Training Lessons We Can Learn from Cybercriminals
At our recent international Global eLearning Conference, we attended an eye-opening presentation by speaker Tiffany Franklin. Tiffany is Manager of Cyber Security Education, eLearning, and Simulated Phishing at Optiv. This interesting session drew comparisons between the tricks of cybercriminals and the training lessons we can learn and apply when creating and delivering Learning & Development content within our organizations.
The first half of the talk prompts us to identify our threat actor persona. The second half identifies the main elements of a successful cyber-attack. The parallels drawn show how we can apply these same approaches to improve L&D and training effectiveness.
Cybercriminals Can Teach Us How to Create More Engaging Content
Tiffany described four primary threat actor personas that feature in successful cybercriminal strategies. She encourages us to consider these personas as we develop training projects.
Cyberterrorist – This type of criminal instills fear or intimidation to coerce cooperation from their victim. Are you suggesting punitive measures will be taken if your training is not accepted?
State-Sponsored Actor – These bad actors are financed or directed by foreign governments. They target high-profile companies and military establishments, or hope to obtain government secrets. Are you delivering your training simply because management expects it?
Hacktivist – You’ll find these characters compelled by a cause, with targets varying according to ideology. Are you promoting a social, political, or economic cause as a reason to take your training?
Cybercriminal – Cybercriminals attack to gain personal wealth or power by acquiring access to valuable, marketable data. The word cybercriminal is also a general designation for non-specific bad actors. Are you guided by personal goals to deliver your training?
The Power of Phishing
Although we’re all aware of cybercrime, it may surprise you to learn the extent of its reach. Nearly one-third of all cyber-attacks involve phishing. In fact, Ms. Franklin tells us, attackers send 3.4 billion phishing emails every day!
Phishing emails appear to be legitimate emails. Typically, they use carefully chosen wording to prey on human emotion and the urge to act or comply. Because cybercriminals are very experienced in their craft, even the savviest technology users can fall prey to phishing.
Because this strategy can be so effective in achieving its end goal, we’re going to break down the elements of the phishing email and see how we can apply them to L&D departments. There are training lessons to be leveraged here.
Spear Phishing
This strategy differs in that it often uses social media for what looks like a benign request. It might be as simple as a LinkedIn invite. When using these methods, attackers craft their “offer” specifically for the victim. They do considerable reconnaissance and leverage a person’s interests and cultural background to improve effectiveness.
Once again, there are training lessons to learn here. Are you crafting training content and delivery specifically for your learners? Are you analyzing your user base to understand the personal elements, such as cultural differences and user interests? Are you helping them see a clear value for themselves in engaging with your training?
Phishing – The Lure
The lure element uses specific email components and strategies to get the recipient to open and read the email. Lures are not elaborate; they are relatively short, sweet, and to the point. Timing is critical. For instance, an email sent on Friday afternoon is unlikely to be reported before Monday morning. Lures should be easy to respond to and evoke buy-in from the victim. Tiffany gives the example of a “lost ring” email with a picture of the ring to click on. Opening the image delivers malware to the user’s computer.
How can we use this example to deliver more effective trainings? Using these same tactics – making trainings short, sweet, and to the point, rather than laboring on for hours – makes it easier to engage our learners. Scheduling trainings for the optimum learning time makes them more effective; on a Friday afternoon, for example, learners would most likely be distracted and looking forward to the weekend. Make your trainings exciting and easy to respond to, and you’re more likely to gain buy-in from your trainees.
Phishing – The Hook
Cybercriminals are looking for action when they launch a phishing attack. They want the reader to do something. Once they’ve set a successful lure, they can use various hooks to reel victims in.
In the training environment, your learners are most likely to ask “WIIFM?” (What’s In It For Me?). What will you use to hook your participants? Here are some of the standard hooks that cyber crooks use and that you can borrow:
- Emotion
- Compliance Threats
- Incentives
- Personal Development
How can you apply these training lessons to your course delivery to improve effectiveness?
Summing Up
Tiffany Franklin closes this intriguing presentation by outlining our objectives. These are the same objectives that make cyber-attacks so prolific and such a problem today. She reminds us to include the following when developing Learning & Development content:
- Reflect on our Motivations,
- Identify our Objectives,
- Understand the Audience,
- Develop a Meaningful Lure, and
- Use a Strong Hook!
To view the LIVE video from the November 2020 Global eLearning Conference, visit our YouTube channel. You’ll see Tiffany’s presentation and other speakers from this international event.
Global eLearning was the host and exclusive sponsor for this event. Global eLearning provides translation and localization services to meet the unique needs of the Learning & Development industry. Our next event is scheduled for September 21, 2021. We hope you’ll join us. For more information about Global eLearning, click here.