How to craft a security awareness program that works

Organizations struggle with making security awareness training programs that work. One expert says that's because we treat security awareness training as an event rather than a continuous program of education that adapts to the risks employees face.

Employees are often considered the weakest link in organizations' efforts to create a strong security posture. Even organizations with security awareness programs in place struggle to instill strong security behaviors. Steve Conrad, managing director of MediaPro, a learning services company that specializes in information security, data privacy and compliance, says organizations can and should do better.

"Are we treating employees with the same seriousness as we are other threats to the organization? If you updated your firewall software and virus definitions once a year, people would say that you're negligent," Conrad says.

"It's time to really step up the human element," he adds. "Traditionally, CIOs and CISOs have looked at technology and processes. Now it's time to look at people. They're a very high threat to the organization, but we don't necessarily treat them like any other threat vector. Employees generally want to do the right thing."

Effective awareness training should be tailored for a variety of situations

Effective awareness training starts with a risk assessment, Conrad says. You need to understand what your most valuable assets are so you can better craft a plan to protect them.

"What are your risks? Align your training around those," Conrad says. "You shouldn't give the same training to everyone in your organization. Your executives need certain training that others in the organization may not."


Call center employees may need extra training around social engineering risks, while human resources employees may need particular training about handling personally identifiable information (PII).

Conrad notes that the National Institute of Standards and Technology (NIST) Cybersecurity Framework is an excellent foundational document with which to start the process.

Once you know what you need to protect and who needs special training to protect it, you need to craft a program of continuous education around it.

"You can't offer lackluster training for 30 minutes once a year and say it doesn't work," Conrad says. "Why would you expect it to work? You need foundational training, but the overall training program needs to be one of reinforcement. You need to look at it as an overall program, not an event."

User behavior analytics can play a key role in a continuous program that adapts to the risks that your employees face. These analytics can provide pop-up alerts when employees engage in certain activities.

"We see you're doing this, be aware that these are the best practices and what you need to watch out for," Conrad says.

"We call it 'just-in-time training' or 'performance-at-work training,'" he adds. "You're disclosing proprietary information to a partner, can I give you education and a checklist of what you should and shouldn't be sharing?"
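To make the "just-in-time training" idea concrete, here is an added illustration (not code from the article, and not MediaPro's product) of how a user-activity event from a DLP or analytics feed could be turned into a targeted nudge with a checklist. The domain names, data labels, checklist text and the seven-day cooldown are all constructed assumptions; the cooldown is there because a nudge that fires on every action quickly becomes noise that employees learn to dismiss.

```python
"""Just-in-time awareness nudges driven by activity events (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed values: a fictitious corporate domain and one approved partner.
INTERNAL_DOMAINS = {"corp.example"}
APPROVED_PARTNER_DOMAINS = {"partner.example"}

# Short checklists shown at the moment of the action (constructed content).
CHECKLISTS = {
    "partner_share": [
        "Is this partner covered by a signed NDA?",
        "Is the document marked for external release?",
        "Have you removed internal-only sections and comments?",
    ],
    "pii_external": [
        "Is there an approved business reason to send this PII?",
        "Is the file encrypted or sent through the approved secure channel?",
        "Have you minimised the data to only the fields needed?",
    ],
    "unknown_external": [
        "Do you recognise this recipient domain?",
        "Could this be a response to a phishing or pretexting request?",
        "Would your manager expect this data to leave the company?",
    ],
}


@dataclass
class ShareEvent:
    user: str
    recipient_domain: str
    data_label: str  # "public", "internal", "confidential" or "pii" (assumed labels)
    timestamp: datetime


@dataclass
class Nudge:
    topic: str
    message: str
    checklist: list


def pick_topic(event: ShareEvent) -> Optional[str]:
    """Decide whether the activity warrants a nudge, and which checklist applies."""
    if event.recipient_domain in INTERNAL_DOMAINS or event.data_label == "public":
        return None  # routine activity: do not interrupt the employee
    if event.data_label == "pii":
        return "pii_external"
    if event.recipient_domain in APPROVED_PARTNER_DOMAINS:
        return "partner_share" if event.data_label == "confidential" else None
    return "unknown_external"


class JustInTimeTrainer:
    """Issues nudges but rate-limits per (user, topic) so training stays meaningful."""

    def __init__(self, cooldown: timedelta = timedelta(days=7)):
        self.cooldown = cooldown
        self.last_shown: dict = {}  # (user, topic) -> last time a nudge was shown
        self.log: list = []         # record the awareness team can use for metrics

    def handle(self, event: ShareEvent) -> Optional[Nudge]:
        topic = pick_topic(event)
        if topic is None:
            return None
        key = (event.user, topic)
        last = self.last_shown.get(key)
        if last is not None and event.timestamp - last < self.cooldown:
            self.log.append({"user": event.user, "topic": topic, "shown": False})
            return None  # recently nudged on this topic; stay quiet
        self.last_shown[key] = event.timestamp
        self.log.append({"user": event.user, "topic": topic, "shown": True})
        message = (f"We see you're sharing {event.data_label} data with "
                   f"{event.recipient_domain}. Before you continue:")
        return Nudge(topic, message, CHECKLISTS[topic])


BASE_TIME = datetime(2024, 1, 1, 9, 0)  # constructed reference time for the demo


def make_event(user: str, domain: str, label: str, day_offset: int = 0) -> ShareEvent:
    """Build a constructed sample event `day_offset` days after BASE_TIME."""
    return ShareEvent(user, domain, label, BASE_TIME + timedelta(days=day_offset))


def demo() -> list:
    """Run a constructed sequence of events and return the trainer's log."""
    trainer = JustInTimeTrainer()
    events = [
        make_event("alice", "corp.example", "confidential"),        # internal: no nudge
        make_event("alice", "partner.example", "confidential"),     # nudge: partner_share
        make_event("alice", "partner.example", "confidential", 1),  # within cooldown
        make_event("alice", "partner.example", "confidential", 8),  # cooldown expired
        make_event("bob", "randomdomain.example", "pii"),           # nudge: pii_external
        make_event("bob", "randomdomain.example", "internal"),      # nudge: unknown_external
    ]
    for ev in events:
        nudge = trainer.handle(ev)
        if nudge is not None:
            print(f"[{ev.user}] {nudge.message}")
            for item in nudge.checklist:
                print(f"  - {item}")
    return trainer.log


if __name__ == "__main__":
    demo()
```

The log the trainer keeps is the part that closes the loop with the rest of the program: it tells the awareness team which topics employees keep running into, which is exactly the kind of risk signal the article says continuous training should adapt to.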

It's also essential to treat your security awareness program as a communication exercise — essentially a change management problem. IT and the security function may not have the skills to make that happen, so Conrad suggests partnering with the training organization or the marketing organization to most effectively get the awareness training across.

"Anytime you can communicate a message to a person and make it personal, you're going to be much better off," Conrad says.

For instance, foundational training could show employees tools and best practices they can use at home to protect their children and other family members. They can then apply those tools and practices on the job.

"That's a very reasonable way to approach it," Conrad says. "Tie in that emotional hook. Make it real and personal."

Stories by Thor Olavsrud