Ask HN: Security Awareness Training

8 pointsphunel4y ago9 comments

I'm at a bit of a loss. Just wanted to ask the community if there were any recommendations for decent security awareness training. This requirement is coming up more and more with regulators and underwriters.

In essence, this is of course more 'box ticking' and has little to do with actual security, but the requirement remains.

Would love to hear from actual experience. I've gotten quotes from about a half dozen suppliers and I've yet to find a supplier that the staff wouldn't hate me for subjecting them to. The materials are almost universally pretty childish and melodramatic.

Saw the Stacksi launch earlier last year and they seem to have the right idea for this domain. Would love to find a comparable company but offering security awareness training - or if the Stacksi guys are reading this, please consider adding this to your product line up! :)

Ask HN: Security Awareness Training

8 pointsphunel4y ago9 comments

In essence, this is of course more 'box ticking' and has little to do with actual security, but the requirement remains.

9 comments

9 comments · 7 top-level

andersonmvd4y ago· 1 in thread

If it's a general course, you can even pay a udemy course to each employee for 15 bucks each (or even less for companies?) like https://www.udemy.com/course/security-awareness-training/? Haven't tested it, but for box ticking it may be enough.

If it's for developers or engineers, I've been working on the approach that you get security awareness when working with security engineers. The idea to have a security person close to your team that will teach in practice what it's hard to absorb with some courses out there. Not a replacement for a course, but another way to learn. For more details on this, the info is on my profile.

phunelOP4y ago

Thank you. Found the udemy courses today too and I think this is ultimately what we'll do. Basically every other vendor's videos are some weird paw patrol/person of interest hybrid. The company pricing for udemy is strange though - as far as I can tell they won't let you purchase a bunch of seats for one course, they insist on a subscription to their catalog - so will be tedious to setup an account for each person but that's fine.

chair64y ago· 1 in thread

Check out SafeStack, https://academy.safestack.io/safestack-courses/security-awar... .. they're one of the less-cringey, more-modern awareness options I've seen recently.

phunelOP4y ago

Appreciate the suggestion. Will give them a look too.

kespindler4y ago

Depending on the size of your team, and whether you just need to "check a box" and say you do it, versus you're actually worried about employee mistakes re: cybersecurity (e.g. you have a big and varied enough team where training is geniunely important), it's pretty easy to design this yourself.

Write up or copy a few page doc outlining security best practices, then require every employee to read & sign an acknowledgement that they've read it. Now every employee has gone through security training.

binarybyes4y ago

If you want a company that is trying to change the paradigm around security awareness training, I'd highly recommend looking at Ninjio: https://ninjio.com/

They take a drip-feed approach, with one 5ish minute video monthly rather than an hour yearly. People don't mind 5 minutes once a month, and as a bonus, it has been shown that the drip feed method helps to keep security on peoples minds, as well as increase their overall retention

rdj4y ago

If it’s security training for developers, architects, and technical teams take a look into the CTF style trainings (hands on keyboard, hacking exercises). We’ve turned it into an annual event (leaderboards, trophies, bragging rights, swag, pizza, the works) and the participants not only loved it, they have started to pregame, plan teams and held live debriefs where they talk through the experience and where it actually impacts their code.

plasma4y ago

Haven’t used them myself, but I see https://www.securecodewarrior.com mentioned, aim is to teach developers and seems engaging.

jiveturkey4y ago

Did you look at eset? They have a free one too. I'm at a loss as to how Stacksi is relevant. They do some AI form filling for you. How's that going to apply to security awareness training.

j / k navigate · click thread line to collapse

9 comments

9 comments · 7 top-level

andersonmvd4y ago· 1 in thread

phunelOP4y ago

chair64y ago· 1 in thread

Check out SafeStack, https://academy.safestack.io/safestack-courses/security-awar... .. they're one of the less-cringey, more-modern awareness options I've seen recently.

phunelOP4y ago

Appreciate the suggestion. Will give them a look too.

kespindler4y ago

binarybyes4y ago

If you want a company that is trying to change the paradigm around security awareness training, I'd highly recommend looking at Ninjio: https://ninjio.com/

rdj4y ago

plasma4y ago

Haven’t used them myself, but I see https://www.securecodewarrior.com mentioned, aim is to teach developers and seems engaging.

jiveturkey4y ago

Did you look at eset? They have a free one too. I'm at a loss as to how Stacksi is relevant. They do some AI form filling for you. How's that going to apply to security awareness training.

j / k navigate · click thread line to collapse