EuroCACS 2006 – Session 213:
Developing Effective Interactive Security Awareness Trainings
Luc Pelfini, CISA
http://www.bitterli-consulting.ch
Please observe the copyright: You are allowed to use and further
distribute this presentation only with this copyright notice attached. If
you use parts of this documentation in presentations or other diagrams
you have to refer to the source. Any commercial use of this
presentation is only allowed with written consent of the author.
© Bitterli Consulting AG, 21.3.2006
Introduction: Learning Objectives
• After this session you will understand
– Advantages and disadvantages of
interactive awareness trainings
– Steps to develop a successful interactive
training considering all relevant factors
– Available training techniques to compose
absorbing interactive trainings
– Pitfalls to avoid while developing the
training and during the rollout
Agenda: Session 213
• Introduction
• Considering influencing factors
• Developing training content
• Training techniques
• Rollout
• Insights, Conclusions
• Summary
Agenda: Part 1
• Introduction
• Considering influencing factors
• Developing training content
Introduction: Case Study – Assumptions for this Presentation
• International company with widespread branches
• More than 5’000 employees
• Divisions with diverse business requirements
• Local languages coexist with the company language
• Information security awareness campaign already established
Remark: examples and cost estimates in this presentation are derived from various companies
Influencing Factors: To be considered for Training Development
• Superordinate awareness campaign
• Intention, goal, scope
• Company culture / country
• Target audience
• Educational psychology
Influencing Factors: Superordinate Awareness Campaign
Diagram (campaign structure as shown on the slide):
• Group-wide Business Information Security Awareness Campaign
• Divisional Business Information Security Awareness Campaign (to reach Level I)
  – Kickoff meeting
  – Initial measurement
  – Letter to staff
  – Trainings:
    • Management Training, 1.5 h
    • End User Training, 1.5 h
    • 0.5 h / 0.5 h
    • Laptop User Training, 1.5 h
  – Other activities
  – Final measurement
Influencing Factors: Superordinate Awareness Campaign
• Repeating statements and logos
from the awareness campaign
– “... - on your guard!”
– “Be aware!”
Influencing Factors: Intention, Goal
• A class-based training is not the only, and not necessarily the best, way to achieve the goal
• Not all possible training techniques are appropriate for a specific intention/goal
Influencing Factors: Scope
• Do not overload the boat
• Concentrate on issues that concern all intended participants
• Approve scope and content with the project steering committee and stakeholders
• Ensure high-level management support in the respective countries, divisions, ...
Influencing Factors: Company Culture / Country
• Consider the company culture
– Formal vs. informal
– Helping and open culture vs. “closed-shop” organization
• Be aware: the required security-conscious behavior may result in a cultural change process
Influencing Factors: Target Audience
• Do not rely on assumptions about what your target groups are like; find out!
• Ask yourself again and again: does one training fit all?
• Are (minor?) adaptations required for a specific target group, country, division?
Influencing Factors: Target Audience
• Try to adapt to your audience in
– language, wording
– attire
– argumentation
• Try to anticipate objections of specific audience groups
Influencing Factors: Educational Psychology
“What you tell me, I forget;
What you teach me, I remember;
What you let me do, I understand.”
Confucius, approx. 500 B.C.
Influencing Factors: Educational Psychology
• Principles to support learning
– create associations
– from the general to the detail
– create interest
– repeat content in different ways
– use positive wording / formulation
– create a positive learning environment
Influencing Factors: Educational Psychology
• Some people want to know what they have to do, ...
• ... others, why they are supposed to do something.
• Be assured, you will find plenty of both groups in your trainings.
Developing Training Content: Step-by-step Approach
1. Define target groups
2. Analyze unwanted behavior appearing in each target group
3. Analyze possible reasons for unwanted behavior and define wanted behavior
4. Identify possible approaches to encourage wanted behavior
5. Define learning objectives and training content
6. Select appropriate training techniques for each specified content item
7. Perform and videotape a test training
8. Approval
Agenda: Part 2
• Training techniques
Training Techniques: Overview
• What is an interactive training session?
• Toolbox for class-based and computer-based training
• Influence of selected technique on deliverables
• How to evoke emotional involvement
• Selection of training techniques
Training Techniques: What is an interactive Training Session?
• Interactive means
– Two-way communication
• Activate participants:
– Have them do something
– Ask questions, do exercises
– Use different training techniques
– Use different input channels
Training Techniques: Tool-box for interactive class-based Trainings
• Presentation with slides and handout
• Pin board and cards
• Spontaneous drawing/writing
• Video sequences/movies
• Discussion, voting, completing diagrams
• Other exercises (and solutions)
• Hands-on training (e.g. on the computer)
• Final test, feedback form
Training Techniques: Tool-box for interactive Computer-Based Training
• Presentation with slides and handout
• Pin board and cards
• Video sequences / movies
• Voting, completing diagrams
• Other exercises (and solutions)
• Hands-on training (e.g. on the computer)
• Final test, feedback form
• Spontaneous drawing/writing
• Discussion
Training Techniques: Reasons for alternating Training Techniques
• Changes/breaks create attention
• Different media support different senses
• Each participant has different preferences for learning
• Variety keeps attention at a higher level
• Not all media are appropriate for each content item
Training Techniques: Influence on Deliverables
• Keep in mind that the selected training techniques determine the
– Deliverables for participants (handout, voting cards, feedback form)
– Deliverables for trainers (speaker guideline, DVD, posters)
– Infrastructure required (beamer, pin board, sound system, ...)
Training Techniques: Evoking Emotional Involvement
[Pictures: Monitoring/Surveillance; Laptop Theft]
• Pictures may create emotional involvement
Training Techniques: Evoking Emotional Involvement
• Headlines and provocative statements/questions may create emotional involvement
– “Roughly one in five of you handles personal passwords without due care!”
– “What do you think: does your employer read your e-mail?”
Training Techniques: Evoking Emotional Involvement
• Be aware: evoking emotional involvement may have a double-edged effect!
• Let’s watch a non-IT-related example ...
Training Techniques: Slides and Handout
• Central thread through the whole training session
• Learning objectives
• Statements on explicitly wanted and unwanted behavior
• Explanations, visualizations
• Checklists
• Contact persons
Training Techniques: Pin Board and Cards (figure only)
Training Techniques: Posters (figure only)
Training Techniques: Spontaneous Drawing/Writing (figure only)
Training Techniques: Video Sequences
• Video sequences
– provide audio-visual activation
– may evoke emotional involvement
– can be used to provide a connection to the company by using employees as actors
Training Techniques: Video Sequences
• Off-the-shelf
+ Cheap
+ Low effort for procurement
– No connection to your company
– Licensing issues
– Expensive translation / synchronisation
• Tailor-made
+ Company culture visible
+ No licensing issues
–/+ Can be expensive
– Time and effort for plot, coordination, production, etc.
Training Techniques: Video Sequences: off-the-shelf
• Large variety of off-the-shelf videos available on DVD or VHS for about 400.- per subject
– end-user training
– laptop training
– social engineering
Training Techniques: Video Sequences: tailor-made
• A professional production team is indispensable
• Clear plot required
• Actors from your company?
• 15-minute movie in 3 languages with total cost of approx. 70’000.-
Training Techniques: Brochure, Handbook
• Have the participants work with the brochure/handbook in an exercise
• Possible content
– Foreword from CEO, CRO, CFO
– Mandatory principles, policies
– Explanations and real-life examples for each principle
– Glossary
• Signed receipt from each employee?
Training Techniques: Gadget / Give-Away
• Token of esteem for all participants
• Reminder of Information Security
• Shows an important message
• Provides the Intranet page of Information Security
• Should not be completely out of context
Training Techniques: Gadget / Give-Away
Examples from the slide (delivery time, unit price); the items pictured include a mouse pad and a page holder, the other two items are not recoverable from the transcript:
• 1 day, 2.00-3.00
• 2-5 days, 1.50-3.00
• 2-5 days, 3.00-5.00
• 1 day, 3.50-5.00
Training Techniques: Feedback Form - Content (1)
• Feedback requested anonymously regarding:
– Training
• Training met my expectations
• Content, duration, level of interaction
• Trainer
• Handout
• Room, infrastructure
• Administration
Training Techniques: Feedback Form - Content (2)
– Participant
• Knowledge prior to training
• New insights/knowledge thanks to the training
• Training will influence my behavior in the future
• I would like to know more about information security
• The feedback form should provide free space for additional comments/questions
Training Techniques: Test or Quiz?
• Are tests accepted, or would a voluntary quiz be better?
• Should the test be part of the training, or would it be better a few months afterwards?
There are no definite answers.
Agenda: Part 3
• Rollout
• Insights, Conclusions
• Summary
Rollout: Speaker Guideline and Checklist
• Having several trainers makes a speaker guideline indispensable
• The speaker guideline provides:
– List of material on hand
– Checklist: some weeks before the first training
– Checklist: 1-3 days before any training starts
Rollout: Speaker Guideline and Checklist
• The speaker guideline provides (cont.):
– Preparation activities starting 60 minutes before the training starts
– Explanations for each slide:
• Purpose of slide / didactical background
• Step-by-step guidance
• Frequently asked questions and answers
Rollout: Trainer Selection
• Selecting an appropriate trainer:
– Supported by (local) management
– Accepted by the audience
– Able to perform trainings (personality)
– Able to communicate the training content
– Willing to invest the required time
Rollout: Train-the-Trainer
• Required to provide (worldwide) as consistent a training quality as possible
• Covers training skills as well as training content
• For 8 - 10 trainers takes about 1 - 2 days for a 60-minute training
• May result in final changes to the training material
Rollout: Analyzing Feedback Forms
• Analysis of feedback forms
– Insights regarding training content acceptance and open questions
– Success per trainer, per business unit, per country
– Answer questions from feedback forms
– Take results into account for further awareness activities
• Analysis of attendance forms
– Subsequent trainings (and reminders) for employees who missed the regular training
Rollout: Solutions for small Locations and new Employees
• Possible solutions for small locations and new employees:
– Blend of speaker guideline and handout for self-study
– Handout and video conference
– Videotaped class-based training
– Computer-based training
Rollout: Alternative Solution: Computer-Based Training
• Development without an existing class-based training is time-consuming and challenging
• Developing a CBT is an iterative and creative process
• Off-shoring introduces numerous new risks
• Translation into several languages
• Implementation in an existing learning platform may be surprisingly complex
Rollout: Alternative Solution: Computer-Based Training
• Preconditions
– Build on an existing class-based training?
– Strong focus on quality
– Activation of users as far as possible with a CBT
– Integration into the existing learning platform
• Costs
– In-house: approx. 60 days
– Translation per language: 5 to 10 days
– Costs for production: 50’000.- to 95’000.-
Rollout: Alternative Solution: Computer-Based Training
Examples from www.datenschutz.ch (three screenshots, not reproduced in the transcript)
Insights, Conclusions: Expected and unexpected Challenges
• Recurring discussions on training content
• Translations and quality assurance
• Selection and training of trainers
• Managing thousands of participants worldwide - and “motivating” them to join the awareness training
• Logistics (transportation, facilities, ...)
Insights, Conclusions: A Business Plan is indispensable
• Benefits (intention, need)
• Budget (internal and external)
• Possible solutions
• Scope (content, target groups, divisions)
• Time frame
• Project organization
Insights, Conclusions: Appropriate Project Organization
• Back office with 0.5 to 1.0 FTE for:
– Project management
– Coordinating/supervising externals
– Participant invitation and registration
– Logistics (training material, rooms, ...)
– Analysis of feedback and attendance forms
• Local Security Officers or other candidates
– To be nominated as a trainer
– To support coordination and administration
Insights, Conclusions: Budget for interactive Awareness Training
Activity           Days
Analysis           15 - 50
Design             15 - 50
Implementation     see part 2
Training delivery  approx. 130
Back office        90
Summary: Pitfalls
• Underestimating the efforts required
• Underestimating complexity in an international company with different divisions and countries
• Lack of project management (e.g. no business case, no planning)
• Lack of back office (at least 0.5 FTE)
Summary: Learning Objectives
• Do you now understand
– Advantages and disadvantages of interactive awareness trainings
– Steps to develop a successful interactive training considering all relevant factors
– Available elements to compose an absorbing interactive training
– Pitfalls to avoid while developing the training and during the rollout
Summary: Your Questions
• ?
For More Information:
Luc M. Pelfini, CISA
Bitterli Consulting AG
www.bitterli-consulting.ch
Thank you!