A good security awareness program is a great way to inform personnel about any kind of malicious activity targeting an enterprise’s use of cyberspace. It is crucial that an organization’s staff be wary of common fraud schemes, especially those targeting people rather than the technical components of the infrastructure. Preparing staff to spot phishing or other types of cyber scams means providing a comprehensive system of training, policies and procedural instructions that helps them recognize signs of malfeasance, report suspicious activity and avoid falling prey to scam artists. End-user training is one of the keys to the successful implementation of any security awareness program.
Detractors of security awareness training programs often point out that, regardless of how much training users receive, breaches are still perpetrated, and the human element remains one of the weakest links in the cyber security chain. They also often point out that there is a disconnect between users’ performance and ability to recognize threats in an exercise setting (when they expect to be tested) and their behaviors and responses in a real-life environment. However, security awareness training is worth it. All personnel need to be aware of common threats so that, at the very least, they do not fall prey to the easier scams and phishing attempts. If they fall victim to more sophisticated attacks, users can at least apply the knowledge acquired during training to mitigate the effects of the attack, gather the information security professionals need in order to act, and notify the proper department through the right channels. An organization always depends on its end users to foster a security-aware culture that reduces risk and helps prevent cyber threats.
The important question is not whether security awareness is worth it, but whether the program implemented is effective and really addresses the needs of the organization in which it is put into practice. Questions to consider include: has the proper budget been allocated? Is the effort supported by management? Are the awareness topics relevant to the workforce addressed? An effective cyber security strategy and implementation plan that sustains security operations from pre-incident to post-incident starts with educating personnel in data breach prevention and response.
The Essential Components of an Effective Security Awareness Program
Although each organization can and should tailor an awareness program to its needs and to the composition and location of its workforce, some aspects must always be taken into consideration in order to create an effective program: performing a cybersecurity assessment to pinpoint the risks and impact of cyber-attacks, choosing the preferred training methods, defining reinforcement strategies, and measuring results to make sure that the company’s security goals are being met and that the program is periodically assessed.
- Identifying Cybersecurity Awareness Needs. What should staff be trained on? What skill sets do they need? Although every awareness training includes basic information that is always relevant, in order to meet the needs of the company and engage the employees who will play an active role in the organization’s cyber resilience, it is important to tailor the security program by focusing on countermeasures and behaviors relevant to real or plausible internal and external threats to the IT infrastructure. A risk assessment should be completed and the appropriate response established so that personnel can take proper mitigation steps. A business impact assessment (BIA) can help in developing strategies to manage an incident by finding ways to minimize its impact. Through this analysis, it is possible to develop an information governance framework and structure a program that is specific to protecting the organization’s network infrastructure.
- Highlight Weaknesses. Part of the assessment also involves identifying possible security vulnerabilities in systems or procedures, with an eye on the human role in the cybersecurity chain. A simple review will help establish new security requirements and devise corrective actions that might need to be addressed through training.
- Executive Management Approval and Support. Before one can proceed, the security awareness program needs to be approved. Obtaining management’s authorization to move forward will support, drive, direct and enforce the plan as it unfolds. Leadership must be in favor of investing not only in new security solutions but also in training. The involvement and support of upper management will also determine how important the program and its training appear in the eyes of employees, and will show the employer’s commitment to security.
- Investments in InfoSec Preparedness. For a Security Education, Training and Awareness (SETA) program to take off, significant investment planning is necessary to make sure enough funding is secured to cover at least the minimum training requirements and ensure an effective, organic program. The security awareness and training plan must be supportable by the budget and cover any contracts and course material that must be developed and/or provided by trainers. A long-term plan needs to be devised and funded with management’s support so that options are clear from the very beginning. The scope needs to include awareness and specialized training as well as periodic refresher courses for all employed computer users.
- Tailor the Program. One ought to develop an InfoSec awareness program according to corporate objectives to ensure that the program meets the needs of the business and complies with regulations, related policies, procedures, standards, and guidelines. It is important that the program is realistic. It would be impossible to restrict the use of e-mail and difficult to limit the use of social media; it is better to focus on changing online behaviors and on the proper, safer use of any tools. After determining the needs of the organization, its perceived weaknesses and the budget, it is important to tailor the program by providing specific information and training activities relevant to the employees’ work. Basic topics like social engineering, spear phishing, e-mail security, passwords, mobile device security, and malware are always present, but what else needs to be taken into consideration? Is the workforce distributed across different time zones? Is asynchronous training required, or are in-depth modules on BYOD security awareness needed? Are there specific cultural issues that need to be addressed or taken into consideration? Is the workforce highly IT-literate in its entirety, or does it require more basic information?
- Which Type of Training? Apply Particular Instructional or Educational Methodologies. The training plan is what helps to strengthen the company’s security posture, by first defining its scope and content tied to the cyber security policies and directives being enforced; this forms the basis for a SETA program that delivers relevant learning at the right time to the right people. Should training be delivered in-house or outsourced? Should it be instructor-led or self-taught? Differentiation is crucial, especially when addressing the training needs of large workforces. Company techniques can include one or more of the following instructional and assessment awareness tools, as suggested by NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program (October 2003): posters, screensavers and warning banners, computer-generated alerts, agency-wide e-mail messages, or “web-based sessions, computer-based sessions, teleconferencing sessions, in-person instructor-led sessions, and brown bag seminars.” Employees have different learning styles and interests, and certain channels for conveying information might already be saturated (for example, it would not be effective to establish a cyber security newsletter if employees already receive many of them on security topics throughout the month). This step calls for creativity to devise ways to reach all employees. A good mix of security awareness e-mails (security alerts, tips of the day, and other updates), information via an internal security portal, periodic in-class training, annual CBT courses, and memos when problems arise or new policies are issued can ensure information reaches the entire workforce and prevents complacency and boredom. One may wish to include hands-on exercises to keep the topic alive and relevant. The frequency of training should also be carefully determined. Security awareness should not be a one-time deal but a continuous process.
Too many repetitive training sessions, however, could cause employees to lose interest in the topic. Whatever type of training is identified as most effective in the company’s particular environment can be implemented in many ways: hands-on classroom-style instructor-led training, seminar-style group demonstrations, or self-paced individual computer-based training (CBT) with generic lessons. Once the best way to deliver security awareness training to employees has been determined, a plan for its implementation needs to be devised. Using multiple training methods is likely to yield the highest participation rate. A good mix of face-to-face instruction and computer-based training can aid in reaching all employees. Multiple delivery methods can help involve off-site employees, remote workers, shift personnel, and employees whose work commitments and roles prevent them from having predictable schedules.
- Strategy and Approach. When introducing the information security program, the scope and objectives of the training must be clearly stated, and the importance of participation in the program, as well as upper management’s involvement, needs to be evident to employees. Supervisors should be involved to make sure employees are given time and opportunities to participate in training sessions or online courses. This matters because failing to convey that awareness training is an essential part of the employee’s workday and responsibilities would send the message that security is not essential to the organization, resulting in a lower investment of time and effort on the part of the workers and a consequent loss of efficacy of the program.
- Involve All Workforce Personnel. The purpose of cyber awareness is to help organizations teach their employees secure behavior; therefore, companies will want to invest heavily in security education programs not only for the operatives who manage the IT infrastructure but also for non-IT staff. This may mean adjusting the awareness and training strategy to be more in line with the different roles in the corporation and to suit the needs of all users within it, from employees to supervisors and functional managers. Each member of staff needs to take a more active role when it comes to IT security and to reduce exposure to data integrity attacks and other threats by preparing the company’s last line of defense: its employees.
- Establish Accountability. It is important to communicate clearly which parts of the training are mandatory so that the whole workforce is on the same page and fully aware of corporate-specific policies and procedures. It is also essential to devise mechanisms to ensure mandatory training is attended (e.g., blocking users’ access to certain systems if they do not complete periodic security awareness training), or to determine who will be responsible for ensuring attendance so that personnel get the training they need, since they are the ones held accountable for cyber negligence and malpractice.
Operate and Maintain
- Hands-on Exercises. Hands-on simulated exercises (e.g., SecurityIQ, AwareEd, PhishSim) and/or knowledge assessments through skill sets that emphasize interactive learning can help make the training more relevant and easier to relate to real-life cyber security incidents. The organization also needs to be ready to provide fundamental InfoSec training that helps less technical staff understand basic IT principles, so that they can better absorb awareness concepts. Training like InfoSec Institute’s Fundamentals of Information Security Boot Camp, for example, is a course aimed at beginner-level IT staff or non-IT staff, and might be a good place to start learning best practices against security breaches.
Monitor and Evaluate
- In-progress Reviews. Post-implementation evaluations should be conducted during annual self-evaluations to ensure guidance and resources are updated and maintained, as they must remain adaptive and provide continual reinforcement. This is when opportunities for program improvement (including gaps and deficiencies) are identified and discussed; if necessary, the training program can be changed. The post-implementation evaluation of the program is a must: it provides feedback on the awareness and training material and ensures that employees have received the required education. In a nutshell, “Evaluation and feedback techniques can provide insights that should result in an update of the awareness and training program plan,” as mentioned in NIST Special Publication 800-50.
- Inspections. Inspect training reports and audit results to fully understand the security program’s strengths and weaknesses. The evaluation of security plans and programs can show whether progress is being made and ensure the agency’s security plans are properly aligned with its program’s mission, goals, and objectives.
- Metrics, Administrative and Operational Oversight. Clear metrics can help demonstrate success and fine-tune the program. Measure progress to determine whether an agency’s IT security awareness and training needs are being met, or whether an area is not improving as expected. As noted in a NIST publication, “Effective security metrics should be used to identify weaknesses, determine trends to better utilize security resources, and judge the success or failure of implemented security solutions.”
- Program Assessment Activities and Feedback. People need regular feedback on their performance after implementing new security practices. It is a good idea to solicit end-user ideas and encourage feedback to measure the success and growth of the program, says Dan Lohrmann. He advises to “make sure that your awareness program is measured. How many users actually complete the training? What did they like? Did they learn anything? Have behaviors changed? Also, ask for new ideas and suggestions to improve. Encourage creativity. Provide mechanisms to get real-time data from staff.”
A security awareness program is not a one-time deal but a continuous, holistic approach. As Shon Harris says in the Information Security Governance Guide: “It is important to understand that a security program has a continuous life cycle that should constantly be evaluated and improved upon; otherwise inconsistent efforts open the organization to increased risk.”
“The security of systems is dependent on the people that use them,” points out Dan Lohrmann. A good security awareness program can help ensure employees are in a better position to prevent and respond to security incidents. SETA programs are normally tailored to the needs of each individual organization; however, they are usually made up of the same components, from planning and implementation activities to assessment and program evaluation.
Bernstein, S. (n.d.). Preparing for a Network Breach. Retrieved from https://www.jpmorgan.com/global/cb/prepare-network-breach
Brecht, D. (2010, December 18). Network Security Awareness Training: Worth It or Waste of Time? Retrieved from http://www.brighthub.com/computing/smb-security/articles/99793.aspx
Brecht, D. (2011, May 25). Understanding Network Security and Defense Countermeasures. Retrieved from http://www.brighthub.com/computing/smb-security/articles/107026.aspx
Harris, S. (2006, August). Information Security Governance Guide. Retrieved from http://searchsecurity.techtarget.com/tutorial/Information-Security-Governance-Guide
Harris, S. (2006, October). Steps in the information security program life cycle. Retrieved from http://searchsecurity.techtarget.com/tip/Steps-in-the-information-security-program-life-cycle
Hight, S. D. (2015, August 14). The Importance of a Security, Education, Training and Awareness program. Retrieved from http://www.infosecwriters.com/articles/2015/08/14/importance-security-education-training-and-awareness-program
Identity Theft Resource Center. (2017, January 19). Data Breaches Increase 40 Percent in 2016, Finds New Report… Retrieved from http://www.idtheftcenter.org/2016databreaches.html
Lohrmann, D. (2014, March 9). Ten Recommendations for Security Awareness Programs. Retrieved from http://www.govtech.com/blogs/lohrmann-on-cybersecurity/Ten-Recommendations-for-Security-Awareness-Programs.html
Monahan, D. (2014, April). Security Awareness Training: It’s Not Just for Compliance. Retrieved
Moskowitz, R. (2015, May 25). The Human Element of Computer Security. Retrieved from https://www.rsaconference.com/blogs/the-human-element-of-computer-security
Rogers, J. (2015, October 27). Humans – the weakest link or your greatest asset? Retrieved from https://www.brighttalk.com/webcast/10219/176489/humans-the-weakest-link-or-your-greatest-asset
Schmidt, J. (2011, December 20). How To Manage the Weak Link in Cybersecurity: Humans. Retrieved from http://www.crn.com/blogs-op-ed/channel-voices/232200743/how-to-manage-the-weak-link-in-cybersecurity-humans.htm
Wilson, M. and Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf