In previous posts, we made a business case for raising employee security awareness and for a training program that teaches employees how to protect themselves and the business. We explored the relationship between awareness and training, and learned how to define outcomes for an Information Security Awareness Training Program (ISATP). In this final post in the security awareness series, we'll walk through lesson plan creation as well as roll-out and continuous reinforcement activities. Finally, we'll examine approaches to assessment: verifying that the expected outcomes were achieved.
Creating lesson plans
Lesson plans are tools for achieving desired awareness and training outcomes. They help ensure the right material is provided to the target audience, even if the delivery method is not instructor-led. Before sitting down to write a plan, you need to understand the parameters surrounding the training session, including:
- Amount of time available for the session. Managers are not usually willing to lose key personnel for several hours at a time. In addition, all of us have a tendency to go "glassy-eyed" if a large amount of information is thrown at us all at once, so it's better to break your material into smaller lessons of about one hour each. The lesson plan for each session must take this time constraint into account.
- List of required materials. In addition to providing handouts which provide quick reference to material covered in training, consider exercises that reinforce the message you're delivering. Exercises may require materials not usually found in your training room.
- List of objectives. Every training session must have as its goal a set of outcomes taken from the training needs assessments conducted earlier in the ISATP process. Keep the list small. It's better to build awareness and skill sets incrementally. The content of the lesson plan should be focused on achieving these outcomes.
- Evaluation. As we saw in previous posts, student evaluations are an important part of ensuring we are presenting the right message in an effective manner.
If you've never written a lesson plan, or if you'd like to brush up on your skills, The Educator's Reference Desk has a great how-to guide with examples. Specific examples of security lesson plans, targeting functional roles within an organization, are found in NIST SP 800-1.
While employees attend awareness and training sessions, consider a security awareness campaign. A campaign helps build and maintain enthusiasm for working safely. Remember, the ultimate objective of an ISATP is to change employee behavior. Supporting skills enhancement with continuous awareness reinforcement is a great way to make this happen.
Campaign content should support the lesson plan objectives. Activities should be memorable, and fun. Use your imagination. In addition to activities, use posters, table tents, and other material to keep employee attention on security. Microsoft provides free templates in its Security Awareness Program Material. The American Bankers Association site contains excellent resources and links to additional free awareness and training materials, including resources that continue to reinforce key messages.
Continuous awareness materials
After the initial campaign, the message can't disappear. Continuous efforts must be made to maintain an acceptable level of employee focus on safeguarding information assets. Materials for this ongoing effort are often an extension of those used during the campaign, delivered via one or more of the following methods:
- New hire training
- Annual refresher/update sessions
- Monthly or quarterly email alerts/messages
Measuring outcomes is an important aspect of any project, and an ISATP is no different. If the training objectives were properly defined in the earlier stages of this process, they should be measurable. Examples of areas that often provide useful information about improvements in security-related behavior include:
- Changes in incident frequency. Tracking security incidents should already be part of your everyday activities. For example, use that information to determine whether the frequency of events caused by human error is decreasing.
- Audit improvements. The results of key control testing by internal audit or by the security team can be a great way to determine whether things are getting better. This is one of the best ways to measure whether technical staff is applying what they learned to system configuration and change control.
- Management questionnaires. An effective way to ensure you meet management expectations is to ask. These don't have to be lengthy documents; they should simply ask whether the manager believes the intended outcomes have been met, and if not, why not. Negative responses provide valuable gap remediation information.
The final word
Information Security Awareness Training Programs are an essential part of an effective security program. Helping management understand that unwanted employee behavior can account for up to 80 percent of security incidents is a good start to making a business case.
Before designing training materials, assess your audience and determine outcomes. Include managers and non-managers. This information determines whom to train, the training delivery methods, and the lesson plan content.
Training must be reinforced with continuous awareness methods. The train-and-forget approach leads to diminishing effectiveness over time.
Finally, be sure to measure results. Like all ongoing processes, metrics help you understand weaknesses in the ISATP. Incremental improvements as metrics are collected and assessed are a great way to reach and maintain acceptable employee attention to information asset security.
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.