The vast majority of cybersecurity incidents today target humans to some degree: 74% of all breaches in 2023 involved a human element. AI has become widely available to threat actors, social engineering is on the rise, and professionally targeted campaigns will be automated and much harder to spot.
So why do so many cybersecurity leaders fail to properly train their teams to defend against these threats? It's because most security education today relies on phishing simulations and videos that merely meet the bare minimum of compliance training requirements. This makes it difficult for people to gain the skills they need to understand the threats and then use that knowledge to develop defensive habits.
Instead, teams should have access to role-playing, live simulations covering current threats, and serious games that leverage critical thinking skills and drive these concepts deeper into their minds.
Security awareness training that has employees click modules on their computers (likely multitasking in the background) is ineffective because it doesn't take into account each person's role, risk exposure, or IT security knowledge. A blanket approach fails to convey the knowledge and job-relevant security skills essential to change behavior in real work environments.
Moreover, these programs are ineffective if they don't also provide employees with the essential tools, processes, and resources to seamlessly integrate security behaviors into their daily work. For example, you may provide video training on the importance of using a password manager and having unique, strong passwords for each account, but if you don't provide access to a password management tool, the training is meaningless.
Another common problem is that learning content often focuses on specific security threats in isolation, rather than addressing them from the learner's perspective. It is helpful for learners to explore and understand the terminology around a particular type of attack, such as "vishing" (voice phishing), but this is only one aspect of a larger threat problem. It is important to be aware of social engineering attacks regardless of how they are delivered.
To effectively train your employees how to mitigate the human factor in cyber attacks, it's essential that they understand two key concepts about criminal behavior. First, we recommend teaching your employees how the social engineering attack cycle works: gathering information, building relationships and trust, exploiting, and executing. This shows how attackers gather information through open source intelligence and use it to establish relationships they can then exploit.
Second, it is important to cover how criminals exploit human nature through compliance principles. The five psychological compliance principles are:
- Favour, similarity, deception
- Commitment, reciprocity and consistency
Understanding how social engineers use these principles and the psychology behind them can help you become more aware of these types of attacks and be better able to avoid them, no matter what channel they come from.
An effective way to drive these principles into someone's mind is through authentic, immersive gaming such as role-playing and simulations. Piece of Cake – Social Engineering Security Awareness Tabletop Game allows participants to try out clever tactics in a variety of scenarios and address security challenges in a playful way. By tailoring the scenarios to specific job roles, your team will understand through experiential learning why this security training is relevant to them. Learning will be meaningful and fun, and it could fundamentally change the way you think about security.
Six months after receiving the Piece of Cake training, one participant faced a real test: after the death of his parents, his brother inadvertently gave his phone number to scammers who had called his parents' landline. He was initially caught off guard when the scammers, using a spoofed number to pretend to be from his parents' bank, called his personal number. Although this moment of grief made him vulnerable, he remembered the advice to hang up and call back through another channel. Despite the emotional pressure, his instinct to see through this tactic and verify the caller's legitimacy demonstrated the lasting impact of his experiential learning in recognizing and thwarting social engineering attempts.
Tabletop exercises (TTX) have proven to be extremely beneficial not only for crisis management teams but also for leaders involved in decision-making during a crisis. Customizing one of the more than 100 tabletop exercises available from CISA to reflect the specific challenges of your organization is a great way to achieve this, allowing your team to develop and test consistent incident response plans. TTX-based training fosters collaboration and communication within organizations; it enables critical knowledge sharing and improves incident response channels.
Experiential learning, such as interactive play that focuses on the human factors involved in cyber attacks, is the most effective way to deliver security training. These methods promote retention and practical application of security knowledge beyond the traditional passive learning models that dominate today. Engaging employees in scenarios that replicate real-life situations and highlighting common tactics used in social engineering makes training more relevant and understandable, and helps employees take a more proactive stance towards cybersecurity within their organization.