Escaping Traditional Cyber Security Awareness Training

Escaping Traditional Cyber Security Awareness Training - Sage Knows IT.  All Rights Reserved.

As many of you know, Cyber Security Awareness Training has always been near and dear to my heart.  I am a firm believer that everyone should be equipped with the right tools to defend themselves should they become the targets of bad actors; but over the years, I have seen somewhat of a plateau in its effectiveness among my colleagues.

One of the apparent challenges many have with today’s methods of learning is consuming the same material, year after year, without flair or consequences.  In hindsight, I can see where that would be an issue.  It’s like chewing the same piece of gum for an extended period of time.  After the flavor is gone, it just seems like you are going through the motions.  Eventually, it loses its appeal or purpose and it gets discarded.  The same could apply to using the same training techniques year over year.

You see, as an employee, if all you are looking forward to is one hour of downtime clicking through screens, boredom will set in, and quickly.  The brain will not be receptive to learning because there is no interest or value in the seemingly regurgitated material.  So how do you solve that as an organization?

A quick aside that will dovetail into this post (I promise).  One of my favorite networking events of the last 12 months has been joining the ISC(2) Alamo Chapter.  It’s been a joy getting to know all of the members as well as seeing the breadth of knowledge and (non-monetary) resources they have at their disposal.  This month they organized an Escape the Room-style event.

For months after the announcement, I didn’t know what to expect and was filled with anxiety and excitement for the event.  I have seen others in the community (but outside of our Chapter) stream Capture The Flag (CTF) content, and seeing the lengths they would go to in order to complete the challenges, I felt I would be out of my depth.  When I logged into this month’s meeting, I was utterly shocked at what we were getting into.

The Chapter Head introduced that they had secured a spot for all of us to participate in a web-based team builder exercise developed by a company called Living Security.  The vendor specializes in Cyber Security Awareness Training for Fortune 1000 companies and/or large enterprises.  What makes them unique is the format and literal gamification approach they take to providing awareness training.

Gaming Into Gear

Effortlessly, we were assigned into groups of three by the administrator.  The material instantaneously captured my attention, as the initial presentation was laid out as if we were agents of a secret organization.  Our mission (if we chose to accept it) was to complete 10 challenges within a 1-hour timeframe.  The challenges were described as an engagement of activities including the identification of security violations, OSINT (open source intelligence) and Social Engineering attacks.  After the announcement of the last two activities, my ears perked up, I adjusted in my seat and leaned in considerably.  With a big smile on my face, and excitement in my heart, I yelled to my virtual team, “YEAAAAAAAAH!”

https://youtu.be/pIKZi5HbPQo
YouTube: Living Security

It was at this moment that I knew this wasn’t just a techie version of Escape the Room, but a unique Cyber Security Awareness Training platform, and I was definitely here for it.

Without spoiling the details, I will say that the initial challenge was fun; not terribly difficult, which I assume was by design.  We were asked to identify a variety of violations in a corporate office.  This challenge was likely placed there to get us acquainted with the platform itself.  In the back of my mind, I was secretly hoping the next one would be a bit more challenging.

We knocked out challenges 2 – 5 pretty quickly, but as we got to challenge 6, we could tell that the difficulty was noticeably different.  In the previous challenges, the leader of the group could single-handedly solve the challenge without much input from the rest of the team.  Challenge 6 was going to require a bit more teamwork, and this is where it got fun.

Instead of playing the role of the end user or admin, we got to test our skills as the threat actor.  I recall the group looking at each other with small smirks on our faces and a nod.  This was an interesting approach to learning.

In one of the challenges, we had to do our own OSINT to craft the perfect social engineering attack against our target.  With a wide variety of material presented by the platform, we had to ensure that the attack we were about to perpetrate was convincing enough to trick our target and gain access.  This required much-needed teamwork, and with the clock ticking, we could start to feel the anxiety of not getting to the end kick in.

Although we were only able to complete 7 challenges in an hour, I personally felt like I learned a lot more doing this than through the traditional way of learning.  After speaking with Living Security and providing feedback, I learned that they do provide a variety of different challenges with more difficulty than what was presented to us.  This is good to know, as we were only a small group, and putting this on an enterprise scale would require a vast range of challenges and difficulties.  To know that this is scalable is a positive sign for the company.

Is Gamification the Future of Cyber Security Awareness Training?

That is the question, and I would say yes.  There is something about being competitive that brings out the best in all of us, and if we can harness that energy into learning something new and being effective, I believe that experience will last a lifetime, improving network security.

Unfortunately, I did not have the opportunity to inquire about their clients’ average ROIs (return on investment) or net gains from utilizing a service like this, but I would definitely be interested in the metrics from a business perspective.  As a security researcher, I would love to dive deep into year-over-year metrics and see how effective this approach is.  With the increased number of ransomware and data breach attacks in the last five years, out-of-the-box thinking like this could be a game changer (sorry, needed at least one pun).

Drawing on over two decades of experience in the Information Technology industry, I have acquired a diverse range of roles that have shaped my distinctive outlook. Through this journey, I have developed into an accomplished authority in risk management, catering to Fortune 500 companies and small businesses on a global scale. Over the past 12 years, my primary focus has centered on empowering small business owners and insurance professionals to comprehend the ramifications of cyber incidents and effectively mitigate the risks associated with potential data breaches. My passion for cybersecurity has inspired me to create the Sage Knows IT blog. Through this platform, I aim to help small business owners and aspiring IT professionals understand the roadmap of the IT industry based on my experiences. Information Technology and Information Security are crucial for our future, and I hope my blog will motivate those who are interested in joining this ever-evolving field.
