Many of the products out there would lead you to believe that anyone with Word can write a newsletter, but this is not the case. Think about it: you are asking someone to voluntarily take time out of his or her day, or even potential free/personal time, to read a document about security. If done right, you can have a captive audience that happily takes the time to read your content. If done wrong, then all your hard work turns …

Making good content is hard and easy to mess up. This is evident from the loads of boring training videos, outdated posters, and cheesy slogans slapped on a mouse pad. But don’t fret: just because it’s hard doesn’t mean it’s impossible. Making good content is all about asking the right questions beforehand. What content needs to be made? What are the different options? What should be used in tandem? What can be used in place of other things? …

Now that we know how to effectively pair a problem behavior with a solution, what happens when the problem behavior is the product of more than one reason? For example, several organizations identify ‘falling for phishing attacks’ as one of the biggest problems they have with users in their organization. A cultural assessment reveals that not only do several users have a hard time identifying the ever-changing phishing emails, but they also don’t see them as very dangerous, and …

Recently, Mike has been posting about embedded training and how research seems to indicate that it’s more aptly described as a training tool rather than training that stands alone. This makes sense since a complete user security program requires several other topics besides phishing (e.g., passwords, risk and physical security, to name a few). Still, like any tool, it can be used to your advantage… …or it can really set you back, and that is what I …

In my previous couple of blogs, I talked about our research that shows that embedded training doesn’t do much more than act as a trigger. You might get the idea that I’m not a big fan of products like those offered by PhishMe, Wombat and ThreatSim. But you couldn’t be more wrong. As I said in my first blog on the subject, there are two reasons to use these products: the training impact on the users is completely insignificant compared to the measurement …
