Last month we talked about how to create a successful security awareness organization architecture by first assessing the culture. More specifically, in order to change behaviors you first need to (a) identify the key problem behaviors, (b) find out why they are occurring, and (c) identify the holes in the current training. Simply put, you need to know your organization's culture-specific problems before you can do anything about them. So what’s next? Well, now that you know the what, …
I said in a previous blog that we should turn off the embedded training “most of the time” because it allows us to get far better measurements (and it really isn’t all that effective anyways). That should prompt the question: if it’s not that effective, why not turn it off all the time? There’s a simple reason. As I explained previously, embedded training is effective as a trigger for users who have already received a certain amount of training that either …
The recent trend in helping organizations protect their users against threats is to perform some sort of automated spear phishing attack. Services like PhishMe, WombatSecurity and countless others are popping up, claiming to offer two major benefits: (1) provide usable metrics for the organization to track security awareness, and (2) train users close to the event to protect themselves more effectively against attacks. This is known as “embedded” training. While the first is incredibly useful, it’s the second that has always seemed fishy …