Published on January 07, 2010 by Karen Letain in News
I have been reviewing how we can make security awareness training more exciting and more relevant for the learner this year. What new tools can we add to the toolbox that will inspire learners to actually change their behaviors when it comes to being aware of security risks?
With the plethora of social media, video and other communication tools out there, I figure there has to be some way to tie all of these media together to produce a truly awesome ongoing weekly awareness campaign. You can tweet about it, put together a video on YouTube that you can put on the internal website, or use some free video animation tools to flash images that resonate with the learner's everyday work tasks. This past year, Terranova spent a lot of time on the development of new online content with a different pedagogical format, focusing more on risks/consequences/threats and best practices than prior versions. We also spent time creating new videos that can be used to promote awareness on various topics. However, I think we really need to look at what can be done with all of these other wonderful tools out there. What are you planning to do this year to freshen up your training? We would love to hear about your ideas!
Published on September 03, 2009 by Karen Letain in News
Is there really an answer to this? Does it not depend upon the product and the individual learner?
Quite likely, the only real answer to this question is to determine the amount of training that is necessary by reviewing the corporate security policies and determining what is critical from a security perspective and what is not. Typical physical security training is about a minimum of 40 hours of training per core competency. This, however, could be overkill if the individual's role is not that of a physical security officer, but instead is a program or project manager with no responsibility for security within the organization.
The amount of training is typically related to the type of task being performed. With security awareness, that is difficult to quantify unless you look at what is critical from a security perspective based on the individual's job role in the organization. Ultimately, security awareness training should be based on the role the individual learner has in the organization and what potential risks/threats that person might encounter. Basing training on the individual's role is a much more precise way to develop effective security awareness training.
Published on June 19, 2009 by Karen Letain in News
Rolling out a large Information Security Awareness Training Program can be an incredibly daunting task, especially if you have to ensure that your efforts are measurable in order to meet industry standards or adhere to legislation.
Let’s face it, you can’t measure the number of times employees look at the security awareness posters you just put up in the coffee room or in the elevator. And how the heck do you measure the impact of a banner on the company intranet? Did it really change the outcomes and behaviors of the employees?
And what about that 1.5 hour live training session? Did anyone actually listen and implement the recommendations?
If your budget has been cut and you can’t afford an online training component with a back-end LMS to track and provide reporting functions, then start small and try the following techniques:
1. After your live training sessions, walk around and measure the impact by talking to employees and asking questions.
2. At lunch, do “walk-bys”. Check to see if employees are leaving their desks without adhering to the “clean desk” policy and have left their laptops unlocked, etc. If so, create some friendly reminder cards to place on their desks as reinforcement.
3. Pick a month a year and do a “security awareness month”: combine short videos with games and posters that supplement your regular yearly ongoing training programs.
4. Provide incentives (if possible – even an apple, chocolate bar, etc.) for those you catch doing the “right” thing when it comes to being security aware.
The key is to track all of these items. Start a spreadsheet and track the number of employees talked to per month, the number of incidents discovered in the walk-bys and the number of employees caught doing something correctly. Create some nice monthly graphs with the data and provide them to management so they know you are on top of the security awareness issue.