Could lack of security awareness cost $1 billion?

The following is a guest post by a 2016 Secure360 Twin Cities Gold Sponsor Optiv. 

The conventional wisdom says that the difference between robbery and fraud is this: in a robbery you know money was stolen, but you don’t know who took the money; in fraud, you know who took the money, but you don’t know if it was a crime. In today’s world of digital banking, it is not obvious when money is being stolen or who has stolen the money when you realize it was stolen. A case in point is an $80 million bank heist in February from the Bangladesh Central Bank that could have approached being a $1 billion bank heist.

“Hackers misspelled ‘foundation’ in the NGO’s name as ‘fandation,’ prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction, one of the officials said.” Furthermore, the high number of transactions raised suspicions at the Federal Reserve Bank of New York, from where the funds were being transferred.

In today’s complex and highly transactional world, awareness is essential to stopping money from leaking out of your enterprise. While a similar attempt to defraud your company may not grab headlines, failing to address this sort of risk will feel as dramatic to you, when you are asked to explain why your personnel did not catch the scam.

The path forward

Do not treat security awareness training as merely a compliance issue, or allow your staff to attend it with complacency.

To maintain the attention of your audience, and to increase their retention of your material:

• Start planning with a decision about what you want the audience to come away with, focus on those and reinforce throughout.
• As you prepare material, consider what your audience will be thinking about; it needs to be your key take-away.
• Attention spans are short – make your points early and re-engage their attention about every ten minutes.
• Present problems to be resolved; a moderate challenge increases engagement.
• Repetition reinforces learning; find ways to present your concepts after the formal training has ended.

Start with the end in mind

Does your current security awareness training enable your staff to recognize the types of attacks that represent your biggest risks? Be clear about your objective for training, focus on that and that alone.

What is your point?

Cognitive science has shown that what ends up in a learner’s memory is not necessarily the material as presented—it is what the learner was thinking about while the material was being presented. Ensure that training is focused on the points you need them to take away.

Make your point early

The attention span of a human is about ten minutes. If you haven’t changed topics, started a new activity or in some way shifted gears, you will lose their attention. Energize presentations by accenting a point with an anecdote or some humor that is related to the point, to draw students’ thoughts back to the training.

To make it easier for students to maintain attention, plan your lecture in sections that will last about ten minutes, make your point early in each section and reinforce it with explanation and examples through the body of the section. Close out the section with something that signals the change, such as the anecdote.

Challenge the student, but moderately

People love a challenge, but only if is not too hard. Or, as it turns out, not too easy. You might call it a “Goldilocks problem.” If the problem is too hard, meaning that it is not solvable given the audience’s subject matter knowledge, they will give up on the problem and turn to daydreaming. Ironically, if the challenge is too simple, they will judge the material as boring and turn their attention away.

Increasing knowledge is really about answering the questions posed by a person’s current knowledge. No subject is completely explored, there are always questions left at that frontier where existing knowledge ends. To make material more attention grabbing, the instructor’s job is to appeal to the student’s curiosity about those questions.

Organize your lesson plan around these types of challenges, ones that are at the frontier of your audience’s knowledge of the subject. Anticipate the questions they have in mind that will lead them into the new knowledge you would like them to possess. Make sure the questions that are posed are neither too challenging nor too boring.

Repeat after me, repetition aids retention

It turns out that attention span is not the only reason that four hours of lecture might be ineffective. Your workforce will retain more of the knowledge if it is repeated, but spread over time measured in days rather than hours. Research shows that “for learners to develop the full meaning of the information, the connection with that initial information must be strengthened through repetition (McKeachie’s Teaching Tips: Strategies, Research, and Theory for College and University Teachers. 12th ed. Boston: Houghton Mifflin, 2005).”

Tests regarding the study technique for tests that we call “cramming” have shown that short term, intense, studying does improve tests scores, but that retention of the material is short term. Less intense studying, spread over a longer period of time with repeated events, creates a greater likelihood of long term recall of the material studied.

Conclusion

In today’s fast paced world, attackers can take advantage of that pace to induce costly errors in your work environment. Ensure that your awareness training is focused on your risks and delivered in a way that encourages the right behaviors to prevent that dramatic, or even small, loss.