What are some good questions to ask a service provider about Security Awareness Training that they have to offer?

Posted on 2014-07-30
Last Modified: 2014-08-15
We are looking at a provider called "Knowbe4". I want to come up with some questions about their services to dig deeper into what they can provide as far as security awareness. Before I have a meeting/call with them, I want to know what questions I should be asking them to make sure I get what I need out of their services. Please list a few high-level questions. Thank you.
Question by:freebeee01
LVL 20

Expert Comment

ID: 40229857
I would like to know how the training provider would push for changing the status quo. What means would they have as their primary channel for awareness training? I mean videos or PowerPoint slides are good, but how can we make it better? Making the training fun and interactive would help drive the points home.

Awareness programs and security training are two separate things. How would they be able to influence the behavior change in your users? All of your users; don't skip the per diems or contract employees. Awareness should not be just a "check the box" exercise.
LVL 20

Expert Comment

ID: 40229861
Also, how would they provide measurement? How would the awareness be measured?

Accepted Solution

Sean Jackson earned 500 total points
ID: 40230092
I would want to see some metrics from past engagements they've done. Those could be redacted to protect the innocent, of course.

I would ask if they distribute materials among the staff, or is it all in a dark conference room with a PowerPoint presentation. Do they do it in smaller groups, one on one, etc.?

I would ask how often they update their training materials. Are they aware of the latest threats and vulnerabilities?

Do their trainers hold any security certifications?

Do the OWNERS have any security certifications? This would be a very good indicator of whether the company is truly focused on security awareness or just making some money.

Author Comment

ID: 40230202
Those are some good questions. I need a few more. Something along the lines of how should I execute or implement this in my environment, so forth and so on.

Expert Comment

by:Sean Jackson
ID: 40230249
I would anticipate they would address those questions in your initial conversation.

Meaning, they're going to bring it up, not you.

Author Comment

ID: 40231010
This is SaaS (100% cloud-based training). I will be the facilitator/trainer for my company, responsible for registering users, reminding users to sign up for the training and do the exercise. The service will also provide templates that I can send to my users as an email to test them after they receive the training. I have a few questions for those that have incorporated this in their place of work.

1. What are some ideas to make training fun and interactive?

2. What are some corrective options/actions to deal with my employees who fail the PST (Phishing Security Test) after they have been given the training?

3. What is the best approach to incorporate security awareness for new employees during their orientation when they hop on board? Maybe train HR personnel so they will know how to provide a brief overview to the new employees in the form of a slide show, video, etc.? I don't know, what's the best approach? Does anyone have any experience with this?

4. Also thinking about placing posters in certain areas of our building to encourage people to take the training; are there any posters online so that I can print them out?

5. How often should I do the PST with my users, and why?

Anything else creative that I can do, let me know.

Assisted Solution

by:Sean Jackson
Sean Jackson earned 500 total points
ID: 40232225
I would not make it optional to attend the training, and for that, you need support from above. Make the training available to them at times that are more convenient if you can't do it all at once. If it's optional, no one is going to attend.

A good way to get this buy off would be to run a Phishing test (authorized by whomever has authority, of course) before the training, and show the results to management. Show them just how bad it is, and how the training will directly address that vulnerability.

Training being fun and interactive? Show some examples? I always like to use the balloon / yelling overwhelming scene from Sneakers to show how hackers can distract the victim and get them to follow instructions.

I have 'gamified' security awareness by creating a quiz system: when users logged into the corporate admin area, they'd get one question; they had the option to postpone the question (if they were putting out some kind of fire), and if they got it right, they got a clip from Monty Python or something. If they got it wrong, they got the troll being flung into the pit from The Holy Grail. On the backend, we were able to see who was answering what questions wrong, what questions always had wrong answers (need more training), who was getting lots of questions wrong (need more individual training), and who was always getting things right. Those in the last group got recognized and occasionally gift carded or lunch bought.

I would test Phishing every six months or so, assuming an external party hasn't tested it already for you (and you knew about it).

I know of no posters to help you.

If someone fails the testing, don't make them feel stupid, bad, or that they should be in trouble. Security isn't supposed to do any of those things. Help them learn how to be more careful, more cautious about what they see in email. It's not only going to help the company, it will help them personally to think a little more carefully about their interactions. That means it can help them at home too.

I'm gladdened to see you're taking on this endeavor. It can be tough. Good job.
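As an added example, not code from this thread or from KnowBe4: the answers above ask for metrics from the phishing test to show management ("show them just how bad it is"), a before-and-after comparison across the six-monthly cycles, and the quiz backend that reports which questions keep being missed, who needs individual coaching and who deserves recognition. The Python below turns constructed phishing-test and quiz records into exactly those numbers. The record shapes, the user names and departments, the 50% accuracy cut-off for follow-up and the "clicked in two campaigns" rule for repeat clickers are all assumptions for the example, not anything the service or the thread specifies.

```python
"""Added example (not from the thread): scoring a phishing security test (PST)
and a login-time awareness quiz. All records below are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishEvent:
    """One recipient's outcome in a simulated phishing campaign (constructed shape)."""
    user: str
    dept: str
    clicked: bool     # followed the lure link
    submitted: bool   # typed credentials into the landing page
    reported: bool    # reported the email, the behaviour we want to grow


@dataclass(frozen=True)
class QuizAnswer:
    """One answer to the login-time awareness quiz (constructed shape)."""
    user: str
    question: str
    correct: bool


def phishing_metrics(events):
    """Campaign-wide rates to put in front of management."""
    n = len(events)
    if n == 0:
        raise ValueError("campaign has no recipients")
    return {
        "targeted": n,
        "click_rate": sum(e.clicked for e in events) / n,
        "submit_rate": sum(e.submitted for e in events) / n,
        "report_rate": sum(e.reported for e in events) / n,
    }


def click_rate_by_dept(events):
    """Click rate per department: which teams need the most attention."""
    by_dept = defaultdict(list)
    for e in events:
        by_dept[e.dept].append(e.clicked)
    return {d: sum(c) / len(c) for d, c in sorted(by_dept.items())}


def compare_campaigns(before, after):
    """Change in each rate between two cycles; negative click/submit deltas are good."""
    b, a = phishing_metrics(before), phishing_metrics(after)
    return {k: round(a[k] - b[k], 3) for k in ("click_rate", "submit_rate", "report_rate")}


def repeat_clickers(campaigns, threshold=2):
    """Users who clicked in at least `threshold` campaigns: coaching, not blame."""
    counts = Counter(e.user for camp in campaigns for e in camp if e.clicked)
    return sorted(u for u, c in counts.items() if c >= threshold)


def question_failure_rates(answers):
    """Share of wrong answers per question; a high value means the topic needs more training."""
    asked = Counter(a.question for a in answers)
    wrong = Counter(a.question for a in answers if not a.correct)
    return {q: wrong[q] / asked[q] for q in sorted(asked)}


def user_accuracy(answers, min_answers=3):
    """Per-user accuracy, only for users with enough answers to judge."""
    seen, right = Counter(), Counter()
    for a in answers:
        seen[a.user] += 1
        right[a.user] += a.correct
    return {u: right[u] / seen[u] for u in sorted(seen) if seen[u] >= min_answers}


def users_needing_help(answers, max_accuracy=0.5):
    """Candidates for individual training (assumed 50% cut-off)."""
    return sorted(u for u, acc in user_accuracy(answers).items() if acc <= max_accuracy)


def users_to_recognize(answers):
    """Everyone who has answered every question correctly."""
    return sorted(u for u, acc in user_accuracy(answers).items() if acc == 1.0)


# Constructed sample data: five users, one campaign before training and one after.
CAMPAIGN_BEFORE = [
    PhishEvent("alice", "finance", True, True, False),
    PhishEvent("bob", "finance", True, False, False),
    PhishEvent("carol", "it", False, False, True),
    PhishEvent("dave", "hr", True, True, False),
    PhishEvent("erin", "hr", False, False, False),
]
CAMPAIGN_AFTER = [
    PhishEvent("alice", "finance", True, False, False),
    PhishEvent("bob", "finance", False, False, True),
    PhishEvent("carol", "it", False, False, True),
    PhishEvent("dave", "hr", False, False, False),
    PhishEvent("erin", "hr", False, False, True),
]
QUIZ_ANSWERS = [QuizAnswer(u, q, ok) for u, q, ok in [
    ("alice", "spot_the_phish", False), ("alice", "password_reuse", True), ("alice", "found_usb", False),
    ("bob", "spot_the_phish", True), ("bob", "password_reuse", True), ("bob", "found_usb", True),
    ("carol", "spot_the_phish", True), ("carol", "password_reuse", True), ("carol", "found_usb", True),
    ("dave", "spot_the_phish", False), ("dave", "password_reuse", False), ("dave", "found_usb", True),
    ("erin", "spot_the_phish", False), ("erin", "password_reuse", True), ("erin", "found_usb", True),
]]

if __name__ == "__main__":
    print("before:", phishing_metrics(CAMPAIGN_BEFORE), click_rate_by_dept(CAMPAIGN_BEFORE))
    print("delta:", compare_campaigns(CAMPAIGN_BEFORE, CAMPAIGN_AFTER))
    print("repeat clickers:", repeat_clickers([CAMPAIGN_BEFORE, CAMPAIGN_AFTER]))
    print("questions:", question_failure_rates(QUIZ_ANSWERS))
    print("needs help:", users_needing_help(QUIZ_ANSWERS), "recognize:", users_to_recognize(QUIZ_ANSWERS))
```

The report rate is worth tracking alongside the click rate: a campaign where clicks fall but nobody reports the lure still leaves the security team blind to the real attack, so the number shown to management should include both.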
