Luc Pelfini, CISA - Bitterli Consulting · Luc Pelfini, CISA ... • Presentation with slides and...

EuroCACS 2006 – Session 213:

Developing Effective Interactive Security Awareness Trainings

Luc Pelfini, CISAhttp://www.bitterli-consulting.ch

[email protected]

Please observe the copyright: You are allowed to use and further

distribute this presentation only with this copyright notice attached. If

you use parts of this documentation in presentations or other diagrams

you have to refer to the source. Any commercial use of this

presentation is only allowed with written consent of the author.

© Bitterli Consulting AG, 21.3.2006

IntroductionLearning Objectives

• After this session you will understand

– Advantages and disadvantages of

interactive awareness trainings

– Steps to develop a successful interactive

training considering all relevant factors

– Available training techniques to compose

absorbing interactive trainings

– Pitfalls to avoid while developing the

training and during the rollout


AgendaSession 213

• Introduction

• Considering influencing factors

• Developing training content

• Training techniques

• Rollout

• Insights, Conclusions

• Summary


AgendaPart 1

• Introduction

• Considering influencing factors

• Developing training content


IntroductionCase Study: Assumptions for this Presentation

• International company with widespreadbranches

• More than 5’000 employees

• Divisions with diverse business requirements

• Local languages coexist with companylanguage

• Information security awareness campaignalready established

Remark: examples and cost estimations in thispresentation are derived from varying companies


Influencing FactorsTo be considered for Training Development

• Superordinate awareness campaign

• Intention, goal, scope

• Company culture / country

• Target audience

• Educational psychology


Influencing FactorsSuperordinate Awareness Campaign

Gr oupwide Busine ss Infor mation Security Awareness Campaign

Divisional Bus ine ss Inform ation Sec urity A wareness Campaign (To reach Le vel I)

Kickoff

meeting

Initial

measure-

ment

Letter

to staff

Management

Training

1.5 h

End User

Training

1.5 h

0.5 h0.5 h

Laptop

User

Training

1.5 h

Othe r

Activities

Final

Measurement

Trainings


Influencing FactorsSuperordinate Awareness Campaign

• Repeating statements and logos,

from the awareness campaign

– “... - on your guard!”

– “Be aware!”


Influencing FactorsIntention, Goal

• A class-based training is not the onlyand necessarily the best way toachieve the goal

• Not all possible training techniquesare appropriate for a specificintention/goal


Influencing FactorsScope

• Do not overload the boat

• Concentrate on issues concerning allintended participants

• Approve scope and content with projectsteering committee and stakeholders

• Ensure high-level management support inrespective countries, divisions, ...


Influencing FactorsCompany Culture / Country

• Consider the company culture

– Formal vs. informal

– Helping and open culture vs. “closed-

shop” organization

• Be aware: the required security

conscious behavior may result in a

cultural change process


Influencing FactorsTarget Audience

• Do not rely on assumptions how your

target groups are - find out!

• Ask yourself again and again: does

one training fit all?

• Are (minor?) adaptations required for

a specific target group, country,

division?


Influencing FactorsTarget Audience

• Try to adapt to your audience in

– language, wording

– attire

– argumentation

• Try to anticipate objections of specific

audience groups


Influencing FactorsEducational Psychology

“What you tell me, I forget;

What you teach me, I remember;

What you let me do, I understand.”Konfuzius approx. 500 B.C.



• Principles to support learning

– create associations

– from general to the detail

– create interest

– repeat content in different ways

– use positive wording / formulation

– create a positive learning environment



• Some people want to know what they

have to do, ...

• ... others, why they are supposed to

do something.

• Be assured, you will find numbers of

both groups in your trainings.


Developing training contentStep-by-step Approach

1. Define target groups

2. Analyze unwanted behaviorappearing in each target group

3. Analyze possible reasons forunwanted behavior and definewanted behavior

4. Identify possible approaches toencourage wanted behavior


Developing training contentStep-by-step Approach

5. Define learning objectives andtraining content

6. Select appropriate trainingtechniques for each specifiedcontent

7. Perform and video tape a testtraining

8. Approval


AgendaPart 2

• Training techniques


Training TechniquesOverview

• What is an interactive training session?

• Toolbox for class-based and computer

based training

• Influence of selected technique on

deliverables

• How to evoke emotional attention

• Selection of training techniques


Training TechniquesWhat is an interactive Training Session?

• Interactive means

– Two-way communication

• Activate participants:

– Have them do something

– Ask questions, do exercises

– Use different training techniques

– Use different input channels


Training TechniquesTool-box for interactive class-based Trainings

• Presentation with slides and handout

• Pin board and cards

• Spontaneous drawing/writing

• Video sequences/movies

• Discussion, voting, completing diagrams

• Other exercises (and solutions)

• Hands-on training (e.g. on the computer)

• Final test, feedback form


Training TechniquesTool-box for interactive Computer Based Training

Presentation with slides and handout

Pin board and cards

Video sequences / Movies

Voting, completing diagrams

Other exercises (and solutions)

Hands-on training (e.g. on the computer)

Final test, feedback form

Spontaneous drawing/writing

Discussion


Training TechniquesReasons for alternating Training Techniques

• Changes/brakes are creating attention

• Different media support different senses

• Each participant has different

preferences for learning

• Variety keeps attention on a higher level

• Not all media are appropriate for each

content


Training TechniquesInfluence on Deliverables

• Keep in mind that the selected

training techniques determine the

– Deliverables for participants (handout,

voting-cards, feedback-form)

– Deliverables for trainers (speaker

guideline, DVD, posters)

– Infrastructure required (beamer, pin

board, sound-system, ...)


Training TechniquesEvoking Emotional Affection

Monitoring/Surveillance Laptop Theft

• Pictures may create emotional affection



• Headlines and provocative

statements/questions may create

emotional affection

– “Approximately every fifth of you is

handling personal passwords without

due care!”

– “What do you think: Does your

employer read your e-mail?”



• Be aware: evoking emotional affection

may have a double-edged effect!

• Let’s watch a non IT related example ...


Training TechniquesSlides and Handout

• Central thread through the whole trainingsession

• Learning objectives

• Statements on explicitly wanted andunwanted behavior

• Explanations, visualizations

• Checklists

• Contact persons


Training TechniquesPin Board and Cards


Training TechniquesPosters


Training TechniquesSpontaneous Drawing/Writing


Training TechniquesVideo Sequences

• Video sequences

– provide audio-visual activation

– may evoke emotional affection

– can be used to provide a connection to

the company by using employees as

actors



• Off-the-shelf+ Cheap

+ Low effort forprocurement

– No connection toyour company

– Licensing issues

– Expensivetranslation /synchronisation

• Tailor-made

+ Company culture

visible

+ No licensing issues

–/+Can be expensive

– Time and effort for

plot, coordination,

production, etc.


Training TechniquesVideo Sequences: off-the-shelf

• Large variety of off-the-shelf videos

available on DVD or VHS for about

400.- for each subject

– end-user training

– laptop training

– social engineering


Training TechniquesVideo Sequences: tailor-made

• Professional production team isinevitable

• Clear plot required

• Actors from your company?

• 15 minute movie in 3 languages withtotal cost of approx. 70’000.-


Training TechniquesBrochure, Handbook

• Have the participants to work with theBrochure/Handbook in an exercise

• Possible content

– Foreword from CEO, CRO, CFO

– Mandatory principles, policies

– Explanations and real life examples for eachprinciple

– Glossary

• Signed receipt from each employee?


Training TechniquesGadget / Give-Away

• Token of esteem for all participants

• Reminder of Information Security

• Shows an important message

• Provide the Intranet page of

Information Security

• Should not be completely out of

context


Training TechniquesGadget / Give-Away

1 day

2.00-3.00

2-5 days

1.50-3.00

2-5 days

3.00-5.00

1 day

3.50-5.00

mouse pad

Page

holder


Training TechniquesFeedback Form - Content (1)

• Feedback requested anonymouslyregarding:

– Training

• Training met my expectations

• Content, duration, level of interaction

• Trainer

• Handout

• Room, infrastructure

• Administration


Training TechniquesFeedback Form - Content (2)

– Participant

• Knowledge prior to training

• New insights/knowledge thanks to thetraining

• Training will influence my behavior in thefuture

• I would like to know more aboutinformation security

• Feedback form should provide free spacefor additional comments/questions


Training TechniquesTest or Quiz?

• Are tests accepted or would a

voluntary quiz be better?

• Should the test be part of the training

or would it be better a few months

afterwards?

there are no definite answers


AgendaPart 3

• Rollout

• Insights, Conclusions

• Summary


RolloutSpeaker Guideline and Checklist

• Having several trainers makes a speaker

guideline inevitable

• Speaker guideline provides:

– List of material on hand

– Checklist: some weeks before first training

– Checklist: 1-3 days before any training

starts


RolloutSpeaker Guideline and Checklist

• Speaker guideline provides (cont.):

– Preparation activities starting 60 minutesbefore training starts

– Explanations for each slide:

• Purpose of slide / didactical background

• Step-by-step guidance

• Frequently asked questions and answers


RolloutTrainer Selection

• Selecting appropriate trainer:

– Supported by (local) management

– Accepted by audience

– Able to perform trainings (personality)

– Able to communicate the training

content

– Willing to invest required time


RolloutTrain-the-Trainer

• Required to provide (worldwide) asconsistent training quality as possible

• Covers training skills as well as trainingcontent

• For 8 - 10 trainers takes about 1 - 2 daysfor a 60 minute training

• May result in final changes in trainingmaterial


RolloutAnalyzing Feedback Forms

• Analysis of feedback forms

– Insights regarding training content acceptance and

open questions

– Success per trainer, per business unit, per country

– Answer questions from feedback forms

– Take results into account for further awareness

activities

• Analysis of attendance forms

– Subsequent trainings (and reminders) for

employees who missed the regular training


RolloutSolutions for small Locations and new Employees

• Possible solution for small locations

and new entries:

– Blend of speaker guideline and

handout for self-study

– Handout and video-conference

– Videotaped class-based training

– Computer-based training


RolloutAlternative Solution: Computer Based Training

• Development without existing class-basedtraining is time consuming and challenging

• Developing a CBT is an iterative and

creative process.

• Off-shoring introduces numerous new risks

• Translation into several languages

• Implementation in existing learning

platform may be surprisingly complex



• Precondition

– Set up on existing class-based training?

– Strong focus on quality

– Activation of users as far as possible with CBT

– Integration into existing learning platform

• Costs

– Inhouse: approx. 60 days

– Translation per language: 5 to 10 days

– Costs for production: 50’000.- to 95’000.-



Example from www.datenschutz.ch


Insights, ConclusionsExpected and unexpected Challenges

• Recurring discussions on training content

• Translations and quality assurance

• Selection and training of trainers

• Managing thousands of participants

worldwide - and “motivate” them to join

the awareness training

• Logistics (transportation, facilities, ...)


Insights, ConclusionsBusiness Plan is inevitable

• Benefits (intention, need)

• Budget (internal and external)

• Possible solutions

• Scope (content, target groups,divisions)

• Time frame

• Project organization


Insights, ConclusionsAppropriate Project Organization

• Back office with 0.5 to 1.0 FTE for:

– Project management

– Coordinating/supervising externals

– Participant invitation and registration

– Logistics (training material, rooms, ...)

– Analysis of feedback and attendance forms

• Local Security Officers or other candidates

– To be nominated as a trainer

– To support coordination and administration


Insights, ConclusionsBudget for interactive Awareness Training

see part 2Implementation

approx. 130Training delivery

15 - 50Design

15 - 50Analysis

90Backoffice

DaysActivity


SummaryPitfalls

• Underestimating efforts required

• Underestimating complexity in an

international company with different

divisions and countries

• Lack of project management (e.g. no

business case, no planning)

• Lack of back office (at least 0.5 FTE)


SummaryLearning Objectives

• Do you now understand

– Advantages and disadvantages of

interactive awareness trainings

– Steps to develop a successful interactive

training considering all relevant factors

– Available elements to compose an

absorbing interactive training

– Pitfalls to avoid while developing the

training and during the rollout


SummaryYour Questions

• ?


For More Information:

Luc M. Pelfini, CISA

Bitterli Consulting AG

[email protected]

www.bitterli-consulting.ch

Thank you!

Luc Pelfini, CISA - Bitterli Consulting · Luc Pelfini, CISA ... • Presentation with slides and...

Documents

Transcript of Luc Pelfini, CISA - Bitterli Consulting · Luc Pelfini, CISA ... • Presentation with slides and...