3.2 Reinforcement Approaches for Cyber Security Education

00:10

Lesson two

00:12

Reinforcement approaches for cyber security Education

00:22

Can you name a cyber risk that we should focus on to maintain vigilance and threat recognition levels amongst our colleagues?

00:34

Hopefully, you chose fishing or social engineering as your answer because these are areas where users are most likely to be targeted or caught unaware.

00:46

So in this lesson, we're going to look at specific reinforcement techniques that can be applied to security education related to these risks.

01:11

The overall learning objective of this lesson

01:15

is to understand how to apply reinforcement principles within our security education program so that we can reverse the forgetting curve within our organization

01:30

within a security education program. Micro learning interventions can be used to both reinforce education already provided and to develop skills further

01:42

in listen three of module one. We showed how we could apply experiential learning techniques to coach uses to recognize different types of cyber threat by giving them the experience of interactively finding red flags in phishing emails.

01:57

This concept can be developed further by using interactive experiences as a platform to regularly refresh your colleagues knowledge on threat recognition skills on to help them recognize new threats that may have recently emerged.

02:12

I suggest that you develop a schedule of micro learning interventions so that users can receive regular exposure two examples of the cyber threats that they are most likely to encounter on a daily basis.

02:24

The material used in these exercises should not be a repeat of the same test that you use in your main education content.

02:32

Vary them and adjust the difficulty.

02:36

Remember that the forgetting curve kicks in quickly, so consider the frequency of delivery.

02:42

Ensure that they are frequent enough to be effective,

02:45

but not so frequent that they become a nuisance to everyone.

02:49

I would suggest a monthly frequency

02:52

based on examples that you have developed in house, augmented by ad hoc interventions when new threats or techniques come to your notice.

03:00

In this way, your micro learning initiative becomes responsive to current threat intelligence. On In this way, you are training your colleagues to deal with relevant threats,

03:10

and you're also sending out another important message that you are looking out for them on our actually helping them to recognize Fitz as they emerge.

03:22

If you have the capability to capture the results of these micro learning exercises,

03:27

the threat intelligence led approach has the capability to generate some highly relevant and valuable metrics, which I will expand on in the next lesson of this module.

03:37

But for now, let's just concentrate on the concept that small frequent reminders will help to stop the forgetting curve becoming too steep.

03:53

The reinforcement approach involves quite a few building blocks that operate together, so it may be helpful to run through a conceptual example to see how it all comes together. The next few slides will show the key stages in the development of a reinforcement program, which is designed to build and maintain threat recognition capability

04:13

throughout an organization.

04:15

Our aim here is to make the learning curve resilient so that cyber security threat recognition skills grow rather than deteriorate.

04:35

We're all familiar with the concept that content is king, and you can't start a micro learning process without content.

04:44

Remember that your content needs to be varied and challenging on that you'll need to build a library off, um, so that you have a stock of content to feeding to your micro learning initiative.

04:55

Did you take the opportunity to test drive the fishing test example that we showed in less than three of module one.

05:02

This example was built with power point using triggers and animation sequences, so you'll need to develop a few examples like these for yourself, making them a specific issue can to your organization.

05:15

New examples should regularly be developed based on your current threat intelligence in this area

05:21

to ensure that your training and education efforts are focused on current threats.

05:32

When you create your content, it's worth considering whether there will be different audiences within your organizations that might have specific needs.

05:43

If so, you could think about tailoring your content to different groups. For instance, would procurement have slightly different needs to sales and marketing? Maybe you could start to Taylor content for these specific audiences.

05:58

Remember, this gives you a great excuse to get out into the organization to discuss specific needs with particular groups, which makes this a great PR exercise for in for SEC. Sending out the message that you are tailoring security education for the specific threats on risks

06:15

face my particular activities within your organization.

06:25

Next,

06:27

decide on a schedule which starts with your usual training approach, bolstered by the shuttle off your micro learning interventions, Remember, vary them

06:38

and, if required, taylor them to specific organizational functions where relevant

06:53

delivery is the next stage of the process.

06:56

Pushing out your micro learning sessions to your colleagues using whatever tools and distribution approach best meets your needs and the resources you have available to you

07:13

on the final stage is, of course, measure the results of your micro learning exercises. Remember that our objective is to improve the threat recognition capabilities of our organization.

07:26

So we want to move beyond generating statistics that merely relate to who participated in the exercise on who didn't

07:32

I'll be covering the measurement issue and providing a few options in the next lesson.

07:39

What you're seeing above is an example of ambient advertising,

07:43

which is based on the concept of an encounter with something familiar, but where it is slightly out of normal context or proportion.

07:51

The element of surprise prompts a mental double take, which makes us think about the subject rather than subliminally ignoring it.

08:01

Looking at the example above a familiar object are familiar brand, but the context off it is unfamiliar, particularly the size

08:11

mentally it pauses up short on, makes you spend a little more time processing what we see.

08:18

I've deliberately used this example because it shows the use of Ambien influences by a major brand. Ambien Advertising is a major part of the portfolio of persuasion tools used by the advertising industry,

08:31

and they use it because they know it works.

08:35

These concepts could be applied in your information security education program, too.

08:46

Here's a few examples of ambient reinforces for your security education program that can be used to give your colleagues memory a nudge.

08:54

You can use mouse mats T shirts, perhaps one by your KN for *** colleagues or seat cushions in touchdown areas.

09:03

Your only real limitation is your creativity and imagination. There are literally hundreds of ways to introduce a familiar message on an unfamiliar medium in your workplace.

09:15

Just apply the concept of what do you think will work in your organization. For instance, some people just aren't comfortable wearing T shirts with slogans.

09:24

Also, don't overdo it. What's fresh today eventually becomes dull,

09:30

so select a few options and used them once in a while.

09:35

Also on the examples shown note that the logo and strap line, which recovered a module one, are carried through, creating a consistent Touchstone for the program.

09:50

If there's one sure fire way to ensure that the vast majority of your colleagues see an ambient reinforce, er, it's by introducing it into their virtual environment.

10:01

By adapting the desktop wallpaper to carry your message of prescribed intervals, you may need a little help from your I T colleagues to roll this out, but this is one of the most effective ways to ensure a message. It's seen throughout your organization. It costs nothing

10:18

except a few moments to modify the standard desktop background.

10:22

A most corporate I T departments have the capability to automatically update all devices to use a different wallpaper for the desktop background.

10:31

Again, make sure you vary this. Otherwise it will become stale, dropping the message for a few weeks and then repeating it with perhaps a new background compression everything up.

10:48

Another way of using ambient reinforcement is to embed something in a relevant application, such as putting a suspicious email reporting button in the outlook ribbon. This approach has a number of advantages.

11:01

Firstly, it makes things easy for everyone. Uses don't have to memorize the correct email to use. If they do see something suspicious, that's just turned up in their inbox.

11:13

There's also a positive message for the user in this because it looks like you were trying to support them as part of the Cyber Security education program.

11:22

Secondly, it's a constant reminder to the user, and it's positioned above onto the right of the preview pain coming into vision as the user reads or scans through each email.

11:35

By the way, although many vendors of simulated fishing chests off a free reporting buttons as part of their offering, it's worth remembering that you came by just the code for the button and insert your own email addresses and customize it for your own usage.

11:52

Several organizations supplied these as an actress fix Adin for reasonable prices. So just try searching for Outlook Adan's and you'll soon have a few organizations to choose from.

12:07

As with the previous example, you will need some help from your icy department to assist with deployment. But it's well worth the effort to have that constant reminder embedded into which is probably the most commonly used applications in the majority of organizations.

12:26

And now a quick post assessment question on this lesson.

12:31

What's the best frequency for a schedule off micro learning interventions

12:43

or hopefully you said monthly, and you may have added as required for threat intelligence led schemes.

12:56

In this session, we concentrated on techniques that can overcome the forgetting curve within your information security education program. We looked at micro learning interventions, which were based on the experiential learning and coaching techniques that we introduced in Module one. We showed how these can be delivered, his short lessons

13:16

based on current threat intelligence so that we can keep our colleagues aware of current and emerging threats.

13:22

We also locked up using ambient techniques that can be used as Touchstones to keep key messages fresh in the minds of our colleagues. We are now moving on. So lesson three of this module, which will look at how we can extract metrics from their security education program

13:39

so that we can go beyond statistics that merely measure participation in courses and exercises

13:46

and take us to the stage where we can draw real conclusions on our organization's intrinsic threat recognition capability.