Some information security awareness training is doomed to fail before it starts
Several studies have shown that most advanced persistent threat (APT) attacks are caused by a lack of security awareness among personnel, and a large number of cases show that the proportion of security incidents attributable to "people" is very high. Many in the industry jokingly call the "human" the "eighth layer" of TCP/IP, a layer that needs good awareness education to reduce the system's attack surface.
Reading this, many people may think that holding one security awareness training session a year, followed by a simple test, is enough: if everyone passes, the compliance requirements are met and there is something to report to leadership. I can only say: too simple, too naive! Some information security awareness training has already failed before it starts.
What exactly is awareness?
Exploring an information security training system
- The training content consists mainly of knowledge points, with few vivid case studies; employees cannot relate to it and are easily distracted in class;
- The training takes a single form: face-to-face courses only;
- Training audiences are not reasonably differentiated, and there is no post-specific training;
- The training content covers only security awareness, with no security technology training or policy compliance training;
- Training is limited to new-hire onboarding, and the awareness stimulus is too weak to change employees' behavioural habits;
- Training takes up employees' daily working time, so they refuse to attend or attend reluctantly;
- Training exam results are not tied to employees' personal performance, so employees do not take them seriously;
- Training performance cannot be measured or visualised, so improvements in awareness cannot be compared;
- There is no effective channel for collecting feedback and suggestions.
Figure 1. Vipshop information security training system architecture
- (1) Content management: managing the security training content in the "training content layer", mainly by organising and expanding the security training knowledge points according to needs and security events;
- (2) Demand management: collecting security training needs from the Technology Center, business departments, HR and others, and extracting knowledge points from the information security events in "material management" to form security training requirements;
- (3) Training development: the process of developing training courseware, animations, posters and so on from the security training knowledge points in "content management", taking into account the carriers in the "training carrier layer" and the presentation forms in the "training form layer";
- (4) Material management: classifying and managing the pictures, articles, animations and security incident cases that make up the final training courseware, so that they can be developed quickly and iteratively according to the security training needs;
- (5) Lecturer management: for the lecturers of face-to-face information security courses, implementing a lecturer certification system and course satisfaction management, and feeding information back through the "communication and exchange" channels so that lecturers can continuously improve their teaching skills;
- (6) Performance evaluation: two aspects, the assessment management of trainees and the training objective performance management of the information security department. Trainee assessment mainly tracks the attendance rate of offline courses, the completion rate of online courses, the exam pass rate and similar indicators. Training objective performance mainly tracks the completion of the annual information security training objectives, the number of security incidents proactively reported by employees, the number of violations reported by employees, and satisfaction with security training. It is an important part of measuring and continuously improving the training system;
- (7) Communication and exchange: effective channels through which trainees give feedback on the effect of information security training, report security incidents or security violations, and make suggestions for improvement. These channels include the v-learning forum discussion area, e-mail, the V-classroom satisfaction questionnaire, IM chat tools and others.
The training carrier follows the development of the times: whatever the times bring, a corresponding carrier naturally follows. Before computers, there were offline face-to-face courses and posters. Later, computers, mobile phones and WeChat became necessities of life and, with them, new carriers for security training. So in the training carrier layer we only need to keep up with trends; there is not much to innovate. Perhaps in the future we will do security training with holographic projection and VR games.
To stimulate awareness with sufficient intensity and over a long period, Vipshop's training carriers are currently divided into online and offline parts. Offline carriers are mainly face-to-face courses and physical publications, while online carriers include v-learning, e-mail and OA on the PC side, and V-classroom and WeChat on the mobile side.
- Content not attractive enough? We promote security content through entertaining animated videos and long-form infographics tied to current events.
Figure 2. Security technology training animation video
Figure 3. Long-form security awareness infographic - telecom fraud
- Monotonous form? We deliver security training through the VSRC WeChat official account, PPT decks, the security staff handbook, long-form infographics, animations, security tips, posters and roll-up banners, and information security activities, making sure the forms are varied.
Figure 4. Information security tips - 1
Figure 5. Information security tips - 2
Figure 6. VSRC WeChat official account sharing
Figure 7. Information security face-to-face training PPT - case sharing 1
Figure 8. Information security face-to-face training PPT - case sharing 2
Figure 9. Information security week - a hot spot
Figure 10. Information security week - active participants
Figure 11. Vipshop OA column
Figure 12. 12th information security bimonthly - cover
Figure 13. 13th information security bimonthly - cover
Figure 14. Information security bimonthly - security vulnerability warning
- Taking up valuable working time? We make the most of employees' fragmented time: riding the subway or bus, waiting for the lift, walking the corridor, and the moments when the computer screen is locked. In these fragments we push long-form security awareness infographics, play security awareness animations and show security screensaver images, raising security awareness imperceptibly.
Figure 15. Screensaver - no account sharing
Figure 16. Screensaver - no weak passwords
- (1) Regular security knowledge points are the content every training audience must understand.
- (2) For example, when a "phishing email" appears in the company, training content about that security incident is developed immediately and sent company-wide as a security tip email, serving as an early warning so that the incident's impact does not spread.
- (3) According to "demand management" in "system management", training content is planned by collecting the training needs of different departments.
Figure 17. Video course catalogue of information security awareness education
Figure 18. Information security awareness education animation - data security
Figure 19. Information security awareness education animation - account sharing
Figure 20. Information security bimonthly - life-related security alerts
Figure 21. Information security technology training animation - course catalogue
Figure 22. Information security technology training animation - SQL injection vulnerability
Figure 23. Secure coding specification
5. The training object layer concerns the personnel who receive information security training. We analyse training objects along two dimensions: the audience classification of the training courses, and the career development needs of the training objects.
Audience classification means that, beyond the "one size fits all" security awareness courses for all staff, post-specific security skills training should also be delivered for each post, in categories such as secure development, secure operations and maintenance, and security emergency response.
Career development needs refer to the different security training needs that may arise after an employee joins the company, as technical and post promotions are taken into account.
Example A: a developer needs to master secure coding. When promoted to system architect, the same person may need to understand deeper topics such as security models, security architecture and threat modelling.
Example B: a salesperson promoted to business manager or even business director. Previously they only had to manage their own security awareness; now they must manage the security awareness of everyone on their team, which is no small challenge, so they need security awareness training after the change of role.
The training object layer is divided into four stages: new employee, on-the-job, promotion and continuing education.
November to December 2016 was the period for Vipshop's all-staff information security examination. The one-and-a-half-month examination was completed before New Year's Day 2017, with more than 26000 participants.
The information security department planned this examination carefully, setting different examination content for all-staff awareness, development posts, testing posts, project manager posts and product manager posts. This embodies the concept of post-specific training and post-specific examination, with the examination content designed to match the training content closely.
For the information security awareness questions we compiled two question banks covering nine security fields: mobile security, terminal security, confidential information disclosure, account authority security, social engineering security, business security, personnel turnover security, key post responsibility separation and data extraction security. During the exam the system randomly selects questions from each field, so each person's paper is different. The examination for technical personnel covers the top 10 security vulnerabilities, secure coding specifications, the security assessment process, business security technology and other areas, to ensure that technical staff master basic security technology and comply with the security management process.
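As an added illustration (not code from the article or from Vipshop's exam system), here is a per-employee paper generator matching the design above: every one of the nine fields contributes questions, the selection differs per person, and a keyed seed keeps each paper reproducible for audit. The question bank, employee ids and secret are constructed placeholders.

```python
import hashlib
import hmac
import random

# Constructed sample question bank: the nine security fields named on the page,
# each mapped to placeholder question ids (not real exam content).
FIELDS = [
    "mobile security", "terminal security", "confidential information disclosure",
    "account authority security", "social engineering security", "business security",
    "personnel turnover security", "key post responsibility separation",
    "data extraction security",
]
BANK = {field: [f"{field}#{i}" for i in range(1, 11)] for field in FIELDS}


def exam_seed(employee_id: str, secret: bytes) -> int:
    """Derive a per-employee seed with HMAC-SHA256, so a paper can be regenerated
    for audit but cannot be predicted from the employee id alone.
    Assumption: the secret is held only by the exam system."""
    digest = hmac.new(secret, employee_id.encode(), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def build_exam(bank: dict, employee_id: str, secret: bytes, per_field: int = 2) -> list:
    """Stratified sampling: draw per_field questions from every field so each paper
    covers all fields, then shuffle so question order also differs per person."""
    rng = random.Random(exam_seed(employee_id, secret))
    paper = []
    for field in sorted(bank):  # fixed field order keeps the draw reproducible
        pool = bank[field]
        if len(pool) < per_field:
            raise ValueError(f"bank for {field!r} has fewer than {per_field} questions")
        paper.extend(rng.sample(pool, per_field))
    rng.shuffle(paper)
    return paper


def covered_fields(paper: list) -> set:
    """Fields a paper touches, used to verify the all-fields coverage guarantee."""
    return {q.rsplit("#", 1)[0] for q in paper}
```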
Figure 24. 2016 information security online training
Figure 25. 2016 information security online exam
Although Vipshop's information security training has taken initial shape as a system, it is still far from perfect.
In the future we will focus on the following:
- (1) Add more post-specific training: first expand its coverage, and aim for high-risk departments to have their own training content;
- (2) Gradually deepen the training for key training objects, with effort on the "promotion stage";
- (3) Diversify performance evaluation methods; social engineering simulations and internal phishing tests are being considered to test employees' security awareness;
- (4) Keep up with the times, innovate in training carriers and training forms, and increase user stickiness;
- (5) While adding, also subtract properly: security training forms that get poor feedback or no attention will be transformed or abandoned, to improve the ROI of security training resources;
- (6) Optimise the linkage between security events and security training, and do more summarising and organising of material management and content management.