Social Engineering Awareness Programs: Part 3


Reinforcement and Incentivization

The opinions expressed in this post do not necessarily reflect those of Joe’s employers: past, present, or future. While I am a security professional, I am not your security professional. The data included in this post is sound by current industry parameters; your mileage may vary.

INTRODUCTION

At this point in the awareness life cycle, the culture has been set, and training has been designed and conducted. The goal now is to reinforce that training and to provide incentives for the people who thwart attacks, who report “interesting” attempts, or who report a high volume of attempts. Note: be careful with incentivization. Wells Fargo is an excellent example of what happens when people are financially rewarded for something they are in a position to sabotage.

THE REINFORCEMENT

Now that the training is complete and people have returned to their normal tasking, it is time to keep security, in this case social engineering, at the forefront of people’s minds. This is critical for long-term retention.

To reinforce the training, a program that I have used is called the “Security Thought of the Month,” which I abbreviate as STOM. In this program, each concept runs for two months at a time: the first month is a training month, and the second is a testing month. During the first month, an initial email is sent to lay the foundation for the concept. Each week after that, a short email (a paragraph or less) is sent to reinforce the previous email(s) for the month.

The second month is when testing occurs. For some concepts, like social engineering, this testing should occur more often than once per year. I recommend an ongoing testing campaign that cycles through various user groups each month. Services from organizations like PhishMe, Social-Engineer.com, and Sword and Shield Enterprise Security allow companies to test their people’s ability to identify a phish and resist clicking on it.

I recommend ensuring that social engineering is included in any penetration testing the organization is subject to. If no penetration test is required or desired, some organizations, like those mentioned above, also perform standalone social engineering penetration testing. This gives the company an accurate picture of how prone its employees are to falling victim to a variety of social engineering attacks.

THE INCENTIVIZATION

Incentivization goes hand in hand with reinforcement. When people do things right or save the organization from catastrophe, they should be rewarded. I like the concepts of challenge coins or free time off. I recommend awarding time off in 10 minute increments, with a minimum of 60 minutes accrued before it can be taken. Giving shirts, parking spots, or gift certificates is another method that I have observed to work. Again, be cautious about the incentives used: Wells Fargo employees demonstrated a misuse scenario that, once revealed, was almost worse than any attack could have been.

CONCLUSION

In conclusion, training is not enough. Reinforcement should remain an ongoing process. Keeping the concepts fresh in the minds of the organization’s people is a critical step in preventing catastrophe from the outside in. People must be equipped with the tools to determine what is legitimate and what is not. Subjecting them to a real-world scenario is an effective method of accomplishing this.


Social Engineering Awareness Programs: Part 1
Social Engineering Awareness Programs: Part 2


About Joe Gray

Joe Gray is a native of East Tennessee. He joined the U.S. Navy directly out of high school and served for 7 years as a Submarine Navigation Electronics Technician. Since leaving the Navy, Joe has lived and worked in St. Louis, MO, Richmond, VA, and Atlanta, GA. His primary experience is in the Information Assurance (IA) and cyber security compliance field. He has worked as a Systems Engineer, Information Systems Auditor, Senior UNIX Administrator, Information Systems Security Officer, and Director of IT Security. Joe is pursuing his PhD in Information Technology (with a focus in Information Assurance and Security). His undergraduate and graduate degrees are also in Information Technology (with a focus in Information Assurance and Security) from Capella University, where he graduated Summa Cum Laude for both degrees and completed a Graduate Certificate in Business Intelligence. He is also part-time (adjunct) faculty at Georgia Gwinnett College. Joe holds the (ISC)² CISSP-ISSMP, GIAC GSNA, CompTIA Security+, CompTIA Network+, and CompTIA A+ certifications. In his spare time, Joe enjoys reading news relevant to information security, blogging, bass fishing, and flying his drone, in addition to tinkering with and testing scripts in R and Python.