• @freedickpics@lemmy.ml
    32 days ago

    (From the linked study, not the article)

    Annual Security Training: At UCSD Health, each employee must complete a standalone security awareness training once per year (with the material designed by KnowBe4).

    When employees first join, the HR system automatically assigns an employee this annual security training to complete within a few weeks. Once a user has completed their training, the system automatically reassigns this training to the user after one year (365 days) has elapsed

    I haven’t dug very deep into the study to see what the training actually involves, but this sounds like something employees would just bullshit their way through as fast as they can. I don’t think this proves that training in general is ineffective, but that it needs to be made more engaging and interactive.

    • The Bard in GreenA
      32 days ago

      Agreed. I had a consulting gig once, actually doing cyber security for Meta. They made us take an automated training, part of which was listening to videos of Mark Zuckerberg talking unironically about how important privacy is to the culture of Meta. The thing is, they had no good mechanism for making sure you actually watched the video. You could just mute Mark and then keep an eye on the run time, because at the end there would be a quiz. Most of the quiz questions were super stupid intuitive like “A friend asks you to use your Meta access to do X to their profile for them, what should you do?” And then multiple choice, with a bunch of obvious bad answers like “Like just do it, it’s fine.”