1.13 Establish and maintain a security awareness, education, and training program
- Methods and techniques to present awareness and training (social engineering, phishing, security championships, gamification)
- Periodic content reviews
- Program effectiveness evaluation
An effective risk management program requires us to modify the behaviors of users so that they comply with the new risk management policies. That means we must transfer the ideas in the security policies to the people.
First, we create awareness, which means enabling users to recognize security issues. We can do that through formal education and through informal notices such as posters, newsletters and events. Each user should understand their responsibilities under the policy and understand which activities are not authorized. Users get bored, so the program should be creative and interesting. The employees must also understand the value of the program. If they do not value security, then they will not cooperate.
Training means teaching people to comply with the security policy. We might train new employees when they are first hired and retrain existing employees when there are new systems or policies that they need to learn about. Training should be ongoing for all employees and should be revised often so that it is up-to-date and interesting.
Education goes further, teaching people the skills they require to perform their job. Education might be delivered by an external provider such as a school. The ideas learned in education apply not just to the employer but to the industry or job as a whole. An example of education is a security certification or a degree in information technology from a university. We might require existing employees to obtain new education (at their expense or at the expense of the organization), or we might require new hires to possess specific types of education.
Some important parts of an effective Security Awareness Program:
- Social Engineering – we might randomly send employees simulated phishing e-mails and see whether they click on them or report them
- Gamification – we can turn the security training into a game where people are encouraged to find the threats or answer questions. This makes the training more interactive and more interesting.
- Security Champion – a security champion is an employee who encourages others to follow security procedures. They might work for the IT department, or we might designate employees in other departments to act as security champions. We want to pick people who are passionate about security.
- Content Review – we must regularly review the content so that it remains accurate and relevant
- Program Evaluation
  - Metrics – we can measure how many people completed the training and, if the training is a game, what score they received
  - Quizzes – we can randomly quiz people to make sure that they understand the security requirements
  - Security Awareness Day – we can have a single day where we celebrate and encourage security
  - Evaluation of the organization's security – the ultimate measure of how successful our security program is, is how secure our organization actually is
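The metrics bullet above describes measuring completion and, for the social engineering item, whether people click or report a simulated phishing e-mail. The following is an added example (not from these notes, and not any particular product's code) showing how a program owner might turn the raw results of one simulated campaign into effectiveness metrics: overall completion, click and report rates, the same rates per department, and a comparison of click rates between employees who completed training and those who did not. All names, departments and outcomes in `RESULTS` are constructed sample data, and the 30% refresher threshold is an assumed policy value.

```python
"""Effectiveness metrics for a security awareness program.

Added example: the user records below are constructed, and the
`max_click_rate` threshold is an assumed policy value, not a standard.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishResult:
    """One employee's outcome in a simulated phishing exercise."""
    user: str
    department: str
    clicked: bool              # followed the link in the simulated e-mail
    reported: bool             # reported the e-mail to security
    completed_training: bool   # finished the awareness training beforehand


# Constructed sample data: eight employees across four departments.
RESULTS = [
    PhishResult("alice", "finance", clicked=False, reported=True,  completed_training=True),
    PhishResult("bob",   "finance", clicked=True,  reported=False, completed_training=False),
    PhishResult("carol", "hr",      clicked=False, reported=False, completed_training=True),
    PhishResult("dave",  "hr",      clicked=True,  reported=False, completed_training=False),
    PhishResult("erin",  "it",      clicked=False, reported=True,  completed_training=True),
    PhishResult("frank", "it",      clicked=False, reported=True,  completed_training=True),
    PhishResult("grace", "sales",   clicked=True,  reported=True,  completed_training=True),
    PhishResult("heidi", "sales",   clicked=True,  reported=False, completed_training=False),
]


def _rate(results, predicate):
    """Fraction of records for which predicate holds; 0.0 for an empty list."""
    if not results:
        return 0.0
    return sum(1 for r in results if predicate(r)) / len(results)


def completion_rate(results):
    """Share of employees who completed the awareness training."""
    return _rate(results, lambda r: r.completed_training)


def click_rate(results):
    """Share of employees who clicked the simulated phishing link (lower is better)."""
    return _rate(results, lambda r: r.clicked)


def report_rate(results):
    """Share of employees who reported the e-mail (higher is better)."""
    return _rate(results, lambda r: r.reported)


def by_department(results):
    """Per-department completion, click and report rates, keyed by department name."""
    groups = defaultdict(list)
    for r in results:
        groups[r.department].append(r)
    return {
        dept: {
            "completion_rate": completion_rate(rs),
            "click_rate": click_rate(rs),
            "report_rate": report_rate(rs),
        }
        for dept, rs in sorted(groups.items())
    }


def training_effect(results):
    """Compare click rates of trained versus untrained employees.

    A large gap suggests the training is changing behavior, which is the
    goal of the awareness program; no gap suggests the content needs review.
    """
    trained = [r for r in results if r.completed_training]
    untrained = [r for r in results if not r.completed_training]
    return {
        "trained_click_rate": click_rate(trained),
        "untrained_click_rate": click_rate(untrained),
    }


def departments_needing_refresher(results, max_click_rate=0.3):
    """Departments whose click rate exceeds the assumed policy threshold."""
    return [d for d, m in by_department(results).items() if m["click_rate"] > max_click_rate]


if __name__ == "__main__":
    print("completion:", completion_rate(RESULTS))
    print("click rate:", click_rate(RESULTS), "report rate:", report_rate(RESULTS))
    print("by department:", by_department(RESULTS))
    print("training effect:", training_effect(RESULTS))
    print("refresher needed:", departments_needing_refresher(RESULTS))
```

Tracking these numbers across successive campaigns is what turns a one-off exercise into the periodic program evaluation the objective calls for: a falling click rate and a rising report rate over time are the behavioral change the program is meant to produce, and a department that stays above the threshold is a candidate for retraining.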