Security awareness, training, and education
Learning is a continuum: it starts with awareness, builds to training, and evolves into education. We can use the definitions provided by NIST for further clarity.
- Awareness – the ability of the user to recognize or avoid behaviors that would compromise cybersecurity
- Training – the action provided to a user in the acquisition of security knowledge, skills, and competencies
- Education – knowledge or skill obtained or developed by the learning process
Awareness sessions aren’t training but are intended to enable individuals to recognize security problems and act accordingly. Training, on the other hand, is designed to make sure individuals have appropriate security skills and competencies.
Given the rapid change in the types of security threats, training should be done regularly and tailored to meet the different needs of the organization and its workforce.
There are four steps to be considered when developing and implementing an IT security training program.
The design of the program will be informed by the different roles in the organization, the current knowledge of role holders, and the broader organizational context.
Different roles have different training requirements
While there is a basic level of security awareness required of all employees, some roles need more frequent or in-depth training. For example, employees who handle customer personal data will need regular reminders of data protection laws such as GDPR in Europe and the raft of federal and state laws in the US.
Executives, some of whom might consider themselves above the need, are just as vulnerable and are targets for criminals using whaling or business email compromise (BEC) threats. They also need a good grasp of the threat landscape and what the organization is doing about it so they can address any stakeholder questions.
Sub-contractors and temporary staff are often forgotten, particularly since they change frequently, but they are a higher security risk and need to be included too.
Organizations in heavily regulated industries, such as health or financial services, must conduct mandatory training and provide evidence of completion to the authorities.
Other organizational characteristics, such as size and operating location, will also influence what is needed.
Needs based on aptitude
Assessment tools can be used to determine a knowledge baseline for each employee, and advanced assessment tools can then create a training plan populated with relevant content.
The same tools can be used at the end of the module to evaluate what’s been learned and decide if any areas need more in-depth training.
Once the needs assessment has been completed, an outline of the program that matches topics to roles and individuals and identifies training priorities can be prepared.
Training material development
Ideas for topics can come from sources such as the needs assessment, current or emerging regulations, industry reports highlighting new threats and feedback from the workforce.
Basic training topics include malware, phishing, safe browsing, mobile security and password management, but there are many more that help ensure the content is specific to learner needs.
Content should be updated frequently to reflect the changing threat landscape.
How you deliver awareness training will make or break its success.
Training simulators are useful for social engineering because they use real-world examples. Some have a library of phishing simulations covering, for example, drive-by attacks, attachment attacks, data entry attacks, vishing, SMiShing and BEC attacks. Phishing indicators are used to highlight threats the learner missed or to link through to a detailed explanation of the threat.
Beyond simulators, there are other techniques that can help maximize engagement.
- Break learning topics down into easily digestible, bite-sized pieces. Some training content providers produce microlearning modules that do just that.
- Make the tone of voice relevant to the audience. Don’t confuse C-level Execs with jargon or details they won’t need and don’t waffle to the IT team.
- Learners retain more knowledge if the content uses real-world examples that help with day-to-day problems they’re likely to face.
- Use all the senses to keep the learner’s attention. A mixture of voice, video, puzzles, and quizzes helps keep the content fresh and entertaining.
- Make it easy to use. If the organization has an existing learning management system, then make sure the security awareness training is integrated and not left as a standalone tool that could be easily ignored or forgotten. Moreover, use the LMS dashboards and reporting tools for the same reason.
- Repeat the content regularly, especially the key messages.
Measure, revise, repeat
Learner scorecards and dashboards make it easy to check progress at individual, team or organization level. They’re easy to configure and can cover metrics like planned and completed modules, scores, pass rates, and the number of retakes.
Some organizations choose to ‘gamify’ training by publishing leaderboards and lists of the most improved learners, but take care: some of the workforce might find it motivational, but others won’t.
Similarly, unannounced drills – where simulated phishing emails are sent – can be useful but can also be received negatively. It’s more motivational to catch people winning and promote the benefits of awareness training rather than to look for failings.
Security training isn’t an option, nor is it a once ‘n done exercise. It needs to be revised to take account of changes to the threat landscape, to incorporate lessons learned from training, and to address any new laws or regulations.