Why Does Security Awareness Training Fail?
People are the weakest link in security. If you want to know how to solve this problem, read this.
Many studies show that, regardless of heavy investment in cybersecurity technology, the largest risk still lies with your people (see, for example, Verizon). You may have given them security awareness training, but have you truly reduced the risk?
The main challenge in security awareness training is that employees do not encounter security-related anomalies or pitfalls in their everyday work. It takes time to build a security-aware culture in a company, and one mandatory presentation or video course is not enough to change behaviour.
What are the best practices in security awareness training? It seems that, in order to truly reduce the people risk, you need to do some homework.
Best Practices in Security Awareness Training
1. Risk-Driven Training Program
Typical security awareness training covers the most common security pitfalls, such as weak passwords, phishing, rogue Wi-Fi networks and malicious executable files. Unfortunately, one-size-fits-all security awareness training has only a limited impact on the security risk posed by people.
In order to maximize the reduction of the total risk, you need to consider that different employees have different risk profiles. Your security training program should reflect this, so that the content and the amount of training depend on the employees' risk profiles.
One-size-fits-all security awareness training has only a limited impact on people risk in security.
2. Use Best Practices in Teaching and Learning
How do you train your employees so that they can identify risks in real situations and change their behaviour? Security is a boring subject, and employees do not encounter suspicious situations every day.
Often, mandatory tests are proposed as a solution. They work to a certain extent, but there are also more positive methods that provide better results.
Best practices of teaching and learning include:
Teaching topics in small pieces
Recaps of earlier learning sessions to provide repetition
Exercises that challenge your gaming and competition instincts
Entertaining videos and interactive formats
Binding content to everyday work
Emotionally compelling stories
Entertaining videos and emotionally compelling stories in security awareness training? It sounds odd for security awareness training, but it works like a charm.
If your objective is to truly reduce your people risk, you need to focus on the best practices of teaching and learning. Teaching is an old science, and it is better to listen to what the respected practitioners say. Quite often, you can find the best experts on this topic in your HR department.
So, rethink how you teach.
To truly reduce the people risk, you need to understand the modern best practices in teaching and learning; consult your HR department on this.
3. Include Key Security Processes (Security Incidents, Risk Reporting, ...)
In order to train your organisation to respond to security incidents and risks, you need to have certain processes in place. However, the existence of the processes does not mean that the users know what to do. The challenge is even harder when you keep in mind that most users use these processes very seldom.
Top-class security awareness training includes instructions for at least the following processes:
Security incident handling
Data breach handling
User permission handling
Again, you should keep in mind the best practices of teaching and learning. Users remember new things best if they actually do what is taught. At a minimum, they should create some test incidents or reports using your real process.
At this point, you might start to feel that most things are covered. However, the biggest challenge is still ahead.
Teaching security processes quickly improves your organisation's capability to respond to security incidents and risks.
4. No Mercy for Management
Often, management is forgotten in security awareness training.
Although they participate in the same training as the employees, their position from a risk management point of view is totally different. Management normally has extensive user permissions, and they make decisions that involve large risks.
It is obvious that management focuses on business-related topics, which lowers the priority of other things, security included. It is also common that management thinks they have the privilege of not following all the rules. This may get worse the higher you go in the organisation.
If you want to truly reduce your people risk, you need to address management separately. Employees copy their behaviour from their management and colleagues, and if management is sloppy about security awareness, training the employees may be a waste of time.
Management should have their own security awareness training, covering at least the following topics:
Security governance roles and responsibilities
How to coach subordinates in security awareness?
How to run risk assessment sessions for the team?
How to escalate risks and incidents?
How to manage risks as a system owner or site owner?
Focusing on management may be the quickest way to reduce the people risk.
Here we are. Now we know how to reduce the people risk.
But did the behaviour change? You need to follow up.
5. Evaluate People Risk Properly in Internal Audits
How can you evaluate the learning results? Your training includes testing, but the real evaluation takes place in real situations.
If you rethink your internal auditing practices, you can combine audit preparation with real risk assessment. Random checks of passwords, random phishing attempts, social engineering attempts... For each pitfall covered in the training, you can create a real test.
You can also detect changes in behaviour when you review security incident and data breach logs. In a security-aware organisation, employees report anomalies readily, as they can count on the investigation process. Risk registers also give a realistic picture of how large a part of the organisation is truly risk aware.
You should require more from your auditors. Obviously, external audits do not guarantee that your people risk has decreased. However, if you use internal auditing cleverly, you can address both compliance and people risk.
Evaluation of people risk in internal audits is not as difficult as you might think.
The main motivation for security awareness training should be a true lowering of security-related risks. Mandatory participation in a security awareness presentation or video course is not enough for this.
If you are after top-level results in security awareness, you should not be satisfied with the basics. You should:
Customize the training program based on employees' risk profiles
Use modern best practices in teaching and learning
Include training of the key security processes
Create a separate training track for management
Develop internal auditing to evaluate changes in people risk
If we have got you interested and you want to discuss world-champion-level security awareness programs, you can contact us here: https://www.dexintel.com .