We are experimenting with risk based security awareness, looking for feedback.
Posted by Training_Leave_5433@reddit | sysadmin | 12 comments
Maybe this is a terrible idea, but we stopped assuming every employee needs the same amount of security awareness training. We have started identifying who creates the majority of human risk and focused most of our remediation effort there. The nice thing is that our training content is short enough that personalizing remediation to specific individuals is easier than pushing the same content to everyone. We are still figuring out what "human risk" should even mean, though. For anyone who has experimented with different metrics/risk scoring or risk-based awareness: what are we missing, and what should we look at or explore metric-wise? Anything you experimented with that was useful (feel free to include more than I asked about).
Thank you :))
its_all_one_electron@reddit
We've tried just focusing on ONE vector (phishing) and even that isn't enough.
A bunch of our employees can't even meet our low baseline of not entering their credentials into obviously fake Google websites that they get in phishing emails. At this point I feel like employees can't be taught at all and we need to implement something else to keep them from shooting themselves in the foot, because telling them how to not do that isn't working.
suttin@reddit
And the test emails are pretty damn easy to spot.
Though one time they did almost get me on a test. It was a fake ServiceNow email, with my manager's name on it even. The only thing that didn't make sense was the body of the actual message. It was different from anything I had seen before coming from SNOW.
aust_b@reddit
That's an HR and admin problem at that point. At one place I worked, it got so bad they made a policy with like 5 corrective action steps before suspension without pay, and then if you still managed to fuck up after remedial training you got the boot.
its_all_one_electron@reddit
Yeah HR would never do that. They also hate the infosec team as much as everyone else (they also failed a bunch of our phishing tests).
aust_b@reddit
Good luck out there. I’m in infosec now and honestly a big part of being successful is having good leadership.
its_all_one_electron@reddit
Hahahaha yep. And ours is absolutely horrible right now. Abrasive and "they just need to deal with it" with no bedside manner at all.
Top-Perspective-4069@reddit
Consider role-based tiers rather than risk-based. You need to have an understanding of who deals with more sensitive data but this is way more common and easier to deal with.
Suitable-Hand-1059@reddit
This is actually the suggested model by NIST. You should still have baseline security training for everyone, but additional training for those with access to sensitive information.
mortsdeer@reddit
This is the approach I thought OP was going to discuss, rather than variation based on failure on tests.
I think both approaches are warranted. Reminding people of the value of the data they have access to is a side effect of the special training.
SultrySpankDear@reddit
I like the idea a lot, honestly. “Spray the same 30‑minute training at everyone” clearly doesn’t work, so focusing on the people who actually click stuff / mishandle data makes sense.
Couple of thoughts from places I’ve seen this work better or worse:
If you only look at “who failed phishing,” you end up punishing the same folks over and over and miss the quiet high‑risk stuff. Mixing in things like repeated password reset requests, use of personal email for work docs, weird file sharing patterns, or people with broad access plus sloppy behavior can give a better picture.
Also, make sure it doesn’t feel like a scarlet letter. If people think “one mistake and security will babysit me forever,” they’ll hide incidents. Framing it as “we’ll invest more in folks with higher exposure or more complex roles” instead of “these are the problem children” helps a lot.
Metric-wise, I'd look at trends per person and per team over time, not just raw scores. Is their "risk" going up or down after targeted training? That's the part leadership tends to love, because you can show "we focused here and it actually changed behavior," not just "these five people are bad at emails."
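As an added example (not code from the original post or any commenter), here is a small Python model of the scoring this comment describes: several weighted signals scaled by how much access a person has, a per-person and per-team trend across periods, and the same constructed data ranked by phishing failures alone versus all signals together. The weights, access tiers, team assignments and sample events are all assumptions.

```python
from statistics import mean

# Constructed weights per signal (assumption: tune to your own data).
# Access tier multiplies the total, so broad access plus sloppy behaviour
# ranks above the same behaviour from someone with little access.
SIGNAL_WEIGHTS = {"phish_fail": 3.0, "pw_reset": 1.0,
                  "personal_email": 2.0, "odd_share": 2.0}
ACCESS_MULT = {"standard": 1.0, "sensitive": 1.5, "admin": 2.0}

def risk_score(events, access, weights=SIGNAL_WEIGHTS):
    """Weighted count of one user's risk events in one period."""
    return sum(weights.get(e, 0.0) for e in events) * ACCESS_MULT[access]

def trend(scores):
    """Average change per period; negative means risk is falling."""
    return 0.0 if len(scores) < 2 else (scores[-1] - scores[0]) / (len(scores) - 1)

def score_users(records, access, weights=SIGNAL_WEIGHTS):
    """records: {user: [events in period 0, period 1, ...]} -> {user: [score per period]}."""
    return {u: [risk_score(ev, access[u], weights) for ev in periods]
            for u, periods in records.items()}

def team_trends(scores, teams):
    """Mean team score per period, then the trend of that series."""
    out = {}
    for team, members in teams.items():
        per_period = [mean(scores[m][i] for m in members)
                      for i in range(len(scores[members[0]]))]
        out[team] = trend(per_period)
    return out

def ranked(scores, period=-1):
    """Who to target for a given period (default: latest), highest score first."""
    return sorted(scores, key=lambda u: scores[u][period], reverse=True)

# Constructed sample: three quarters of events; alice got targeted training after Q1.
RECORDS = {
    "alice": [["phish_fail", "phish_fail"], ["phish_fail"], []],
    "bob":   [["personal_email", "odd_share"],
              ["personal_email", "odd_share", "pw_reset"],
              ["personal_email", "odd_share"]],
    "carol": [[], ["pw_reset"], ["pw_reset", "pw_reset"]],
}
ACCESS = {"alice": "standard", "bob": "admin", "carol": "sensitive"}
TEAMS = {"finance": ["alice", "bob"], "ops": ["carol"]}
PHISH_ONLY = {"phish_fail": 3.0}  # the "who failed phishing" view by itself

if __name__ == "__main__":
    mixed = score_users(RECORDS, ACCESS)
    print("Q1 by phishing only:", ranked(score_users(RECORDS, ACCESS, PHISH_ONLY), 0))
    print("Q1 by all signals: ", ranked(mixed, 0))  # the quiet admin now tops the list
    print("per-user trend:", {u: trend(s) for u, s in mixed.items()})
    print("per-team trend:", team_trends(mixed, TEAMS))
```

Run as-is, it shows the phishing-only view pointing at alice while the mixed view puts bob (admin, never clicks, but routinely mishandles data) first, and alice's trend going negative after her targeted training.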
PlasmaStones@reddit
Doesn't your insurance ask if you are training everyone?
Mindestiny@reddit
This is almost certainly going to be the biggest blocker, because yes, typically cyber liability insurance wants you to be training all staff (though it doesn't mandate that all staff be trained in the same way), and for any sort of formal compliance certification or requirement this tends to be one of the hard-defined items on the checklist.
That being said, I don't inherently disagree with OP's approach. Some people really don't need as much training, but also nobody can possibly be apprised of every single threat and topic, and it's important to give people refreshers. I'd frame it as everyone gets the typical baseline training, but then absolutely target repeat offenders for additional remedial training. I wouldn't reduce the baseline so much as make sure my baseline is actually baseline and not actually overkill.