Skip to main content

Could Lack of Security Awareness Cost $1 Billion?

March 24, 2016

Awareness Thwarts $1B Bank Heist

The conventional wisdom says that the difference between robbery and fraud is this: in a robbery you know money was stolen, but you don't know who took the money; in fraud, you know who took the money, but you don’t know if it was a crime. In today's world of digital banking, it is not obvious when money is being stolen or who has stolen the money when you realize it was stolen. A case in point is an $80 million bank heist in February from the Bangladesh Central Bank that could have approached being a $1 billion bank heist.

"Hackers misspelled ‘foundation’ in the NGO's name as ‘fandation,’ prompting a routing bank, Deutsche Bank, to seek clarification from the Bangladesh central bank, which stopped the transaction, one of the officials said." Furthermore, the high number of transactions raised suspicions at the Federal Reserve Bank of New York, from where the funds were being transferred.  

In today's complex and highly transactional world, awareness is essential to stopping money from leaking out of your enterprise. While a similar attempt to defraud your company may not grab headlines, failing to address this sort of risk will feel as dramatic to you, when you are asked to explain why your personnel did not catch the scam.

The Path Forward

Do not treat security awareness training as merely a compliance issue, or allow your staff to attend it with complacency.

To maintain the attention of your audience, and to increase their retention of your material:

  • Start planning with a decision about what you want the audience to come away with, focus on those and reinforce throughout.
  • As you prepare material, consider what your audience will be thinking about; it needs to be your key take-away.
  • Attention spans are short - make your points early and re-engage their attention about every ten minutes.
  • Present problems to be resolved; a moderate challenge increases engagement.
  • Repetition reinforces learning; find ways to present your concepts after the formal training has ended.

Start With the End in Mind

Does your current security awareness training enable your staff to recognize the types of attacks that represent your biggest risks? Be clear about your objective for training, focus on that and that alone.

What is your Point?

Cognitive science has shown that what ends up in a learner’s memory is not necessarily the material as presented—it is what the learner was thinking about while the material was being presented. Ensure that training is focused on the points you need them to take away.

Make your Point Early

The attention span of a human is about ten minutes. If you haven't changed topics, started a new activity or in some way shifted gears, you will lose their attention. Energize presentations by accenting a point with an anecdote or some humor that is related to the point, to draw students' thoughts back to the training. 
 
To make it easier for students to maintain attention, plan your lecture in sections that will last about ten minutes, make your point early in each section and reinforce it with explanation and examples through the body of the section. Close out the section with something that signals the change, such as the anecdote. 

Challenge the Student, but Moderately

People love a challenge, but only if is not too hard. Or, as it turns out, not too easy. You might call it a "Goldilocks problem." If the problem is too hard, meaning that it is not solvable given the audience's subject matter knowledge, they will give up on the problem and turn to daydreaming. Ironically, if the challenge is too simple, they will judge the material as boring and turn their attention away.
 
Increasing knowledge is really about answering the questions posed by a person's current knowledge. No subject is completely explored, there are always questions left at that frontier where existing knowledge ends. To make material more attention grabbing, the instructor's job is to appeal to the student's curiosity about those questions.
 
Organize your lesson plan around these types of challenges, ones that are at the frontier of your audience's knowledge of the subject. Anticipate the questions they have in mind that will lead them into the new knowledge you would like them to possess. Make sure the questions that are posed are neither too challenging nor too boring.

Repeat After Me, Repetition Aids Retention

It turns out that attention span is not the only reason that four hours of lecture might be ineffective. Your workforce will retain more of the knowledge if it is repeated, but spread over time measured in days rather than hours. Research shows that "for learners to develop the full meaning of the information, the connection with that initial information must be strengthened through repetition. [1]"
 
Tests regarding the study technique for tests that we call "cramming" have shown that short term, intense, studying does improve tests scores, but that retention of the material is short term. Less intense studying, spread over a longer period of time with repeated events, creates a greater likelihood of long term recall of the material studied.

Conclusion

In today's fast paced world, attackers can take advantage of that pace to induce costly errors in your work environment. Ensure that your awareness training is focused on your risks and delivered in a way that encourages the right behaviors to prevent that dramatic, or even small, loss.

-----------------------------------

[1] Hsueh-Chao, Marcella Hu & Hossein Nassaji, Ease of Inferencing, Learner Inferential Strategies, and Their Relationship with the Retention of Word Meanings Inferred from Context, 68 Can. Modern Language Rev. 1, 71 (2012) as cited by McKeachie, Wilbert, et al. McKeachie’s Teaching Tips: Strategies, Research, and Theory for College and University Teachers. 12th ed. Boston: Houghton Mifflin, 2005.

Originally published in the Secure360 blog

Related Blogs

April 26, 2018

Thoughts on Breach of Trust vs. a Breach of Security

General thought: A breach of trust is different than a breach of security. Trust and security, while related, are very different from each other. In r...

See Details

March 22, 2018

Get Control of the Mayhem: A Day in the Life of a Piece of Unstructured Sensitive Data

Sensitive and relevant data, such as personally identifiable information (PII) or intellectual property, may be running rampant in your organization. ...

See Details

November 09, 2017

Third-Party Breaches Will Continue Until Morale Improves

I have some bad news for you: breaches at third parties are not going to stop – not any time soon. Various studies show that somewhere between one-thi...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.


Privacy Policy

Related Insights

July 21, 2015

Data Security Solutions

Learn how we can help secure your date throughout its lifecycle.

See Details

April 24, 2013

Cyber Security Flaws We All Know and Love

Joseph Belans provided an excellent presentation at BSides titled "Hacking like it's 1999: Security Flaws We All Know and Love." Below is a video rec...

See Details

February 08, 2013

Cyber Security Awareness eLearning Demo

FishNet Security delivered another successful webinar helping our customers to hit the ground running with their 2013 security awareness initiatives. ...

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.

Subscribe

Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cyber security Events in your area.