Concerns about Information Security Training and Awareness – Part 3
OK, OK, security training and awareness for senior management is an almost impossible endeavor, but that does not mean the same obstacles are present in security training and awareness for the rest of an organization. As I have said before, I have had my share of experience with security training and awareness, and have accumulated several important "lessons learned" concerning successes and failures, including:
- Successfully conveying perceived purpose to the target audience is all-important. Making the skills to be taught or the message to be presented relevant to this audience is the difference between being able to engage and motivate them to learn and not being able to do so. Conveying perceived purpose is difficult, however, because many users use computers purely out of necessity and do not necessarily think that being unable to use their computers temporarily because of a security-related problem is such a bad thing. This is where HR can help considerably. If compliance with information security policy, standards and procedures is included among employee performance review criteria, employees are much more likely to realize that information security matters, and thus are likely to be more open and receptive to security training and awareness efforts.
- Training and awareness must be tailored to different groups within an organization. "One size fits all" definitely does not apply to security training and awareness. Training and awareness for casual PC users needs to be radically different from training and awareness for system administrators, and the same principle applies to expert system administrators versus novice ones. Tailoring security awareness and training to different groups is truly one of the greatest challenges for information security professionals, especially since training and awareness budgets are usually rather limited.
- Those who are trained must be held accountable. I am confident that, in and of itself, having a group of people come into a room and hear a presentation on information security does little good. At a minimum, attendees should be required to take a test afterwards, or to show hands-on that they have learned to follow a mandatory security procedure. Those who do not pass the test or practicum need to receive more training before they attempt to pass again.
- Skip the theory and get down to the practical. Too often information security training and awareness consists of communicating many security platitudes, but nobody other than security professionals really cares about these platitudes. Those who receive security training and awareness need to learn practical things: how to create a strong password, why it is important not to open unexpected attachments, and how to disconnect the network cable from the network interface card (if that is what the organization's incident response procedure calls for) when there is reason to believe a computer has been compromised.
- Training must be recurrent. We often require that all employees and contractors receive security training once a year, but psychologists say that most concepts we learn are forgotten within hours (sometimes minutes) of being exposed to them. Following up two or three weeks after a group training session, say with a brief individual distance learning session, is imperative.
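The "strong password" skill above is a good candidate for the practicum mentioned earlier, because it can be checked objectively rather than by a quiz. The following checker is an added example written for this post, not code from the original article or from any product it mentions; the rules (12-character minimum, 60-bit estimated entropy, no common passwords, no username embedded, no long repeats) and the tiny common-password list are assumptions chosen for illustration, and a real deployment would check against a full breached-password list.

```python
import math
import re

# Constructed, deliberately tiny list of common passwords for the example;
# a real checker would consult a breached-password list of millions of entries.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Policy thresholds are illustrative assumptions, not values from the article.
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 60


def estimate_entropy_bits(password):
    """Upper-bound entropy estimate: length * log2(size of character pool used).

    This assumes every character was chosen at random from the pool, so it
    overstates the strength of dictionary-word passphrases; that is why the
    common-password and username checks below are applied separately.
    """
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, username=""):
    """Return (ok, problems): ok is True when no policy rule is violated.

    Each problem is a short machine-readable code followed by an explanation,
    so a training practicum can show the learner exactly what to fix.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short: use at least %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common: this password appears on common-password lists")
    if username and username.lower() in password.lower():
        problems.append("contains_username: do not build the password from your login name")
    if re.search(r"(.)\1\1", password):
        problems.append("repeats: avoid three or more identical characters in a row")
    bits = estimate_entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        problems.append("low_entropy: estimated %.0f bits, need %d" % (bits, MIN_ENTROPY_BITS))
    return (not problems, problems)


def practicum(password, username=""):
    """Wrap the check as a pass/fail practicum result for a training record."""
    ok, problems = check_password(password, username)
    return {"passed": ok, "feedback": problems}


if __name__ == "__main__":
    # Constructed sample inputs a learner might try during the practicum.
    for pw, user in [("Password1", "alice"),
                     ("alice_Secure2024!", "alice"),
                     ("correct horse battery staple", "alice")]:
        result = practicum(pw, user)
        print(repr(pw), "PASS" if result["passed"] else "FAIL", result["feedback"])
```

Run it as a script to see the feedback for each constructed sample, or import `check_password` into whatever tool records practicum results. The entropy figure is only a ceiling; the separate list and username checks are what catch the weak choices users actually make.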
These prescriptions are by no means a "silver bullet." At the same time, however, paying attention to them could very well make your security training and awareness effort go much better than ever before.