Security Awareness, Training, and Education

The most effective way to combat the risk posed by people is to provide formal security awareness training. Read this section on conducting a formal security awareness training program. After reading it, you should understand the need for training programs, the types of security awareness training, and how to evaluate a training program.

Conducting a Formal Security Awareness Training Program

The Need

Management's directives pertaining to security are captured in the security policy, and the standards, procedures, and guidelines are developed to support these directives. However, these directives will not be effective if no one knows about them or how the company expects them to be carried out.

  • For security to be successful and effective, everyone from senior management down to the rest of the staff needs to be fully aware of the importance of enterprise and information security.
  • All employees should understand the underlying significance of security and the specific security-related requirements expected of them.
  • The controls and procedures of a security program should reflect the nature of the data being processed.
  • The security program should be developed in a fashion that makes sense for the organization's different cultures and environments.
  • The security program should communicate the what, how, and why of security to its employees.
  • Security-awareness training should be comprehensive, tailored for specific groups, and organization-wide with a goal that each employee understands the importance of security to the company as a whole and to each individual.
  • Expected responsibilities and acceptable behaviors need to be clarified, and noncompliance repercussions, which could range from a warning to dismissal, need to be explained before being invoked.

Different Types of Security Awareness Training

There are usually at least three separate audiences for a security-awareness program: management, staff, and technical employees.

  • Each type of awareness training needs to be geared toward the individual audience to ensure that each group understands its particular responsibilities, liabilities, and expectations.
  • Members of senior management would benefit most from a short, focused security awareness orientation that discusses corporate assets and the financial gains and losses pertaining to security.
  • Mid-management would benefit from a more detailed explanation of the policies, procedures, standards, and guidelines and how they map to the individual departments for which they are responsible.
  • Middle managers should be taught why their support for their specific departments is critical and what their level of responsibility is for ensuring that employees practice safe computing activities. They should also be shown how the consequences of noncompliance by individuals who report to them can affect the company as a whole and how they, as managers, may have to answer for such indiscretions.
  • The technical departments must receive a different presentation that aligns more closely with their daily tasks. They should receive more in-depth training covering technical configurations, incident handling, and the indicators of different types of security compromise so that these can be properly recognized.
  • Employees should not try to combat an attacker or address fraudulent activity on their own; instead, they should be told to report such issues to upper management, and upper management should determine how to handle the situation.
  • The presentation given to staff members needs to demonstrate why security is important to the company and to them individually. The better they understand how insecure activities can negatively affect them, the more willing they will be to participate in preventing such activities.
  • It is usually best to have each employee sign a document indicating that they have heard and understand all the security topics discussed and understand the ramifications of noncompliance.
  • Security training should happen periodically and continually.

Evaluating The Program

Security-awareness training is a type of control, and just like any other control it should be monitored and evaluated for its effectiveness.

  • After employees attend awareness training, the company can give them questionnaires and surveys to gauge retention and gather feedback on the training; both feed into evaluating the program's effectiveness.
  • A good indication of the program's effectiveness can be obtained by comparing the number of security incident reports made before and after the training. Note that a rise in reports after training usually means employees are recognizing and reporting more of what was already happening, not that the company is being attacked more, so read this metric alongside the incidents that are confirmed by other means.
  • For online training, record each individual's name and which training modules they have and have not completed within a specified time period. This record can then be integrated into their job performance documentation.
  • Security-awareness training must repeat the most important messages in different formats; be kept up to date; be entertaining, positive, and humorous; be simple to understand; and, most important, be supported by senior management.

Specialized Training Programs

  • Train individuals on the specialized devices and technologies they are responsible for.
  • Different roles require different types of training (firewall administration, risk management, policy development, IDSs, and so on). A skilled staff is one of the most critical components of a company's security, and not enough companies spend the funds and energy necessary to give their staff proper levels of security education.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License.

Last modified: Thursday, April 15, 2021, 2:37 PM