How to create an effective security awareness training program

Nov. 5, 2021
Begin by defining your program’s goals and scope of policy, along with garnering company buy-in
Social engineering remains the most common way attackers gain their initial foothold, so end-users must be taught not only how to recognize social engineering and phishing threats, but also how to handle them, report them and help ensure their colleagues aren’t falling foul of them. Accordingly, security awareness training (SAT) is among the highest-value mitigations any organization can perform to significantly reduce cybersecurity risk. Yet many organizations find it difficult to know where to begin when creating such a program. What follows is a guide to the components that make up a SAT policy, the document that will act as the basis for a comprehensive program.

Decisions, Decisions

Creating an effective SAT program requires asking and answering a number of questions up front, and then making sure the written policy covers every component the answers call for.

First, think about the goal the organization is trying to meet with its SAT program. It could read something like: “To significantly reduce the organization’s cybersecurity risk due to participant actions and decisions when faced with social engineering threats, by using security awareness training and education. Participants should be able to better recognize cybersecurity risks, understand how to report risks and threats, and know where to go for help.”

Next, think about compliance requirements and try to map SAT program elements to the relevant compliance documents. Many security controls originate from computer security laws, regulations, recommendations or best-practice guides, and many of those documents explicitly require security awareness training. Tying the SAT program back to one or more of them will help in obtaining the necessary approvals and in justifying the ongoing expense of the program. Most organizations fall under at least one regulation that requires security awareness training, but every organization should implement a SAT program regardless. Where a regulation does apply, it cannot hurt to “map” (i.e., link) the policy to the specific control in that document.

Once the goals and compliance requirements are mapped out, get senior management sponsorship and approval. As with any security mitigation, senior management should be convinced of the need for the SAT program and be supportive of its implementation. This is vital because senior management must ultimately drive the organization’s security culture. A successful security awareness program enables other parts of the business to prosper, and it should be communicated that way. Additionally, senior management’s willingness to act as evangelist and lead advocate for the program will yield lasting benefits in adoption and engagement across the business.

Thought also needs to be given to where the program will sit within the business. While many SAT programs originate within IT or IT security departments, others are assigned to a centralized training department or Human Resources. Think about the resources, budget, support and responsibilities required for a successful program and which business unit those will sit most comfortably with. Wherever the program ends up, it must be given strong support, given its importance to the organization.

Once these initial decisions have been made, here are the other factors to address when writing the SAT program policy:

Consider the Scope

Along with the goal of the program, every policy should state the scope of what it applies to. This includes the types of participants and roles, locations, business units and even which languages the SAT program should or must cover. Will the SAT program extend to contractors, partners and other types of third parties? The most common scope is described as “All Participants,” but it is essential to consider requiring it of any entity that has access to your network or data. Attackers often target trusted third parties and vendors, leveraging a compromise there to reach other targets. Accordingly, a SAT policy scope might read, “All participants, vendors, contractors and third parties with access to our confidential data.”

Your policy should define all the technical terms it uses, such as phishing, spear phishing, smishing, vishing and URL. Each should be formally described in the policy document so that all readers share a common understanding. Never assume that everyone understands every term.

Internal vs External

A good SAT program is difficult for any organization to develop and run using only internal resources. But even if an external vendor is used, one or more internal participants will still manage the SAT program. It therefore needs to be decided whether the program is the responsibility of one or more fully dedicated participants, the part-time responsibility of one or more participants, or outsourced to a vendor that administers it on the organization’s behalf. A dedicated participant (or an outsourced vendor) who can concentrate on the SAT program is certainly better than a part-time resource, although the size and resources of the organization can be a constraint on having dedicated staff. Many smaller companies outsource their SAT programs, and many SAT vendors offer a managed program as an option.

Whether the organization chooses internal or external resources, dedicated or shared part-time staff, those administering the SAT program should understand the organization’s particular culture, needs and goals.

Training Specifics

The SAT program policy should cover the types of training, the types of training content, when training exercises are performed, how often, and how they are delivered. For example, a SAT policy should state whether training is conducted in person or remotely, and whether it uses live instruction, pre-recorded videos, printed and/or electronic posters and newsletters, formal presentations, informal “lunch-n-learns,” games or quizzes. It should also document whether simulated phishing is used as part of training or is out of scope. The frequency and timing of standard SAT training should be documented as well.

For example, is a longer computer security training session given when each participant is hired, followed by a shorter one monthly thereafter and a longer annual refresher? The position or person responsible for overseeing the security awareness training program should also be documented here, as should whether any of the training requires scored quizzes and/or pass/fail competency checks.

Expectations, Consequences and Rewards

Finally, the policy should set out what is expected of employees and what they can expect once they have completed the training. For example, it should state that participants are expected to complete all required training promptly, and it should set expectations for both training and responsiveness to simulated phishing tests. Employees may be told that they should actively report any interaction with a simulated or real phishing campaign to the Help Desk or IT Security, and that late reporting (even after the fact, before others discover it) will not result in penalties. Organizations want a culture in which reporting suspected phishing is always encouraged, even when it is late.

Consider communicating that if any employee types in their login credentials (even in a simulated phishing test), the employee will be asked to change their password immediately. This is based on the conservative assumption that an employee who entered their credentials into a simulated phishing page may have done the same on a real one. (The simulation itself should record only that credentials were submitted, never the password value.)

It is equally important that the consequences of taking, or avoiding, education and simulated phishing campaigns be documented in the policy. Positive reinforcement is preferred to relying only on negative consequences whenever possible, but every organization still needs to document what a participant can expect if they fail to take required training in a timely manner, fail educational quizzes or fail one or more simulated phishing tests. On the positive side, state for example that every successful report of a real or simulated phishing event will result in a positive notification to the participant, or that if an entire department completes its training satisfactorily, it could earn a lunch on the company.

By starting with a clear picture of what a security awareness training program policy should look like, organizations put themselves in the best position to create an effective program that is clearly understood by employees. Defining the goals and scope of the policy, setting expectations and securing buy-in from senior management puts organizations on the front foot in reducing social engineering and phishing threats to their businesses.

About the author: Roger A. Grimes is a Data-Driven Defense Evangelist at KnowBe4. He is a 30-year computer security professional, author of 12 books and over 1,000 national magazine articles. He often consults with the world’s largest and smallest companies and militaries, and he has seen what does and doesn’t work. Grimes was a weekly security columnist for InfoWorld and CSO magazines from 2005 to 2019. He regularly presents at national computer security conferences and has been interviewed by national magazines and radio shows, including Newsweek magazine and NPR’s All Things Considered. Roger is known for his often contrarian, fact-filled viewpoints.