Humans are often characterized as the “weakest link” in the information security chain. This designation may be circumstantially right, but it also neglects the fact that humans, if properly motivated and educated, can play an important role in bolstering the security ecosystem.
Employees can break the multimillion-dollar defense mechanism of an organization simply by clicking on a malicious link that installs an exploit kit (practical example of the weakest link). On the flip side, security-conscious employees can pick up the slack where the technology and processes fail, acting as a last resort in the security defense mechanism.
Many organizations have developed security awareness programs to transition their employees to a “human firewall.” Nevertheless, end-users still contribute to a fair percentage of breaches. If you're scratching your head wondering whether these training methods are effective, you aren't alone.
Effective security awareness training is often described as training that can change employees' behavior throughout an organization. Sounds good, but what exactly is the human behavior that needs altering?
Given the complexity of the human brain and the myriad factors that could influence human actions, it's no wonder that traditional training approaches that are simplistic and one-dimensional have not proved adequate. In fact, an effective approach calls for a multidisciplinary team and collaborative efforts of different subject matter experts besides information security. Undoubtedly, this approach requires sufficient funding by the management.
Security awareness training should begin with the senior management. Once they are clear on how effective training ultimately mitigates the risks, they are more likely to invest in it. Realistically, perfect security training, just like perfect security, is not achievable. But setting reasonable goals up front and communicating them clearly to the stakeholders will greatly reduce misunderstandings and avoid the perception of failure due to wrong assumptions.
Here are some guidelines for creating a more productive security awareness program.
- Make it relevant: Try to customize the training content for departments/groups that have a similar job function, and provide specific examples of what they encounter in their day-to-day activities. Moreover, the complexity of the content should be adjusted based on the roles and responsibilities of each group. NIST Publications 800-50 and 800-16 are great references.
- Use effective communication methods: Being a subject matter expert doesn't mean information security professionals possess all the skills required to develop or conduct end-user training. In fact, communication, education, human resources and psychology experts and end-user representatives should also be engaged to add their insight to the planning, development and delivery phases of security awareness training.
- Motivate your people: Another reason to have the right mix of experts in an awareness program is to galvanize the employees about the training before they are required to take it. Employee motivation is a key prerequisite of successful training, to the point that it can make or break the effort. The key is to avoid having workers who participate merely because it's required by the organization's security policy and finish it with little knowledge gained.
- Up the frequency, shrink the size: To increase the program's effectiveness, the content should be broken down into information nuggets focused on a specific subject, presented to the user community on a daily basis and repeated after a certain period of time. How this is done, of course, takes a lot of planning, communication and, more importantly, creativity.
- Conduct random security drills: A mock exercise will help assess users' skills in a more realistic manner, and the experience will make them feel more comfortable in dealing with real-world scenarios in the future.
Some organizations are willing to break away from conventional approaches and invest in effective training that goes beyond compliance requirements.
For example, Barclays Bank PLC launched a training campaign for its 150,000 employees worldwide. The bank hired a digital media company to create a 22-minute “mockumentary” film, fusing humor with such blockbuster security themes as incident reporting, appropriate disposal of confidential materials, and password security.
Most often, security awareness training is delivered in a way that leaves employees with a completely passive role: They receive education and are expected to follow certain instructions.
Wouldn't they be more serious about learning if they were engaged and had to play an active role? Here is an idea: Assign someone in each department the role of security ambassador and let them assume limited security responsibilities, such as serving as the point person for incident reporting. This position can be rotated, say weekly, so a larger number of employees get a chance to participate.