this post was submitted on 02 Nov 2025
174 points (97.3% liked)

cybersecurity

[–] shalafi@lemmy.world 23 points 2 days ago* (last edited 2 days ago) (3 children)

Perhaps because corporate security training is boring as hell?

I worked up a training class over the course of a year. Ridiculous to take so long, but I wanted to nail it. I figured there were three key things.

  1. The things I talked about had to be relevant to the employees. I pared the stories down to items they could actually encounter. This is how an attack can affect you, how it can affect us. Here are things I've seen right here at our business.

  2. Anything I wanted to talk about had to come with actionable prevention techniques. Here's the problem, here's what you can do about it. They had to feel empowered, not helpless.

  3. The class had to be entertaining and interesting, start to finish, no fumble fucking around, no baffling them with jargon. I rehearsed that entire year until I could do it in my sleep. Plenty of humor threaded throughout the talk.

Nervous as hell when the day finally came. I have no problem speaking to a group, love it in fact. But talking cybersecurity to non-technical people is about as boring as it gets. Business owners bought everyone lunch and we met in the conference room.

Timed it to run for 40 minutes, left space at the end for questions. Talk about a resounding success! Everyone in the room was engaged and had questions, some even staying beyond the allotted hour. Fuck me, I actually got applause! (Yes, and everyone clapped. Really.)

Phishing tests went from 25% failure to 4% failure overnight. I left a USB drive on the floor by the printer. No one touched it for three days, and then only to place it on the table.

My next job was at a software dev. Security training involved cutesy animated characters and multiple-choice questions. Yeah, a live puppet show would have been more effective.

[–] Jayb151@lemmy.world 2 points 23 hours ago (1 children)

Hell ya. I'm glad you feel really proud about that. I've led so many garbage trainings, it makes the great ones really stand out!

[–] shalafi@lemmy.world 1 points 23 hours ago

Thank you! I AM proud! It's one of the finest things I've accomplished in the corporate world, and actually useful.

[–] driftWood 0 points 22 hours ago

The dedication to your task is commendable 👏. This is becoming rare day by day.

[–] Jumi@lemmy.world 6 points 2 days ago (1 children)

A good teacher builds their lessons around their pupils.

[–] shalafi@lemmy.world 1 points 23 hours ago

This was before I watched Paul Harrell (RIP) on YouTube. Gun content, take that as you will. But the man was a masterclass in how to present information.

Tell 'em what you're going to tell 'em. Tell 'em. Tell 'em what you just told them.

Never once talked down to anyone, except for "so called experts". Never assumed the audience knew specific things. Always showed examples and tests, with controls. Always spelled out any inexact differences in testing, no matter how small. Sprinkled in some dry humor, often unexpectedly. Anyone who teaches could learn from the man.