Security Threats and the Human Factor
Although formal training is the most effective way to build security awareness, computer-based training is another option. Read this section on delivering security awareness training. After you read, you should be able to explain the benefits and limitations of computer-based and instructor-led security awareness training. How can human behavior be modified through security awareness and training programs?
The choice of learning medium is critical to the success of the learning process. Currently, delivery of security awareness programmes is mainly through two broad modes, namely computer-based training and instructor-led training.
According to the University of North Carolina, computer-based training is the channel for delivering security awareness training that is most attractive to training and IT managers. It is based on a belief that organisations should embrace new technology where the learning medium is founded on the technology itself. There are several computer-based training programmes or systems on the market, such as SANS Online Security training, InfoSec Institute, and Global Learning Systems' scenario-based system, among others.
The online course developed by SANS focuses on equipping employees with knowledge that can be used in securing their organisation's systems. It is delivered in the form of training videos with guided instructions. The programme is available in various languages and covers different organisational sectors, including the health care workforce, engineers, developers and utility providers. Upon completion of the course, the trainee has to go through an assessment which involves being tested on recognising phishing emails.
InfoSec's training programme is highly interactive and addresses compliance and security needs for logistics, manufacturing, retail, finance, government agencies and departments, educational institutions and consulting organisations. The training is delivered via interactive videos (short lectures) and realistic exercises that enable the learner to acquire hands-on experience in security awareness. Additionally, it provides customisable learning paths for each module and the ability to combine multiple modules.
Global Learning Systems also provides a comprehensive web-based security awareness training course, library and communication resources. The programme usually entails modules and courses that are scenario-based and can be deployed quickly. They are also customisable to provide an effective learning approach to the end user. It involves either 45-minute comprehensive or 20-minute short modules covering various topics. Besides the scenario-based learning approach, the programme also offers mini-challenges and quizzes.
Computer-based training programmes have several benefits, such as ease of delivery, reduced training costs, a flexible learning structure and ongoing and easy access to information. However, these platforms also suffer from some drawbacks. The limitations include inadequate on-platform help or support for the trainee to understand the topic thoroughly, an unfamiliar learning environment, lack of mental stimulation for skilled trainees, a non-customisable training programme and absence of formal accreditation such as CBT.
Instructor-led training is a preferred skill development choice of employers because it has been proven to be effective in behavioural development time and time again. Instructor-led training is coordinated by the organisation, with training schedules, workshops and events arranged through a contracted trainer. This is mostly achieved by hiring experts in the area of systems security. Such a programme varies based on the organisational needs, allocated budget, number of employees and departments seeking training. For instance, employees in the IT department would require less security-oriented training time than employees in the marketing department. Some of the companies which provide such training services include SANS, InfoSec Institute, AppSec Consulting, HITECH, NIST (National Institute of Standards and Technology), NCSA (The National Cyber Security Alliance), FTC (the Federal Trade Commission) and SCIPP International, among others.
Some of the benefits of utilising instructor-led training for security awareness programmes include face-to-face interaction between trainer and trainee, real-time and direct feedback, an enhanced learning experience in a group setting, personalised training and hands-on learning experience. However, a number of challenges and limitations also exist in this traditional approach. Instructor-led training is generally time-consuming and costly, the learning pace is inflexible, and content is delivered in large volumes with no individual considerations. Additionally, the learning experience is significantly affected and influenced by the trainer's teaching ability, and generalised teaching methods can affect learners who may either be fast or slow at absorbing training content.
Source: I. Ghafir, J. Saleem, M. Hammoudeh, et al., https://link.springer.com/article/10.1007/s11227-018-2337-2
This work is licensed under a Creative Commons Attribution 4.0 License.