As organisations recognise the need to educate their employees on security beyond a simple online training module, new challenges present themselves. Although the implementation of formal security education and awareness programs is increasing, it does not require a unique new approach: it is essentially a change management program. One well-known method for change management is the PROSCI ADKAR® model, which identifies five critical steps, all of which must be achieved to realise change:
- Awareness of the need for change;
- Desire to participate in and support the change;
- Knowledge of how to change;
- Ability to implement required skills and behaviours;
- Reinforcement to sustain the change.
With this model, and with security communications in general, there are sticking points to overcome. First, how to simplify the required knowledge without dumbing it down. Second, how much information an individual or group actually needs. In security we think in terms of risk management, but there are too many risks for non-security professionals to consume. If you try to educate them on everything, they’ll become overwhelmed and confused.
To maximise impact and minimise confusion, you can use three simple principles to frame your security messaging:
- First you want your people to understand the Cyber risks they face and their Cyber Security responsibilities. This establishes why it is important, making them aware of the need and desire for change.
- Second, you need them to be able to identify potential Cyber Security incidents and data breaches. This gives them the required knowledge, helping them understand when to act.
- Finally, you want them to respond appropriately, including knowing when to raise a potential incident and who to contact. This provides them with the ability to implement their newfound knowledge by identifying who, how and where.
For example, one of the security risks every organisation should have high on their list is email-based phishing:
- Understand: The risk is employees may be susceptible to phishing attacks. Technology does not block all phishing attempts so employees need to help us identify and report suspicious phishing emails. As a result of a successful phishing attack, staff could transfer company funds to criminals or facilitate unauthorised access to your technology systems. Potential impacts include financial loss, reputational damage, legal action and critical systems disruption.
- Identify: Some relevant examples of knowledge artefacts include:
  - Double-check the sender’s email address. Does the domain exactly match the supposed sender? Do you know this person? Have you received emails from this address before?
  - Is the communication threatening or abusive?
  - Are they asking you to open an attachment with a specific file extension, and so on.
- Respond: Provide employees with a method to report suspicious communications, such as a single security operations centre email address or an automated phishing reporting button in your email client.
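The "identify" checks above are exactly the kind of rules a security team can also codify on the defender side, for example in a mailbox triage script or as the logic behind a phishing-report button's first pass. The following is an added example, not code from the article or from the author's organisation; it applies the three listed checks (sender domain versus claimed sender, threatening language, risky attachment types) to a few constructed sample messages. The display-name-to-domain mapping, known-sender list, phrase list and extension list are all assumed illustrative values.

```python
import os
from email.utils import parseaddr

# Display name -> the domain that name should legitimately send from
# (constructed example data, not the article's).
EXPECTED_DOMAINS = {"example corp it": "example.com"}
# Addresses the recipient has corresponded with before (constructed).
KNOWN_SENDERS = {"alice@example.com"}
# Attachment extensions the security team wants reported (assumed list).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".iso", ".html", ".htm"}
# Pressure or threat phrasing behind the "threatening or abusive" check (assumed list).
THREAT_PHRASES = ("immediately", "will be suspended", "final warning", "legal action")


def sender_parts(from_header):
    """Return (display name, address, domain), all lower-cased, from a From: header."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return name.strip().lower(), addr, domain


def check_message(msg):
    """Apply the article's 'identify' checks to one message dict; return the flags raised."""
    flags = []
    name, addr, domain = sender_parts(msg["from"])

    expected = EXPECTED_DOMAINS.get(name)
    if expected and domain != expected:
        # The display name claims to be a known party but the address domain is
        # something else (catches lookalikes such as example-corp-secure.com).
        flags.append("sender-domain-mismatch")
    if addr not in KNOWN_SENDERS:
        flags.append("unknown-sender")

    body = msg.get("body", "").lower()
    if any(phrase in body for phrase in THREAT_PHRASES):
        flags.append("threatening-language")

    for filename in msg.get("attachments", []):
        ext = os.path.splitext(filename)[1].lower()
        if ext in RISKY_EXTENSIONS:
            flags.append("risky-attachment:" + ext)
    return flags


# Constructed sample messages (not real mail): one normal, one phish-like, one merely unfamiliar.
SAMPLE_MESSAGES = [
    {
        "subject": "Monthly newsletter",
        "from": "Example Corp IT <alice@example.com>",
        "body": "Reminder: the monthly newsletter is attached.",
        "attachments": ["newsletter.pdf"],
    },
    {
        "subject": "Action required",
        "from": "Example Corp IT <it-support@example-corp-secure.com>",
        "body": "Your account will be suspended unless you act immediately. Open the attached form.",
        "attachments": ["form.html"],
    },
    {
        "subject": "Invoice",
        "from": "Bob <bob@partner.example.org>",
        "body": "Hi Sam, the invoice for last month is attached.",
        "attachments": ["invoice.xlsx"],
    },
]


def triage(messages=SAMPLE_MESSAGES):
    """Return {subject: flags}; any message with flags is one an employee should report."""
    return {m["subject"]: check_message(m) for m in messages}


if __name__ == "__main__":
    for subject, flags in triage().items():
        verdict = "REPORT: " + ", ".join(flags) if flags else "looks normal"
        print(f"{subject!r}: {verdict}")
```

The point of the example is that each flag maps directly onto one bullet employees are taught, so the same wording can be used in training material and in the automated feedback they see after pressing a report button. Note that the "unknown-sender" flag on its own (the third message) is a prompt to look more closely, not a verdict, which mirrors the article's "respond appropriately" step.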
If you start each security education activity by mapping out content using the ‘understand, identify and respond’ principles, you’ll simplify the messaging and ensure you are always providing just enough information to be useful and easily implemented by your employees.
About the author: Bianca Wirth
Bianca Wirth has over 20 years’ experience in IT and security, consulting to over 100 Australian and New Zealand organisations from a diverse range of industries and government in this time. She has worked for a global software vendor, developed her own successful consulting business and guest lectures on security at universities. Bianca developed and implemented an award-winning security education & awareness program, and is currently the Cyber Security Consulting Manager at Insurance Australia Group (IAG).