Security awareness training is an important part of any organization’s cybersecurity strategy. Key to making awareness training work well is that it must deliver “the right content to the right people at the right time”. Getting that done can be a big challenge! If you don’t have a plan for how to achieve this, your program will not be as effective as it could be. We will give you an outline for how to create your awareness training plan that you can easily adapt for your own organization.
At the bottom of this post you can also download a Microsoft Word template for your awareness program plan to get you started in no time!
What’s the risk?
Starting with the risk picture is a good idea. You don’t need a big and complex risk model to start with the risk. If you don’t know your risks, start with a simple approach to this.
- What are your most valuable assets (people, data, software, hardware)?
- Who are the likely threat actors and what methods do they commonly use? Think about insiders, cybercrime and industrial espionage first.
- For scenarios that can threaten your most valuable assets, who are the people involved? What would they need to know to help stop this?
- What are your key technical and organizational risk mitigation strategies?
If you have an overview of this in place, it is much easier to see what you should focus on in your security awareness program.
Different people need different knowledge to fulfill their roles. Programmers will need to learn about different things than accountants to contribute effectively to the cybersecurity of the firm. Creating a competence plan for the different roles in the company is a good idea before you design the awareness contents and delivery channels. Keep the roles relatively broad. Some example roles:
- Senior management
- Sales, marketing and business development
- System administrators
Typically your competence requirements will vary between these roles. Key to a successful program is that the people targeted with training must understand the relevance of what they need to learn. Senior managers don’t need to know about SQL injection, but they do need to know about social engineering. Sales reps don’t need to learn about ransomware types, but they do need to learn why it is important to be careful while working in the airport lounge and that USB drives given away at trade shows can be unsafe.
A simple table with key knowledge requirements can be a tremendous help in planning a relevant awareness program.
Awareness is not built through training alone
e-Learning can be great for learning, but it does not build a security aware organization by itself. In fact, training is perhaps the smallest slice of the awareness activity cake. Here are five aspects of a good security awareness program that will help the organization move to a place where security is part of the way things are done, and not an annoying add-on:
- Formal training (classroom and e-learning)
- Defined workflows
- On the agenda in meetings and discussions. This is the responsibility of the project manager, team manager, or meeting facilitator!
- Top manager priority
- Making objectives part of performance management – including personal development plans
Can we measure security awareness?
Measuring security awareness can seem like an elusive goal – but tracking awareness-related metrics is an important part of building a strong organizational culture with security as a natural part of the organization’s identity. Defining those metrics can be tough, so here are a few suggested ways to measure the effectiveness of such a program.
- Measure the completion rate of e-learning activities
- Run simulated phishing campaigns to test the effectiveness of social engineering training
- Gather 360 reviews on managers’ performance, and include survey questions about the security focus of middle managers
- Track security incidents (reported and discovered)
- Run security quizzes as part of social competitions and track both participation and results
Want a free template for planning your awareness program?
We have created a Word template to help with awareness program planning. Feel free to use it as the basis for your own awareness program!