Click the image above to view the one minute video about Internet Security Awareness training and how your organization can get:
  • A free security audit to measure how Phish-prone™ your organization is
  • First2Know™ Internet Security Awareness Training to make your employees less susceptible to phishing attacks (25 minute, high-quality training that is updated to keep pace with industry changes)
  • Clear reporting and measures of the training’s effectiveness through training reports and scheduled phishing security tests
  • ThreatApp™ daily smartphone updates with relevant threat intelligence
If you didn’t leave my site to begin using this service (I’d forgive you), I would like to share information about the CEO’s design concept, and my involvement in the project, which was to help deliver the Dynamic Content Updates (DCU)™ technology and to select a solution that can run on client LMS systems or through a KnowBe4 portal customized for each client.

Cybercrime is a behavioral issue

You’ve probably heard – a lot – about all the hacks that have occurred from Epsilon (and the long list of impacted companies), Sony, the CIA… even the bombing and shootings in Norway had cybercriminals using the incidents to phish for profit within 24 hours.

Cybercrime is a big problem; half a billion dollars in 2010 and growing. The amazing thing is that the weakest link in defending against cybercrime is end users. Cybercrime thrives because of behavioral issues. Yes, there are inherent weaknesses in antivirus software, which only protects against a portion of threats (yes, only a portion, and perhaps not as high as you expect!). However, finding weaknesses in computer code, hardware, or antivirus software is difficult. It is much simpler for hackers to use social engineering to trick users into inviting them right into the system.

The cost of a single breach can be crippling to a business. And it may only take one successful hack of the right account for an internet thief to hit the jackpot: just one. These criminals are flooding the internet with attempts to produce results. In fact, if the internet pipeline were a faucet in your home, 80% of it would be clogged with this garbage.

Of all the tools in a hacker’s arsenal, phishing is the tool of choice. It is the optimal pathway for them to gain a backstage pass to your company’s network. The strategy depends on fooling a user into some action. It could be as simple as clicking a link.
User actions are the keys that allow cybercrime to thrive. This is why Internet Security Awareness Training is truly the best defense against cybercrime. But, I didn’t know any of this. I learned it all because I met Stu.

Stu Sjouwerman, founder of KnowBe4 and an amazing training designer

There are many ways to describe Stu Sjouwerman, founder of KnowBe4: Serial Entrepreneur, Author, IT Security Expert, Marketeer, and truly one of the nicest people I have had the pleasure of working for. All of these are accurate descriptions. Many wouldn’t think to describe Stu as a training designer, but he was the IT Security Expert who recognized that cybercrime is primarily a behavioral issue that can be improved through training, and he designed a great solution to address it. I wish I could take credit for the design, but Stu had it all worked out; my involvement was to help deliver on it.

Stu’s vision for developing Internet Security Awareness Training illustrates key principles of good training design:
  • Clearly understand your problem: Stakeholders value training when they clearly understand the problem it will solve for their business. The free security audit measures how Phish-prone™ employees are. This is an actual test of your company’s employees, not an abstracted, generalized conclusion of risk exposure based on industry averages. The tests are real-world examples using the same tactics as cybercriminals. There is no risk to stakeholders in gaining a clear and accurate measure of the true risk exposure for their organization.
  • Design a system, not a course: Too often, information security training is designed like a marketing campaign. A lot of information is blasted at users as one course to complete. Get the check in the box to “mark compliance”, and be on your way. This won’t produce meaningful or lasting behavioral change. Many courses don’t provide any type of experience in how to react to threats, opting instead to test recall of facts about cybercrime. Even courses with skills-application testing have a critical design flaw: users know that they are in training and that their actions are being measured. This heightened awareness that their behavior is monitored in the training environment can influence users to act differently than they normally would in the work environment. In contrast, KnowBe4 uses the security audit to measure the actual on-the-job results to establish a baseline. The provided training presents scenarios to educate you on how to react to potential threats, and what to do if you suspect your system is compromised. The training measures capture what you learned. What is more important is what transfers to the workplace, when you are not in a training session where cybercrime is top-of-mind as the core subject matter. Are learned skills being applied? Ongoing scheduled phishing security tests enable stakeholders to see how skills transfer to work, and enable the organization to take corrective action when necessary. Support tools such as ThreatApp™ complement the training. To make cybercrime prevention in a business effective, a course alone simply won’t do. It requires skills application in a real-world workflow, not a separate test experience as part of a learning event where learners realize they are being monitored as part of training.
  • Repetition, reinforcement = results: The results are transparent and undeniable. The security audit illustrates the starting point, the training reports clearly indicate what skills are developed, and the ongoing phishing tests measure how these skills are translating to applied results in the workplace. Dr. John Medina stated that most of learning is controlled forgetting and reminds us about the importance of reinforcement. These principles are applied by this training design. Let’s talk about results: Clients in a test campaign realized an immediate overall 74.55% reduction in phishing susceptibility after the first training session. But continued phishing tests and supplemental training reduced the Phish-prone™ rate to 0% for all these clients by the 5th cycle.
  • It needs to be real: The scheduled phish tests are as real as a true attack. The mechanics of performing a fake-phish are complex and were designed by white-hat hackers to exactly replicate all the components of a real cyberattack (just without the malware part). This is critical. A poorly designed fake-phish might be easily identified by users (e.g., if everyone in the organization got the same phish attempt email at the same time). Also, fake-phishing emails have to bypass all safeguards put in place by an IT team, so that they reach users rather than being blacklisted and blocked by network safeguards before user behavior can be measured. By essentially replicating every move cybercriminals use to get to employees in the organization, stakeholders can trust that the results reported from phish tests are valid, reliable, and most importantly, specific to their organization’s security weaknesses.
  • It needs to be relevant: Relevance is a critical challenge to address in security training. Cybercriminals constantly change tactics and attack vectors at a blinding pace. The training must keep in lockstep with these changes to be relevant. This is no small task. It required the development of a proprietary Dynamic Content Updates (DCU)™ technology to enable the training to update with industry changes without disrupting user registration or completion data.
  • It needs to work… and that means work on many levels. It works to drive behavioral change. As for a training design that works, Stu envisioned something quick and focused despite the complexity of the topic (only 25 mins to produce the behavioral change needed), high-quality and interesting (let’s be honest, there is a lot of tech training that could be sold as a sleep agent and we needed to avoid that), and easy to navigate (we didn’t want to build a mini-course within the course to explain how to use the course… erm, that sentence was as painful to type as it is to experience one of these designs). Finally, we had to determine how this would work for deployment. Looking at potential clients, we realized that some would have LMS systems, and others would not. We needed a solution to allow clients with an LMS to use their system, while also providing access, tracking and reporting services to clients without an LMS. All of this needed to be done so KnowBe4 had centralized control to perform the content updates and manage access for the subscription-based service while keeping costs and administrative overhead for clients extremely low.
Strategies to deliver on the design

This is the design vision Stu shared with me when I walked into his office during our first meeting. My task was to find opportunities to deliver on this vision.

Challenge 1: Deployment with SCORM Cloud

The first key challenge was to determine how to deploy the content to the client base. Some had LMS systems; others did not. KnowBe4 needed central control over the content for the critical and frequent updates and to administer access controls. For our clients without LMS systems, we needed to provide a customized portal for access, tracking, and reporting. After a review of over 50 potential solutions (LMS/LCMS/CMS vendors, assessment systems, portal tools, and other cloud-based services), SCORM Cloud was chosen as our solution.

SCORM Cloud allows KnowBe4 to centrally perform the content updates and administer access permissions. This was preferable to providing SCORM packages to clients to upload into their systems, which would require immense levels of effort to coordinate. It was also a far superior alternative to purchasing an LMS system and working to coordinate access with client LMS systems (because when either vendor updates, it often requires reconfigurations to maintain the ties between the systems). The SCORM Cloud pricing model proved much more cost-effective than LMS systems.

Another key element of SCORM Cloud is the ability to use its API to create custom portals for access, tracking, and reporting and to tie SCORM Cloud to other critical business services. The KnowBe4 site is a mashup using SCORM Cloud’s APIs, customized parts of the site coded by the development team, and other backend services like Salesforce™ to provide customers an integrated, seamless experience.

Challenge 2: Creating a Dynamic Content Updates (DCU)™ Engine to Keep Pace with Industry

Stu provided a development script to the team at Prometheus Training.
They produced a great piece of engaging, easy-to-navigate content in Articulate Studio. Now, we had to figure out a way to expose pieces of the SCORM-packaged content so that we could update the content frequently while ensuring we wouldn’t have to upload updated packages that risk impacting user registration, progress, or completion data. For those of you who have worked with SCORM, you know this is quite a trick.

Without giving up any secrets of our DCU™ “secret sauce”, I can share that this required a mashup between elements of Articulate Studio 9 and elements of the prior versions of Articulate. It was one of the white hat hacker security pros, Brian, who had the vision of building a utility to expose content for updating “from the side” without really breaking open the core SCORM assets. I was very lucky to have Brian to really look at how the different versions of Articulate package content to expose a pathway for this to be possible. Who else to expose the opportunity, but a professional hacker (note: Brian uses his powers for good; this is hacking for a good purpose)? After looking at a few options, we finally found a mashup of tool versions with an option that would work. Brian built a proprietary tool to feed the updates from the DCU™ into the course without cracking open SCORM and risking user data.

We did hit some challenges in pulling off the trick. By substituting portions of different versions of Studio that weren’t designed to go together, we experienced some unexpected side effects. Some of the interactions in other parts of the training (parts we left in the original Studio 9 engine) stopped working as expected.

Support matters most: Kudos for the Articulate Team

I have said often in LinkedIn and ASTD chatrooms that support is the key differentiator for any vendor. I have yet to use a system that I haven’t experienced a problem with. Therefore, it’s your partner’s response to the problem that matters most.
High praise must go to the support team at Articulate for two reasons:
  • First, they went to the archive for prior versions of Articulate no longer sold for us to perform the experiment. It was a very strange request and they had every right to refuse. We were essentially asking permission to explore “retired” versions of the product to crack open and mashup into a new solution for a very unique business purpose. They graciously honored the request.
  • Second, and more amazing, was when we put the pieces together to get the DCU™ component operating, but then saw unexpected consequences in another part of the asset, they provided support. Again, they had every right to refuse. Not only was this on a retired product, but a mashup between components from their organization that weren’t designed to be put together. But, they stuck by our side and guided us to the results we needed to build something truly unique.
The superb customer support and technical insights from the team at Articulate guided me to the options to fix the issues. So, the DCU™ was successfully created, all content was back to operating as designed, and we had a way to update content successfully without uploading new SCORM packages that could risk critical user data.

I am immensely proud of being involved in the project and grateful for the support of all involved. I truly believe in the product. KnowBe4 is an extremely valuable service with a great design that delivers real results. Each individual of your organization can be trained to eliminate the risk exposure to cybercrime for less than I paid for my last two cups of coffee. That’s not a marketing claim, that’s a fact you can measure in your business.

In preparation for the Learning Solutions Conference and the launch of my colleague’s Internet Security Awareness Training business, the site will be going through a significant redevelopment in the next few weeks. This upgrade will better serve our short term needs coming up as well as longer term planned actions for Business Critical Learning. Stay tuned for:
  • A video showing a simple technique to take one good assessment question and extend it to multiple options to create deep question banks (releasing at LS11)
  • Liveblogging from Learning Solutions 2011 (here, but also twitter hashtag #LS2011)
  • The astounding video introducing Internet Security Awareness Training along with the background on this project which uses SCORMCloud
  • A review of Clark Quinn’s “Designing mLearning” (from all my experiences learning from Clark, I know it will be awesome, I just have to read to know exactly why)
  • More on Interzoic’s Accord LMS (Chris Wylie has offered me an advanced tour of some features coming up; he has some great functionality being added to extend this very capable platform)
Back soon in time to blog for LS11 and offer it in both traditional web and mobile formats.

Internet Security Awareness Training (ISAT) using SCORMCloud to be unveiled shortly. Amazing project. Amazing team. I think this one will be a game-changer. The leader on this project is a visionary and great guy to work with (more when they go into public beta, but I am VERY eager to tell more of the story).

I have 2 speaking engagements coming up: FX Conferences in January, Elearning Guild’s Learning Solutions in March. These, coupled with my blog gig with Interzoic Accord LMS, and all the happenings at CitiFinancial (some major/cool projects happening), are keeping me plenty busy. Stay tuned for a bit more about ISAT, SCORMCloud, and the conferences.

My big plans for 2011 are to get freesources posted to the site and to release a product line of high-quality training at ridiculously low prices, offered in web and mobile flavors, in 3 languages (English, French, and Spanish), and that will run in any LMS (compliments of OpenSesame). 2010 allowed me to work with some really talented, smart, motivated, and engaging people to provide some great opportunities. Continuing in these relationships, 2011 promises to be a very interesting year and has gotten off to a great start.