Ask HN: Security Awareness Training

8 points by phunel ↗ HN
I'm at a bit of a loss. Just wanted to ask the community if there were any recommendations for decent security awareness training. This requirement is coming up more and more with regulators and underwriters.

In essence, this is of course more 'box ticking' and has little to do with actual security, but the requirement remains.

Would love to hear from actual experience. I've gotten quotes from about a half dozen suppliers and I've yet to find a supplier that the staff wouldn't hate me for subjecting them to. The materials are almost universally pretty childish and melodramatic.

Saw the Stacksi launch earlier last year and they seem to have the right idea for this domain. Would love to find a comparable company but offering security awareness training - or if the Stacksi guys are reading this, please consider adding this to your product line up! :)

9 comments

[ 0.21 ms ] story [ 835 ms ] thread
Did you look at eset? They have a free one too. I'm at a loss as to how Stacksi is relevant. They do some AI form filling for you. How's that going to apply to security awareness training.
Depending on the size of your team, and whether you just need to "check a box" and say you do it, versus you're actually worried about employee mistakes re: cybersecurity (e.g. you have a big and varied enough team where training is geniunely important), it's pretty easy to design this yourself.

Write up or copy a few page doc outlining security best practices, then require every employee to read & sign an acknowledgement that they've read it. Now every employee has gone through security training.

If it’s security training for developers, architects, and technical teams take a look into the CTF style trainings (hands on keyboard, hacking exercises). We’ve turned it into an annual event (leaderboards, trophies, bragging rights, swag, pizza, the works) and the participants not only loved it, they have started to pregame, plan teams and held live debriefs where they talk through the experience and where it actually impacts their code.
If it's a general course, you can even pay a udemy course to each employee for 15 bucks each (or even less for companies?) like https://www.udemy.com/course/security-awareness-training/? Haven't tested it, but for box ticking it may be enough.

If it's for developers or engineers, I've been working on the approach that you get security awareness when working with security engineers. The idea to have a security person close to your team that will teach in practice what it's hard to absorb with some courses out there. Not a replacement for a course, but another way to learn. For more details on this, the info is on my profile.

Thank you. Found the udemy courses today too and I think this is ultimately what we'll do. Basically every other vendor's videos are some weird paw patrol/person of interest hybrid. The company pricing for udemy is strange though - as far as I can tell they won't let you purchase a bunch of seats for one course, they insist on a subscription to their catalog - so will be tedious to setup an account for each person but that's fine.
If you want a company that is trying to change the paradigm around security awareness training, I'd highly recommend looking at Ninjio: https://ninjio.com/

They take a drip-feed approach, with one 5ish minute video monthly rather than an hour yearly. People don't mind 5 minutes once a month, and as a bonus, it has been shown that the drip feed method helps to keep security on peoples minds, as well as increase their overall retention