Industry professionals agree that the most significant security threat to an organization is its own employees. Controls can be implemented to help combat this problem and some would argue that such controls are sufficient on their own. However, the strongest security measures can be circumvented by a single incident of creative social engineering. Only by taking a balanced approach to technical control and employee training can organizations adequately secure themselves.
The best defense against human-based threats, such as social engineering and phishing, is genuine understanding. Your environment is ever changing in terms of people, technology, and points of exposure, and you need to manage these elements in a volatile landscape. Risk control processes must be enforced to prepare your employees for the threats that target them as the weakest point in your defenses. The SANS Institute recommends that organizations educate their employees about security issues and regularly test them to ensure they retain what they learn. In recent years the Information Security industry has begun implementing automated training and testing facilities, known as Learning Management Systems (LMS), to accomplish this task. According to a recent study by Bersin & Associates, more than 40 percent of all organizations and more than 70 percent of large enterprises have an LMS.
Building an effective training program in which appropriate retention and understanding occur is challenging. Not only is the choice and development of the right content important, but its proper delivery is paramount to the program's success. This article aims to provide a renewed sense of purpose with regard to employee training.
Beyond WHAT and on to HOW
While Information Security specialists consider many aspects in building and launching a complete training program, I will focus on those areas that are often overlooked, yet critical to a program's success. The key question is, "How can we turn the world of Information Security, an uninteresting topic for many, into an effective and enjoyable learning process?" In response, we will look not only at the raw content but also consider three additional strategies: expanding the framework for the LMS, emphasizing the relevance of the training material, and creatively using humor where appropriate.