subject: A Tailored Approach To Security Awareness Training

Managing a security awareness training program is like pushing a boulder uphill - in the dark - on roller skates. It may be extremely challenging to reach the top, but not impossible.
The goal of a security awareness training program should be not only to help individuals understand that they play a significant role in the security of the organization, but also to teach them that consistently adhering to basic security protocols is the best way to help maintain a high level of security.
To achieve this goal, a trainer needs to recognize that awareness training is not like teaching someone to perform a specific duty with clearly defined guidelines and procedures: you are essentially asking people to "reprogram" their attitudes and habits. Considering that most workers regard performing even basic internal security steps - like locking keyboards, clearing desks, shredding documents - as a hindrance to productivity, it can take a lot of motivation to change their behavior. Hence the analogy of pushing a boulder uphill - in the dark - on roller skates.
Luckily, trainers can use a variety of tools as leverage to help move the boulder along. The most effective may be to take a tailored approach to security awareness training sessions.
Since every organization is made up of employees with diverse levels of education, experience and responsibility, a "one size fits all" method of training simply does not work very well. A truly effective awareness program may require the development of custom training sessions structured to appeal to the sophistication level of each segment.
For example, senior managers have a vested interest in protecting the security of the organization and are likely to already have a good understanding of why security awareness is important. So they may quickly "buy in" to the goals of the program as long as they perceive their training sessions as being relevant to their job functions and significant to the organization.
One method used to tailor a training session for management is to monitor online newswires prior to the session and collect videos of news reports that address relevant security issues or breaches. Then replay the videos in a group setting and follow them with a roundtable discussion about how to prevent similar issues within your own organization. Other techniques involve teaching the managers how to explain the importance of security awareness to their own teams, how to reduce risks within their departments, or even how emerging security threats could potentially impact the organization.
On the other hand, training sessions for front-line employees and support staff require a much different - and often more demanding - approach. Simply due to the nature of their job functions, these segments have a much higher chance of being directly exposed to security threats on a daily basis. Without effective, focused training, these employees are at greater risk of becoming the target of a social engineer and unwittingly contributing to a security breach. Therefore, trainers should structure customized training sessions for these types of segments to address critical topics including identifying physical security vulnerabilities, detecting and reacting to potential threats, and the importance of basic security precautions.
Developing an effective training session for these segments is no easy task, especially considering you are ultimately asking them to break bad habits and develop new ones that may inhibit their productivity. While some trainers opt for traditional training methods like written quizzes or role-play activities, many trainers consider light-hearted activities a more effective way to open up the lines of communication so that the serious message of security awareness is more easily accepted. One creative example of a "soft-sell" technique is to mimic a popular game show like Jeopardy or Family Feud. Attendees are split into teams, advance to different rounds and even compete for prizes!
Regardless of the training techniques used, it is important to recognize that different segments of employees require different motivational factors in order to "buy in" to the principles of security awareness.
Developing customized training sessions based on employee segments may ultimately provide the leverage you need to get that boulder to the top of the hill.