News

How to Build a Security Awareness Training Program

  • Security Boulevard
  • published date: 2022-01-21 09:38:00 UTC


<div id="contentsContainer" class="style-scope qowt-page"><div id="contents" class="style-scope qowt-page"><p id="E183" class="x-scope qowt-word-para-0"><span id="E184" class="qowt-font3-Calibri">With increased digitization of everything post-pandemic, cybersecurity has become a top concern for global CEOs with almost <a href="https://www.pwc.com/us/en/library/ceo-agenda/ceo-survey.html" target="_blank" rel="noopener">half </a></span><span id="E188" class="qowt-font3-Calibri">planning to increase cybersecurity </span><span id="E189" class="qowt-font3-Calibri">investment </span><span id="E190" class="qowt-font3-Calibri">by</span><span id="E191" class="qowt-font3-Calibri"> 9%, according to PwC. </span><span id="E192" class="qowt-font3-Calibri">Since </span><a id="E193" contenteditable="false" href="https://www.verizon.com/business/resources/reports/dbir/" target="_blank" rel="noopener"><span id="E194" class="qowt-font3-Calibri">85%</span></a><span id="E195" class="qowt-font3-Calibri"> of breaches involve human error, throwing more money at the problem by buying the latest cybersecurity </span><span id="E196" class="qowt-font3-Calibri">technology </span><span id="E197" class="qowt-font3-Calibri">may </span><span id="E198" class="qowt-font3-Calibri">hit a point of diminishing returns</span><span id="E199" class="qowt-font3-Calibri">. At its core, cybersecurity isn’t just a technical problem, it’s a human problem. Organizations need more than technology—they need employees as both their first and last line of defense; employees who embrace security awareness and who identify, avoid and flag activities and items that are of a suspicious nature. 
</span></p><h2 id="E201" class="x-scope qowt-word-para-3"><span id="E202" class="qowt-font3-Calibri">Where Security Awareness Programs Fall Short </span></h2><p id="E204" class="x-scope qowt-word-para-0"><span id="E205" class="qowt-font3-Calibri">It can be argued that businesses are </span><a id="E206" contenteditable="false" href="https://venturebeat.com/2021/10/21/report-53-spike-in-hours-spent-on-cybersecurity-training-among-employees/" target="_blank" rel="noopener"><span id="E207" class="qowt-font3-Calibri">increasingly</span></a><span id="E208" class="qowt-font3-Calibri"> investing in cybersecurity awareness, yet cyber</span><span id="E210" class="qowt-font3-Calibri">attacks continue to rise by </span><a id="E211" contenteditable="false" href="https://www.accenture.com/us-en/blogs/security/triple-digit-increase-cyberattacks" target="_blank" rel="noopener"><span id="E212" class="qowt-font3-Calibri">triple digits</span></a><span id="E213" class="qowt-font3-Calibri">. The reality is that security awareness is multidimensional,</span><span id="E214" class="qowt-font3-Calibri"> blending</span><span id="E215" class="qowt-font3-Calibri"> </span><span id="E216" class="qowt-font3-Calibri">education, upskilling </span><span id="E217" class="qowt-font3-Calibri">and communications. 
<a href="https://securityboulevard.com/2021/12/protect-your-organization-by-cultivating-a-culture-of-cybersecurity-awareness/" target="_blank" rel="noopener">Security awareness</a> has become a check-</span><span id="E218" class="qowt-font3-Calibri">the-</span><span id="E219" class="qowt-font3-Calibri">box </span><span id="E220" class="qowt-font3-Calibri">set of activities for many organizations</span><span id="E221" class="qowt-font3-Calibri">, </span><span id="E222" class="qowt-font3-Calibri">but </span><span id="E223" class="qowt-font3-Calibri">what we really want </span><span id="E224" class="qowt-font3-Calibri">is </span><span id="E225" class="qowt-font3-Calibri">security-minded people—</span><span id="E228" class="qowt-font3-Calibri">those who don’t just </span><span id="E229" class="qowt-font3-Calibri">recite polic</span><span id="E230" class="qowt-font3-Calibri">ies</span><span id="E231" class="qowt-font3-Calibri"> but </span><span id="E232" class="qowt-font3-Calibri">who </span><span id="E233" class="qowt-font3-Calibri">integrate security into their daily lives</span><span id="E235" class="qowt-font3-Calibri">. </span></p><h2 id="E237" class="x-scope qowt-word-para-3"><span id="E238" class="qowt-font3-Calibri">Foundational Components </span><span id="E240" class="qowt-font3-Calibri">Of</span><span id="E242" class="qowt-font3-Calibri"> A Security Awareness Program</span></h2><p id="E244" class="x-scope qowt-word-para-0"><span id="E245" class="qowt-font3-Calibri">The phrase security awareness is built on an inherent (and incorrect) assumption. It assumes that just telling </span><span id="E246" class="qowt-font3-Calibri">employees about the existence of </span><span id="E247" class="qowt-font3-Calibri">cyberthreat</span><span id="E248" class="qowt-font3-Calibri">s </span><span id="E249" class="qowt-font3-Calibri">will </span><span id="E250" class="qowt-font3-Calibri">suddenly </span><span id="E251" class="qowt-font3-Calibri">lead to an enlightened workforce. 
For any security awareness program to be successful, it </span><span id="E252" class="qowt-font3-Calibri">should </span><span id="E253" class="qowt-font3-Calibri">include the following foundational elements:</span></p><p id="E255" class="qowt-li-0_0 qowt-list x-scope qowt-word-para-0"><strong><span id="E256" class="qowt-font3-Calibri">Passion for people:</span></strong><span id="E257" class="qowt-font3-Calibri"> It’s important we acknowledge that the leader of this program </span><span id="E258" class="qowt-font3-Calibri">should be </span><span id="E260" class="qowt-font3-Calibri">people-oriented</span><span id="E262" class="qowt-font3-Calibri">. </span><span id="E263" class="qowt-font3-Calibri">They need to see people as the solution, not the problem. If the leader </span><span id="E264" class="qowt-font3-Calibri">is biased against </span><span id="E265" class="qowt-font3-Calibri">users,</span><span id="E266" class="qowt-font3-Calibri"> </span><span id="E267" class="qowt-font3-Calibri">they’ll likely </span><span id="E268" class="qowt-font3-Calibri">subvert </span><span id="E269" class="qowt-font3-Calibri">the entire program</span><span id="E270" class="qowt-font3-Calibri">.</span><span id="E271" class="qowt-font3-Calibri"> Program owners </span><span id="E272" class="qowt-font3-Calibri">need to </span><span id="E273" class="qowt-font3-Calibri">garner </span><span id="E274" class="qowt-font3-Calibri">buy-in </span><span id="E275" class="qowt-font3-Calibri">from </span><span id="E276" class="qowt-font3-Calibri">upper management </span><span id="E277" class="qowt-font3-Calibri">because such </span><span id="E278" class="qowt-font3-Calibri">support </span><span id="E279" class="qowt-font3-Calibri">has </span><a id="E280" contenteditable="false" href="https://www.gartner.com/smarterwithgartner/3-ways-to-gain-support-for-your-security-awareness-training-program" target="_blank" rel="noopener"><span id="E281" class="qowt-font3-Calibri">significant impact</span></a><span 
id="E282" class="qowt-font3-Calibri"> on </span><span id="E283" class="qowt-font3-Calibri">communicating </span><span id="E284" class="qowt-font3-Calibri">key messages across the organization. </span></p><p id="E286" class="qowt-li-0_0 qowt-list x-scope qowt-word-para-0"><strong><span id="E287" class="qowt-font3-Calibri">Well-thought-out communications strategy:</span></strong><span id="E288" class="qowt-font3-Calibri"> When it comes to security awareness, it’s obvious there’s a communication component because</span><span id="E289" class="qowt-font3-Calibri">, depending on the </span><span id="E290" class="qowt-font3-Calibri">audience</span><span id="E291" class="qowt-font3-Calibri">, role or team, people can perceive </span><span id="E292" class="qowt-font3-Calibri">message</span><span id="E293" class="qowt-font3-Calibri">s</span><span id="E294" class="qowt-font3-Calibri"> in different ways based on how they receive </span><span id="E295" class="qowt-font3-Calibri">the</span><span id="E297" class="qowt-font3-Calibri">m, </span><span id="E298" class="qowt-font3-Calibri">the tool used to deliver the message and other factors </span><span id="E299" class="qowt-font3-Calibri">like </span><span id="E300" class="qowt-font3-Calibri">employment </span><span class="qowt-font3-Calibri">background, experience</span><span id="E301" class="qowt-font3-Calibri"> and</span><span id="E302" class="qowt-font3-Calibri"> culture</span><span id="E303" class="qowt-font3-Calibri">.</span></p></div></div><div id="contentsContainer" class="style-scope qowt-page"><div id="contents" class="style-scope qowt-page"><p id="E305" class="qowt-li-0_0 qowt-list x-scope qowt-word-para-0"><strong><span id="E306" class="qowt-font3-Calibri">Focus o</span><span id="E308" class="qowt-font3-Calibri">n</span><span id="E310" class="qowt-font3-Calibri"> behavioral change:</span></strong><span id="E311" class="qowt-font3-Calibri"> Security awareness isn’t just an awareness problem, it’s a behavior problem. 
Awareness doesn’t naturally lend itself to behavioral change. S</span><span id="E312" class="qowt-font3-Calibri">imilar to the perception of </span><span id="E313" class="qowt-font3-Calibri">speed limit signs </span><span id="E314" class="qowt-font3-Calibri">as merely </span><span id="E315" class="qowt-font3-Calibri">suggestions</span><span id="E317" class="qowt-font3-Calibri"> or a stop sign at which you </span><span id="E318" class="qowt-font3-Calibri">only paused to check for the presence of a police vehicle, many people will attempt to skirt security measures that they find inconvenient or that slow them down, even if they are aware of them.</span></p><p id="E320" class="x-scope qowt-word-para-0"><span id="E321" class="qowt-font3-Calibri">There’s also a gap between knowing something</span><span id="E322" class="qowt-font3-Calibri"> </span><span id="E323" class="qowt-font3-Calibri">and intending to act on that information. Knowledge never stopped a breach. How people behave is the key. </span><span id="E324" class="qowt-font3-Calibri">E</span><span id="E325" class="qowt-font3-Calibri">ven when we know something and have the best intentions to act on that knowledge, we don’t always do so. For example, we might see a suspicious email but we may not report it. 
This is what social-behavioral</span><span id="E327" class="qowt-font3-Calibri"> scientists</span><span id="E328" class="qowt-font3-Calibri"> </span><span id="E329" class="qowt-font3-Calibri">refer to as <a href="https://www.sciencedirect.com/topics/psychology/intention-behavior-gap" target="_blank" rel="noopener">the intention-behavior gap</a>, and</span><span id="E334" class="qowt-font3-Calibri"> it’s important that businesses recognize this as a core </span><span id="E335" class="qowt-font3-Calibri">element </span><span id="E336" class="qowt-font3-Calibri">of their security awareness program.</span></p><h3 id="E338" class="x-scope qowt-word-para-3"><span id="E339" class="qowt-font3-Calibri">Use A Maturity Model </span><span id="E341" class="qowt-font3-Calibri">To</span><span id="E343" class="qowt-font3-Calibri"> Measure Your Security Awareness Level </span></h3><p id="E345" class="x-scope qowt-word-para-0"><span id="E346" class="qowt-font3-Calibri">You can’t improve what you don’t measure, and that’s why all leaders must start by measuring their level of security awareness prior to charting out </span><span id="E347" class="qowt-font3-Calibri">a </span><span id="E348" class="qowt-font3-Calibri">security awareness </span><span id="E349" class="qowt-font3-Calibri">program. </span><span id="E350" class="qowt-font3-Calibri"> </span></p><h3><span id="E353" class="qowt-font3-Calibri">Level One</span><span id="E354" class="qowt-font3-Calibri">:</span><span id="E355" class="qowt-font3-Calibri"> Compliance-Driven Awareness</span></h3><p><span id="E356" class="qowt-font3-Calibri">This is the lowest possible level of security awareness in any organization. 
It’s a program that’s only concerned with checking a box to meet a regulatory or a contractual mandate</span><span id="E357" class="qowt-font3-Calibri"> or comply with pending legislation.</span><span id="E358" class="qowt-font3-Calibri"> </span></p><h3><span id="E361" class="qowt-font3-Calibri">Level Two</span><span id="E362" class="qowt-font3-Calibri">: </span><span id="E363" class="qowt-font3-Calibri">Information Dissemination</span></h3><p><span id="E364" class="qowt-font3-Calibri">Information dissemination is a well-intentioned effort to ensure that people have the right information to make good security decisions. Organizations at this level have moved beyond simple box</span><span id="E365" class="qowt-font3-Calibri">-</span><span id="E366" class="qowt-font3-Calibri">checking and are sending out newsletters, making videos available, assigning learning management system modules and potentially even celebrating events like </span><span id="E367" class="qowt-font3-Calibri">the annual </span><a href="https://securityboulevard.com/?s=cybersecurity+awareness+month" target="_blank" rel="noopener"><span id="E368" class="qowt-font3-Calibri">Cybersecurity Awareness Month</span></a><span id="E369" class="qowt-font3-Calibri"> every October</span><span id="E370" class="qowt-font3-Calibri">. </span></p><h3><span id="E373" class="qowt-font3-Calibri">Level Three</span><span id="E374" class="qowt-font3-Calibri">: </span><span id="E375" class="qowt-font3-Calibri">Behavior Shaping</span></h3><p><span id="E376" class="qowt-font3-Calibri">This goes beyond level two and involves an intentional effort to understand and direct human behavior</span><span id="E377" class="qowt-font3-Calibri">,</span><span id="E378" class="qowt-font3-Calibri"> specifically working with, rather than against, human nature. 
</span></p><h3><span id="E381" class="qowt-font3-Calibri">Level Four</span><span id="E382" class="qowt-font3-Calibri">:</span><span id="E383" class="qowt-font3-Calibri"> Culture Shaping</span></h3><p><span id="E384" class="qowt-font3-Calibri">This is the highest level of maturity where security-related values and beliefs are woven into the fabric of the organization and ha</span><span id="E386" class="qowt-font3-Calibri">ve become the established norm. Such values are </span><span id="E387" class="qowt-font3-Calibri">regularly practiced </span><span id="E388" class="qowt-font3-Calibri">by most</span><span id="E389" class="qowt-font3-Calibri"> employees and they can even be infectious to </span><span id="E390" class="qowt-font3-Calibri">newcomers.</span></p></div></div><div id="contentsContainer" class="style-scope qowt-page"><div id="contents" class="style-scope qowt-page"><h2 id="E392" class="x-scope qowt-word-para-3"><span id="E393" class="qowt-font3-Calibri">The ABCs of Cybersecurity Awareness Programs</span></h2><p id="E395" class="x-scope qowt-word-para-0"><span id="E396" class="qowt-font3-Calibri">Awareness (A), </span><span id="E397" class="qowt-font3-Calibri">b</span><span id="E398" class="qowt-font3-Calibri">ehavior (B) and </span><span id="E399" class="qowt-font3-Calibri">c</span><span id="E400" class="qowt-font3-Calibri">ulture (C) are the three main </span><span id="E401" class="qowt-font3-Calibri">pivot points </span><span id="E402" class="qowt-font3-Calibri">that can help businesses harness the full potential of </span><span id="E403" class="qowt-font3-Calibri">a</span><span id="E404" class="qowt-font3-Calibri"> security awareness program</span><span id="E405" class="qowt-font3-Calibri">.</span><span id="E406" class="qowt-font3-Calibri"> The more they learn </span><span id="E407" class="qowt-font3-Calibri">about how they can </span><span id="E408" class="qowt-font3-Calibri">measurably benefit by intentionally focusing on the ABCs</span><span id="E409" 
class="qowt-font3-Calibri">, the more they </span><span id="E410" class="qowt-font3-Calibri">will </span><span id="E411" class="qowt-font3-Calibri">invest</span><span id="E412" class="qowt-font3-Calibri"> and </span><span id="E413" class="qowt-font3-Calibri">the closer they will be to building a truly cyberresilient organization.</span></p></div></div>