HACKER Q&A
📣 phunel

Security Awareness Training


I'm at a bit of a loss. Just wanted to ask the community if there were any recommendations for decent security awareness training. This requirement is coming up more and more with regulators and underwriters.

In essence, this is of course more 'box ticking' and has little to do with actual security, but the requirement remains.

Would love to hear from actual experience. I've gotten quotes from about a half dozen suppliers and I've yet to find a supplier that the staff wouldn't hate me for subjecting them to. The materials are almost universally pretty childish and melodramatic.

Saw the Stacksi launch earlier last year and they seem to have the right idea for this domain. Would love to find a comparable company but offering security awareness training - or if the Stacksi guys are reading this, please consider adding this to your product line up! :)

  👤 andersonmvd Accepted Answer ✓
If it's a general course, you can even pay a udemy course to each employee for 15 bucks each (or even less for companies?) like https://www.udemy.com/course/security-awareness-training/? Haven't tested it, but for box ticking it may be enough.

If it's for developers or engineers, I've been working on the approach that you get security awareness when working with security engineers. The idea to have a security person close to your team that will teach in practice what it's hard to absorb with some courses out there. Not a replacement for a course, but another way to learn. For more details on this, the info is on my profile.

👤 kespindler
Depending on the size of your team, and whether you just need to "check a box" and say you do it, versus you're actually worried about employee mistakes re: cybersecurity (e.g. you have a big and varied enough team where training is geniunely important), it's pretty easy to design this yourself.

Write up or copy a few page doc outlining security best practices, then require every employee to read & sign an acknowledgement that they've read it. Now every employee has gone through security training.

👤 chair6
Check out SafeStack, https://academy.safestack.io/safestack-courses/security-awar... .. they're one of the less-cringey, more-modern awareness options I've seen recently.
👤 binarybyes
If you want a company that is trying to change the paradigm around security awareness training, I'd highly recommend looking at Ninjio: https://ninjio.com/

They take a drip-feed approach, with one 5ish minute video monthly rather than an hour yearly. People don't mind 5 minutes once a month, and as a bonus, it has been shown that the drip feed method helps to keep security on peoples minds, as well as increase their overall retention

👤 rdj
If it’s security training for developers, architects, and technical teams take a look into the CTF style trainings (hands on keyboard, hacking exercises). We’ve turned it into an annual event (leaderboards, trophies, bragging rights, swag, pizza, the works) and the participants not only loved it, they have started to pregame, plan teams and held live debriefs where they talk through the experience and where it actually impacts their code.
👤 plasma
Haven’t used them myself, but I see https://www.securecodewarrior.com mentioned, aim is to teach developers and seems engaging.
👤 jiveturkey
Did you look at eset? They have a free one too. I'm at a loss as to how Stacksi is relevant. They do some AI form filling for you. How's that going to apply to security awareness training.