Security awareness training
Published on September 01, 2010 by Karen Letain in News, Planning
In many cases, security awareness programs fail because they are not tied to the overall company-wide security policies. In other cases, security policies, and therefore security awareness training, are not given the proper attention and buy-in required from key stakeholders within the company.
Published on April 19, 2010 by Karen Letain in Marketing and Communications
I was reading Seth Godin's blog entry today, http://sethgodin.typepad.com/ (yes, he is a marketing guru, and no, he is neither an education psychologist nor does he have a PhD in Education, at least as far as I know). Seth is a best-selling author, entrepreneur and agent of change. So what does this have to do with security awareness training, or any training for that matter? For any corporate training to be adopted by an entire organization, you need to understand how to market it effectively.
A sentence that Seth put in his blog today really resonated with me. It is as follows:
If you're having trouble persuading people to buy what you sell, perhaps you should sell something else. Failing that, perhaps you could talk about what you sell in a different way.
This can be applied directly to your security awareness training. Let's give it a try:
If you're having trouble persuading people to take security awareness training, perhaps it is time to try something else. Failing that, perhaps you could talk about the training in a different way.
Security awareness training is an essential part of an organization's yearly training regime, and if you are facing resistance from end users in taking the training, then perhaps it is time to try some fresh content, videos or even games to make it more enjoyable. If you are currently conducting your awareness training via an instructor-led model, perhaps it is time to look at e-learning, or even just to add some video or gaming-type exercises to your existing structure.
Published on April 04, 2010 by Karen Letain in Courses, News
A recent article in Forbes on women and gaming made some interesting links not only to gender-based learning but also to how we learn and develop skills as individuals: http://www.forbes.com/2010/03/25/women-gaming-video-forbes-woman-time-online.html
The concept of gaming is becoming more accepted in business, where it functions as a superb training and operations tool. Video games are now being used for collaboration and brainstorming as well as performance evaluation. Games-based learning is proving to be the new learning tool of the future, and it is definitely growing.
Games-based learning, also referred to as "Serious Games", is all about leveraging the power of computer gaming to captivate and engage end users so that they develop new knowledge and skills. This type of learning enables users to undertake tasks and experience situations that would otherwise be too costly or impossible to stage.
Although many of the concepts included in end-user security awareness training are universal, such training often must be tailored to address the policies and requirements of a particular organization. In addition, many forms of training fail because they are rote and do not require users to think about and apply security concepts. A flexible, highly interactive video game can support organizational security training objectives while drawing typical users into an engaging security adventure.
However, there are problems with deploying games-based learning in organizations. First, it is difficult to find generic end-user interactive gaming software for security awareness. Second, the cost of creating such a game internally can be quite high. Third, maintaining and updating the content can be time-consuming and costly.
Published on March 22, 2010 by Karen Letain in Other, Planning
Consistent updates will assist you in managing change throughout the yearly life cycle of your security awareness program. It is imperative that you update your program to ensure that training/awareness/education deployments do not become stagnant and therefore irrelevant to the real emerging issues faced by the organization. A planned and consistent update program will also allow you to address changes in security policy, directives and procedures driven by new threats, technologies or legislation. We hope the following 5 steps will assist you in managing program changes:
1. The awareness program should be continuously updated as new technology and associated security issues emerge. A typical program refresh time is every 12 months, but changes in an organization's policies or newly emerging threats might dictate a shorter refresh cycle.
2. New training requirements will emerge as new skills and capabilities become necessary to respond to changes in technology and the overall security landscape. Look at implementing role-based e-learning, i.e., manager training for new and existing managers, IT admin training, etc.
3. Changes to the organization's objectives and/or mission can also affect how best to design training content and methods. Review resources, determine what mix of e-learning, seminars and/or outsourced training is required, and balance training methods against both your current resources and your budget.
4. Emerging trends and regulations/laws will also impact the type and extent of security awareness activities necessary to keep users educated about the latest threats and best practices.
5. New security directives will also drive the need to update and/or explore additional training methods or components.
Published on March 05, 2010 by Karen Letain in News
The Computer Security Institute (CSI) released the 14th edition of its annual CSI Computer Crime and Security Survey in December 2009. Insight was gathered from 443 US-based respondents across both public and private sectors.
While respondents indicated they were not extremely happy with any of the technologies currently in use, they did feel that there is still no comprehensive solution for monitoring and measuring what is going on.
Respondents also expressed even greater concern over a perceived lack of proper security awareness training for users at endpoints. An amazing 43.4 percent of them said that less than 1 percent of their security budget was allocated to awareness training, and 55 percent said current investments in this area were inadequate.
Twenty-five percent of respondents said more than 60 percent of financial losses came from accidental breaches by insiders, not external hacks, and 16.1 percent said 81 to 100 percent of all losses came from accidental breaches.
Published on February 22, 2010 by Karen Letain in News
No matter how effective or strong the information security program may be, it is only as effective as the most malicious or incompetent employee. There are numerous examples of businesses that have spent hundreds of thousands incorporating leading-edge technology, procedures, monitoring systems, policies and comprehensive training programs, only to have one employee do something that compromised the systems, the data or some business process. While we cannot discount governance and technology, the obvious fact remains that information security must involve everyone in the company.
Everyone must know their part and understand the consequences of violating the policies the organization has put into place. What types of consequences does an organization put into place to ensure security awareness is taken seriously? This will depend upon the organization, its structure, HR regulations, etc. We have seen some organizations that have implemented a security awareness program as part of their new-hire orientation training. To ensure that the new employee understands the security policies, badge access or computer access is not granted until they pass a test proving they have read and understood the information presented to them.
Consistent reinforcement of security procedures and policies needs to be done with existing staff as well. Yearly, ongoing training is a must, but how do you know if any of the information provided is being retained? You can encourage employees to take a yearly examination, and it can be done anonymously. This would provide the organization with data to measure the effectiveness of the program and would also provide the employee with the necessary incentive to take the training. For more suggestions on security awareness program retention or incentive planning, contact us! As always, your feedback or ideas are very welcome!
Published on September 12, 2009 by Karen Letain in News
Maximizing what little security budget is left isn't easy, but it is possible. Despite the recession, businesses are still investing in security. But what if your company isn't? There are ways to maximize the security budget you do have and actually increase your security posture. A simple approach can be extremely effective. Here are some recommendations:
1. Review existing security tools and augment with open source
Supplementing your existing IT security infrastructure can be done via a myriad of open source tools that are extremely affordable. Review the tools you do have and supplement them with open source, or look at tweaking your current ones by contacting the vendor and seeing if there are any tweaks or scripts that can be written for a small professional services fee.
2. Keep training your staff
ALL employees need constant training. Review your existing training strategies and increase sessions, or add free training tools and resources to your existing repertoire to "freshen" the content. There are a "ton" of free resources out there. Microsoft has a great free security awareness toolkit you can use that contains all types of slogans, newsletter templates, etc.: http://technet.microsoft.com/en-us/security/cc165442.aspx
3. Increase security awareness
If your staff are trained and aware of potential risks and threats, your ability to avoid security breaches is increased exponentially. Regular training, education and continuous communication and marketing techniques can condition employees to be paranoid of e-mail attachments and URLs sent by strangers, or to be more cognizant of any potential insider issues.
Published on July 23, 2009 by Karen Letain in Metrics, News, Planning
I have talked quite a bit in this blog about the factors behind successful awareness training programs, yet I keep hearing stories from clients and friends about awareness training programs that are just not able to deliver.
The success of a security awareness program really depends upon the delivery of the information and how it is tailored for each audience. Security awareness training should be delivered to end users in each department as well as incorporated into new employee orientation. This can be administered using an online training format in small, easily digestible learning bites delivered each month or quarter, or through instructor-led sessions or smaller, informal lunch-and-learns. Managers and executives may be more receptive to an instructor-led session format, or to online delivery with lessons geared toward the IT risks that managers and executives need to be aware of.
When considering training options for your employees, you will need to consider both instructor-led and online learning formats. In security awareness training there are instances when both are required. If you need to conduct general end-user security awareness training, online training options have certain efficiencies and cost advantages. Cost factors include course development, instructor time, instructor salaries, preparation time, classroom costs, travel expenses, material costs and employees' time.
Other factors that are not captured when looking at costs are the speed of delivery of the training and the instructional efficiency. Instructional efficiency is the degree to which all of the information delivered leads to learning that improves performance (reference: Moran, J.V. 2002, ROI for E-Learning, http://wwwlearningcircuits.org/2002/feb2002/moran.html). Online learning's advantage over instructor-led training is that it can be delivered in a timely, consistent way, with the ability to easily update materials.
In the second part of this series, we will look at the advantages and disadvantages for the learner from both a delivery and efficiency factor. Stay tuned!