User behavior is the magic ingredient that determines whether end user training programs succeed or end in ignoble failure. The recent RSA Conference 2014 in San Francisco featured a panel discussion on this topic, "Changing User Behavior: The Science of Awareness," hosted by Frank Dimina, director of federal sales at Check Point Software Technologies. Dimina asked the panelists (Kati Rodzon, an independent security contractor; Aaron Higbee, co-founder and chief technology officer of PhishMe, Inc.; and Lance Spitzner, training director of the SANS Securing the Human program) to comment on four topics: why traditional security awareness training fails, the importance of changing human behavior, adapting to different cultures, and how to verify the "controls."
The most salient points drawn out of the panelists emphasized the role honesty plays in the training regime. To make this point, Higbee reached into a paper bag and pulled out a few 99¢ tacos that he had purchased on the way over. He noted how the taco in his hand only vaguely resembled the taco in the promotional advertisements. The analogy is that if you insult your customers' intelligence, you call into question the credibility of your content; the lesson is that you must be honest with your users. Rodzon noted that it's entirely acceptable to acknowledge to users that you "know this is a pain, thank you." The panel agreed that while awareness programs originally came about to ensure an entity was compliant with an identified standard, being compliant does not equate to being secure. Furthermore, these "compliance" training programs are rarely designed to change employee behavior.
You should also take into account cultural diversity and customs when implementing security awareness training programs. An important point indeed: think strategically for the global effort; execute tactically on the local scale. For example, a Fortune 100 company discovered that tailgating into its facilities in the Far East was occurring with regularity. Its US-centric training included a video showing how to confront an employee without appropriate identification and deny that individual entrance to the facility. When overseas employees viewed this video, however, the act of confrontation was viewed as culturally distasteful, and the training had little positive effect. Following the adage of executing locally, the training was then adjusted to change the prescribed action from confrontation to facilitation. Instead of confronting the person and denying entry, the new training suggested noting the absence of identification and escorting the person to the appropriate point of entry, where he could be fully identified and given access. In the long run, the adjusted training proved much more effective. Instead of treating someone who might simply be a forgetful employee as a potential intruder and turning him away, employees were taught to escort the individual to the appropriate personnel in a collaborative rather than confrontational manner.
The panel also stressed that organizations need to ensure their users understand how the results of the training will be measured, and to emphasize how important the security training is in reducing the overall risk to the enterprise.
Higbee, when interviewed separately, reemphasized his panel comments, noting that a large part of the success in training employees to recognize phish in their email comes from building upon what already exists in "the suspicious part of the mind." He explained how PhishMe research shows that the training engagement with the employee must be ongoing, the teaching point must be delivered quickly (in no more than 30 seconds), and the results must be measurable to be of value to the enterprise. For results to be valuable, they need to provide evidence that engagement with the employee is producing the desired outcome: behavior change.
In sum, know what behavior you're attempting to adjust in your end user training, know how you will measure this adjustment, and above all, ensure your employees know why and how the training will be implemented through honest and forthright communication. Your awareness programs should go well beyond compliance—they should reduce the company's risk.