Alfonso Barreiro offers some practical tips on how to cover security awareness with employees without boring them to tears or ignoring opportunities for meaningful engagement.
Most security information strategies (and even some regulations) include some form of mandatory security awareness training. Unfortunately, as fellow blogger Dominic Vogel recently pointed out, mandatory training programs are sometimes seen by employees as distractions easily dismissed or ignored, and you risk losing your best opportunity to change perceptions or attitudes. Here are some tips you can use to help craft an engaging security awareness training session.
Have clear objectives
When crafting a security awareness presentation or session, you need to be clear on what is it you want your audience to learn. A clear objective can help you design your presentation, and it will be a reminder of where your focus should be. Always define you objectives in terms of what the participants will learn or the attitudes you wish to instill or change. For example, you could begin with the phrase "Upon completion of this presentation/seminar/training session, the participants..." and then complete the next part with your objectives, such as:
- "... will be able to create a secure password."
- "... will be able to spot a suspicious e-mail."
- "... will know the risks of carelessly posting private information on social sites"
Depending on the objective, it could also be used as a way to measure the success of the program.
Provide information that can be related to both work and home
with the increased blurring of the lines between work and personal lives, security practices should not be restricted to just within your organization; most of those practices can benefit your users in other areas of their lives. Try to relate the objective of your training not only to the security needs of the organization, but to their personal security needs and how they might benefit personally from the training. This way, you can make a greater impression and hopefully create a new attitude that can transcend your organization and improve their security wherever they go.
Give actionable information
Your security awareness training should not only provide cold facts and numbers, but also concrete steps your audience can perform to increase their security posture. For instance, if you wish instill the use of password best practices, you could provide your audience with a couple of strategies on how to create a strong password or pass-phrase; provide examples of secure password managers they can use to store their passwords; what to do or where to call if they suspect their password has been compromised (both in the organization and at home).
The resources you promote must be available
It is very important that whatever resources you provide your audience are ready. For instance, if you promote a company website for security awareness, make sure the site is up and running and at the very least the information you provided during the training is published there and up to date. If your audience cannot find the resources you provided, or think of as obsolete, they may lose interest and engagement.
Follow up on questions
Be always open to questions during the session, not just at the end. If members of your audience ask questions, you can take it as a good sign that you've managed to get their attention or better yet, get them engaged. It is also quite possible that you may not be able to answer all their questions due to time constraints or because you need to research the answers to the questions they. No matter the reason, always make sure to follow up and be open to an ongoing dialog.
A security awareness training program that can engage the users and inform them of how to protect themselves and their information can be a very important tool in preventing security incidents. Don't let that opportunity pass up your organization.