Security awareness, training, and education
Learning is a continuum: it starts with awareness, builds to training, and evolves into education. We can use the definitions provided by NIST for further clarity.
- Awareness - the ability of the user to recognize or avoid behaviors that would compromise cybersecurity
- Training - the action provided to a user in the acquisition of security knowledge, skills, and competencies
- Education - knowledge or skill obtained or developed by the learning process
See Infosec IQ in action
Awareness sessions aren't training but are intended to enable individuals to recognize security problems and act accordingly. Training, on the other hand, is designed to make sure individuals have appropriate security skills and competencies.
Given the rapid change in the types of security threat, training should be done regularly and tailored to meet the different needs of the organization and its workforce.
There are four steps to be considered when developing and implementing an IT security training program.
Program design
The different roles will inform the design of the program in the organization, the current knowledge of role holders, and the broader organizational context.
Different roles have different training requirements
While there is a basic level of security awareness required of all employees, some roles need more frequent or in-depth training. For example, employees who handle customer personal data will need regular reminders of data protection laws such as GDPR in Europe and the raft of federal and state laws in the US.
Executives, some of whom might consider themselves above the need, are just as vulnerable and a target for criminals using whaling or business email compromise (BEC) threats. They also need a good grasp of the threat landscape and what the organization is doing about them so they can address any stakeholder questions.
Sub-contractors and temporary staff are often forgotten, particularly since they are frequently changed, but are a higher security risk and need to be included too.
Organizational context
Organizations in heavily regulated industries, such as health or financial services, must conduct mandatory training and provide evidence of completion to the authorities.
Another organizational characteristic such as size and operating location will also influence what is needed.
Needs-based on aptitude
Assessment tools can be used to determine a knowledge baseline for each employee, and advanced assessment tools can then create a training plan populated with relevant content.
The same tools can be used at the end of the module to evaluate what's been learned and decide if any areas need more in-depth training.
Once the needs assessment has been completed, an outline of the program that matches topics to roles and individuals and identifies training priorities can be prepared.
Training material development
Ideas for topics can come from sources such as the needs assessment, current or emerging regulations, industry reports highlighting new threats and feedback from the workforce.
Basic training topics include malware, phishing, safe browsing, mobile security and password management, but there's many more that help ensure the content is specific to learner needs.
Content should frequently be updated to reflect the changing threat landscape.
Implementation
How you deliver awareness training will make or break its success.
Training simulators are useful for social engineering because they use real-world examples. Some have a library of phishing simulations covering, for example, drive-by-attacks, attachment attacks, data entry attacks, vishing, SMiShing and BEC attacks. Phishing indicators are used to highlight threats the learner missed or to link through to a detailed explanation of the threat.
Beyond simulators, there are other techniques that can help maximize engagement.
- Break learning topics down into easily digestible, bite-sized pieces. Some training content providers product microlearning modules that do just that.
- Make the tone of voice relevant to the audience. Don't confuse C-level Execs with jargon or details they won't need and don't waffle to the IT team.
- Learners retain more knowledge if the content uses real-world examples that help with day to day problems they're likely to face.
- Use all the senses to keep the learner's attention. A mixture of voice, video, puzzles, and quizzes help keep the content fresh and entertaining.
- Make it easy to use. If the organization has an existing learning management system, then make sure the security awareness training is integrated and not left as a standalone tool that could be easily ignored or forgotten. Moreover, use the LMS dashboards and reporting tools for the same reason.
- Repeat the content regularly, especially the key messages
The measure, revise, repeat
Learner scorecards and dashboards make it easy to check progress at individual, team or organization level. They're easy to configure and can cover metrics like planned and completed modules; score, pass rate; the number of retakes.
Some organizations choose to 'gamify' training by publishing leaderboards and lists of the most improved learners but take care since some of the workforces might find it motivational, but others won't.
Similarly, unannounced drills – where simulated phishing emails are sent – can be useful but can also be received negatively. It's more motivational to catch people winning and promote the benefits of awareness training rather than to look for failings.
Get six free posters
Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.
Security training isn't an option, nor is it a once 'n done exercise. It needs to be revised to take account of changes to the threat landscape, to incorporate lessons learned from training and address any new laws or regulations.
- Reduce security events
- Reinforce cyber secure behaviors
- Strengthen cybersecurity culture at your organization
In this Series
- Security awareness, training, and education
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness