How to Build an Effective Security Awareness Training Program

One of the biggest risks to an organization’s information security is often not a weakness in the technology control environment. Rather, it is the action or inaction of employees and other personnel that leads to security incidents: for example, disclosing information that could be used in a social engineering attack, failing to report observed unusual activity, or accessing sensitive information unrelated to the user’s role without following the proper procedures. It is vital that organizations have a security awareness program in place to ensure employees understand the importance of protecting sensitive information, what they should do to handle information securely, and the risks of mishandling it.

Security awareness training is really about security behavior training: helping users to be more skeptical and less gullible about cybercriminals’ attempts to fool them, less likely to share information that could be used to craft customized messages, more careful about opening attachments, and more diligent about verifying the senders of emails. The goal of security awareness training must ultimately be to improve the behavior of employees who have the potential to undermine the protection provided by the organization’s security infrastructure.


Choose a Leader, Establish Baseline Awareness

The first step in the development of a formal security awareness program is appointing a security awareness leader responsible for the development, delivery, and maintenance of the program. Having a leader in place helps ensure the program’s success by assigning clear responsibility for it.

With a leader in place to advocate progress, it is important to establish a minimum awareness level for all personnel as the base of the security awareness program. Regardless of role, it is recommended that all staff receive basic security awareness training, developed in accordance with organizational policy. Security awareness training should start with the low-hanging fruit, focusing on the most common threats, such as mass-emailed phishing attempts that purport to be from employees’ banks or from the corporate email administrator.

Security awareness may be delivered in many ways, including formal training, computer-based training, e-mails and circulars, memos, notices, bulletins, posters, and so on. The security awareness program should be delivered in a way that fits the overall culture of the organization and has the most impact on personnel.


Sponsor Frequent Training to Truly Change Behavior

Security awareness should be conducted as an ongoing program to ensure that training and knowledge are not delivered merely as an annual activity but are used to maintain a high level of security awareness every day. Frequency varies with the need to convey the message. Awareness is an ongoing learning process that changes organizational behaviors as well as attitudes and perceptions. It should be carried out in a way that allows personnel to realize the importance of security and the consequences of failing to adhere to security policies and procedures.

In addition to content for all personnel, management training should include more detailed information about the consequences of a breach for management stakeholders. Management that is security-aware better understands the risk factors to the organization’s information. This knowledge helps them make well-informed decisions related to business operations. Managers who are security-aware can also assist with the development of data security policies, secure procedures, and security awareness training. Management leadership and support for the security awareness program is crucial to its successful adoption by staff. Managers are encouraged to:

  • Actively encourage personnel to participate in and uphold the security awareness principles.
  • Model the appropriate security awareness approach to reinforce the learning obtained from the program.
  • Include security awareness metrics in management and staff performance reviews.


Train Board Members, Leadership & All Roles

Security awareness training must be a board-level issue for it to get the attention it deserves. In a growing number of organizations, security is getting much more attention from boards of directors. A board that takes security seriously and gives it the priority it deserves will go a long way toward bolstering the security training program in an organization. Gaining management buy-in to fund and encourage security awareness training is essential not only to fostering good security training programs but also to creating a corporate culture in which security is valued. Ultimately, training must be consistent with the corporate culture.

With the basics in place, you can tackle role-based security awareness, which provides training to personnel at the appropriate level for their job functions. When scoping a role-based security awareness program, group individuals according to their roles (job functions) within the organization. Then, using role-based training, you can meet the unique needs of the people in your organization: answering their questions, addressing their challenges, and providing training that meshes with their job responsibilities and expectations. Role-based security awareness training shows your employees that you understand and appreciate the unique challenges and demands they deal with on a day-to-day basis. This reinforces to your employees that you care about their specific needs and are doing your best to help them.

The key to an effective security awareness program is targeting the delivery of relevant material to the appropriate audience in a timely and efficient manner. To be effective, the communication channel should also fit the organization’s culture. By disseminating security awareness training repeatedly, the organization ensures that personnel are exposed to the same information multiple times in different ways. This greatly improves how well people remember the information presented to them.


Vary Content and Delivery to Suit Audience

Content may need to be adapted to the communication channel: for example, the content of an electronic bulletin may differ from the content of an instructor-led training seminar, even though both carry the same underlying message. The communication channel used should match both the audience receiving the training and the type of content being delivered.

Security awareness training is a continuous effort. It is critical to repeat the awareness training frequently so that its message is reinforced. A once-a-year frequency is common and may work for some organizations; however, based on existing best practices and research, reinforcing the awareness program every 90 days is the general recommendation. This frequency is especially effective for specialized employee roles.


Measure Changes in Knowledge, Awareness & Behaviors

Metrics are key. Deciding what to measure, how to measure it, and when to measure it enables effective measurement and management of the program. Before implementing a security awareness training program, it is useful for decision makers to establish a baseline so that the level of awareness is understood before training commences. Creating this “before” picture is an essential element of understanding how effective training has been over time. The effectiveness of the training and awareness program can be measured by how it helps change the security behavior of users in terms of knowledge, attitude, and actions.

Security awareness training, if implemented correctly, is a necessity for any organization. If the user base is properly informed about what to watch for, how to prevent incidents, and what remediation procedures to follow, this alone can prevent many potential problems that could affect the infrastructure and the company. Often, awareness itself is the key to prevention and protection.

