7 Elements of a Successful Security Awareness Training Program
As cybersecurity experts often like to say, humans are the weakest link in an organization's security. Technology can only go so far in protecting data and other assets, but the end users can always undo the best of defenses.
"It's a common thought that everything would be better if users were perfect," Alex Stamos, at the time Facebook's chief security officer, acknowledged in his Black Hat conference keynote speech in 2017.
Phishing simulations & training
Stamos added that it was not only dangerous to shift responsibility to users, but that users need safety nets.
"This modern world of technology is full of tight ropes and for the most part, we have not put any safety nets under those tight ropes," he said.
While Stamos was addressing developers and white hats, this idea applies to companies. One of the best safety nets that organizations themselves can create is a user-awareness training program. Strong security takes a combination of technology, processes and people, and a security-awareness training program helps strengthen the people component of this strategy.
Successful security-awareness training programs have many elements in common. Here are some of the top ones.
Board and C-Suite Buy-In
A 2017 survey by global consulting firm Protivity found that high-performing security programs are distinguished by having a board that understands and is engaged with security risks. Protivity found that engagement and understanding has increased compared to 2015.
Part of the increased engagement may be due to the growing intensity of data-breach incidents and ransomware attacks like WannaCry. Every high-profile attack and news headline help increase the level of board and C-suite security awareness.
But without an understanding of how the human factor plays a role in security, organizations may be putting all their eggs in the technology basket — especially those organizations that are still building their awareness-training programs. Leaders need to understand the human role in security awareness. Having adequate leadership support helps not only with resource allocation for security programs, but also assists with two other elements of a strong awareness program: the creation of a security culture and collaboration with other departments.
Cross-Department Partnerships
The awareness program is likely to be developed by the IT department, or perhaps Risk or Compliance, but implementation needs partners in other departments. Partners could help with a couple of key needs: delivery (in the case of live, in-person sessions) and dissemination. Some examples:
- The Human Resources department could help create policies that make the training mandatory, as well as track participation
- The communication director or another professional communicator could be recruited to deliver the training (after themselves being trained first)
- If the compliance department has a newsletter, a partnership with the compliance department could be used to distribute security-awareness content
Diversity of Tools
Long PowerPoint presentations are a thing of the past — at least when it comes to awareness training. Having employees stuck in their seats for 45 minutes listening to someone talk the entire time doesn't create an engaged audience that will retain the material. (There's even a special name for this problem: "Death by PowerPoint.")
The best programs avoid this issue by using a variety of delivery methods, from video to interactive online modules and simulated phishing attacks. Even a 45-minute live, in-person session can become much more stimulating and engaging when it mixes a short presentation with other tools. This helps with different learning styles. Even better, interactive as well as hands-on learning improves retention.
Some companies are also experimenting with gamification, which applies gaming principles to solving various business problems. Gamification reinforces positive security behaviors in a much more engaging, immersive and entertaining way
Key Topics
The program needs to focus on the topics that will help users change their behaviors. Some common ones that apply to any sector include:
Social Engineering
Since almost every successful cyberattack or data breach begins with social engineering, employees at every level, all the way up to leadership, need to be trained on the most common social-engineering techniques.
Phishing
As the most frequently-used form of social engineering, phishing (typically via email) is responsible for common incidents like business email compromise and direct- deposit schemes, so it's imperative to talk about phishing on a regular basis.
Mobile Security
With today's mobile workforce, many employees get work done on the go. And they don't think twice about connecting their laptop or phone to a Wi-Fi network at a coffee shop, putting their work data at risk.
Relevancy
If employees are given information that they can't relate to or don't find relevant, they're going to tune out any type of presentation. In the context of security, one way to make the training relevant is by connecting it to their personal lives. Many of the security lessons can be applied to their home and family life as much as work, and by connecting the dots, they're more likely to be aware of how their behavior makes a difference in either environment.
Another way to make training relatable is by borrowing techniques from entertainers, like telling stories. Take a look at almost any commercial and you may realize why salespeople and marketers use stories. Neuroscience has proven that storytelling helps human relate and compels them to act.
[download]Download the BEST PRACTICES FOR DEVELOPING AN ENGAGING SECURITY AWARENESS PROGRAM whitepaper[/download]
Humor is another way to make content relatable, and it doesn't hurt to sprinkle humor into a security presentation. To see the impact humor can have, check out the story of the marketing phenomenon created by the Metro Trains agency in Melbourne, Australia. The agency's three-minute animated video, "Dumb Ways to Die," took a topic as seemingly boring as commuter train safety to a YouTube viewership of more than 169 million (as of August 2018). And more importantly, the agency saw a decrease in safety-related incidents.
Consistency and Metrics
Cognitive neuroscientists believe that it may take as many as six exposures to a piece of information before it is permanently memorized. That is to say, a successful awareness program is not a one-time activity, nor is it a once-a-year activity. It needs a regular, ongoing schedule that includes different types of activities delivered at appropriate intervals — some may be monthly, others quarterly or annually.
For example:
- Monthly emails from the IT team with refreshers on good cyberhygiene
- Semi-yearly online trainings
- An annual, "all hands on deck" company-wide session
Additionally, the impact and the effectiveness of the program and the various campaigns need to be measured. Some ways to do that include tracking simulated-phishing click rates before and after a module on email phishing, measuring participation in a gamified program, and so on.
Security Culture
As Dr. Kelly Caine of Clemson University's School of Computing said during the 2017 Infosecurity North America Conference, "It's actually executives, managers, system administrators, designers and coders — rather than users — that are the weak links in information security."
A strong security culture starts at the top, but it also fosters the belief that security is everyone's problem and responsibility. When the culture says that security belongs to everybody, the IT department no longer is fighting the battle solo.
To launch a program, start by assessing the needs and then begin creating the content. There are numerous online tools available, including free ones, so there's no need to reinvent the wheel. The program, however, needs to be custom-tailored to each organization's unique case, as well as the sector the organization operates in. When it comes to security, you can never be too prepared.
Phishing simulations & training
Sources
Managing the Crown Jewels and Other Critical Data, Protiviti Inc.
Gamifying Security Awareness, RSA
Users aren't the weakest link in cybersecurity: 3 tips for IT leaders, TechRepublic
Ten Recommendations for Security Awareness Programs, Government Technology magazine
"Dumb Ways to Die": the story behind a global marketing phenomenon, Campaign UK
Black Hat USA 2017, Las Vegas, Nevada, July 2017
In this Series
- 7 Elements of a Successful Security Awareness Training Program
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness