Security awareness and training are typically covered under the single heading of Information Security Awareness Training. In fact, that's the approach I took in the previous two posts on this topic, covering how to change employee behavior at a high level. This high-level approach is appropriate for many organizations, especially those with tenuous management commitment and a meager budget. However, awareness and training, when part of a formal methodology for employee behavior modification, are actually two different activities.
In this post, we continue our look at institutionalizing secure behavior in our organizations with a process for preparing users for more focused training.
Awareness vs. Training
It's a big temptation to jump right to how-to and policy training when implementing an Information Security Awareness Training Program (ISATP). However, you need to prepare your target audience first. Each person in your organization must understand why security is important. They must also recognize management's commitment to information asset assurance. Finally, each employee should understand the impact, both personal and organizational, if security best practices (as defined in policies, standards and guidelines) are not followed.
Once you have their attention, you can ask them to accept requests to sit through security training sessions, sessions that drag them away from their normal job of actually running or supporting business operations. A more important effect of awareness might be employee willingness to listen and learn.
Raising employee awareness
Building employee awareness begins with the new hire orientation process. Make sure this is included in your ISATP. On their first day, employees should understand what is and is not considered safe behavior. This initial exposure to company expectations might consist of requiring each person to sit through a short awareness presentation, followed by their reading and signing the acceptable use and password management policies. Microsoft provides a great PowerPoint presentation for this purpose. It's short but covers all reasons why security is important.
I wrote in the last post about breaking training into three different content groups, based on whether the target audience was management, IT staff, or business users. This is fine for training, but the awareness message is the same for all employees, regardless of role. Organizations that are just now implementing an ISATP should follow up with existing employees to ensure the awareness message is consistently distributed throughout the entire workforce.
There are three principal methods of delivery for the security awareness message: Web-based, offline, and instructor-led. Web-based delivery is the best way for most distributed organizations to reach all employees. Multi-purpose tools, like Articulate, enable customized messages, delivered by PowerPoint and enhanced with audio. They also allow integration of quizzes and tracking of participation. Examples of security training created with Articulate are available at my Web site. Placing an awareness presentation on the company Intranet, with participation tracking enabled, is a good way to reach everyone. It's also a good way of demonstrating awareness efforts to auditors.
Offline awareness presentations are provided for those employees without high-speed access to the Intranet. However, special delivery packages are not usually needed if multi-purpose tools are used. For example, the training modules on my site are available for either online viewing or for download. I could also choose to distribute them via CD-ROM.
Instructor-led training is typically not necessary for initial awareness delivery. The content should be high-level, easy to understand, and applicable to every participant. It's usually appropriate to reserve classroom training for in-depth training of targeted audiences.
Regardless of the delivery method, it's important to validate that everyone participates. Leaving pockets of employees unaware of the importance of security and how their actions affect system assurance is like leaving one or more windows open on a locked house.
All efforts to enlighten employees must be evaluated. In a later post, I'll discuss a formal method for evaluating post-training behavior. Here we'll look at participant evaluation forms.
Identifying the right content for awareness presentations, for preparing users for more focused training, is not easy. The initial process for deciding what to include, and who should assist in the decision making, is covered in our previous planning discussion. But we don't always get it right the first time. In addition, our audience might see benefit in adding, subtracting, or expanding content. The delivery method might also need work.
Evaluation forms are an excellent way to get participant feedback, alerting us to ways to reach our awareness objectives more effectively. The National Institute of Standards and Technology (NIST) Special Publication 800-16, Information Technology Training Requirements: A Role- and Performance-based Model, contains a great sample student questionnaire (Exhibit 5-2, p. 165).
The final word
Jumping directly to often mind-numbing, glassy-eye-causing security training is not usually the best approach to changing employee behavior. Employees have to understand why protection of information assets is important, and why they should care. Awareness efforts, beginning with the first day of employment, and regularly reinforced, are the best way to get them interested in taking the next step.
Gathering post-presentation employee input, and actually using it to tailor the message to better fit the audience, is another great way to keep employees involved.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.