Being out on the proverbial frontline, employees are often the source of great debate when it comes to the role that they play in the information security battle. Human beings inevitably make mistakes, and those mistakes will continue to put companies at risk. Some security professionals argue that users are a lost cause not worth investing in. However, user security training and security awareness campaigns can have a significant impact on changing employee behavior and better preparing them to identify and fight against cyber-crime.
To begin, it’s important to understand the difference between user security training and user security awareness. Security training is designed to equip users with the basic skills needed to respond to potential security threats. User awareness is a more generic and widely applicable program that focuses on helping users identify where potential threats exist. Both are essential to help employees respond to today’s advanced threats.
Several frameworks exist to help guide companies in building security training and awareness programs. These resources include NIST Special Publication SP 800-50 and the Security Culture Framework developed by Roer Group. But how companies structure and implement their training and awareness programs will be shaped by their own unique requirements and the specific needs of their employees. Here are a few examples of possible approaches that companies can take:
Structured platforms. Organizations that have to provide user training or awareness programs due to a regulatory or compliance requirement tend to opt for a structured platform, such as a series of education modules. These modules typically feature a multiple-choice quiz at the end of each section, allowing security professionals to track completion and maintain training records.
Design your own. For those cases that are more focused on specific security challenges, companies tend to either develop their own training and awareness modules or procure them from vendors.
Candid compliance. Enterprises looking for a more proactive approach to training, awareness, and education often opt to use mock social engineering and phishing campaigns. Such campaigns send a simulated phishing e-mail to employees. If the user clicks on the link in question, they land on an educational page about the dangers of clicking suspicious links or opening attachments from untrusted sources. Because each recipient's link is unique, the campaign also records who clicked, who reported the message, and how quickly, which is the raw data needed to measure whether behavior is changing.
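As an added example (not code from the article or from AlienVault), the following Python sketch implements the mechanics of such a mock phishing campaign: every recipient gets a link carrying an HMAC-signed token, so a click can be attributed to exactly one person and a colleague cannot forge a click on someone else's behalf by guessing a sequential id; the landing page serves the educational message and records the event; a report action is recorded the same way; and the campaign metrics (click rate, report rate, fastest click) provide the kind of baseline that a training program can be measured against. The campaign name, e-mail addresses, timings, hostname and secret are all constructed for the demo.

```python
"""Minimal phishing-simulation tracker (added example; not the article's or AlienVault's code).

Assumptions (all constructed for this demo): the landing host training.example.invalid,
the recipient addresses, the click/report timings, and the campaign secret.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

EDUCATIONAL_MESSAGE = (
    "This was a simulated phishing e-mail sent by the security team. "
    "Real attackers use the same tricks: check the sender, hover over links "
    "before clicking, and use the Report button on anything suspicious."
)


@dataclass
class Campaign:
    name: str
    secret: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    targets: dict = field(default_factory=dict)   # uid -> e-mail address
    events: list = field(default_factory=list)    # (uid, action, minutes after send)

    def _sign(self, uid):
        # HMAC over campaign name + uid: the uid is a small, enumerable integer,
        # so the signature is what stops someone from forging a token for a colleague.
        msg = f"{self.name}:{uid}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:24]

    def enroll(self, email):
        uid = len(self.targets) + 1
        self.targets[uid] = email
        return f"{uid}.{self._sign(uid)}"

    def link(self, token):
        # The URL embedded in the simulated phishing e-mail (constructed hostname).
        return f"https://training.example.invalid/learn?t={token}"

    def resolve(self, token):
        """Return the uid for a valid token, or None for a forged or malformed one."""
        try:
            uid_str, sig = token.split(".", 1)
            uid = int(uid_str)
        except ValueError:
            return None
        if uid not in self.targets:
            return None
        if not hmac.compare_digest(sig, self._sign(uid)):
            return None
        return uid

    def landing_page(self, token, minutes_after_send):
        """What the 'phishing' link serves: the teachable moment, plus a recorded click."""
        uid = self.resolve(token)
        if uid is None:
            return 404, "not found"
        # Only the first click per recipient counts toward the click rate.
        if not any(u == uid and a == "click" for u, a, _ in self.events):
            self.events.append((uid, "click", minutes_after_send))
        return 200, EDUCATIONAL_MESSAGE

    def report(self, token, minutes_after_send):
        """The 'Report phishing' action; the token identifies which e-mail was reported."""
        uid = self.resolve(token)
        if uid is None:
            return False
        self.events.append((uid, "report", minutes_after_send))
        return True

    def metrics(self):
        """Campaign numbers that serve as a benchmark for later training rounds."""
        n = len(self.targets)
        clicked = {u for u, a, _ in self.events if a == "click"}
        reported = {u for u, a, _ in self.events if a == "report"}
        click_times = [t for _, a, t in self.events if a == "click"]
        return {
            "targets": n,
            "click_rate": round(len(clicked) / n, 3) if n else 0.0,
            "report_rate": round(len(reported) / n, 3) if n else 0.0,
            "clicked_then_reported": len(clicked & reported),
            "fastest_click_minutes": min(click_times) if click_times else None,
        }


def run_demo():
    """Constructed campaign: four recipients, two clickers, two reporters, one forgery attempt."""
    c = Campaign("Q3-invoice-lure", secret=b"demo-secret-do-not-use")
    people = ["ana@example.invalid", "ben@example.invalid",
              "cy@example.invalid", "di@example.invalid"]
    tokens = {p: c.enroll(p) for p in people}
    c.landing_page(tokens["ana@example.invalid"], 3)
    c.landing_page(tokens["ana@example.invalid"], 40)   # repeat click, not double counted
    c.report(tokens["ana@example.invalid"], 5)          # clicked, then reported
    c.landing_page(tokens["ben@example.invalid"], 15)
    c.report(tokens["cy@example.invalid"], 2)           # reported without clicking
    forged = c.landing_page("2.deadbeef", 1)            # guessed uid, bad signature
    return c.metrics(), forged


if __name__ == "__main__":
    summary, forged_result = run_demo()
    print(summary)        # {'targets': 4, 'click_rate': 0.5, 'report_rate': 0.5, ...}
    print(forged_result)  # (404, 'not found')
```

Two design points matter in practice: the signature check keeps an enumerable id from letting one employee mark a colleague as a clicker, and counting only the first click per recipient keeps the rate honest when curious users revisit the page. A real deployment would also persist the events and run the same campaign template again after training so the two click and report rates can be compared.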
Ready, player one? With the growth of video games and the adoption of social media, mobile, and web technologies, “gamification” is emerging as one of the fastest and most effective ways to change employee behavior and reinforce information security standards. Gamification, which entails the use of gaming techniques to engage players, is in its infancy for security training and awareness programs—but it has the potential to engage users at a level not previously achievable with traditional training methods.
Increasing chances of success
There are a variety of options for companies that want to implement user training and awareness programs, but the underlying question is whether they will effectively change user behavior. Following are five best practices for increasing the chance that these programs will succeed:
Clearly define measurable goals and desired outcomes prior to embarking on a security training or awareness campaign.
Document the level of security awareness among employees before the new training and awareness programs are launched. This will provide a benchmark for measurement.
Evaluate different approaches to training and awareness, and determine which programs will best complement company culture.
Ensure continuous user engagement with interactive programs, such as education modules or gamification. Programs that consist of a one-way dialogue built around PowerPoint slides are the least effective way to gain employees' attention, ensure retention, and change user behavior.
Leverage marketing, design, and communication experts to create engaging training and awareness materials. Making security less of a technical deliverable and more of a corporate social responsibility initiative can be extremely impactful in persuading employees to pay attention and change their security behavior.
Remember, Rome wasn’t built in a day, and changing user behavior doesn’t happen overnight. Teaching users to avoid suspicious links and malware-laden attachments takes a long time and requires sustained effort. However, with the right plan, effective training and awareness campaigns, and a little bit of patience, employees can be transformed from a security liability into effective cyber-crime fighters, helping their companies win the cyber-war with better threat detection and response.
Javvad Malik is a security advocate at AlienVault.