Beyond the Code: Modern Cybersecurity Training for 2024

The overwhelming majority of cybersecurity incidents today target humans to some degree. In fact, 74% of all breaches in 2023 involved the human element. Now that AI is widely available to threat actors and social engineering is on the rise, professionally targeted campaigns will become automated and even more difficult to spot. 

So, why aren't more cybersecurity leaders properly training their teams to defend against these threats? That's because most of today's security education relies on phishing simulations and videos that only meet the bare minimum requirements for compliance training. As a result, it becomes challenging for people to learn the skills needed to comprehend threats and use that knowledge to develop protective habits. 

Instead, your team needs to have access to role-playing, live simulations that cover current threats, and serious games that will tap into their critical thinking skills and deeply embed these concepts in their minds. 

Security awareness education that requires employees to click through a module on their computer (while likely multi-tasking in the background) are not effective because they don't consider each person's role, risk exposure, or IT security knowledge. A blanket approach is unable to convey the knowledge and job-relevant security skills that are crucial for changing someone's behavior in their actual work environment. 

Related:Positive Approaches to Cybersecurity Training

What's more, these programs are not effective unless employees are also provided essential tools, processes and resources to integrate security behaviors seamlessly into their daily routines. For example, if you make someone sit through a video training about how important it is to use a password manager to have a unique and robust password per account, but don't provide them access to a password management tool, the training becomes pointless. 

Another common issue is that learning content frequently focuses on specific security threats individually, rather than approaching them from a learner's perspective. While it's beneficial for learners to research and understand technical terms for specific types of attacks, such as 'vishing' (voice phishing), it's just one method within the larger issue of threats. It's important for them to recognize a social engineering attack, no matter how they are targeted. 

To effectively teach employees how to mitigate human factors in cyber-attacks, understanding two key concepts around how criminals work is essential. First, I recommend teaching people how a social engineering attack cycle works -- information gathering, establishing relationships and rapport, exploitation, and execution. Demonstrate how information can be gathered via open-source intelligence and then used to establish a relationship that can be exploited by the attacker. 

Related:‘They’re Coming After Us’: RSA Panel Explores CISO Legal Pressure

Second, it's important to cover how criminals exploit human nature via compliance principles. The five psychological compliance principles are:  

Once someone understands how social engineers use these principles and the psychology behind them, they will have a heightened sense of awareness for these types of attacks and become better at avoiding them, no matter via which channel they arrive. 

An effective way for these principles to stick in someone's mind is to use serious immersive games. Role-play and simulations, like Piece of Cake - The Social Engineering Security Awareness Tabletop Game, that get participants to play with manipulative tactics in different scenarios that address security challenges in a playful way. If you tailor scenarios to specific job functions, your teams will understand through experiential learning why this security training is relevant to them. It makes learning meaningful and enjoyable, which can lead to a fundamental shift in someone's attitude towards security. 

Related:To Catch a Cybercriminal -- and the Fallout That Follows

Half a year after undergoing "Piece of Cake" training, a participant faced a real test. Following his parents' death, his sibling inadvertently handed his number to scammers phoning their parents' landline. When these fraudsters called on his private number, pretending to be from the parents' bank with a spoofed number, he was initially caught off guard. Yet, amidst his vulnerability in this moment of grief, alarm bells went off, and he remembered the advice to cut off and ask back via a different channel. Despite the emotional pressure, this instinct to identify the tactic and verify the caller's legitimacy demonstrated the enduring impact of his experiential learning on recognizing and thwarting social engineering attempts. 

For leaders involved in decisions during crisis, as well as the crisis management team, tabletop exercises (TTXs) have proved invaluable. Tailoring scenarios (based on existing templates such as the more than 100 from CISA) to mirror the specific challenges of your organization is a great way to do this. It will help your team develop and test a cohesive incident response plan.  TTX-based training fosters collaboration and communication within organizations, allowing for vital knowledge sharing and improved incident response channels. 

Experiential learning, such as interactive play with a focus on the human factors involved in cyberattacks is the most effective way to offer security training. These methods facilitate better retention and practical application of security knowledge, beyond the traditional, passive learning models that predominantly exist. By engaging employees in scenarios that replicate real-life situations and highlighting the common tactics used in social engineering, training becomes more relevant and digestible, and employees can take a more proactive stance towards cybersecurity within the organization.