Skip to content

Page040

Security Awareness and Training

Security awareness and training are often confused. Awareness changes user behavior; training provides a skill set.

Reminding users never to share accounts or write their passwords down is an example of awareness. It is assumed that some users are doing the wrong thing, and awareness is designed to change that behavior.

Security training teaches a user how to do something. Examples include training new help desk personnel to open, modify, and close service tickets; training network engineers to configure a router; or training a security administrator to create a new account.

Both awareness and training programs should undergo periodic content reviews to ensure that the data is timely and accurate. Information security can change quickly, such as during the COVID-19 pandemic, when countless organizations embraced telecommuting and remote technologies such as Slack, Discord, Zoom, Microsoft Meeting, Office365, and others.

The effectiveness of both awareness and training should be measured as well. The following types of metrics should be gathered before awareness and training programs begin, and then measured periodically to track program effectiveness:

  • Percentage of employees who have completed awareness and training programs
  • Employee-provided quality feedback on awareness and training programs
  • Clicks on authorized phishing campaigns
  • Vulnerabilities discovered during vulnerability scans
  • Patching effectiveness
  • Number of compromised systems
  • Security incidents
  • Dwell time (this describes the time it takes to identify an incident)
  • System and network uptime
  • Etc...

Gamification

Gamification is a form of learning that turns potentially dry material (such as security awareness briefings) into a game. Unlocking levels, points, badges, and avatars is fun, and unleashes a competitive spirit that encourages immersion and learning. Leaderboards can be used to encourage this competition, with individuals and teams vying for the top position.

Fig. 2.9 is from the SANS Institute’s Holiday Hack (see https://www.holidayhackchallenge.com/), an annual Christmas-themed hacking challenge that is highly gamified.

Fig. 2.9 SANS Holiday Hack.

Security Champions

Security champions are members of non-infosec teams (including operations, engineering, software development, and others) who act as a liaison with the information security team: “A security champions program enlists security-minded employees of all different disciplines from across a company for cybersecurity training and guidance. Once trained, these security champions become the voice for security within their various teams to drive crucial cybersecurity business outcomes throughout a business” [10].

The security champion role should be formal, and part of the person’s job description. Once the program is introduced, potential candidates can be identified (based on their knowledge, experience, and passion). This role should be considered a promotion (with an appropriate increase in compensation).