users from our learning library via self-service in the traditional way, but in addition we delivered the learning in a far more targeted and innovative way that enabled us to identify the highest-risk users.

Simulation

We sent staff a series of emails that replicated real phishing attacks. In one of the most 'clicked' examples, users were sent an imitation invite to a Royal Garden Party. This approach allowed users to experience first-hand the type of tactics currently used by cyber criminals, but in a safe and controlled environment. Users who clicked on a link in the simulations were directed to the learning product. We used the data from the phishing simulation exercises to quantify both pre- and post-campaign awareness levels. We issued 130,000 simulation emails over a period of six weeks. Each week we saw the number of people clicking on links reducing as awareness grew, down by as much as 26 per cent in the sixth week. More than 4,000 staff have completed our online training.
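The measurement side of the simulation described above, as an added example that is not HMRC's code: it scores constructed simulation-email records week by week, reports the drop in click rate against the week-one baseline, and lists repeat clickers to route to the learning product. The record fields and sample data are assumptions; the page only gives the totals.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimEvent:
    week: int        # campaign week (the page ran six; sample uses three)
    user: str        # pseudonymous staff id (constructed)
    clicked: bool    # True if the user followed the simulated link


# Constructed sample: one record per simulation email, five users, three weeks.
EVENTS = [
    SimEvent(1, "u1", True), SimEvent(1, "u2", True), SimEvent(1, "u3", False),
    SimEvent(1, "u4", True), SimEvent(1, "u5", False),
    SimEvent(2, "u1", True), SimEvent(2, "u2", False), SimEvent(2, "u3", False),
    SimEvent(2, "u4", False), SimEvent(2, "u5", True),
    SimEvent(3, "u1", True), SimEvent(3, "u2", False), SimEvent(3, "u3", False),
    SimEvent(3, "u4", False), SimEvent(3, "u5", False),
]


def weekly_click_rate(events):
    """Return {week: clicks / emails sent}, the awareness metric tracked over time."""
    sent, clicked = defaultdict(int), defaultdict(int)
    for e in events:
        sent[e.week] += 1
        clicked[e.week] += int(e.clicked)
    return {w: clicked[w] / sent[w] for w in sorted(sent)}


def reduction_vs_baseline(rates):
    """Percentage drop in click rate per week relative to the earliest week
    (the pre-campaign measurement). Positive means fewer clicks than baseline."""
    base = rates[min(rates)]
    return {w: round(100 * (base - r) / base, 1) for w, r in rates.items()}


def training_queue(events, min_clicks=2):
    """Users who clicked at least `min_clicks` times: the highest-risk group to
    direct to the learning product and follow up with."""
    counts = defaultdict(int)
    for e in events:
        if e.clicked:
            counts[e.user] += 1
    return sorted(u for u, c in counts.items() if c >= min_clicks)


if __name__ == "__main__":
    rates = weekly_click_rate(EVENTS)
    for w, pct in reduction_vs_baseline(rates).items():
        print(f"week {w}: click rate {rates[w]:.0%}, {pct:+.1f}% vs baseline")
    print("repeat clickers:", training_queue(EVENTS))
```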

The campaign, particularly the use of phishing simulations, generated a high level of user feedback and the discussions that took place really helped to embed some of the key learning points. We are currently reviewing the management information from the campaign but in view of its success we are keen to expand further on the phishing simulation approach used.

Are you looking to run a similar campaign? Can you share your experience on how security education can be delivered in an innovative way that engages the user? Please share your ideas with me, either by commenting on this blog or by emailing me at jonathan.lloyd-white@hmrc.gsi.gov.uk.

3 comments

  1. Comment by Tracy White posted on

    Great article, thanks for sharing.

    What I particularly liked about your method was the use of links to redirect staff to your learning environment. I wondered if this provided a more softly, softly approach which staff were more amenable to. Did you experience any instances whereby staff were unhappy about the process and had a negative reaction? Additionally, did you approach Senior Managers to get them on board with your approach in the first instance, so they could provide support to their staff once the test was run?

  2. Comment by Marios Kyriacou posted on

    Security awareness training is really important. But it's also how we go about it. It's a waste of time to do it once a year or to bombard our employees with information. At The Security Bureau, we've written a blog post that covers effective ways for new starters to learn about security. The link is here:
    http://www.thesecuritybureau.com/security-awareness-for-new-starters-things-have-to-change/

  3. Comment by Jonathan Lloyd White posted on

    Thanks for the comments so far. Using the phishing simulations to direct staff to the learning was a completely new approach for us; whether it could be viewed as 'softly softly', however, is perhaps open to question. Some staff, for example, were shocked when they clicked on the link, and a few felt tricked and were a little put out by the experience! However, the vast majority clearly understood the purpose of the exercise and engaged positively with the campaign, so in general staff were amenable to it.

    Before issuing the simulations we provided staff with practical tips and advice about how to recognise and deal with phishing emails and we provided them with the training module. We also gave staff advance notice that phishing simulations would form part of our approach and explained why we would be using them. We reassured staff that this was a purely educational exercise and that no one would be in any trouble for clicking on links in the phishing simulations. To keep the exercise as realistic as possible only those who needed to know were given advance notice of the content of the phishing simulations and the timing of the exercises. We kept this group very small and as the campaign developed some colleagues did feel that they should have had some notice of the simulation exercises.

    Keeping managers informed whilst at the same time keeping the phishing simulation exercises realistic requires a fine balance. Some essential groundwork for the campaign was the early discussions we had with senior leaders across the organisation, as it was vital that they understood and supported the approach. We also had early meetings with key HR managers and trade union representatives to explain our approach and address their initial concerns. As this was a new approach for us it would have been all too easy for colleagues to misunderstand the nature of the exercise.

    Phishing is a long-term threat we all face, both at work and at home, and the cyber criminals' tactics will continue to develop as they continue to look for ways to exploit vulnerabilities. So our educational response cannot ever be a one-off exercise. In the next phase of the campaign we'll use phishing simulations that replicate the latest techniques in use by cyber criminals and we'll give staff help so that they can identify the warning signs.
