Tuesday, June 21, 2022

Security Awareness Training Issues

Issues we've seen with some Security Awareness Training that limit its effectiveness, and ideas on how to improve them.

Does your solution suffer from these issues?

Training notifications resemble spam in a few ways (a sense of urgency, a link to click), which is exactly the pattern the training itself tells staff to distrust, and they are overly frequent on top of that.  That is likely why we have seen them blocked, labelled Junk/spam, and otherwise ignored.
* The notifications don't give the assignee an idea of how long the training will take.  For busy staff, especially those who have to track every hour (or smaller increment, as is the case for many professional services people) as billable, this makes it very hard to fit into their plans.  They are therefore likely to defer it until they have a larger block of time, and the ability to listen to audio, so they can be sure of completing it in one go.
      To Fix:  List the estimated time to complete, whether it can be paused or must be completed in one sitting, and the format: video with or without audio, just a slide deck, or something else.
* Training is presented very piecemeal.  Each element/training has its own mail stream, so a busy person in crunch time can build up several queued assignments and end up with multiple nagging messages a day.  Junk mail handling is the easiest way to get them out of the way, since they are cluttering up the key production communication tool, email.
      To Fix:  Consolidate those nag messages in some fashion.  The default should be one digest a day, with options, both administrative and end-user, to set the preferred time and cadence to better reflect the local conditions of The Work (the reason the business exists; the training is a secondary support function that won't be allowed to wag the dog).
* Training alerts are currently oblivious to work schedules, even the most standard one of Monday to Friday.  The nag interval is based on X calendar days, not X business days, so trainees get alerts outside business hours.
* If an assignee has been able to disconnect from email (weekends, vacations, collapse from overdoing a crunch, etc.), they return to a flood of those nags mixed in with all the other built-up demands on their time, and the nags go into the junk mail handling along with the rest.
* If an assignee is using a weekend, normally a quiet time, to get The Work done, the nag is an interruption during that quiet time, and again goes off to junk mail handling or similar in favour of The Work.
* If an assignee is only checking email on a weekend for emergencies (because it is normally a quiet time; vendors who send their marketing on weekends get down-voted!), then any training alerts only add to frustration with the training and get invited into the junk mail handling process.
      To Fix:  Default to X business days rather than X calendar days for the training reminders, with the two offered as clearly separate options.  Business days need to reflect local statutory and common holidays, and it would be nice to be able to configure business-specific days that are reserved for things other than such secondary functions.  A bonus would be a way to include (sync?) people's vacation schedules so the training timers pause over their scheduled time off.  Perhaps this could also be the way to include business- and/or region-specific off days.
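To make the scheduling fixes above concrete, here is a small added example (written for this page, not code from any training vendor) of a reminder scheduler that counts business days instead of calendar days, skips statutory holidays and a person's vacation ranges, and rolls everything that is due into a single daily digest that states the estimated time, format and whether each item can be paused.  The `Assignment` fields, the function names and the holiday and vacation dates are all assumptions made for the example; Canada Day 2022 is used only as an illustrative holiday.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta


@dataclass(frozen=True)
class Assignment:
    """One training assignment (field names are assumptions for this example)."""
    title: str
    assigned_on: date
    reminder_after_days: int   # business days between assignment and first nag
    estimated_minutes: int
    pausable: bool
    fmt: str                   # e.g. "video with audio", "slide deck"


def is_working_day(d, holidays=frozenset(), vacations=()):
    """Monday to Friday, not a holiday, and not inside any (start, end) vacation range."""
    if d.weekday() >= 5:
        return False
    if d in holidays:
        return False
    return not any(start <= d <= end for start, end in vacations)


def add_calendar_days(start, n):
    """What the criticised systems do: plain calendar arithmetic."""
    return start + timedelta(days=n)


def add_business_days(start, n, holidays=frozenset(), vacations=()):
    """Advance n working days from start, skipping weekends, holidays and vacations."""
    d = start
    remaining = n
    while remaining > 0:
        d += timedelta(days=1)
        if is_working_day(d, holidays, vacations):
            remaining -= 1
    return d


def due_reminders(assignments, today, holidays=frozenset(), vacations=()):
    """Assignments whose business-day reminder date has arrived."""
    return [
        a for a in assignments
        if add_business_days(a.assigned_on, a.reminder_after_days, holidays, vacations) <= today
    ]


def daily_digest(assignments, today, holidays=frozenset(), vacations=(), send_time=time(9, 0)):
    """One consolidated message per working day, or None if nothing should be sent.

    Returning None on weekends, holidays and vacation days is the point: no nag
    reaches someone who is entitled to be disconnected.
    """
    if not is_working_day(today, holidays, vacations):
        return None
    due = due_reminders(assignments, today, holidays, vacations)
    if not due:
        return None
    lines = [
        f"- {a.title}: about {a.estimated_minutes} min, {a.fmt}, "
        f"{'can be paused' if a.pausable else 'must be completed in one sitting'}"
        for a in due
    ]
    total = sum(a.estimated_minutes for a in due)
    body = "\n".join(lines) + f"\nTotal: about {total} min"
    return {
        "send_at": datetime.combine(today, send_time),
        "items": due,
        "total_minutes": total,
        "body": body,
    }


if __name__ == "__main__":
    # Constructed sample data: one assignment handed out on a Friday.
    holidays = frozenset({date(2022, 7, 1)})            # Canada Day (illustrative)
    vacations = ((date(2022, 7, 11), date(2022, 7, 15)),)  # constructed vacation week
    phishing = Assignment("Phishing awareness module", date(2022, 6, 17), 3, 15, True, "video with audio")
    print("calendar-day nag:", add_calendar_days(phishing.assigned_on, 3))   # lands on a Monday morning
    print("business-day nag:", add_business_days(phishing.assigned_on, 3))   # Wednesday
    print("Saturday digest:", daily_digest([phishing], date(2022, 6, 25), holidays, vacations))
    print(daily_digest([phishing], date(2022, 6, 22), holidays, vacations)["body"])
```

The design choice worth noting is that `daily_digest` is the only thing that sends, and it refuses to produce anything on a non-working day; the per-assignment timers never generate their own mail, which is what removes the multiple-nags-per-day problem as well as the off-hours one.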
Related to the off-hours notifications the system currently sends: these notifications run up against a new legislative trend to protect employees' personal time (that whole work/life balance thing).  Ontario is the first of the pack to have such legislation, and off-hours notifications put organizations based here in a rough spot; we may well be forced to find other training providers that respect the Right to Disconnect.