Thomas O.

Thanks BJM. SoSafe CISO here. We're a Google Workspace house internally now, so I don't have direct knowledge of a workaround myself. We try to keep pretty up to date on our customer-facing docs, but I've pinged our VP Product to see if there's anything undocumented that we're aware of.

Fun fact from my deep past - I once ran a security culture programme for an organisation of about 6000 employees. I just about managed to double the average success rate for resilience against targeted phishing with a small but sustained effort over a year. The company subsequently got compromised regardless, but I'm confident that the improvement in secure behaviours saved us from other attacks, and after the compromise we got to enact some sweeping access control changes against risks we'd previously raised. 😉

This is with my SoSafe cap off. Until recently I was myself very dismissive of security awareness training and thought of it as a compliance checkbox only, but in hindsight I was leaving available risk reduction on the table. Some training and sims are better than others, programmes can be rolled out and sustained differently to different effects. We're not going to revolutionise the behaviour of our peers with training and sims alone, but I definitely think they're still worth it.

To be reliably secure against medium complexity attacks I'd argue that training and sims form a valuable part of defence in depth. If you can tune those low(er) cost services to deliver a, say, 30% benefit in reducing vulnerability to more targeted attacks like those targeting internal changes or vacation allowance (which suggest) a level of bespoke targeting, you're already delivering a very meaningful risk reduction for the business. Beyond that, it's careful access control design, containment and resilience, reduction in blast radius though tight permissioning, auditability of actions, etc, right?

I do think the study misses a core point. I think of basic security training and phishing simulations alone (with required good completion rates) as part of the minimum bar for regulatory compliance and to secure our cybersec insurance coverage. That alone is vital to an organisation's security posture.

Hmm, I've read it again in more detail. Yes of course, if your training completion rates are low, the training is going to deliver low value. That's a given. Techniques to raise that completion rate is an interesting conversation though

Fascinating study and, I think, broadly correct for the majority of cases. We could debate specific %s, but I don't think we'd reach 50%