
6 Things People Do Wrong in Security Awareness Training

BSides Greenville · 2020 · 49:07 · Published 2020-06
About this talk
Zach Eikenberry examines six common mistakes organizations make in security awareness training, drawing parallels to public education models and analyzing why compliance-driven approaches often fail. He presents research on how training length, content type, and organizational culture affect behavior change, and offers strategies for integrating security awareness into broader business priorities.
Original YouTube description:
Zack Eikenberry of Hook Security comes to share with BSides Greenville the six things that people are doing wrong in security training. 'Nuff said!
Transcript (en):

Let's get going. All right, well, thank you all for coming back after lunch to join me in talking about something I'm pretty passionate about, which is training. Before we get started here: I enjoyed the previous conversation on this track on how to bypass BitLocker, and I quickly realized that my topic today is not going to be as technical. Although next year I am more than happy to talk about how people actually see things in the world and share a lot of research that I've done on how Roombas actually work, but that's a whole other talk that is probably going to be a TED talk one day for us. But I'm happy to do that in the future.

In today's talk we're going to go over six things people do wrong in security awareness training, and don't get me wrong, there's going to be a lot of hope, hopefully, at the end. But I wanted to start off by jumping in and saying, you know, who am I, why is Zach here? This is my first BSides, and what is it that I'm hoping to offer today? So I'll start quickly with my bio: a farm boy from the middle of Indiana went to the big city and the big school and got a philosophy degree, and like most people who get philosophy degrees, I realized that the job market was very tough for me, so at the age of 22 I hired myself. I haven't looked back; I've only had the privilege of working for myself over the years. I started a number of companies; most recently, prior to Hook Security, where I'm the CEO and co-founder now, I started the Next schools in the Upstate of South Carolina, so two high schools and a middle school for entrepreneurs.

It'll be self-evident throughout here, but I'm most certainly not a graphic designer. As a matter of fact, another thing that I did: after listening to Dr. Adam Anderson's talk on how to start a business, I realized that I needed more graphics, so you'll see memes throughout here that are literally the first meme that I discovered when googling something. For example, I googled "who am I meme" and this popped up, so I shared this with you because it made me laugh and it's not wrong, but it also has nothing to do with the presentation at hand.

So I'm going to jump pretty quickly into the six things we do wrong, because I have this intuition that most of you in the audience are aware, vaguely or acutely, of the things we do wrong with security awareness training. So the power of our presentation is not in that topic but actually in how we go about thinking about and addressing those in 2020.

So let me back up and talk about something that I'm certainly incredibly passionate about, and that is public education. I'd like to make a case that, as we get going into understanding our own security awareness training, it parallels a number of things that we've discovered in our public education model. Some people might call me a public education reformer or radical, but I don't think you can do that until you've really appreciated how we got the public education system, especially in the U.S., that we have today. One way to think about it, one layer of analysis, would be to start back at the early 20th century

and say it was quite a miracle for us to go from having a population where less than 20 percent was educated to 80 percent over the course of 50 years. That was a remarkable journey that we were able to make, and we did it through this mass-production, batch-processing, one-size-fits-all training. Now fast forward to the last 40 years, and I'll kind of give you a heads up and continue to shock people, because this is always shocking to me: 1980 was 40 years ago. So fast forward to the 1980s. We started seeing some really crazy trends in our public education, and that is we really couldn't get past an 80 percent graduation rate, or, as educators like to say (rather than calling it a push-out rate, they like to call it the dropout rate), we got to a 20 percent dropout rate. That was largely national; there are some different states, different regions, that responded differently to the public education models that we had. But basically, public education as it sits today, and that's true even in Greenville County in 2020, about 80 percent of the young people going through it do really well and 20 percent struggle immensely.

So I'd like to go ahead and make a sweeping claim (I'm happy to address this in the future if you are skeptical): that we have built a corporate training methodology, and we have mirrored our corporate training on the pedagogy, that is, the methodologies, the way in which we educated people from 1995 to 2005. So what we did when we came out with corporate training, in particular security awareness training as part of the infosec environment, we just said, well, if it was good enough for how we learned in colleges and high schools and middle schools, we're going to take those same ways in which we train and we're just going to put them right over into our corporate training experience. So you ended up with batch-processing, one-size-fits-all, rote-memorization training techniques in our corporate training space.

So I say that to say: we all know in 2020 we need to start doing some things that are radically different. My passion in corporate training is to bring forward the latest in neuroscience and psychology to disrupt the security awareness training space. I like to call it PsySec, or psychological security, as opposed to infosec, but that's not the point of this talk. Against that backdrop, I want us to stop and appreciate the things that we really do wrong when it comes to our training. There are many more than just six, but these are the highlights, and I'm going to jump right in. This right here would be the number one

thing that we hear as an objection. Over the past few years, as I've been doing security awareness training, we often get this: "Listen, there are a lot of things to do here in this organization. I appreciate security awareness training, I know it needs to be done, but we're going to get to it when it's convenient, right? I've got to look at everybody's schedule, we're going to figure this out, there are a lot of things that have to come into play." Essentially it boils down to a convenience argument, right? Whenever it becomes the easiest to do, that's when we'll strike and do it. So there are some questions that that raises, of course, but primarily I want us to think: okay, if that's a symptom, if we're faced up against that and you're in an organization that just does security awareness training when it's convenient, we're faced with a series of questions. But I want to point out and pull a thread that says you might need to ask questions about your security culture at your company, at your organization. And even so, I would say most of the time it's hard to figure out exactly why we're only doing security awareness training when it's convenient if there's not even a clear decision maker or owner within the organization on who's in charge of the company schedule and where this fits in. This is the meme that you get when you search "convenience meme": apparently Karen wants to talk to the manager when it's convenient.

The second thing that you probably do wrong, or I'll say we (it might be mean for me to point a finger at all of you, so I'll say we; it's kind of like the Seinfeld "we"): you only provide annual training. Okay, and I get this, you're right. For years, since the early 2000s, late '90s, when the security profession really became formalized, it was a best practice to do security awareness training annually, right? Like, best practice is to go over everything once a year, right? But we have some issues with that. One of the first things I want to point out is: how long does it take you, just you personally (I'm pointing at all of you on the talk), to forget new information? All right, so sometimes I like to do this, and I'll go ahead and do it right now: if I ask you right now what was the first thing we just talked about 15 seconds ago, there are a number of you that will pause and have to concentrate and say, oh, we talked about convenience. Yes, but that information is just 20 seconds old. What happens to information when it's 300 days old,

right? And how long does it take you to forget? There's a whole body of research around what annual experiences do and how people remember annual experiences, and you have a part of your brain that remembers traditions, and that's a fascinating part of this narrative structure of our brains. I'm going to pause right there and say one thing, just to level-set on your neurology, what's going on in your head. As of late in the neuroscience and psychological field there's finally been agreement that you have multiple brains, kind of like you have multiple muscles in your hand (I think your hand has like 18 muscles). You arguably have somewhere between five and nine brains that work together. So you don't have just one brain, you have a number of brains, and there's one of those brains that actually resonates really well with traditions. It looks like if you want to set a memory, or some way in which you remember things year after year, there needs to be food involved, there need to be songs, there need to be enjoyable experiences over time, and you can actually develop traditions. Think of it like Christmas or Easter or Thanksgiving: those are oftentimes trained traditions in our heads because those are annual experiences that have a lot of other things to them. I'm not aware of anybody having a set meal and songs and enjoyable experiences on, like, Veterans Day, right? And what happens is that you end up forgetting those traditions more than you do the other traditions. But I digress, to say that if you're actually focused on creating security awareness across your organization at a habitual level, so that daily all of the users in the organization are aware of when they're secure and when they're vulnerable, annual training does not hit that part of the brain and it does not work effectively there, even if it becomes a tradition in your organization. This is what happens when you type in "annual meme": apparently every year he comes back.

All right, third thing you do wrong: you do it all at once, right? This is usually just a practical matter: "Hey, it's really hard to get our organization, no matter if it's just two or three people or three or four hundred or several thousand folks; it's incredibly difficult to get anybody's attention on this, so when I get everybody's attention I'm going to go over everything." Okay, again there are some memory errors, but I'm going to point to what you really have, which is a coverage and dilution error. What happens in training where you go over everything, frankly, if you go past two (I know we violated that issue with six on here, but the subtitle of my talk is "you might remember one of these six items," so pick one that you want to remember and that's what you'll keep), what you actually end up having is a coverage or dilution error, and that is: when everything's important, nothing is important. When you come to an organization and you say, listen, it's incredibly important that you lock your desk, clean your desk, make sure that you don't click a phishing email, make sure that you change your password, make sure that you're properly patched, make sure that you talk to somebody if you see this; if all of those things are equally important to the end user all at once and they're given to them all at once, it's impossible for those users to actually adopt those habits, because you've diluted the

effect of priority and what's important to remember, right? That's another memory meme.

Number four, I see this actually quite commonly: you avoid training executives and your contractors, right, people who have disproportionate influence in your organization. And it's just like, "Listen, don't get me started." Every security professional that I've met who is involved in awareness training at some level hates this argument, hates this fight: "Zach, I get it, I don't know why you brought it up, but I argue all the time that the CEO needs training, they need to do this too," etc. Well, I want to flip the script and make an interesting argument here that your executives, or one of the key things that we found with executives when you do studies (and small business owners and executives actually do perform differently, so I won't get into the data there, but if you allow me to aggregate it all together): in general, executives, managers, and leaders in organizations are more open-minded when they feel empowered to know what's happening, right? So there's a curiosity level that is much higher in the C-suite than anywhere else, and that might strike you as odd, because the C-suite might hit you back in a way that makes you think that they're not actually curious, but the data shows that fundamentally leaders and executives are curious. So when it comes to training, one of the big fallacies that training solution providers commit right now is they train executives in the same way that they train other users and people in the organization, and they don't focus on the curiosity.

Let me go ahead and give out one possible solution to this, because it might help illuminate it for you: the difference between training people on how to lock doors and how to pick locks. Okay, when we approach executives and people in leadership, there's a level of: how do you empower them so that they know they can do something with the information? So in an organization, traditionally you just train people how to lock your doors: these are the things you need to do to be safe. Well, the data shows and the research shows that if you approach executives with that same material there's often a tremendous drop-off of attention, because it doesn't hit their curiosity. However, if you train them on how to pick locks, your executives will not only feel empowered and have their curiosity met, but they will also know the importance of locking doors. So you end up with different content experiences for your leadership and for your managers. But that's one thing we do wrong: we'd rather not fight that fight, and we want to have one size fits all, and so we want everybody to go through the same training in the same way at the

same time.

So, you are using old content. This is a debatable thing out there, but I will say, if you are using the same training content year after year, annually, for your organizations, and it's two or three years old and you know it is, but that's the library you purchased from some solution provider; you know it's bad, everybody knows it's bad, it's the best that's out there, and you're using an old library, and you're just like, does it even expire? My argument is yes. When running the schools like we were, I quickly made a ban, you know, forbade textbooks to enter the school, and that's because, take for example a science textbook: the second you hit print on a science textbook it's outdated, right? The delivery of a textbook to an end user at that point in time is just dangerous and sloppy. And so, as I like to point out when we're talking with folks about their content: do you even remember, two years ago, just 2018, the most popular Netflix originals, right? I usually ask this question out there. Or even, like, Game of Thrones: we just went through a whole quarantine and I think it's hilarious that nobody watched Game of Thrones, but that's because of a whole other set of issues, but that's because the content we consume does have an expiration, it does have a shelf life. Most content is not timeless. But if you're curious, here are the top consumed (and Netflix doesn't actually release the data on this, so this is done by a third party): they say these were the top five, in order. House of Cards didn't even make it, and you might have thought House of Cards, but these were the top five consumed Netflix originals in 2018.

The last thing that we see people doing wrong in their security training is they just do it for compliance purposes, right? And it's like, "Hey, all these guys are the same, everybody is the same, so we just do whatever it takes to be compliant. I've got other things to do, I'm in the middle of putting out 100 other fires every day, and we just need this to be compliant. I don't care, it's just part of the cost of doing business, we're going to roll it out with the compliance motivation." And I do think this is one that requires a level of self-awareness by the security advisor or security employee or the security leader in an organization, whatever you fit. Understanding the motivations of your organization is paramount to being able to sidestep compliance motivation, which is: you have to do it, it's not voluntary,

it's compulsory, get over it, do this training. Each organization can be different, and this is the beauty of different organizations, and I would encourage you, if you're actually trying to sidestep and move away from a compliance motivation, there's something you probably need to do, and this might surprise you: you might actually need to survey and interview and talk with each of the individual users and employees. So one of the things that I think a number of organizations get wrong is they only leave the decision on how to be compliant to the leadership teams, and what happens when you get compulsory or involuntary adoption throughout the organization is the same thing you see with torture, right? Torturing, we have found out in the last few years, doesn't actually get information from the person being tortured. So if we're trying to take an actor and get information out of him, torturing is about the worst way to do that. What we've actually found is that torturing leads to people saying whatever they need to say to end the torturing immediately, and you can draw a very quick parallel between that and your compliance training: that people are just answering and doing whatever minimal viable thing they can do to be done with the compliance training. Whatever you think you need to hear: "I will swear to you that I will never click another phishing email again, cross my heart, hope to die, I will do everything, just please let the compliance training move on so I can get back to my actual work." But if you actually bring the interviews and decision-making on how to be compliant down further in your culture and in your organization, I think you'll discover alternative ways to motivate your company.

So here's some data, because I know that you're all very interested in data. These are actually pre-COVID numbers; some of the ways we do training are going to fundamentally shift with the rise of the remote workforce. However, I will say there are some trend lines in here: that ILT and VILT, which is instructor-led training and video instructor-led training, are on the decline as you move into different learning management tools. And I'm proud to say that our organization and a number of other organizations in the space are starting to actually personalize and customize the training down to the level of the individual. So those tools are coming out where we no longer do one-size-fits-all, everybody-gets-the-same-training; we start giving different training experiences to different types of learners, different personalities; different groups and departments within the organization get differentiated training. So that's on the rise and that's good to see; that's something I'm personally passionate about and that's the work that I do every day. But I will talk about a surprising thing,

just to get you guys going if you're stuck in an organization that works with the compliance motivation, and that's simply to say, here's some data from, I believe the sample said, actually only about a thousand employees, so it's not a large set. But you can see that employees do want to receive more training; by and large, people would like to know more, be better at their job, do more meaningful work day in and day out. But as you can see on here, if you tie in training with the opportunities to be promoted, which are higher (it's not just compensation along with the promotion, but also recognition or more influence within the organization), if you tie in your security awareness training and your compliance training to people's motivations on being promoted, you can see that people actually demand this. Your users will demand it. So that is a cultural thing, a policy in your organization to champion. I can only send you more data on exactly how to overcome number six, but I figured this would help enlighten it.

So, I'll confess this was meme number two; the first one, of course, is the original, but that's still painful for me. "Help me, Zach, you're our only hope. You just told me in a very fast overview there are six things we do wrong. True to form, I only remember a handful of them; I'll have to go back and look at your slides to try to remember all six. But what could we do about these?" Right, so what do you do about these? This slide actually has a lot of things to be unpacked, and I'm sorry I didn't make this one slide into 10 slides so that you could review them later. However, I want to start with a bit of inspiration: if you find yourself in an organization that's committing any of these six things, how do you even start having conversations in order to address these issues, these wrongs, as it were? I think there are some interesting questions you can begin to ask yourself when you benchmark your security culture against the rest of your culture and say, how do you integrate those two? You know, you can just start asking: how many times do we have sales meetings in a week, a month, a quarter, a year, and how often do we have security-focused meetings, right? Or how much of our sales collateral brags about our security posture and environment at our organization? How much of our security position is being utilized to secure more revenue and help our company grow, right? How much of the things that we're doing internally with our security are helping our marketing team promote their digital properties and showcase what we do? Or how many times are you talking with your current client base about your security culture and posture? And you'll notice that it becomes a lot easier to address these issues when these things are on your radar, and that might mean that you have to think of yourself differently within the organization. There's a level of business acumen: you have to be empathetic to what's going on in the other departments, right? You'll have to get your head above all the fires you're putting out every day. But these are some questions I think that will really help gain the traction so you can address

these issues, right?

I do think I highlighted this as we went through, but this is just kind of one of those things: the data just shows you'll have to treat your executives differently and leverage their skill sets differently in the security awareness training, right? I'm not really going to get into skeptical versus critical understandings, because there's a lot to unpack there when approaching an executive or someone that's higher up in the hierarchy and you're trying to advocate for different security awareness postures, trainings, programs, whether you're dealing with a skeptical leader or a critical leader. But at a high level, a skeptical leader has a standard and your goal is to meet that standard; a critical leader has no understanding and has no level, no standard, at which you can make them happy. If you find yourself in a critical environment you have to do a lot more work to get a little done. Like I've mentioned, show them how to pick locks, not how to lock doors; use curiosity against them. And I will say this: in the long run, if you are utilizing fear-based tactics to get your executives' attention on your security awareness training posture, it won't get attention in the long run. Fear is actually built around short-attention-span bursts. So if you go to your executive and say, "Hey, if we don't do this we're going to get hacked, we're 200 percent more likely to blah blah blah," right, you might get their attention for the next 15 minutes in a meeting, but you won't get their ongoing attention as they go back to the things that they can actually think through. So, your job as a security professional, if you're trying to address these wrongs in your training apparatus, as it were: clarity is what wins. Going to them with clear thoughts on how this works, going to them with your benchmarks, going to them with what they can actually do and effect over time.

So that goes into the next thing, some of my recommendations: set small steps and milestones. Do the security awareness training before you answer tech support: that has to do with policy, but it's essentially saying, while people are working with you, if they have a technical support issue or some sort of other support issue, when you're engaged in those conversations with those users it's a great time to ask them where they are in their security awareness training progress, how they think about it, etc. And manage through security objectives and prioritize conversations. You're going to run into the dilution/coverage error if you try to solve all of your security awareness training problems at once. Okay, you just will. Pick your battles; that's another way to say this. The objectives that you really want to cover, aim at that. I have a mentor who says that your calendar shows your priorities. So if you do have a company calendar, what is calendared wins, and those are the priorities of your organization. So I encourage you to keep a close eye on the calendar and make sure that your organization's priorities show up on that calendar, and if security awareness training is one, it should show up. All right, and I'll always acknowledge that businesses, these organizations (Adam Anderson did this awesome talk about how to start your own), the business is irreducibly complex, right? Unfortunately you can't just show up to business every day and

say, hey, if we just do these one or two things right, everything will work. That's not how it works anymore. Unfortunately there's a list of a hundred things that a business has to get right every single day, and it's irreducibly complex; that's just what it is. And your security awareness posture might not be in the top 10 things that your company has to get right; it might not be in the top 20. You know, when I interview people and I ask them, conceptually, where does security awareness training fit into the top 100 things your company has to do every day, they say somewhere between 60 and 80, right? And so when you're working through that, that's not always a bad thing, but the question is, does it get the respect it deserves at whatever level of priority it is in your company, and is that showing up on your company's calendars, right? Always take opportunities to interview the users: how they enjoy the security awareness training, how they're learning, what they remember, what they're intimidated by, how to help them do their work better.

And I'll say this, this is just kind of a lasting idea, this is one of my soapboxes in security professionals and training in general: if you make other people better at their jobs, focus on their wins, you will avoid a number of these wrong issues when it comes to your training, right? If you help your field salespeople understand that their security awareness training isn't just a defensive move but an offensive move, that they can get more deals, have better conversations, move the ball forward, and de-risk not only the past things that the company's achieved but the future; de-risking the future is the next foreground of our security work, and I think security awareness training, helping people do their jobs better and focusing on their wins, makes it happen.

So, Adam encouraged me to do this, and I don't disagree. Like I said before, this is not a commercial for Hook Security, because if it were a commercial I would say, hey, if you sign up for a giveaway you're going to get an announcement on pre-ordering our book on psychological security. But this is not a commercial on pre-ordering our book on psychological security, so I don't want to sit here and tell you to pre-order the book. Sorry, that's a joke; I can't see anybody's faces, which makes this talk different. But if you sign up for the giveaway, you're welcome to unsubscribe and stop following us once the raffle is complete for the Pineapple, Raspberry Pi, and Apple product. But you'll also get an invite to a free course on how to use free tools to set up a security awareness training, either for your company or, if you're looking at starting your own company and you want to offer security awareness training as a professional service. I'm going to be doing it; it's probably going to be somewhere around two to four hours. It'll get technical on how to set up phishing simulations, learning management tools, where to get the content, how to deliver it and in what order, but it's absolutely free, it's free to you, and I will show you how to use free tools that are out there on the market to put something together. So I think that'll be highly valuable; expect that to come out sometime in July. But if you sign up for the giveaway, those are the emails we'll use to notify people of that upcoming course.

Lastly, I saw that most people put their Twitter handles on their BSides slides. Here are my Twitter handles; just know that they're inactive, they're either bot or promotional. So with that, that is the end of my presentation here. Hopefully you're able to capture some things and get your head thinking through some epiphanies, but I would love to process any questions that you all might have and go from there.

And attendees can take themselves off mute to ask questions.

Are there questions in the Discord as well today? Should we check there, or no? Cool.

Hi, I have a question. Can you hear me?

Yep.

Okay, great. So my question is around, if you have regular campaigns or content around security awareness, what's the length of that content or training each time you deliver it? Does that make sense?

Yeah, that's a great question. So it depends on what you're trying to accomplish. On the regularity of it, I'll say if you're trying to help your organization form patterns, pattern recognition comes somewhere around 14 to 21 days, so that loosely lines up with monthly. That's what we do with our organization: we train out monthly. But that's rounding up; if you're a purist with the data, you're going to try to build habits around 21-day schedules. So that's the first part.

The second part depends on what part of the brain you're trying to engage with the training. To make it real simple, there are cognitive processes and there are psychological processes. If you're trying to engage people to think differently, and engage the frontal cortex and the cognitive pieces, your training can be detailed and it can be... we actually have a longer attention span than we thought; TVs and commercials actually assume the wrong thing about how you think about things. That training can be up to eight minutes, as long as it's focused and engaging with the cognitive part of your brain. If you're trying to teach people to recognize things like phishing attacks, you should really focus on really low-vision opportunities, which are humorous narratives or tragic narratives that are less than 90 seconds, and you can see some data that you really only get six seconds of pure contact. There are two parts of your brain that you're engaging, your amygdala and your hippocampus. So if you're training monthly and your goal is to get people to think differently, you shouldn't be afraid of content that goes up to eight minutes, including any sort of assessment. If you're trying to get people to recognize things, your training should be less than 90 seconds and it should be humorous or tragic. That's my understanding of the current data. I think you have one other question.

So how do you help people in business see the correlation between their personal lives and security and what they do in business? Because often with security awareness I find people in business are like, "Okay, here's the compliance people, here's that phishing test that's coming out again," and then they just sort of get through it, but they don't see... not that they're perfectly focused on security in their personal lives, but how do you get them to see the alignment of the two, so they're more motivated to be secure inside or outside of the house, if you will?

Yeah, that's actually a really great question, and there's going to be part of my answer that is not that helpful. But you're tagging on perhaps a psychological phenomenon known as the Hawthorne effect. The Hawthorne effect is simply this; it's best demonstrated by a study where they would have an honor system for coffee set up in a work lounge. Coffee was 50 cents, and what did they discover? Well, over time, if you do the study enough, about half the people will pay for the honor coffee, and they typically will prepay: they'll put in a dollar and maybe get two cups, or they'll forget about them and put a dollar in every day because they know other people aren't paying. But about 50 percent of people pay and 50 percent don't; that tends to be a good breakdown of the data. What happens if you put a security camera right above the coffee machine? Well, you find that about a hundred percent of people start paying, overnight. But here's the interesting thing: if I set either a stuffed animal or a set of googly eyes on top of the coffee machine, the compliance is right there with the people who will pay in the honor system, 100 percent.

Wow, really?

Yeah. Because once people feel like they're seen, they do different behaviors. If people do not feel seen, they take different types of risk; they don't get less risky, they just take different types. So all they have to do is feel like there's some sort of living thing looking at them, and they change their behavior. One of the things that you see between people moving from business environments, in which they're monitored and they feel seen, to unseen things like their own personal lives, is the googly eyes go away. So I'm going to offer it up as a challenge. I think there are ways in which we can help people understand that they're being seen while still at home. You used the exact right word: you said how to help people see things. Helping people see things is one of the great challenges of the training industry. I will say that there are probably tools and ways in which you can enlighten your users on how they're being seen. Or let me back up: rather than telling people all the dangers of what happens when their data is sold, etc., and most of your personal users go home and use Alexa or Google Home or something (actually, my Alexa just turned on when I said that), you start to show them what that means and how people are watching them at home on their other devices, and help them realize what data is actually getting out and what is not. So breaking it down from a big scary boogie man that they can't do anything about to something that's a small little dragon, where they just need to make sure they know they're being watched, is probably a great strategy. But the tactics in there, I'll say, are still on the frontier of psychological training. That's why you don't like my answer in full.

Yeah, thank you.

Well, can I perform a quick Zoom poll and ask you to use the Zoom reaction to raise your hand to indicate if the company that you work for exhibits the problems that Zach identified at the beginning of the presentation?

All right. I've never heard the analogy before between security awareness training and torture; that's the first time I've heard that analogy. Are there any other questions for Zach today? I did get one in the Zoom chat that I can share out. It had a question about frequency. I'm going to read into it, but they say: it seems the frequency could easily get too frequent, where members revolt. Any advice on how to balance memory versus training pushback?

Yes, you're absolutely right. If something seems to be taking a greater priority than the organization's culture lens, then the organization has to push back. So if you are doing, let's say, phishing simulations as part of your training, and you're doing those too frequently, and you're disrupting the business day while these salespeople, accounting folks, operational researchers, etc. are trying to get their work done, and they have other priorities other than your phishing simulation, they will revolt, because the culture is there to protect their domain of expertise and the things that they're hired to do. If you live in an organization that champions the security awareness training and it becomes a higher and higher priority, you'll see less and less pushback. But this is one of those subjective things where you'll need to know where security awareness training fits into your organization today and where it needs to fit in tomorrow, and your frequency should be around there. Again, that's part of the reason we typically land on monthly, even though the data shows 21 days, because if you really are trying to push training experiences to folks within 21-day windows, many organizations are not there yet, and they're going to rebel and push back in order to protect their other priorities. So that's my best thought. If you are going to try to get more frequency in that 21-day window, I recommend starting with benchmarking your culture, having conversations with the executives, working through that buy-in process over time where you're interviewing your users, and all of that will culminate, after years of pushing, in a culture that actually wants the security awareness training.

Great, thank you. Any other questions today?

I have another question, sorry to dominate. How do you monetize security awareness results? I think sometimes in business the business leaders want the phishing activities to happen, but there are other things where they see a direct correlation with revenue or performance. So what KPIs, or how do you monetize the results of what you're doing without there being a breach?

I'm not sure I completely understand your question, so I apologize if I repeat this back to you, but: how do you utilize the results of your training in order to push forward with the company's other objectives?

Yeah, let me ask it a different way. How do you show that if you ran 12 campaigns in a year, you eliminated X amount of dollars in potential losses, or you reduced risk by 50 percent?

Yeah, actually, I don't typically advocate for that application of the training results as a protective measure, mainly because most security... the risk is actually a zero or one, right? It's "hey, your company has existed another year, you were secure enough, good for you," that kind of thing. It's a kind of yes or no, especially for small businesses, which is a large part of the efforts and the work that our psychological security aims at: the small and mid-sized businesses. I would actually argue that taking the results of your 12 phishing campaigns is something that you can package in such a way that shows the results, and it either buys transparency with your clients or your prospects, or it can help buy opportunities to start a discussion, and it actually becomes a great sales and prospecting tool for organizations of all different types, whether they're accountants or manufacturers, etc., because by bringing forward the results of your security awareness training you become a thought leader naturally in all these other industries. So my argument is your KPIs should be finding a home first within your revenue systems, and secondly within your HR systems, where you can recruit better people because they know that they're coming to a culture that is going to take employee training seriously, and it's a great bragging point when you're trying to recruit talent to your organization. That's usually where I advocate for the application of KPIs. But yeah, I don't have the data on how to utilize KPIs on proving that a loss did not occur because of the training.