Have you ever wondered why some security awareness programs fail? Sometimes it is because trainees simply fail to apply what they learned; other times, the trainers’ approach to designing the program and delivering it to their audience is not effective. Failing to involve and engage trainees prevents them from learning and retaining the concepts and techniques presented to them.
According to annual InfoSec trend reports, human error is still a primary cause of many severe security breaches. This points to a need for more employee training and for tailoring classes to the real needs of each organization. A deeper knowledge of the company’s mission and objectives, and of the job roles of the attendees who respond to IT security threats, is essential to making courses effective. End users need to be aware of their responsibilities and of their essential role in protecting the company’s IT assets and valuable resources. Conducting IT security training for users is not a waste of time if it is done right, using a variety of teaching modalities that capture the audience’s interest.
Why Institute a Company-Wide Security-Awareness Training Program?
Ira Winkler, CISSP, President of Secure Mentem and author of several security books, argues in a Dark Reading article that “arguments against security awareness are shortsighted.” In his words, “security awareness programs strive to change behaviors of individuals, which in turn strengthen the security culture.” Responding to a CSO article that questioned the value of designing and implementing security awareness programs, he notes that “awareness mitigates non-technical issues that technology can’t… find[ing] that security awareness is one of the most reliable security measures available.”
Awareness is also a continuous process, so it is important to provide frequent training opportunities. Winkler adds that “the return on investment for a security awareness program of this form can be huge, even if it prevents a single incident.” Computer security awareness and training programs give employees the knowledge and skills to perform their jobs more securely. At a minimum, an awareness briefing ought to cover the organization’s guidelines on network and system security and how they prevent, deter, and detect threats and attacks of various kinds. Physical security should also be addressed, so that everyone understands why only properly identified, authorized users may enter restricted areas. In essence, all users ought to be made fully aware of the administrative, technical, and physical safeguards that control information systems, and of the security program as a whole.
Essential Elements for a Good Awareness Program
The first essential element of a good awareness program is executive support. No matter how well designed and effective the awareness training is, it must have the full backing of management. Only by showing why the subject matter is essential and how important it is to the company as a whole can an organization ensure participation from everyone in the workplace. Management that is not fully involved and does not take part in the awareness program sends mixed signals to a workforce that may question the usefulness of the entire program and come to treat it as a non-priority. Executives and all supervisors need to be involved. Awareness training also prepares staff for the incident response duties they may be expected to carry out, so managers, like employees, need to be ready to guide their teams and know how to prepare for and prevent cyber security threats and attacks.
Relevant content is also paramount. Awareness efforts must cover the three core principles of information security, the CIA triad: confidentiality, integrity and availability. Training also needs to focus on the security objectives of each area of the workplace and refer to the specific IT policies, standards and guidelines that define the roles and responsibilities of employees in maintaining the information security management system (ISMS).
In addition to relevant content, training must address the needs of the intended trainees. A good training program must first recognize that there are different types of learners, different learning styles, and strategies suited to each. Tailoring sessions with sections and methods that cater to the needs of each kind of learner helps keep them interested and motivated.
Awareness training can be computer-based, lecture-based, or both. Which type works best? Employees can gain valuable insight from either; the choice comes down to preference, logistics, cost, and the flexibility needed to deliver material to learners. In practice, combining formal face-to-face training by subject matter experts with independent computer-based learning (eLearning) increases effectiveness. Both CBT videos and live courses are effective learning aids; managers need to decide which mix matches their organization’s training needs.
Computer-based training (CBT) delivered over an Internet-connected computer, as opposed to instructor- or facilitator-led training, can easily be distributed to a wider audience. CBT is well suited to distance learning and can significantly reduce employee travel costs and time. Web-based training is especially popular for computer-related subjects, but the course content needs to be updated frequently.
Online distance training also works well as refresher training or as initial training. However, computer-based training can easily overlook important points or fail to cover the most critical issues a particular office or department experiences. Periodic, traditional instructor-led training may therefore be better suited to covering IT topics and addressing current security challenges. It also gives trainees answers to their questions on how to handle less frequent situations or specific real-life scenarios. Although self-paced CBT is an important addition to a company’s awareness effort, an instructor or facilitator can use techniques for keeping learners attentive that CBT cannot: a good trainer draws participants back into the conversation and keeps them engaged by asking questions and explaining the answers.
To get the greatest learning impact, training should include awareness activities that go beyond InfoSec documents and regulations; it should also be a place to discuss security issues and review concerns. Awareness by itself is not enough: interactive training promotes learning by doing, which makes the content memorable and relevant.
How to Create a Motivating Learning Environment
Have you ever noticed a person become restless and begin to doodle during a training lecture? Why? The easiest answer is that the material presented is boring, or is not perceived as important or related to the person’s job. To get attendees to be more active, the material needs to be perceived as relevant and some interactivity ought to be built into the training. To help end users deepen their understanding of a security concept and meet the learning objectives of a lesson, it is often most practical to use a case study or a scenario-based story about a specific hypothetical or real-life problem, together with supporting literature that aligns with the topic.
To help stimulate end user learning in a security awareness training, trainers can:
- adopt both online and offline instructional delivery to improve learning outcomes
- use visual aids (figures, statistics, and more) on overheads and in PowerPoint presentations to illustrate concepts and help the content stick
- ask the group questions during lectures to keep all attendees involved and attentive, and also to gauge understanding and elicit feedback
- hand out subject-related material; handouts serve as a refresher tool that helps learners retain what they learned in class
- create peer learning situations in which participants communicate and collaborate with each other and freely express their points of view on topics
- incorporate role-playing activities as a motivational technique while teaching a subject
- engage learners through active exercises that show what they have heard and learned
- present relevant examples of security incidents in the news, or real scenarios that could affect their own company, and use them to stress the importance of the subject matter
From PowerPoint slides to whiteboards, reference manuals and handouts, all of these can greatly enhance a trainee’s learning experience, but participation and engagement are the key instructional strategies for achieving learning goals: they keep the learners’ focus and attention high.
In building a security awareness program, the training sessions need to be planned, organized and relevant to achieve results. Trainers ought to make the material easy to retain and keep learners actively involved. Aside from question-and-answer sessions, which provide helpful feedback, what may work best are short lectures, brief videos, and mini-presentations that cover the essentials. The program can include hands-on activities or exercises that help trainees retain what has been taught, using real examples from the company and realistic simulations as the focus of practice and interactive activities.
As part of an effective IT security program, all company employees should undergo training and have their level of security knowledge assessed. Training should be provided as needed and reassessed at least annually.
Today’s organization needs to give learners some choice in how they learn. Learners are more engaged in a learning environment that takes their learning preferences into account. A multimodal approach motivates learners better than sitting still, passively listening to a lecture or watching demonstrations, and becoming bored and frustrated.
Whether security awareness is offered through on-site instructor-led training or self-paced courses, the optimal learning experience ought to be engaging and interactive. E-learning courses contain good information, but when it comes to education and training, much of the focus needs to be on the learners’ motivation. On-site trainers can then make progress in creating an environment that is more conducive to learning, help the learner connect better with the course content, and make the learning experience worthwhile.
Armerding, T. (2014, June 16). Security training is lacking: Here are tips on how to do it better. Retrieved from http://www.csoonline.com/article/2362793/security-leadership/security-training-is-lacking-here-are-tips-on-how-to-do-it-better.html
Binwal, P. (2015, June 29). Creating a Cybersecurity Governance Framework: The Necessity of Time. Retrieved from https://securityintelligence.com/creating-a-cybersecurity-governance-framework-the-necessity-of-time/
Cobb, M. (2010, January). How to develop a culture of security in the enterprise. Retrieved from http://www.computerweekly.com/tip/How-to-develop-a-culture-of-security-in-the-enterprise
Craig, R. (2011, June). Security awareness and training programme design: A case study. Retrieved from http://www.computerweekly.com/tip/Security-awareness-and-training-programme-design-A-case-study
Honan, B. (2014, November 24). Forget Security Awareness, We Need Security Engagement. Retrieved from https://securityintelligence.com/forget-security-awareness-we-need-security-engagement/
Narisi, S. (2012, July 25). Don’t waste time training users, says security CEO. Retrieved from http://www.itmanagerdaily.com/it-security-training-ineffective/
Peltier, T. R. (2005, May/June). Implementing an Information Security Awareness Program. Retrieved from http://infosectoday.com/Articles/Peltier_awareness.pdf
Tom. (2008, March 25). Motivate Your Learners with These 5 Simple Tips. Retrieved from http://blogs.articulate.com/rapid-elearning/motivate-your-learners-with-these-5-simple-tips/
Wilson, M. & Hash, J. (2003, October). Building an Information Technology Security Awareness and Training Program. Retrieved from
Winkler, I. & Manke, S. (2013, July 10). 7 reasons for security awareness failure. Retrieved from http://www.csoonline.com/article/2133697/metrics-budgets/7-reasons-for-security-awareness-failure.html