It’s been quite a while since my last post but I got inspired by a recent discussion about the effectiveness of phishing training for employees. The person I was speaking with was frustrated that no matter how many phishing simulations they did, their employees were still clicking on the next phish.
Phishing attacks can be quite sophisticated, and it’s more important than ever to ensure that employees are trained to spot them. However, simply providing employees with a set of rules or policies, or making them watch a video each time they click on a simulated phish, is clearly insufficient. That got me thinking: how do we help employees build muscle memory and prevent phishing attacks?
I love analogies so please humor me while I try to explain why rules-based training isn’t enough using the example of making a peanut butter and jelly sandwich.
The rules for making a PB&J sandwich are simple: use two pieces of bread, creamy or crunchy peanut butter, your favorite flavor of jelly, and a knife.
But anyone trying to teach a child how to make a sandwich knows the rules aren’t enough. You need to show them the process:
- Lay both pieces of bread on a plate or paper towel.
- Open the peanut butter container.
- Use the knife to scoop peanut butter from the container.
- Use the knife to spread the peanut butter on one or both pieces of bread.
- Use a clean paper towel to wipe off the knife.
- Use the knife to scoop jelly from the container.
- Use the knife to spread the jelly on top of the peanut butter.
- Place the two pieces of bread together with the peanut butter and jelly in between them.
As you can see, the process is much more complicated than the rules and even includes decisions about things that aren’t even called out in the rules! The same goes for phishing training. It’s not enough to give employees a stack of policies or have them watch a training video. They need to walk away with a detailed process they can understand and follow to build muscle memory.
To drive this point home, let’s use another analogy. Imagine your child is learning to drive. You give them the rule book from the DMV, and they read it cover to cover. Then, you take them to get their learner’s permit. As you leave the DMV, you hand them the keys and say, “You’ve learned the rules, and you’ve watched me drive for the past 15 years. You should know how to drive, so take us home!”
How well do you think they’ll do? Good luck getting out of the parking lot without hitting something! They need someone to walk them through the process for months until they build enough muscle memory.
The same goes for phishing, teaching a developer how to write code securely, or any other type of training. You start with your policies and standards, but if you don’t take the time to build out standard operating procedures, employees are left to figure things out ad hoc.
Rules-based training is not enough. Employees need a detailed process they can follow to build muscle memory. Only then will you see a real change in behavior and adoption.
Disagree or have another thought? Please let me know in the comments and let’s discuss!