The same organizations wading through the aftermath of breaches conduct onboarding and annual training to address security awareness education and compliance requirements. Some even take it a step further and perform annual social engineering testing to evaluate the impact of their training.
However, yearly education and testing are not enough. What if we took a step back and imagined the users as assets instead of as liabilities? What if we approached security awareness training in a way that engaged users and got their buy-in?
Organizations need to adopt mature security awareness programs that include altering the culture of security awareness in the organization. Creating a mature security awareness program involves three important steps: assessing the current program, optimizing training to engage users, and designing a security awareness road map.
Assess the current security awareness program
Organizations should evaluate their programs by reviewing current policies and procedures related to security awareness. Items to evaluate include training, quizzes, posters, mock phishing exercises, and annual security awareness tests. The assessment should identify any gaps that can be correlated to incidents within the past year.
An important part of the assessment is identifying how many times users have inadvertently introduced malware into the environment by visiting a malicious website or attaching removable media to company machines. Did users notify IT, or was the malware found via detective technical controls? Understanding the root cause of these incidents can reveal potential program gaps.
Additionally, conducting an employee security awareness survey to identify how employees perceive information security is critical. The survey results can provide insight into employees’ security awareness across all departments. The survey should also help uncover trends in the departments or among user bases that are less aware of security issues. Moreover, the survey should identify security-minded “power users” who can become advocates of the security awareness program.
Optimize security awareness training
Training is an integral part of a security awareness program. When addressing employee training, organizations should take a risk-based approach. Employees who pose a higher risk for cybersecurity, either through business function or through lack of education, should be trained more frequently.
For example, a large number of phishing scams involve sending emails with attachments of fake resumes to employees in a human resource department. The purported resume is actually ransomware and encrypts file-share contents. Through their business function, human resource employees are considered members of a high-risk department and should receive additional training above and beyond the norm.
Limitations of traditional training include not connecting with the user, treating the user as the problem, and thinking a one-size-fits-all program will be effective. Though it’s not possible to tailor a single training program to every learning style, organizations can develop programs based on shared characteristics, including:
- Risk level. Some users – for example, those in accounting – are at a greater risk of being targeted by cybercriminals because of their access to financial information. Others are targeted based on their higher level of access to intellectual property and sensitive data. Identifying levels of risk among users or departments will help shape the focus of the security awareness training program. Higher-risk users or departments should receive training more frequently.
- Learning-style differences. Incorporating multiple types of learning styles into security awareness training programs is an effective way to include various types of learners in the organization. For example, some users might prefer personalized, informal learning through games or social media posts, but others might be more comfortable in a traditional classroom setting.
One thing is certain: slide decks and slide deck-driven computer-based training (CBT) tend to be neither engaging nor lasting. When developing or improving security awareness training programs, organizations should focus on offering programs that connect with the end users in substantive ways. Training needs to be interactive, fun, and memorable. These qualities can be accomplished through a few different approaches, including:
- Change agents. One way to infuse a security awareness training program with relatability is through the use of a change agent. A change agent is an overall theme, mascot, or tagline – something that the user can connect with in the work environment as well as on a personal level. The most effective change agents are simple yet memorable.
- Gamification. Increasingly, organizations are moving away from classic slide decks and CBT to using electronic games, or gamification, for training. Games tap into intrinsic physiological responses that motivate us, so they can be a perfect medium for e-learning. Trivia, mystery, or action games that have built-in security twists can make training fun. If gamification seems like it might be a fruitful approach, it’s a good idea to consider what motivates specific groups of users. For example, an article from the Interaction Design Foundation describes four types of players in gaming. Some users might be drawn to particular types of games based on these player types.
- Multiple mediums. Effective training programs use different mediums, such as email, social media posts, or videos. The end goal of using various mediums is getting the message through to users. Emails can be personalized and come from the user’s regional security awareness advocate or ambassador as opposed to a generic security inbox. Change agents can be posted on social media or message boards. Security awareness videos can use humor, relevant content, and management buy-in.
- Translation to the real world. Connecting security awareness training to an end user's "real world" is another way to engage. To prompt users to consider the importance of cybersecurity in their personal and family lives, training can include components and topics such as best practices on social media, good password habits, and online safety for children. Cybersecurity is everywhere, so why not tap into its universality by incorporating it into a security awareness training program?
One size does not fit all when it comes to training. Some individuals learn best by being challenged, while others learn better through reading independently. Understanding that users have different learning styles is key in setting up an effective security awareness training program.
Design the security awareness road map
Once organizations have completed the research, considered new approaches, and taken organizational specifics into account, the final step is to put together a plan that includes several components, such as:
- Frequent security awareness communications. In addition to classroom training, employees should receive weekly or monthly newsletters or emails reminding them of information security risks. The message should be simple and straightforward. It should provide guidance or clarification such as the definition of “phishing” and cues to look for in an email, how to politely confront someone who looks unfamiliar in secure areas, and whom to contact in the event of suspicious activity at a workstation.
- Training reevaluation. The organization should reevaluate training at six, nine, and 12 months after formal training through an employee security awareness survey.
- Employee testing. A pivotal portion of the security awareness road map includes identifying its effectiveness through employee testing. Traditionally, after formal training occurs, employee testing should be conducted in the form of tests or quizzes. More effective testing includes conducting monthly or quarterly phishing simulations targeting every employee who has a company email address.
The goal of the simulated phishing exercise is to further educate workforces. Employees should be informed a month or so prior to conducting tests to include them in the process. This type of testing can provide organizations with a baseline to better understand what types of ploys their employees fall for, what departments appear to have a high fail rate, and what user bases not only pass the simulation but also appropriately report the phishing email to IT.
- Metrics. Tracking metrics over time can answer the question of whether security awareness is improving in the organization. Metrics also allow organizations to implement corrective actions for those users who continually fail the simulated phishing exercises.
- Pen testing. In addition to the simulated phishing exercises, organizations should conduct annual social engineering penetration tests. These tests can help identify to what extent an attacker could access critical data in the event an employee clicked on a URL, opened a malicious document, or did not properly validate the identity of a visitor. Pen testing also tests the ability of an organization’s technical controls to identify and block threats before they reach end users.
- Ongoing education. Changing the culture of an organization often starts with awareness and builds through education. Employees need to feel a part of the process and understand the importance of supporting the message. This is where organizations can incorporate a change agent into the information security awareness education program. That same agent brand or theme should be a part of all security awareness communications including emails, posters, screen savers, and information fairs. As the program matures, the more security-minded employees, or power users, identified through surveys can act as advocates to help convey the message effectively and help the lessons permeate the workforce.
Focus on the end goal
Keep in mind that the goal of security awareness training is to educate end users and to turn liabilities into assets. By assessing the current program, optimizing training, and designing a security awareness road map, organizations can connect with their users in a meaningful way and strengthen their cybersecurity postures.