The ‘human factor’ has become one of the biggest threats to network security, as users pose unique security challenges to organizations. Technical errors and risky behaviors on corporate desktops or BYOD devices, as well as susceptibility to social engineering, make them one of the weakest links in the security chain. Their actions can help a malicious hacker bypass even the most complex technical countermeasures and gain direct access to data, information and systems.

A workplace that provides security training to its staff and adopts a best-practice approach can minimize this type of threat. Security awareness training can modify users’ habitual reactions and habits, replacing them with new, more desirable ones. It can give employees the knowledge and tools to understand their role and responsibility in safeguarding personally identifiable information (PII), systems and company assets from data breaches, and can dramatically improve their ability to react to, stop and recover from threats. Training helps users reinforce common-sense security concepts as well as learn to recognize more sophisticated approaches and even new phishing techniques.

No matter how small and uncomplicated an IT infrastructure might seem, executives should always be concerned about its security and privacy and strive to implement a meaningful Security Education, Training and Awareness (SETA) program that encourages improved computer security practices for everyone involved in the management, operation and use of systems.

It is normally not effective for organizations merely to communicate information about their policies and practices to staff, although policies are an essential part of the security program. Knowledge reinforcement needs to come through structured educational courses that, with theory, examples and best practices, can address open issues and resolve employees’ doubts. Users can get information from instructor lectures, printed books, online courseware, assignments or exercises, hands-on video labs, as well as quizzes or tests.

The key to an effective SETA program is the ability to reach the appropriate audience in a workplace and to tailor it to different areas of the organization. Courses need to be delivered in a timely and efficient manner while encouraging best practices for network and systems security. The content can be scoped to meet any standards, requirements or compliance obligations that the organization must adhere to. Doing so is vital to an organization’s progress and success, and it is therefore important to reinforce the learning obtained from the program across all platforms, including formal classroom training and computer-based training with internal or external providers.

So, what should a good security awareness training program include? A good program needs to revolve around the concept that the more you know about cyber-related risks, the better equipped you are to avoid them. An effective IT security program needs to be tailored to the needs of the audience, incorporate and address any cultural issues that could affect the way employees approach the subject and their work in general, and provide plenty of examples and best practices to make the issue “real” and relevant to users. Both IT and non-IT staff should, of course, be active participants in the organization’s SETA program, as maintaining computer security is each staff member’s responsibility.

Online vs. In-Class Success: What Will Train Your Staff More Effectively?

Determining which method of instruction to use (instructor-led or self-study) in a security awareness and training program can sometimes be difficult. An organization needs to decide what may be most appropriate to get the message out to personnel, and what could potentially have the most impact. There are several aspects to consider: cost, availability of training facilities, number of personnel involved, specific needs, current level of awareness of the staff, explicit concerns and previous incidents.

Is the company so small that hiring a trainer would be superfluous? Can it afford an in-house security awareness instructor or the hiring of a consulting company? Is a general awareness session needed, or is a course that addresses a specific issue in the aftermath of an attack more appropriate? Are there barriers to online learning? All in all, these are questions that need to be addressed before devising the training program.

A common approach, especially for larger organizations, is awareness delivered in a classroom setting. This is often seen as the better means for an effective learning environment as it ensures interactions between the intended audience and the facilitator.

Classroom Pros: The classroom offers face-to-face training in an instructor-led setting; at face value, it looks like the more attractive option. It adds a ‘human touch’ and personal interaction to the method of training, fostering more direct social contact between students and instructors. The learning experience can more easily be personalized; particular cases can be discussed, and questions and doubts can be addressed immediately during the presentation. Concepts that are not clear can be reviewed, and students have the added benefit of being able to compare notes with their co-workers and share their experience.

Classroom Cons: Within a short period of time in the classroom, the amount of information can overload the learner, whereas the online platform is more convenient, as material can be accessed anytime, anywhere, without feeling overwhelmed. In class, the rhythm is dictated by the amount of time set aside, and learners need to adapt to the pace. Another drawback of a classroom setting is that it requires attendance, an important limitation for a company with an active telecommuting program, field offices, a dispersed workforce or international branches.

In addition, courses, lessons or lectures have a fixed time and place at which they start and end. Employees need to take time out of their schedule without, normally, any say over when is the most convenient time. Although the presence of an instructor is often seen as one of the strengths of traditional learning, a student’s learning experience reflects the trainer’s aptitude and knowledge of the subject. The instructor’s command of the material and his or her skill in conveying the information will affect the program’s effectiveness.

Employers have, for some time, opted for online learning as an alternative solution, as it can be just as effective as face-to-face education. Online learning is now a widespread reality in many schools and universities, which deliver full curricula online via a virtual learning environment. This training method can provide students with the skillsets and knowledge base they need, although some educators are still not convinced by e-learning, believing that it neither resembles traditional classroom teaching methods nor is as efficient as an on-campus setting.

Online Pros: Online courses assure flexibility; training material can be reviewed at the employee’s convenience whenever and wherever he or she chooses. Learning becomes accessible to anyone regardless of physical location; trainees can listen to lectures, follow course modules, commence coursework sessions, work on exercises and participate in virtual labs, provided there is a computer and Internet connection. This is great for a distributed workforce as it eliminates the requirement of either providing training at different sites or calling all employees to a central location to sit in class. In addition, employees can work at their own pace and adjust their speed according to their level of familiarity with the topic. Learners can also start courses whenever they choose and work around their schedule.

An online solution can also provide a number of features that aid IT security managers in assessing the readiness of the company workforce. Tracking and reporting can quickly show the number of users who have completed the training or are in progress. A built-in simulated-phishing capability allows organizations to train users to recognize phishing and helps in collecting results. Analysis and reporting capabilities are essential when preparing a briefing for management and for identifying weaknesses and issues to address quickly. Comprehensive customization capabilities are needed to adapt the training to the needs of each section of the organization and to evolving requirements.

Online Cons: Online training requires more effort from students, who need to be able to self-motivate and research for themselves whatever is unclear. This puts pressure on trainees to take responsibility for their own education. No instructor is normally available in real time. Although some courses provide a facilitator whom students can reach via email or chat, the interaction is often asynchronous, with the trainer and the trainee in different places and at different times.

Students must rely on themselves to apply what is learned to specific examples drawn from their own experience. The lack of student interaction with colleagues and teachers is, then, the most obvious drawback. In addition, less course customization is possible. In class, instructors can adjust to the needs of students and tailor lesson plans to the specific needs of the audience, but online courses are normally more generic and offer one-size-fits-all options.

Deciding on a security learning program really comes down to what works for the employee and employer, the preferred learning style and schedule, as well as the organization’s size and needs. Training can be delivered to the workforce on either platform, and both approaches (onsite vs. offsite, or virtual instead of live, local classes) can be adopted because both can be effective. When in doubt, why not use blended learning, an education program that combines face-to-face instruction with computer-mediated instruction?

For example, online training could provide general security awareness knowledge to employees by pointing out the main risk factors, general trends and tips. Through this type of training, staff would have 24/7 access to material that builds their skillsets and increases their knowledge of the cybersecurity realm. Customized in-class training could instead be offered periodically to reinforce knowledge, provide information on the latest security issues and trends, answer questions and resolve doubts that employees might have, or to address specific concerns after an incident has occurred. In-class training could also be specific to groups of employees in particular departments, focusing on their own needs and concerns.

Many training establishments have developed effective education and training programs that address skillsets and engage and challenge the learner through a stimulating and creative approach. Organizations like the InfoSec Institute, for example, offer both online and in-class options; the Institute, in particular, has been ranked as a Top IT Training company by Training Industry six years in a row according to the following criteria: student satisfaction, courseware quality, certification success, depth and breadth of training offerings, instructor expertise, and online training quality. “No other training company focused on security has ever won this award,” says Jack Koziol, a Senior Instructor and Security Program Manager at InfoSec Institute. The training option also allows for a mix and match of modules to build a specific learning curriculum in ‘Securing the Human’.

Conclusion

As NIST Computer Security Resource Center mentions, “Training can be deployed to audiences in a number of ways […] while each deployment method offers its own advantages and disadvantages, it comes down to the users’ preferred learning formats. Once the training method is determined, an effective and practical SETA program can be designed to address insider or outsider threats incorporating good risk management strategies.”

Whether security awareness training is done online or in a classroom, a security-aware culture is essential to reduce risks and to prevent incidents. Training must aim to bring about behavioral changes in the human element that reduce high-risk computer security threats targeting the infrastructure, and prepare staff to serve as human firewalls.

A strong SETA program needs to be in place before security incidents occur. Setting up security policies is one thing, but it is training that will help workers recognize threats in their everyday activities and clarify their responsibility for protecting and safeguarding company information.

References

Brecht, D. (2011, May 17). Comparison of Online vs Traditional Classes. Retrieved from http://www.brighthub.com/education/online-learning/articles/40250.aspx

Global Learning Systems, LLC. (n.d.). Investing in Security Awareness Training: A Complete Guide to Security. Retrieved from http://www.globallearningsystems.com/security-awareness-training-guide/

Hamm, P. W. (2009). How to Mitigate IT Risks with Security Education and Training. Retrieved from http://eval.symantec.com/downloads/edu/How_to_Mitigate_IT_Risks_eweek.pdf

Olavsrud, T. (2014, May 21). 10 Tips to Embed Positive Information Security Behaviors in Employees. Retrieved from http://www.cio.com/article/2369305/security0/153570-10-Tips-to-Embed-Positive-Information-Security-Behaviors-in-Employees.html

Mann, I. (2007, April). The human factor is key to good security. Retrieved from http://www.computerweekly.com/opinion/The-human-factor-is-key-to-good-security

McGrath, S. (2016, March 7). Lack of security awareness poses a major threat to businesses. Retrieved from http://www.computerweekly.com/microscope/news/4500278103/Lack-of-security-awareness-poses-a-major-threat-to-businesses

Newcombe, T. (2016, October/November). Can Security Awareness Training Change Behavior and Reduce Risk? Retrieved from http://www.govtech.com/security/Can-Security-Awareness-Training-Change-Behavior-and-Reduce-Risk.html

NIST Computer Security Resource Center. (n.d.). Building A Training Course. Retrieved from http://csrc.nist.gov/groups/SMA/ate/training.html

Wilson, M. and Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. Retrieved from http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-50.pdf

Daniel Brecht