Last month we talked about how to create a successful security awareness organization architecture by first assessing the culture. More specifically, in order to change behaviors you first need to (a) identify the key problem behaviors, (b) find out why they are occurring, and (c) identify the holes in the current training. Simply put, you need to know your organization's culture-specific problems before you can do anything about them. So what's next? Well, now that you know the what, …

Recently, Mike has been posting about embedded training and how research seems to indicate that it's more aptly described as a training tool rather than training that stands alone. This makes sense, since a complete user security program requires several other topics besides phishing (e.g., passwords, risk and physical security, to name a few). Still, like any tool it can be used to your advantage… or it can really set you back, and that is what I …

I said in a previous blog that we should turn off the embedded training "most of the time" because it allows us to get far better measurements (and it really isn't all that effective anyway). That should prompt the question: if it's not that effective, why not turn it off all the time? There's a simple reason. As I explained previously, embedded training is effective as a trigger for users who have already received a certain amount of training that either …

In my previous couple of blogs, I talked about our research showing that embedded training doesn't do much more than act as a trigger. You might get the idea that I'm not a big fan of products like those offered by PhishMe, Wombat and ThreatSim. But you couldn't be more wrong. As I said in my first blog on the subject, there are two reasons to use these products: the training impact on the users is completely insignificant compared to the measurement …

The recent trend in helping organizations protect their users against threats is to perform some sort of automated spear phishing attack. Services like PhishMe, WombatSecurity and countless others are popping up, claiming to offer two major benefits: (1) provide usable metrics for the organization to track security awareness, and (2) train users close to the event to protect themselves more effectively against attacks; this is known as "embedded" training. While the first is incredibly useful, it's the second that has always seemed fishy …
