Missouri builds security awareness with bite-size training
- By Amanda Ziadeh
- Jun 10, 2016
With end users commonly acknowledged as the weakest link in security, the state of Missouri decided to move from an annual training session to monthly, 10-minute interactive lessons.
Missouri adopted the security education program from Security Mentor in July 2015 to teach its user base of more than 40,000 state agency employees better practices for protecting the state’s sensitive information.
Security Mentor’s training focuses on the specific security threats employees experience daily and uses interactive lessons for a “learn-by-doing” approach – which was what Missouri was looking for.
Each monthly 10-minute lessons focuses on a single topic and uses gamification elements -- such as storytelling, points, competition and rules -- to keep the user actively engaged. The sessions, designed by IT security professionals, help employees learn about phishing, social engineering, computer and email security, reporting incidents, passwords, social networking, web security, public Wi-Fi, mobile security, data loss prevention, safe disposal, privacy, working remotely and travel security.
Lesson completion due dates can be set, which will trigger emails reminding staff to log in to the training session. From their account, employees can access current and past lessons and view their training status. Managers can view reports on varying aspects of the training -- from agencywide down to individual employee progress and completion, and trainee satisfaction is measured at an end-of-lesson survey. And because each lesson covers an individual topic, metrics can be examined internally by topic or focus area, according to company spokesman John Kreuzer.
For example, the number of clean office violations could be evaluated before and after employees take the Office Security lesson. Similarly, administrators can compare the number of times employees click on phishing links or open a malicious attachments before and after training, or view the number of incidents reported and attacks prevented in training.
Security Mentor's security awareness training is available as a service from the company’s website or as lessons hosted on an internal learning management system. Some customization for organization-specific security policies is supported, and new modules can be added as threats change, the company said.
“Security Mentor provides us with near real-time metrics to monitor participation and progress throughout the user base,” Missouri Chief Information Security Officer Michael Roling said. The training has visibly lowered end-user risk and opened communication over security concerns, improved the state’s security posture and increased the number of employee participants.
Eight months after implementing the training, more than 85 percent of employees have already participated. The state measures the program’s success by its ability to heighten the users’ level of awareness. “Our end users have become one of the best ‘intrusion detection systems’ as a result and have alerted us to many sophisticated attacks,” Roling said.
Security Monitor’s training program is priced on a per trainee basis, with both volume discounts and government pricing available. Missouri has been receiving inquiries about its implementation from other state governments and organizations and anticipates expanding the program in the future.
Amanda Ziadeh is a former reporter/producer for GCN.