Top 5 Components of a Strong Information Security Awareness and Training Program
- Written by: Jeff Hudgens
October is National Cyber Security Awareness Month (NCSAM), a great time to provide information security awareness and training for your organization’s employees – each a vital link in the defense of your networks and information. In fact, each month of the year should be used for awareness and training efforts, but this takes a well-implemented and maintained program with strong leadership support.
One may ask, “What are the key elements in designing and implementing a strong information security awareness and training program?” Though there are many factors for success, some are more important than others. The top five factors for building a solid program within your organization are:
- Leadership Involvement. Awareness and training programs often fail because senior management and executives are exempted, or choose not to participate because of competing demands. Employees notice whether senior management and executives take part, and react accordingly. If senior managers and executives are fully engaged, this sends a positive signal and reinforces the organization's commitment to security. Senior leaders should attend awareness and training events, participate in phishing training activities, and be knowledgeable about the organization's information security policies.
- Persistence. Conducting information security awareness training once per year is not enough. An end user's "performance" with regard to information security will decline over the course of the year unless awareness activities continue throughout the year. A best practice is to build a yearlong plan with learning goals, and then break it down into smaller quarterly action plans, each with a theme for that quarter. For example, awareness activities during Q1 may be dedicated to threats and mitigations for mobile devices, Q2 to social media, Q3 to physical security, and Q4 to reinforcing the organization's Acceptable Use and other policies. Quarterly themes let security and training staff focus their threat research and training development efforts.
- Relevance. Awareness and training should be relevant to the organization's users. One size does not fit all, so organizations should consider how they would train employees on the IT staff versus how they would train, say, the Human Resources staff. In addition, to best hold the attention of end users, it is a good idea to cover how employees use information resources in home and travel settings, as well as in the workplace.
- Immediate Feedback. One of the best ways to reinforce awareness is to provide training activities with a "hands-on" aspect. For example, implementing a phishing training program and routinely testing employees' reactions to this common tactic (as well as other social engineering tactics) is a great way to reinforce awareness activities. This type of training works best when feedback is immediate and "the teachable moment" is used: if a user clicks a link in a phishing training email, taking that user straight to a short training presentation on phishing indicators provides the best learning value.
In addition to "hands-on" activities such as phishing training emails, organizations should also consider gaming techniques to impart learning to end users. Gaming techniques are an excellent way to engage end users and reinforce learning objectives.
- Assessments. Part of the value of a strong awareness and training program is the ability to adjust the program so that it constantly improves and does not stagnate. To determine what adjustments are needed, the organization must understand where it started and how it is progressing. Metrics are therefore a key attribute in gauging whether learning objectives are being met. Metrics can be gathered in many ways, such as from automated data collection in phishing training emails, surveys, and post-event interviews. As part of its assessment efforts, the organization must also have a way to analyze the metrics and present the resulting information in a meaningful way to senior management and executives.
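As an added example (not code from the original article), the following Python computes the kind of phishing-simulation metrics the Immediate Feedback and Assessments items call for: click rate, report rate, median minutes-to-report, how many users who clicked then reported (the teachable moment paying off), the click-rate trend per department across quarters, and repeat clickers who need targeted follow-up. The event records, department names, and timestamps are constructed sample data; the field layout is an assumption about what a simulation platform would export.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One simulated phishing email and what the recipient did with it.
    Field layout is an assumption, not a specific vendor's export format."""
    quarter: str
    department: str
    user: str
    delivered: str              # ISO 8601 timestamp the lure was sent
    clicked: Optional[str]      # when the user clicked the link, or None
    reported: Optional[str]     # when the user reported the email, or None


# Constructed sample data: two quarters, two departments, six users.
SAMPLE_EVENTS = [
    Event("Q1", "HR", "alice", "2023-01-10T09:00", "2023-01-10T09:05", None),
    Event("Q1", "HR", "bob",   "2023-01-10T09:00", None, "2023-01-10T09:12"),
    Event("Q1", "HR", "carol", "2023-01-10T09:00", None, None),
    Event("Q1", "HR", "dave",  "2023-01-10T09:00", "2023-01-10T09:03", "2023-01-10T09:20"),
    Event("Q1", "IT", "erin",  "2023-01-10T09:00", None, "2023-01-10T09:04"),
    Event("Q1", "IT", "frank", "2023-01-10T09:00", None, None),
    Event("Q2", "HR", "alice", "2023-04-11T09:00", "2023-04-11T09:07", None),
    Event("Q2", "HR", "bob",   "2023-04-11T09:00", None, "2023-04-11T09:06"),
    Event("Q2", "HR", "carol", "2023-04-11T09:00", None, None),
    Event("Q2", "HR", "dave",  "2023-04-11T09:00", None, "2023-04-11T09:02"),
    Event("Q2", "IT", "erin",  "2023-04-11T09:00", None, "2023-04-11T09:03"),
    Event("Q2", "IT", "frank", "2023-04-11T09:00", None, "2023-04-11T09:09"),
]


def _minutes(start: str, end: str) -> float:
    """Elapsed minutes between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def campaign_metrics(events):
    """Group events by (quarter, department) and compute per-group metrics."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.quarter, e.department)].append(e)
    out = {}
    for key, evs in groups.items():
        delivered = len(evs)
        clicked = [e for e in evs if e.clicked]
        reported = [e for e in evs if e.reported]
        minutes = [_minutes(e.delivered, e.reported) for e in reported]
        out[key] = {
            "delivered": delivered,
            "click_rate": len(clicked) / delivered,
            "report_rate": len(reported) / delivered,
            # None when nobody reported, rather than a misleading zero
            "median_minutes_to_report": median(minutes) if minutes else None,
            # users who clicked, saw the training page, and then reported
            "clicked_then_reported": sum(1 for e in clicked if e.reported),
        }
    return out


def click_rate_trend(metrics, department):
    """Click rate per quarter for one department, oldest quarter first.
    Assumes quarter labels like 'Q1'..'Q4' that sort lexically within one year."""
    quarters = sorted(q for (q, d) in metrics if d == department)
    return [(q, round(metrics[(q, department)]["click_rate"], 3)) for q in quarters]


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least min_clicks campaigns: candidates for
    targeted, role-specific training rather than another generic module."""
    counts = defaultdict(int)
    for e in events:
        if e.clicked:
            counts[e.user] += 1
    return sorted(u for u, n in counts.items() if n >= min_clicks)


if __name__ == "__main__":
    m = campaign_metrics(SAMPLE_EVENTS)
    for key in sorted(m):
        print(key, m[key])
    print("HR click-rate trend:", click_rate_trend(m, "HR"))
    print("repeat clickers:", repeat_clickers(SAMPLE_EVENTS))
```

Report rate and time-to-report are worth tracking alongside click rate: a department whose click rate is flat but whose median time-to-report is falling is still improving, and that is the kind of trend that is meaningful to senior management.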
Successful information security awareness and training programs incorporate these factors, among others.