
Why security awareness training is about finding your Trojan horse


From the beginning of humanity, scam artists have used emotion to manipulate and exploit their chosen targets. Heightened emotions, like fear, anger, or even simple curiosity, can be powerful weapons. They have the ability to incite an automatic knee-jerk reaction, bypassing critical thinking. That’s where social engineering comes in.

A cybercriminal will socially engineer a target - commonly through email phishing - to get the individual to do something outside the normal call of duty by instigating fear, doubt or urgency in their messages. The result can be catastrophic, leading to lost data or money - and in the worst cases, both. The emotions the message provokes trigger the user to carry out an action that will have negative consequences. Clearly, emotion is a powerful tactic used by cybercriminals. But can (and should) your cybersecurity awareness program leverage the power of emotion to help prevent cyberattacks? Absolutely, and here’s why.

Trojan horses for the mind

Let’s face it, information for the sake of information feels boring, irrelevant, and is quickly forgotten. We can do better. And we can do so by making our messages compelling. That’s where emotion comes in. Infusing emotion into your messages gives them richer meaning and context. Messages driven by emotion are the equivalent of a Trojan Horse for the mind.

In my book, Transformational Security Awareness, I outline four such Trojan Horses. They are: sound, visuals, emotion and storytelling. If designed well, messages that leverage one or more of these Trojan Horses can cut through the noise and other mental distractions to reinforce any message. Once someone can intellectually and emotionally place themselves within the context of a situation, they are more likely to appreciate its meaning. And emotion allows that meaning to become rooted within the person’s memory. If you think about the times in your life that are most memorable, those are likely times when you experienced strong emotion, because they sat above or below your normal emotional baseline.

You need every advantage possible to make your security awareness messages stick. Simple text-based security awareness messaging will always be less effective than messaging that includes well-thought-out and well-designed visual components. Words alone are of limited value compared to what you can accomplish using words plus compelling imagery and sound. Be imaginative and engaging, yet also informative, and your colleagues will appreciate it more.

Tread carefully

Over the past few years, the cybersecurity industry has been described as lacking empathy, with the most vocal critic being Facebook’s Chief Security Officer Alex Stamos. When building effective security awareness training, you need to be aware of the emotional state of your audience. In other words, “read the room.” Emotions and empathy need to be ingrained in the program; otherwise it will have damaging effects on the staff, the security team, and the organization as a whole.

Whenever security training is carried out, it must be done in a way that does not harm the relationship with the employees. Take into consideration the timing of the training, the tone, the message, cultural nuances and so on. The last thing you want is any resentment or anger directed at the security team because the training was tone-deaf to the feelings of the wider company.

A notable example of a company being publicly criticized for an aspect of its security training happened at a prominent newspaper. As part of its simulated phishing training, the company created a phishing campaign that looked like it was offering a bonus. While this may seem like a generic and beneficial tactic to train staff against phishing emails (a promise of money can reliably garner clicks), the campaign was poorly timed: some of these messages were directed at employees who had recently taken a pay cut and had also just transitioned to working from home due to Covid.

And here’s where empathy comes in: it was insensitive to do this, as these workers, naturally, would have jumped at the chance to receive additional funds. The employees who clicked were humiliated and embarrassed after realizing it was fake, and then angry and upset with the organization, believing this was done to spite them. Humans are not computers, and feelings need to be considered. Indeed, due to the current pandemic, emotions are heightened, and if security awareness training does not adapt to these changes, then we run the risk of alienating people to the point where they resent or fear the security team. The most important asset a security team has is its relationship with its end users. When this relationship is fractured, employees will begin to distrust security or see security as a roadblock. There is a very fine line to walk between emulating all that a ‘bad guy’ might do and training your employees to become an effective last line of defense.

Should we play devil’s advocate?

Some security professionals may argue that hackers will use worse tactics to play on emotions, regardless of the time, day or location, so why shouldn’t this be portrayed in the training simulations? This is a fair point, but the most important aspect of this is to ensure you are not giving your fellow employees the feeling that the training is being done disingenuously. If that is the case, then you, as a security department, risk alienating and disenfranchising the very employees you want to take security seriously. Communication is critical to prevent a situation like this from happening.

Provide the necessary security awareness materials that will build an emotional connection with staff, making them feel important and a valuable component of the overall security of the business. Become an empathetic storyteller. For instance, give them a better understanding of what phishing is, how the simulations work, what you hope to achieve with them and how they can help you do that. It’s natural for employees to feel embarrassed about being phished, but you can frame your program in ways that will minimize or eliminate that embarrassment. Essentially, the more dialogue there is, the better the relationship will be.

How things have changed

Looking back 20 years to where we are now, security training has definitely evolved for the better. For the most part, we are moving away from boring PowerPoint presentations and toward a variety of teaching and learning techniques that drive emotive reactions.

Moreover, there is more appreciation of the fact that every person is an individual, and people respond in different ways to what they are shown. The success of an organization’s security is molded by its staff, and this responsibility falls upon the shoulders of the security department. Creating rapport with your colleagues will help build an effective security awareness program with messages that embed themselves within the minds of your audience.

Perry Carpenter, Chief Evangelist and Strategy Officer, KnowBe4

Perry Carpenter
Perry Carpenter is Chief Evangelist and Strategy Officer at KnowBe4. Prior to joining KnowBe4, Perry was Research Director, Security & Risk Management, and an esteemed analyst at Gartner.