Deploying Continuous and Measurable Security Education for Employees. Security awareness and training methodology and best practices


February 2015

Executive Summary

Knowing that end users are the last line of defense against social engineering and cyber security attacks, security officers require an effective approach to educating them. Wombat Security Technologies is the first and only company to offer a complete suite of security education solutions that leverage progressive training techniques to effectively improve human response against cyber-attacks. At Wombat Security, we believe that to be effective, training should leverage proven Learning Science Principles and be delivered continuously throughout the year. Unfortunately, much of the training delivered today to end users consists of videos and PowerPoint presentations delivered once a year.

"Over 95 percent of all [security] incidents investigated recognize human error as a contributing factor."
IBM Security Services 2014 Cyber Security Intelligence Index

Information security officers and risk managers who want to actively protect their end users and their organizations should shift to a continuous, cyclical training approach, which offers measurable benefits over presenting annually. Though we believe that PowerPoint presentations and videos can be informational, our experience has shown that they are seldom educational. These types of media can successfully inform end users of dangers, but they are not engaging enough to bridge the gap between awareness and understanding. Interactive training methods help users absorb and appropriately recall the knowledge and tactics necessary to avoid attack.

We believe there would not be a debate about the value of end-user security awareness and training if all programs were effective, ongoing efforts, instead of discrete events. We know the value of a balanced, thoughtful approach that draws on Learning Science Principles. That's why our methodology, which employs a cyclical model of assessment, education, reinforcement, and measurement, has helped our customers change behaviors within their organizations and reduce malware infections and successful phishing attacks by up to 90%.

Wombat Security Technologies, Inc

A Continuous Approach to Security Education

This document offers guidance about using the Wombat Security Continuous Training Methodology to effectively teach your end users to recognize and avoid phishing attacks; social engineering traps; malicious links, websites, and downloads; and other risky behaviors that could negatively impact your organization's security posture.

Our Continuous Training Methodology includes four key steps: Assess, Educate, Reinforce, and Measure. These components can be used independently, but they are most effective when they are combined, which delivers a 360-degree approach to security awareness and training. You can deliver these steps via our Security Education Platform, which is purpose-built for information security officers and enables seamless execution of your program:

1. Assess: Create a variety of custom knowledge assessments and use mock attacks to diagnose your organization's potential vulnerabilities and determine where your end users are most susceptible.
2. Educate: Maximize learning and retention with a broad set of focused interactive training modules.
3. Reinforce: Remind your employees about best practices by bringing messaging into the workplace. Share articles, display posters and images, reward participants with security-minded gifts, and more.
4. Measure: Use data and analysis to drive strategies and effectively guide current and future efforts.

A single cycle of the four-step methodology can be executed in as little as a month or (more typically) over two to three months, which allows you to repeat the steps multiple times per year. We strongly recommend this repetition as it drives measurable change and helps to create a culture of security awareness that extends to every level of your organization.

Research and industry results have shown that once-a-year classroom or video training is not effective in the battle against data and security breaches. Ongoing security awareness and training programs are most effective at maintaining top-of-mind awareness, maximizing learning, and lengthening retention of the learned topics. The steps in our unique Continuous Training Methodology, which are discussed in more detail in the subsequent sections, help you create a program that evolves and enables continuous improvement.

Before you embark on a security awareness and training program, you should communicate your plan to all appropriate stakeholders in your organization, including human resources, legal, internal communications, executive management, and other relevant parties. If your organization opts to inform your full employee base prior to the initiation of the program, please be advised that this could skew baseline results, particularly those related to simulated attacks.

Step 1: Assess Knowledge and Susceptibility to Attack

We believe that assessment is a critical first step to security training. It is important to establish a baseline understanding of your employees' levels of security knowledge prior to kicking off your educational efforts. This baseline provides valuable insight into the level of training required and creates a benchmark to measure against as you progress through your program and you continue to reassess and train your employees. Equally important, this initial assessment provides data to prioritize your plan of attack on the vulnerabilities and weaknesses in your organization.

To ensure clear results, consider how you would like to see user data grouped for reporting to management teams and for easy implementation of follow-up training. After segmenting into various groups, we recommend a multi-pronged evaluation to begin your program: an organization-wide evaluation using our CyberStrength Knowledge Assessments as well as simulated attacks using our PhishGuru, SmishGuru, and USBGuru products.

CyberStrength Knowledge Assessments

CyberStrength helps you gauge your employees' knowledge about topics that are critical to a strong security posture. We have developed a comprehensive portfolio of more than 150 questions that cover a range of subjects, including safe interactions with emails, URLs, and websites; proper use of mobile devices and mobile apps; understanding and avoiding social engineering scams; and other behaviors that can negatively impact your people, areas, data, and systems.

We recommend starting with a broad assessment across all subject areas to get an overall understanding of employee knowledge. However, if there are particular topic areas where you are concerned about knowledge gaps, you can create a highly focused assessment. You can also create your own questions to assess understanding of company-specific policies and the pervasiveness of known issues.

You can assess your employees on the following topic areas using our portfolio of questions:

- Phishing
- Passwords
- Internet browsing
- Mobility and security outside the office
- Data protection
- Mobile device safety
- Social engineering
- Physical security
- Social networking
- Compliance-related initiatives

We recommend that you pair our CyberStrength assessments with our simulated attacks. However, CyberStrength can be used as a standalone evaluation tool. If your organization is not receptive to using mock attacks, these scenario-based questions offer a less invasive opportunity for evaluating knowledge levels. You can use and analyze the data gathered through the course of the assessments to plan a targeted approach to awareness training.

PhishGuru, SmishGuru, and USBGuru Simulated Attacks

Our PhishGuru, SmishGuru, and USBGuru simulated attack tools can help you evaluate your employees' understanding of the dangers associated with phishing, smishing, and USB attacks. Through mock attacks, you can evaluate your organization's level of susceptibility in a safe, controlled manner. You'll get a sense of how your employees would respond to phishing and spear phishing emails (PhishGuru), malicious SMS/text messages (SmishGuru), and infected/unauthorized storage devices (USBGuru) without exposing your network to an actual attack. This helps you gauge how vulnerable your organization could be to these dangerous and pervasive threats.

One of Wombat's retail customers used our Anti-Phishing Training Suite to assess and educate their employees about phishing threats. The customer experienced the following results:

- Significant click rate reductions on mock phishing attacks (35% to 6%)
- An 84% reduction in susceptibility in just 45 days

In the initial stages of your program, we recommend implementing a PhishGuru campaign and a SmishGuru campaign simultaneously. Because these two threat vectors are so prevalent (phishing, in particular), it's critical to establish a baseline of your employees' susceptibility to these types of attacks. USBGuru simulated attacks can be implemented at any point in your annual program to reinforce your policies about the responsible use of removable memory devices, but we recommend pairing all of the simulated attacks early in the program so you can understand your vulnerabilities and incorporate the results into your education program.

Our PhishGuru, SmishGuru, and USBGuru tools prime your employees to learn how to avoid actual attacks. Any employee who falls for a mock attack is automatically presented with a Teachable Moment, which explains the situation and provides practical guidance and tips for future reference. This approach, which pairs simulated attacks with just-in-time teaching, is an excellent forerunner to our interactive training modules because it motivates and engages your employees. Our data shows that employees who fall for a mock attack are up to 90% more likely to complete follow-up training.

In addition, our reporting functions gather actionable data, so you can evaluate how your employees' behaviors could negatively impact the security of your networks, data, and systems. You can also use the results to plan and focus your future security awareness and training efforts.

Step 2: Educate with Interactive Training Modules

Research shows that training must be continuous to be effective. Training once a year isn't enough, and training only a subset of employees does not create an organization-wide culture of security. And simply telling your employees that issues such as phishing, web threats, or social engineering exist is not going to reduce data breaches and malware infections. To truly bring about change, your employees must understand how security threats present themselves in day-to-day situations. In addition, providing training on separate threat vectors throughout the training cycle results in fresh content and engaged employees.

Our interactive training modules are designed to help change behaviors for all employees in your organization, not just those who happened to engage with a mock phishing or other simulated attack. After all, it's dangerous to assume that all employees who didn't click on a phishing email did so purposefully, because they recognized the threat. Without training, yesterday's non-clickers can be today's clickers.

Our training modules build on our assessments to help your employees make the right decisions when they are face-to-face with security threats. These training modules help users recognize the role they play in protecting your network, data, and assets. Each of our modules offers 10 to 15 minutes of interactive training about a specific security topic. Our development and design processes leverage proven Learning Science Principles and employ methods that have been proven to be more effective than once-a-year training presentations and videos that do not allow for interaction.

We recommend assigning three training modules per quarter to all employees, either all in the first month of the quarter or spread out (one per month). Modules should be chosen to address the top three risks identified in the results of your CyberStrength assessments and/or simulated attacks. Individuals who fell for simulated attacks or who scored particularly low in assessment areas can be assigned mandatory training or asked to complete their training assignments in a shorter time period.

We recommend that users complete their assignments within 30 days so the program continues to progress throughout the year.

Training Assignments Based on Simulated Attack Results

It's important to assign follow-up training for any employee who falls for a mock attack. Our exclusive Auto-Enrollment feature allows you to do this automatically within PhishGuru, but you should also assign training for individuals who fall for a smishing or USB attack. Linking mock attacks to our interactive modules allows you to deliver targeted training to your most susceptible end users.

We recommend assigning one or multiple training modules for users who fall for one of our simulated attacks:

- PhishGuru: Email Security, URL Training, Anti-Phishing Phyllis, Anti-Phishing Phil, Social Engineering
- SmishGuru: Mobile Device Security, Mobile App Security (future), Social Engineering
- USBGuru: Data Protection and Destruction, Social Engineering

"We have seen a major reduction in malware infections in our organization, a result we attribute to the Wombat methodology. In November, we had 56 employee computers infected with malware. Later that month, we sent a mock phishing attack to about 18,000 users, followed by in-depth training for employees who fell for the mock phishing message. By February, our malware infections dropped to three users. That's a nearly 95% reduction! I know this is primarily due to the increased awareness we created with the training."
A leading international financial services company based in the Midwestern U.S.

Training Assignments Based on CyberStrength Results

If you used CyberStrength as a standalone assessment or you have users who didn't fall for mock attacks, we recommend you determine assignments by reviewing the results and analysis of your company-wide CyberStrength assessment from Step 1. Our comprehensive reports will help you prioritize the assignments based upon those results.

Here are the options Wombat recommends:

Option 1: Prioritize training modules for entire groups based on low scores on modules across the group.
Option 2: Group related modules for assignments on particular topic areas. (Note: Some of these topics have overlapping content due to the breadth of included training modules and their applicability across many areas.)

Following are some examples of the training modules you could assign based on topic areas:

1. Phishing: Email Security, URL Training, Anti-Phishing Phil, Anti-Phishing Phyllis, Social Engineering
2. Internet browsing: Safer Web Browsing, Safe Social Networks, Password Security
3. Mobile device safety: Mobile Device Security, Mobile App Security (future), Security Beyond the Office, Social Engineering
4. Compliance-related initiatives: Protected Health Information, Personally Identifiable Information, Payment Card Information Data Security Standard, Data Protection and Destruction
5. General safety: Security Essentials, Physical Security, Password Security, Safer Web Browsing, Email Security, Social Engineering

Step 3: Reinforce with Security Awareness Materials

Wombat Security customers are creating a culture of security awareness within their organizations using our Security Awareness Materials. This portfolio of posters, images, articles, and other visual cues reminds your employees about the security principles they learned during in-depth training. When these materials are viewed and shared on a regular basis, they reinforce the lessons from our interactive modules, helping your employees retain their knowledge and respond appropriately when they encounter security threats.

- Posters: 14 different posters in two sizes (11 in. x 17 in. and 24 in. x 36 in.) provide tips and advice about relevant security issues.
- Articles: 14 different articles discuss security topics in greater detail. Add to internal newsletters and intranets or copy and paste into alerts for your employees.
- Images: 14 horizontal poster images (1024 x 768 resolution) can be downloaded and incorporated into screen savers as daily reminders at the desktop. Additionally, they can be added to electronic message boards and intranets to drive awareness.
- Gifts: A selection of inexpensive giveaways can be used to reward your employees.

Step 4: Measure Results

Our Security Education Platform's detailed reporting provides insight into each assessment and education component you choose to include in your security awareness and training program. As users are completing their training assignments, you can monitor the results and look back over the data that was gathered throughout the assessment and training steps. You'll be able to review employees' interactions with CyberStrength assessments; PhishGuru, SmishGuru, and/or USBGuru assessments; and our interactive training modules. You'll have access to detailed information about who completed which assignments, who fell for specific simulated attacks, which concepts employees understand well, topic areas of weakness, and improvements over time.

Our extensive library of reports provides you with aggregate and individual data that shows completion status of assignments, most missed items, as well as each user's training report card, and other data about the assignments. As the training completion deadline approaches, you can use the assignment completion report to determine which employees need to be reminded again about the due date of their training assignments. Results will appear immediately and you can gauge employee proficiency and begin to plan the next assessments and the next training module assignments. At any point in the cycle, you can print reports to provide a summary of results to managers, human resources, executives, and any other interested parties.

For Best Results, Repeat the Cycle

Once you conclude the initial phase of your security assessment and training program, it is important to reassess in order to gauge the effectiveness of the training and the users' retention of the materials. Reassessing also creates a heightened awareness of cyber security and can be used to identify remaining weaknesses. Deploying additional simulated attacks will help you determine if your employees are more alert to these types of threats, and a follow-up knowledge assessment will help you measure progress by topic area. CyberStrength allows security officers to develop custom questions and scenarios to increase difficulty throughout the training life cycle. Assessments can also be tailored to align with the results of the training metrics.

"I continue to enjoy working with Wombat as a true partner to help raise the level of security awareness with our associates and the broader security community."
Information Security Officer at a leading financial institution

Following reassessment, it is important to provide additional educational content and practical tips employees need to recognize and avoid attacks. We suggest repeating this continuous, cyclical approach throughout the year.

Suggested CyberStrength Reassessment Schedules

Quarterly or biannual CyberStrength assessments allow you to continue to measure improvement from the baseline. With this data you can determine the appropriate modules and training initiatives for your next set of assignments. When you aren't performing a broad content assessment, we suggest focusing on seasonal issues, as in the following schedule:

- Safety on the Internet: August to October
- Anti-phishing: November to January
- Compliance: February to March
- Mobility and travel: April to July

Suggested Simulated Attack Reassessment Schedule

We recommend that you conduct ongoing simulated attacks to ensure groups receive attacks at least four to six times per year. Many of our customers send out monthly simulated attacks to maintain a high level of awareness. During these reassessments, we recommend that users who fall for simulated attacks be assigned the relevant training modules as indicated in Step 2.

If you plan to employ a continuous cycle of simulated attacks and use Auto-Enrollment (the automated scheduling feature within PhishGuru), we suggest assigning only one training module per Auto-Enrollment and varying that training module between attacks to maximize the topics covered.

Suggestions for Additional Training Assignments

Here are some other ways you may consider creating assignments for your users:

- Mandatory Mobile Device Security and Mobile App Security (future) training for BYOD device registration.
- Mandatory training following any device infections. You can select training assignments based on the device(s) infected and the actions that resulted in the infection (if known).
- New hire assessment and training to gain a baseline of knowledge, and basic training as they enter the organization.
- Assign Security Essentials as either the initial training module for all employees or as a capstone module for employees once they finish the other training modules.

"The interactive nature of the Wombat training, as opposed to a simple quiz at the end, made everything else we looked at seem poor in comparison."
Information Security Officer at a public college in the Northeastern U.S.

Keep Your Efforts Engaging and Fun

We pair Teachable Moments with our simulated attacks because these just-in-time teaching segments help to engage users. We believe in making the most of each touch point in the assessment and training process to lengthen knowledge retention. And we encourage you to do the same with your security awareness and training program.

You don't want your employees to think of security initiatives as a chore. If you keep your employees engaged and interested, your efforts will be more successful. Here are some ideas to get you started, but keep in mind that the best ideas will be generated by your organization to fit your corporate culture:

- Rewards for trainees with the highest scores or who complete their training most quickly.
- Create a competition between departments/groups for first dates of completion, training module scores, or assessment scores.
- Elect a security champion within each group/department who provides on-the-spot recognition for employees exhibiting the right security behaviors (e.g., not letting tailgaters through secure entrances, locking their computers when they leave their desks, using passwords/locking mechanisms on corporate mobile phones, etc.).

Continuous Security Education Action Plan

Here is a summary of the Continuous Training Methodology outlined above.

Step 1: Assess Knowledge
a. Break users into functional, geographic, and access level groups as appropriate
b. Issue a broad cyber security assessment to gain baseline knowledge
c. Deliver simulated phishing, smishing, and memory device attacks
d. Review results to determine training modules to assign

Step 2: Educate via In-depth Training Modules
a. Select three training modules that will strengthen employee knowledge in the top three areas of weakness
b. Ensure that victims of simulated attacks are either assigned mandatory training or complete training within a shorter timeframe; schedule general training assignments to be completed within 30 days to ensure progress

Step 3: Reinforce with Security Awareness Materials
a. Display posters, share articles, and reinforce security best practices throughout your workplace
b. Reward employees and security advocates with small gifts and tokens to recognize and encourage good behaviors

Step 4: Analyze Results
a. Review Security Education Platform reports to determine training saturation and potential areas of weakness
b. Use this data and analysis to determine the next phase of assessment and training

Repeat the Cycle

Here is a suggested timeline for implementing knowledge assessments, simulated attacks, and interactive training.

A Wombat customer in the manufacturing sector used PhishGuru and follow-up training. The initial mock attack had a 35% click rate. Those who fell for the attack were automatically enrolled in training; non-clickers were also assigned training. The customer experienced the following results:

- 69% reduction in susceptibility in 54 days
- A 90% increase in training penetration with Auto-Enrollment
- Only 4.7% repeat offenders in a follow-up mock phishing attack

The Building Blocks of Effective Training

All Wombat training solutions are based on the proven Learning Science Principles summarized below. We offer a complete library of software-based training modules that employ these principles. This is a critical element of effective training that cannot be replaced with video-based or presentation-based training, neither of which applies these effective education techniques.

Offer Conceptual and Procedural Knowledge

Conceptual knowledge provides the big picture and lets a person apply techniques to solve a problem. Procedural knowledge focuses on the specific actions required to solve the problem. Combining the two types of knowledge greatly enhances users' understanding. For example, users need to understand why phishing emails are a threat and what the attackers are trying to accomplish (the big picture). However, they also need the procedural knowledge that will help them follow the steps it takes to understand the parts of a URL and make a determination if a link is potentially malicious.

Serve Small Bites

People learn better when they can focus on small pieces of information that the mind can digest easily. It's unreasonable to cover 55 different topics in 15 minutes of security training and expect employees to remember it all and then change their behaviors. Short bursts of training are always more effective.

Reinforce Lessons

People learn by repeating elements over time. Without frequent feedback and opportunities for practice, even well-learned abilities go away. Security training should be an ongoing event, not a one-off seminar.

Train in Context

People tend to remember context more than content. In security training, it's important to present lessons in the same context as the one in which the person is most likely to be attacked.

Give Immediate Feedback

If you've ever played sports, it's easy to understand this one. Calling it at the point of the foul (i.e., delivering just-in-time teaching when mistakes are made) takes advantage of teachable moments and greatly increases their impact. If a user falls for a company-generated simulated attack and gets advice and tips on the spot, it's less likely they'll fall for that trick again.

Let Them Set the Pace

It may sound cliché, but everyone really does learn at their own pace. A one-size-fits-all security training program is doomed to fail because it does not allow users to progress at the best speed for them.

Tell a Story

When people are introduced to characters and narrative development, they often form subtle emotional ties to the material that help keep them engaged. Rather than listing facts and data, use storytelling techniques.

Vary the Message

Concepts are best learned when they are encountered in many contexts and expressed in different ways. Security training that presents a concept to a user multiple times and in different phrasing makes the trainee more likely to relate it to past experiences and forge new connections.

Involve Your Students

Students who are actively involved in the learning process are more likely to remember what they're taught. If a trainee can practice identifying phishing schemes and creating good passwords, improvement can be dramatic. Sadly, hands-on learning still takes a backseat to old-school instructional models, including the dreaded lecture.

Make Them Think

People need an opportunity to evaluate and process their performance before they can improve. Security awareness and training programs should challenge employees to examine the information presented, question its validity, and draw their own conclusions.

Product Descriptions

Assessments

Wombat Security offers two primary assessment tools: customizable knowledge assessments and simulated attacks.

CyberStrength Knowledge Assessments

This tool enables security officers to evaluate employees' cyber security knowledge. Our library of 150+ questions and multiple subject areas allow you to create broad or targeted assessments. There's also the option to create custom questions, which give organizations the ability to assess known issues and understanding of specific corporate policies. With results from the assessment you can determine how likely or unlikely your employees are to identify phishing attacks, use their mobile devices safely, be responsible about online and social media activities, work securely on the road, appropriately handle payment card info, etc.

Simulated Attacks

Simulated attacks mimic the techniques social engineers use to collect sensitive and confidential information from people. Our three tools (PhishGuru, SmishGuru, and USBGuru) will help you safely assess your organization's level of vulnerability to attack.

PhishGuru allows you to create groups, design a simulated phishing email, and send it directly to your users. Should a user click on the simulated phishing link, download an attachment, or enter information into a landing page, they will receive a just-in-time teaching message via a customizable Teachable Moment. Everyone who falls for the attack will receive a Teachable Moment, which helps the employee recognize what could have been a critical mistake. This is an eye-opening and humbling experience, and it has been shown to make employees more receptive to follow-on training. Our customers have experienced up to 90% greater completion rates when using simulated attacks prior to training.

SmishGuru is a first-of-its-kind software-as-a-service product that enables security officers to send simulated SMS/texting attacks to their users' mobile phones to assess their susceptibility to smishing techniques. These customizable messages are paired with a Teachable Moment, which again alerts employees to the dangers of actual smishing attacks and primes them for additional training.

USBGuru targets another cyber security threat vector: infected USB drives and other removable memory devices. Using this tool, an organization can determine which employees are most susceptible to these attacks and who should receive additional training. Like our award-winning PhishGuru simulated attack tool, USBGuru provides a Teachable Moment that instructs users about the dangers of infected media devices and helps them understand how to avoid future mistakes.

Interactive Training Modules

Our modules are designed to deliver focused training about key topics in 10 to 15 minutes. You can also customize each module using our Training Jackets, which allow you to incorporate personalized content at the beginning and close of each module, including completion certificates and policy acknowledgments.

Email Security or Anti-Phishing Phyllis: Users learn to spot bait and traps commonly found in phishing emails and spear phishing attacks. We offer two styles of education on this subject, an interactive training module and a character-driven training game. Both present examples of phishing emails and ask users to identify potential traps.

URL Training or Anti-Phishing Phil: Employees learn how URLs are constructed, URL warning signs, and how to identify and avoid malicious links. We offer two styles of education on this subject, an interactive training module and a character-driven training game. Both options ask users to determine malicious links from legitimate links.

Data Protection and Destruction: We teach your employees how to safely use portable storage devices and media. They will also learn techniques for properly disposing of and destroying confidential data and files.

Mobile Device Security and Mobile App Security (future): Whether you issue mobile devices to your employees or you are a Bring Your Own Device (BYOD) organization, your employees can benefit from our interactive training and suggested best practices for safe use of mobile devices. Using these sister modules, users will learn the importance of physical and technical safeguards, ways to improve the security of their mobile devices' communications and connections, and how to judge the reliability and safety of mobile applications.

Password Security: Users are given tips and tricks to create stronger passwords, including how to use a password family to aid in password recall. Hands-on practice helps employees better understand the concepts behind creating strong passwords.

Physical Security: This module introduces key components of physical security and helps your employees understand their role in maintaining a safe and secure work environment. They will also learn how they can prevent and correct physical security breaches and best practices that will help them keep your people, areas, and assets secure.

Safe Social Networks: This module educates your users about common traps and scams found in the public forums of social networks. They will learn what they should and should not share on social platforms, which helps keep your data more secure.

Safer Web Browsing: This training teaches your employees how to avoid many of the common pitfalls and dangers associated with web browsing. They will learn how to identify potentially dangerous URLs, avoid malware and virus downloads, and spot Internet scams.

Security Beyond the Office - Employees will learn best practices for keeping your data, network, and equipment safe when working outside the office. Topics include safe use of WiFi networks, the dangers of public computers, and practical physical security measures.

Security Essentials - This scenario-driven module introduces users to security issues that are commonly encountered in day-to-day business and personal activities. This is an excellent option for introducing new hires to simple, effective best practices they can use to improve security in the workplace and beyond. We also recommend it for use at the close of your initial training cycle and as an occasional refresher for employees who previously completed training.

Social Engineering - We teach your employees how to recognize and avoid common social engineering techniques and keep your people, areas, and assets secure.

Standards- and compliance-related training

Personally Identifiable Information (PII) - Educate employees about the different types of PII; guidelines for identifying, collecting, and handling PII; actions to take in the event of a PII breach; and tips and techniques for improving overall PII security.

Protected Health Information (PHI) - Teach employees about PHI identifiers; mandates and components of PHI compliance; and best practices for using, disclosing, transmitting and storing PHI.

Payment Card Information Data Security Standard (PCI DSS) - Users will learn to understand PCI DSS requirements, identify PCI DSS compliance, manage records and accounts, and recognize and act upon security breaches.

Reports

Assessment Reports

CyberStrength Assessment Report - Shows the overall score of the assessment across the users who have completed it; the status of the assignment completion; scores by category; and scores by group. This gives you an at-a-glance view of strengths and weaknesses.

Risk Report - Each section of this report gives you the ability to drill down into detailed information about a range of assessment results, including scores by group, lowest overall score by group, most missed questions, and lowest scores by person. You can use this analysis to tailor your follow-up training efforts and focus on the most important topics in different areas of your organization.

PhishGuru Campaign Report - This at-a-glance report displays user responses to your simulated phishing attack campaigns. Bar charts show response times following the distribution of each mock phishing email as well as daily activity reports post-send. From this report, you can also access more detailed analysis:

Campaign Event Report - Shows user activities such as email views, clicks on links/attachments, and data entry submissions.

Device Type Report - Shows the types of devices, operating systems, and browsers that were used by employees who fell for a mock phishing email, giving you insight into which devices your users are most vulnerable on.

Network Map - Displays a map that pinpoints the IP addresses of the users who fell for a simulated attack. Look for anomalies in your data and see what regions are most susceptible.

Contact Groups Report - Provides an overview of results across multiple campaigns, broken out by group. This allows you to determine the types of phishing messages users are most likely to fall for.

SmishGuru Campaign Report - This at-a-glance report shows who fell for the simulated attack, how many people viewed and clicked the mock smishing message, and more.

USBGuru Campaign Report - Shows the number of USB devices that were accessed and the IP addresses of the users who fell for the simulated attack.

Responses per Device - Displays the number of unique responses per USB device planted in your location(s). You can use this data to determine which areas of your organization and which employees were more likely to pick up and use an untested/unauthorized USB drive.

Training Module Reports

Assignment Details - Shows the details of how each user is progressing within an assignment and includes each user who was assigned training. A pie chart displays the status of each user in an assignment, and a bar chart shows the completion rate of each module within the assignment.

Assignment Status - Gives a snapshot of 5 to 25 assignments, side-by-side, for selected dates. A bar chart and table display the percentage of users who have completed, are in progress on, or have not started an assignment.

Module Completion Summary - Provides a list of all users' scores within a training module along with the date they completed the module, helping you track progress of your training.

Module Performance - Shows scores for each group or user by training module, helping you to understand in which topic areas groups and/or users have the most aptitude.

Most Missed - Alerts you to the questions and topic areas users are having the most trouble with. By highlighting weaknesses, you can more effectively focus your training efforts.

User Report Cards - Allows you to see all the training activity for a single user, including training scores in specific modules and a cumulative performance rating. You can identify users who need extra training as well as track improvements.

"As of mid-July, there were over 400,000 successful completions of [Wombat Security's] Safer Web Browsing, Password Security, Email Security, and Smartphone Security training modules. Over 32,000 users have completed the Smartphone Security training module in the last 2 weeks. This is amazing for non-mandatory training. We have now justified the cost of training with just those four modules! We are very happy with our investment."
Security Awareness and Training Director at a large technology company


More information

Dissecting the Recent Cyber Security Breaches. Yu Cai School of Technology Michigan Technological University

Dissecting the Recent Cyber Security Breaches. Yu Cai School of Technology Michigan Technological University Dissecting the Recent Cyber Security Breaches Yu Cai School of Technology Michigan Technological University Disclaimers Most information in this presentation was collected from various sources on the Internet.

More information

How To Protect Your Information From Being Hacked By A Hacker

How To Protect Your Information From Being Hacked By A Hacker DOL New Hire Training: Computer Security and Privacy Table of Contents Introduction Lesson One: Computer Security Basics Lesson Two: Protecting Personally Identifiable Information (PII) Lesson Three: Appropriate

More information

Basic Security Considerations for Email and Web Browsing

Basic Security Considerations for Email and Web Browsing Basic Security Considerations for Email and Web Browsing There has been a significant increase in spear phishing and other such social engineering attacks via email in the last quarter of 2015, with notable

More information

2012 Maximizer Software Ltd.

2012 Maximizer Software Ltd. 2 7 Steps to Enhance Your CRM Performance Table of Contents Enhancing CRM... 3 Step 1: Define processes... 4 Step 2: Define polices... 8 Step 3: Plan performance metrics... 12 Step 4: Review structure...

More information

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity;

NGA Paper. Act and Adjust: A Call to Action for Governors. for cybersecurity; NGA Paper Act and Adjust: A Call to Action for Governors for Cybersecurity challenges facing the nation. Although implementing policies and practices that will make state systems and data more secure will

More information

Continuous Network Monitoring

Continuous Network Monitoring Continuous Network Monitoring Eliminate periodic assessment processes that expose security and compliance programs to failure Continuous Network Monitoring Continuous network monitoring and assessment

More information

Anti-Phishing Best Practices for ISPs and Mailbox Providers

Anti-Phishing Best Practices for ISPs and Mailbox Providers Anti-Phishing Best Practices for ISPs and Mailbox Providers Version 2.01, June 2015 A document jointly produced by the Messaging, Malware and Mobile Anti-Abuse Working Group (M 3 AAWG) and the Anti-Phishing

More information

End-user Security Analytics Strengthens Protection with ArcSight

End-user Security Analytics Strengthens Protection with ArcSight Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security

More information

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15.

NCS 330. Information Assurance Policies, Ethics and Disaster Recovery. NYC University Polices and Standards 4/15/15. NCS 330 Information Assurance Policies, Ethics and Disaster Recovery NYC University Polices and Standards 4/15/15 Jess Yanarella Table of Contents: Introduction: Part One: Risk Analysis Threats Vulnerabilities

More information

CBI s Corporate Internet Banking Inquiry Services gives you the ability to view account details and transactions anytime, anywhere.

CBI s Corporate Internet Banking Inquiry Services gives you the ability to view account details and transactions anytime, anywhere. Benefits & Features CBI s Corporate Internet Banking Inquiry Services gives you the ability to view account details and transactions anytime, anywhere. What can I do with Internet Banking? You can inquire

More information

developing your potential Cyber Security Training

developing your potential Cyber Security Training developing your potential Cyber Security Training The benefits of cyber security awareness The cost of a single cyber security incident can easily reach six-figure sums and any damage or loss to a company

More information

BE SAFE ONLINE: Lesson Plan

BE SAFE ONLINE: Lesson Plan BE SAFE ONLINE: Lesson Plan Overview Danger lurks online. Web access, social media, computers, tablets and smart phones expose users to the possibility of fraud and identity theft. Learn the steps to take

More information

Better Sales Onboarding. with Guided Selling

Better Sales Onboarding. with Guided Selling Better Sales Onboarding with Guided Selling Sales Onboarding with Guided Selling Buyers are more sophisticated than ever, and sales reps need to adapt accordingly and move beyond pitching products. They

More information

How To Test For Security On A Network Without Being Hacked

How To Test For Security On A Network Without Being Hacked A Simple Guide to Successful Penetration Testing Table of Contents Penetration Testing, Simplified. Scanning is Not Testing. Test Well. Test Often. Pen Test to Avoid a Mess. Six-phase Methodology. A Few

More information

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security.

Retail Security: Enabling Retail Business Innovation with Threat-Centric Security. Retail Security: Enabling Retail Business Innovation with Threat-Centric Security. 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco public information. (1110R) 1 In the past

More information

PCI Data Security Standard 3.0

PCI Data Security Standard 3.0 SECURELY ENABLING BUSINESS PCI Data Security Standard 3.0 Training Strategies That Work Presented by Doug Hall May 20, 2014 AGENDA PCI DSS 3.0 Training Strategies That Work PCI DSS 3.0 Overview PCI Training

More information

Security Awareness for Social Media in Business. Scott Wright

Security Awareness for Social Media in Business. Scott Wright Security Awareness for Social Media in Business Scott Wright Security Perspectives Inc COUNTERMEASURE 2012 10/29/2012 Copyright 2012. Security Perspectives Inc. 1 10/29/2012 Copyright 2012. Security Perspectives

More information

Who must complete this training

Who must complete this training Stop!! THINK Click Who must complete this training All Users: This training is required for all individuals, including contractors and vendors, with security access to sensitive or confidential systems

More information

10 Quick Tips to Mobile Security

10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security 10 Quick Tips to Mobile Security contents 03 Introduction 05 Mobile Threats and Consequences 06 Important Mobile Statistics 07 Top 10 Mobile Safety Tips 19 Resources 22

More information

Running a successful golf club

Running a successful golf club Running a successful golf club Issue 1 Membership and Customer Relationship Management (CRM): Why profiling is key to retention An ebook by NFS Technology Group www.nfs- hospitality.com How to run a successful

More information

Small businesses: What you need to know about cyber security

Small businesses: What you need to know about cyber security Small businesses: What you need to know about cyber security March 2015 Contents page What you need to know about cyber security... 3 Why you need to know about cyber security... 4 Getting the basics right...

More information

How to Spot and Combat a Phishing Attack Webinar

How to Spot and Combat a Phishing Attack Webinar How to Spot and Combat a Phishing Attack Webinar October 20 th, 2015 Kevin Patel Sr Director of Information Security, Compliance & IT Risk Mgmt kpatel@controlscan.com Agenda 1) National Cyber Security

More information

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information