What are some good questions to ask a service provider about Security Awareness Training that they have to offer?

Posted on 2014-07-30
Last Modified: 2014-08-15
We are looking at a provider called "Knowbe4". I want to come up with some questions about their services to dig deeper into what they can provide as far as security awareness. Before I have a meeting/call with them, I want to know what questions I should be asking them to make sure I get what I need out of their services? Please list a few high level questions. Thank you.
Question by:freebeee01
LVL 20

Expert Comment

ID: 40229857
I would like to know how the training provider would push for changing the status quo. What means would they have as their primary channel for awareness training? I mean videos or PowerPoint slides are good, but how can we make it better? Making the training fun and interactive would help drive the points home.

Awareness programs and security trainings are 2 separate things. How would they be able to influence the behavior change in your users? All of your users, don't skip on the per-diems or contract emps. Awareness should not be just a "check the box" exercise.
LVL 20

Expert Comment

ID: 40229861
Also, how would they provide measurement? How would the awareness be measured?

Accepted Solution

Sean Jackson earned 500 total points
ID: 40230092
I would want to see some metrics from past engagements they've done.  Those could be redacted to protect the innocent, of course.

I would ask if they distribute materials among the staff, or is it all in a dark conference room with a PowerPoint presentation. Do they do it in smaller groups, one on one, etc?

I would ask how often they update their training materials. Are they aware of the latest threats and vulnerabilities?

Do their trainers hold any security certifications?

Do the OWNERS have any security certifications? This would be a very good indicator on if the company is truly focused on security awareness or just making some money.
Author Comment

ID: 40230202
Those are some good questions. I need a few more. Something along the lines of how should I execute or implement this in my environment, so forth and so on.

Expert Comment

by:Sean Jackson
ID: 40230249
I would anticipate they would address those questions in your initial conversation.

Meaning, they're going to bring it up, not you.

Author Comment

ID: 40231010
This is SaaS (100% cloud-based training). I will be the facilitator/trainer for my company responsible for registering users, reminding users to sign up for the training and do the exercise. The service will also provide templates that I can send to my users as an email to test them after they receive the training. I have a few questions for those that have incorporated this in their place of work.

1. What are some ideas to make training fun and interactive?

2. What are some corrective options/actions to deal with my employees who fail the PST (Phishing Security Test) after they have been given the training?

3. What is the best approach to incorporate security awareness for new employees during their orientation when they hop on board? Maybe train HR personnel so they will know how to provide a brief overview to the new employees in the form of a slide show, video, etc? I don't know, what's the best approach? Does anyone have any experience with this?

4. Also thinking about placing posters in certain areas of our building to encourage people to take the training; are there any posters online so that I can print them out?

5. How often should I do the PST with my users, and why?

Anything else creative that I can do, let me know.

Assisted Solution

by:Sean Jackson
Sean Jackson earned 500 total points
ID: 40232225
I would not make it optional to attend the training, and for that, you need support from above. Make the training available to them at times that are more convenient if you can't do it all at once. If it's optional, no one is going to attend.

A good way to get this buy off would be to run a Phishing test (authorized by whomever has authority, of course) before the training, and show the results to management. Show them just how bad it is, and how the training will directly address that vulnerability.

Training being fun and interactive? Show some examples? I always like to use the balloon / yelling overwhelming scene from Sneakers to show how hackers can distract the victim and get them to follow instructions.

I have 'gamified' security awareness by creating a quiz system: when users logged into the corporate admin area, they'd get one question. They had the option to postpone the question (if they were putting out some kind of fire), and if they got it right, they got a clip from Monty Python or something. If they got it wrong, they got the troll being flung into the pit from The Holy Grail. On the backend, we were able to see who was answering what questions wrong, what questions always had wrong answers (need more training), who was getting lots of questions wrong (need more individual training), and who was always getting things right. Those in the last group got recognized and occasionally gift carded or lunch bought.

I would test Phishing every six months or so, assuming an external party hasn't tested it already for you (and you knew about it).

I know of no posters to help you.

If someone fails the testing, don't make them feel stupid, bad, or they should be in trouble. Security isn't supposed to do any of those things. Help them learn how to be more careful, more cautious about what they see in email. It's not only going to help the company, it will help them personally to think a little more carefully about their interactions. That means it can help them at home too.

I'm gladdened to see you're taking on this endeavor. It can be tough. Good job.
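The backend triage described in the gamified-quiz answer above (which questions are always missed, which users need individual coaching, which users are always right), as an added illustration that is not code from the original thread; the answer log, the threshold values and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample answer log: (user, question_id, answered_correctly).
# Not real data; one row per quiz question shown at login.
ANSWERS = [
    ("alice", "q1", True),  ("alice", "q2", True),  ("alice", "q3", True),
    ("bob",   "q1", False), ("bob",   "q2", False), ("bob",   "q3", True),
    ("carol", "q1", True),  ("carol", "q2", False), ("carol", "q3", True),
    ("dave",  "q1", False), ("dave",  "q2", False), ("dave",  "q3", False),
]


def question_wrong_rates(answers):
    """Fraction of wrong answers per question id (0.0 .. 1.0)."""
    totals = defaultdict(int)
    wrong = defaultdict(int)
    for _user, qid, correct in answers:
        totals[qid] += 1
        if not correct:
            wrong[qid] += 1
    return {qid: wrong[qid] / totals[qid] for qid in totals}


def user_wrong_counts(answers):
    """Number of wrong answers per user; users with zero wrong are still listed."""
    counts = defaultdict(int)
    for user, _qid, correct in answers:
        counts[user] += 0 if correct else 1
    return dict(counts)


def triage(answers, question_threshold=0.5, user_threshold=2):
    """Split the log into the three groups the thread describes.

    question_threshold: wrong-rate at or above which a question needs
        better material (assumed value).
    user_threshold: wrong-answer count at or above which a user gets
        individual coaching (assumed value).
    """
    q_rates = question_wrong_rates(answers)
    u_counts = user_wrong_counts(answers)
    return {
        "weak_questions": sorted(q for q, r in q_rates.items() if r >= question_threshold),
        "needs_coaching": sorted(u for u, n in u_counts.items() if n >= user_threshold),
        "always_right": sorted(u for u, n in u_counts.items() if n == 0),
    }


if __name__ == "__main__":
    print(triage(ANSWERS))
```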
