Do you remember when, once a year, you or a friend or family member would go and take a single self-defense class and be ready to face attackers in the streets? … Nope. Neither do I.
The fact is that most businesses expect end-users to face a constant barrage of phishing attacks, without any practice or guidance, most of the time. It can’t really be a surprise that the vast majority of security breaches still involve employees making incorrect defensive decisions when faced with phishing or social engineering attacks.
For many years, security awareness training was delivered through traditional learning management systems (LMS), which use static content like text and videos, followed by a quiz. You may not have realized it, but there are a number of trade-offs that had to be made for practical reasons, and they resulted in inefficient and ineffective knowledge transfer and retention.
To start with, people are just not willing to spend much time in a training course to learn skills they feel they were not hired to perform, when their performance is not measured on it. So, while there are many types of threats people need to learn about, they really only get high-level guidance in a fairly short period of time, during an annual or semi-annual course. This means that they aren’t very well prepared by foundational training. And because the training is not very specific, it isn’t retained very long.
“The challenges were so quick I was able to do them in the time it took me to sip an espresso.” – IT Security Manager
So, if more frequent training isn’t the answer, what can we do? We need to recognize that traditional LMS, or even microlearning platforms, do not provide the ability to simulate phishing messages in an immersive or engaging way. And they certainly don’t provide the means or the psychological incentives for end-users to repeat and improve their skills.
The good news is that immersive, gamified phishing challenges are very effective and efficient, not only at simulating phishing attacks but also at engaging employees to improve. So, in between foundational phishing training sessions (regardless of what type they are or how often they are delivered), weekly challenges not only allow end-users to retain knowledge of how to spot threats, but they also incentivize end-users to practice and improve. This will add value to any security awareness program, regardless of how often foundational training is delivered.
Click Armor’s gamified phishing awareness course has been shown to measurably reduce the average end-user’s vulnerability by 60%, through a finely tuned combination of interactivity, feedback, practice and immersive simulations.
And now, Click Armor’s ability to provide continuous, gamified challenges through our Challenge Streams™ technology motivates end-users to practice and strengthen their skills. This combination provides a whole new level of human defenses against phishing and spear-phishing that wasn’t possible before.
Scott Wright is CEO of Click Armor, the gamified simulation platform that helps businesses avoid breaches by engaging employees to improve their proficiency in making decisions for cyber security risk and corporate compliance. He has over 20 years of cyber security coaching experience and was the creator of the Honey Stick Project for Smartphones as a demonstration in measuring human vulnerabilities.