Traditional cybersecurity training is proving inadequate in an era of increasingly sophisticated cyber threats. The focus must shift towards more interactive methods, such as role-playing and simulations, to better prepare employees against social engineering attacks. Experiential learning methods facilitate retention and practical application of security knowledge.
According to Cornelia Puhze, Human Factors SIG Chair at FIRST and Security Awareness & Communications Expert at Switch, most cybersecurity incidents target humans to some degree. With AI available to threat actors, targeted campaigns become automated and more challenging to detect. Currently, most security education relies on phishing simulations and compliance videos, which fail to equip people with the skills to understand and mitigate real threats.
Role-playing and live simulations addressing current threats are essential. Such training must tap into critical thinking and deeply embed security concepts in employees’ minds. Traditional online modules lacking context to employees’ roles and risk exposures fail to change behavior effectively.
Additionally, these programs are only impactful if complemented with tools and resources that help seamlessly integrate security behaviors into daily routines.
Interactive experiential cybersecurity methods
An example was cited where generalized video training on password management becomes ineffective without providing access to password management tools.
Similarly, understanding isolated technical terms like ‘vishing’ does not help unless employees recognize all forms of social engineering attacks. Practical training should teach the criminal process: information gathering, establishing relationships, exploitation, and execution. Understanding the psychological principles, such as social proof, liking, similarity and deception, commitment, reciprocation, consistency, and distraction, is crucial as these are commonly used by social engineers.
Severe and immersive games, tailored to specific job functions, make the learning process meaningful and enjoyable, promoting a fundamental shift in attitude towards security. Puhze shares a success story of a “Piece of Cake” training participant who, despite being emotionally vulnerable, recognized and thwarted a social engineering attempt due to his experiential training. For crisis management teams, tabletop exercises (TTXs) customized to an organization’s specific challenges help develop and test a cohesive incident response plan, improving knowledge sharing and response channels.
Experiential learning, focusing on human factors, is the most effective way to conduct security training. Engaging employees in real-life scenario simulations and emphasizing common social engineering tactics makes training more relevant and effective. This approach enables employees to adopt a proactive stance toward cybersecurity within their organizations.
