Welcome to this short video on training and awareness.

Training and awareness are critical elements of a security culture – starting when the individual joins an organization and running throughout their career to ensure compliance with regulations and vigilance against changing threats.

This video will identify how organizations can raise security awareness and the different approaches they can take to deliver security-related training.

The aim of an information assurance training programme is to reduce the likelihood of assurance-related incidents occurring in an organization. Appropriate and targeted training for different groups helps individuals understand their responsibilities know how the organization’s information assets can be put at risk through mishandling and understand the actions they can take to avoid incidents occurring.

If they understand the risks they’re exposed to, users are more likely to remember what to do in a situation that could potentially lead to a data breach or security incident. We all know not to leave our phone or handbag on the front seat of the car, and we would never go out for the day and leave the windows and doors of our house open. Information assurance training needs to embed similar behaviours.

Training includes formal security awareness events, which can be augmented by communication campaigns to reinforcing messages through emails, leaflets, newsletters and briefings. For example, a security awareness course might warn computer administrators of the danger of people tailgating into the computer room. This can be augmented with posters and further reinforced in the monthly information assurance newsletter.

Users can also be required to read a guidance notes when they log into a system and confirm that they’ve read and understood the information before they can progress any further.

Every individual in an organization requires training, regardless of how senior they are. However, the training does need to be tailored to the needs of each group in the organization:

·        There’s a general level of security awareness that everyone needs, including an understanding of the security policies and the principles of acceptable use

·        There will also be threats that senior managers are exclusively subject to, and

·        Some of the threats the IT department could face are very specific and of a more technical nature

To ensure security training is relevant to each group of users, the following questions should be answered during the design phase:

·        What’s the purpose of the training?

·        What does the training need to cover?

·        Who are the learners?

·        Which training methods are available and appropriate?

Staff training doesn’t necessarily require a formal classroom event which is often expensive to run and difficult for staff to attend. Modularised online training or e-learning can be a quick and effective way to share knowledge and illustrate best practice. The more interactive the better, so individuals can engage with the learning and think about what they’re doing. Quizzes and assessments can be included to check progress and prove competence.

General awareness information can also be distributed by security guards at the building entrance, or electronically via email or login scripts. And some organizations put up posters to warn of relevant issues like tailgating and social engineering threats.

Measurement of training is important to illustrate that it’s been completed, and individuals have reached the desired competency level. Assessments or quizzes are useful ways to prove competence and scores can be retained in a learning management system. Individuals who repeatedly fail an assessment can be identified for remedial action.

Be careful with the pass mark on assessments. 100% is generally too high and can demotivate learners – it should be a more realistic level with guidance provided for questions answered incorrectly.

There’s a vast amount of publicly available security awareness information. Organizations such as CPNI and NIST provide useful information assurance resources relating to areas like cyber, personal and physical security. They also publish posters and educational films that can be used within an organization.

When sourcing information, vendor-neutral websites are less likely to be biased towards a product or service, and likely to be up to date. They’re also often free to use.

The budget for awareness training should be agreed with senior management before the training is designed. Depending on the approach to the training, costs could include:

·        Any hardware or software required to deliver it

·        Printing costs

·        Courseware costs

·        Training administrative costs, and

·        The time required for staff to complete the training

If the training is being outsourced to an external training provider, checks should confirm they can meet the required quality requirements.

Training will help to develop positive behaviour, but it shouldn’t be the only approach. Organizations that actively encourage staff to report security issues on the understanding that reported breaches or incidents are seen as positive progress, will develop a security culture in a shorter period of time.

Spot-checks by security guards or information assurance staff to check if individuals remember key messages can also be helpful.

An improvement plan can be created when the security awareness training is being evaluated to take advantage of ideas raised during the training and feed these into the overall security management process.

That’s the end of this video on training and awareness.