Ever been asked to provide end-user security training on a tight schedule and a shoestring budget? Last summer, Ruth Charles was in just that situation.
Ruth was acting head of cyber security policy and training at the University of Cambridge (now IT director at Newnham College, Cambridge), and with some imagination met the brief with a set of security training videos that were relevant, effective and popular.
Here she explains how she did it with a top ten guide.
1. Know your target audience
The online security training we had been using previously was an off-the-shelf package consisting of a generic slide deck with question and answer checks as you went through.
It was aimed at corporate end users and contained gems such as “always wear your lanyard and challenge anyone you do not recognise in your building” that simply could not be transposed into a university context.
Unsurprisingly, it had received heavy negative feedback from across the university because it didn’t mesh at all with the university’s way of working or the behaviours you would expect from academic staff and students. We knew our training had to tell stories that resonated with an academic community.
2. Keep it short
A common theme that emerged from the feedback was that people did not want to spend one to two hours clicking "next" through 30 or 60 slides and steadily losing the will to live.
We decided to provide much smaller, bite-sized chunks of training, in a video format, setting a ground rule that each short clip would be three to five minutes long. The online "course" would be made up of a number of these short clips with self-test quizzes attached.
They were brief, relatively entertaining and framed as something people could sit and watch while having a cup of coffee at their desk.
With lots of unrealistic ideas flying around about what could be produced in a short time, my colleague Lynn Foot and I worked quickly to identify suitable, affordable online animation software and mocked up a demo using a series of cartoon characters to illustrate points around phishing.
We showed it to our cyber security programme board who were enthusiastic and gave us a green light to buy a year’s licence for the software to develop further training materials. Having a real example, however rough and ready, to demonstrate the concept can make a big difference.
4. Assess your assets
With little to no budget, look at what you have immediately available that you can use.
We delivered our training via our existing Moodle VLE, which worked very well as it allowed us to enrol people into the training and send them automatic alerts when a new module was uploaded. We could also produce data and reports on uptake and completion of the training.
We found volunteer staff members with mellifluous experience of performing in local dramatic societies to be the voices to do the narration on the video narrators.
5. Identify the biggest threats
In terms of the content, we asked our CERT team for their top ten threats – the things they see over and over again that cause the most amount of inconvenience, that are hitting the greatest amount of users and absorbing the greatest amount of time.
Those became our topics for our weekly video – phishing, spear phishing, malware, student loans scam emails, social engineering – narrating a story that put them in the Cambridge context with Cambridge terminology.
6. Keep it simple
At this level, people don’t need to know about all the different types of malware. They just need to know that it exists and it could find various routes on to their computer such as by them visiting a malicious website or opening a malicious attachment.
We offered tips about how to recognise websites that look suspicious, how to avoid exposing yourself to this threat and what to do if you thought you had accidentally downloaded malware on your machine.
The main message was don’t panic, there’s local help at hand and the important thing is to tell someone.
Keep it very simple, very reassuring and constantly reinforce the message that there are people who can help you if you speak to them.
7. Find common ground
We deliberately sought to make animations that would cover overlapping user groups, in terms of our staff, our students and our post doc communities, rather than tackling topics that were too specialised for one community and not another.
We looked for common ground to make all the modules as relevant to as many of the different user groups as possible
8. Be diverse
The only complaint we received came from our equality and diversity unit after two or three videos, rightly drawing our attention to the fact that our cartoon computer officer was always a man.
We immediately found a female cartoon character in the library that we could also use. We were equally keen that our departmental administrator was not always female and our academic cartoon character was not always a man with a beard.
While our videos were timely and relevant for the summer of 2017, the threat landscape is constantly changing and so the advice we give also adapts and changes.
Training needs to be refreshed and updated periodically. Try to factor in resource to enable those updates further down the line or risk stagnation.
10. Be realistic
We created our successful end user training over a period of two months at an affordable cost. But it wasn’t free.
The animation package cost around 700 euros (£615). More significantly, two salaried staff – Lynn and I – spent two months working on the project full time.
If you choose not to buy something off the shelf there is a cost internally and, just as there would be time in doing software development, there is time in ensuring what you are doing is targeted correctly and actually meets your needs.