Problem solve Get help with specific problems with your technologies, process and projects.

Is it important to hold fraud-training sessions during a fraud-risk analysis?

When conducting a fraud-risk analysis, how important is it to educate employees with fraud-training sessions? Security management expert Mike Rothman explains the best way to proceed.

We are in the process of performing fraud risk assessment. As part of this assessment, is it imperative/important to hold fraud-training sessions? If so, what should these sessions emphasize?
Holding fraud-training sessions is definitely not imperative. To the contrary, I think it's a bad idea to do training in the middle of a risk assessment.

The purpose of the risk assessment is to figure out how vulnerable systems are to fraud. Begin by determining a baseline relative to current activities, so that new processes and procedures can be put in place to more effectively deal with fraud.

Training employees in the middle of the assessment runs the risk of compromising the data gathered during the risk assessment. There will be plenty of time for training later, but during the assessment is the time to uncover and categorize those risks, so the organization can determine what needs to be done most urgently.

To be clear, fraud training is absolutely critical to fraud reduction efforts, but after the assessment is complete. When that time comes, focus on helping employees understand both what is considered private data and intellectual property (presumably the data that needs protection), as well as recognize typical attacks (mostly social engineering and other fraud attacks).

A helpful site to look at when starting a training program is PhishMe.com. This site automates the sending of phishing emails to employees and tracks whether they fall for the ruse. It can also test employees over time to see if educational and training efforts had a positive effect on their ability to deal with the fraud.

More information:

This was last published in May 2008

Dig Deeper on Security Awareness Training and Internal Threats-Information

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

I wand to have a good presentation about end user security awareness policy