This report gathers and analyzes the front-line observations of security leaders from the major vertical sectors (finance, manufacturing, health, and entertainment among them) who have used a relatively new approach to user awareness: simulated attack training.
It discusses how practicing CSOs from Fortune 500 companies maximize the strengths and avoid the pitfalls of what can be a controversial but very effective method of training users to avoid being phished: learning by experience.
"Phishing, and the more targeted and sophisticated spear-phishing, is the weapon of choice for the modern cyber-criminal and is used by the more organized hacker for data and intellectual property theft," said Perry Carpenter, a former security awareness analyst at Gartner who is now working as a security expert in the financial sector. "While there is no foolproof technological defense, contemporary thought now focuses on training the user to recognize and resist targeted social engineering."
The purpose of the CSO discussion was to exchange the ideas and experience of senior security leaders on the implementation and use of simulated attack training within a continuous training methodology.
More than anything else, the report shows how simulated attack training introduces measurement into awareness training: not only is the training effective, its effectiveness can be measured and monitored round by round, so that the most cost-efficient training can be directed at the highest-risk people and topics.
The report concludes with a checklist on how to implement and manage simulated attack training as part of a continuous training methodology, including:
- Get internal buy-in from executives across departments. Involve the executive team early, either by including them in the simulated phishing attacks or through third-party advice (analyst firms or industry contacts)
- Assess the existing level of user awareness prior to starting a new simulated attack methodology
- Use the upfront assessment data, combined with new data from the simulated attacks, to prioritize future training
- Provide training that applies learning-science principles to lengthen retention by the 'students'
- Review the data returned from simulated attacks and training in order to determine the next round of training and assessments that should be scheduled
- Ensure that any awareness training program is a continuous process: heightened user awareness loses value if you don't reinforce learned concepts over time.
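The measurement the report emphasizes, and checklist steps two, three and five (assess the baseline, combine it with simulation data to prioritize, then review each round to schedule the next), come down to a small amount of bookkeeping over the results of each simulated campaign. The following is an added example of that bookkeeping, not code from the report or from any vendor it discusses. The results, departments, lure themes, baseline quiz failure rates and the 70/30 weighting between simulated click rate and baseline failure rate are all constructed assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    """One simulated phishing e-mail sent to one user in one training round."""
    round_no: int     # training round the simulation belongs to
    user: str
    dept: str
    lure: str         # lure theme, e.g. "invoice" or "password-reset"
    clicked: bool     # user followed the lure link
    reported: bool    # user reported the message to the security team


# Constructed sample data (not from the report): two rounds, two departments.
SIM_RESULTS = [
    SimResult(1, "alice", "finance", "invoice", True, False),
    SimResult(1, "bob", "finance", "invoice", True, False),
    SimResult(1, "carol", "finance", "password-reset", False, True),
    SimResult(1, "dave", "engineering", "invoice", False, True),
    SimResult(1, "erin", "engineering", "password-reset", True, False),
    SimResult(1, "frank", "engineering", "password-reset", False, False),
    SimResult(2, "alice", "finance", "invoice", False, True),
    SimResult(2, "bob", "finance", "password-reset", True, False),
    SimResult(2, "carol", "finance", "invoice", False, True),
    SimResult(2, "dave", "engineering", "password-reset", False, True),
    SimResult(2, "erin", "engineering", "invoice", True, False),
    SimResult(2, "frank", "engineering", "invoice", False, False),
]

# Constructed baseline: share of each department that failed the upfront
# awareness assessment before any simulation ran (checklist step two).
BASELINE_FAIL_RATE = {"finance": 0.50, "engineering": 0.25}


def rates_by(results, key, only_round=None):
    """Click and report rates per group; key is 'dept', 'lure' or 'user'."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    reported = defaultdict(int)
    for r in results:
        if only_round is not None and r.round_no != only_round:
            continue
        g = getattr(r, key)
        sent[g] += 1
        clicked[g] += r.clicked
        reported[g] += r.reported
    return {g: {"sent": sent[g],
                "click_rate": clicked[g] / sent[g],
                "report_rate": reported[g] / sent[g]} for g in sent}


def prioritize_departments(results, baseline, round_no, w_sim=0.7, w_base=0.3):
    """Rank departments for the next training round (checklist step three).

    The score blends the latest simulated click rate with the baseline
    failure rate; the 70/30 weighting is an assumption, not from the report.
    """
    latest = rates_by(results, "dept", round_no)
    scored = {d: w_sim * v["click_rate"] + w_base * baseline.get(d, 0.0)
              for d, v in latest.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def click_rate_trend(results, key):
    """Per-group click rate for each round, so decay between rounds is visible."""
    rounds = sorted({r.round_no for r in results})
    trend = defaultdict(list)
    for n in rounds:
        for g, v in rates_by(results, key, n).items():
            trend[g].append((n, v["click_rate"]))
    return dict(trend)


def repeat_clickers(results):
    """Users who clicked in every round they were tested: targeted-training candidates."""
    seen = defaultdict(list)
    for r in results:
        seen[r.user].append(r.clicked)
    return sorted(u for u, c in seen.items() if all(c))


if __name__ == "__main__":
    for dept, score in prioritize_departments(SIM_RESULTS, BASELINE_FAIL_RATE, 2):
        print(f"{dept:12s} priority score {score:.2f}")
    print("by lure theme:", rates_by(SIM_RESULTS, "lure"))
    print("trend by dept:", click_rate_trend(SIM_RESULTS, "dept"))
    print("repeat clickers:", repeat_clickers(SIM_RESULTS))
```

On the constructed data, finance's click rate halves between rounds while engineering's stays flat, the invoice lure out-performs the password-reset lure, and two users click in both rounds; those three readings are what decide the next round's targets and topics. Report rate is tracked alongside click rate because a rising report rate is the positive signal that reinforcement is working, even among users who still occasionally click.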
The complete report is available here (registration required).