Agent Smith 4
Procedural and people security controls
Training and awareness
A crucial part of fostering a positive and effective security culture is creating a training suite that’s informative, engaging, and tailored to the target audience.
It might seem simple, but there’s a lot that goes into creating a solution that delivers success, so let’s spend some time looking through some hints, tips, and best practices now.
Who needs security training?
Anyone with access to the enterprise’s information systems should receive some form of information security education and training. The level of training needed can vary with their role, but it should ensure that they can carry out essential assurance procedures. It should also give the recipient an understanding of the correct use of their information systems. It should always make the individual aware of the acceptable use policy, no matter who they are.
Security training should:
- Help individuals to understand their assurance responsibilities
- Explain how the organisation's information assets can be put at risk and how this can be avoided
- Be tailored to the role of the recipients
So, how do you make sure you get your training right? Let’s move on to look at some different approaches.
A great way to get people on board with security measures is by using case studies: realistic stories that seem as though they could happen to anyone. Security incidents that have occurred previously within the organisation, or within other similar organisations, are the perfect place to start.
Audio-visual training provides input via two senses, improving and reinforcing learning. PowerPoint and audio training provide positive reinforcement.
Security awareness and training should be seen as a mandatory, continuous process rather than a once-only exercise. Its overall objective is to reduce information assurance risk by developing a positive security culture. This happens when individuals and the organisation understand and respect what’s required from them as a whole.
There are two broad approaches to improving levels of knowledge:
- Through specific information security training - Instruction should be focused and address specific issues. Its primary aim is to give the user a certain level of competence in a given area.
- Through raising awareness of information security - Awareness is more general and aims to create a change in user behaviour and to influence the perception of risk.
Here are some best practice tips to take forward with you if you’re ever implementing training within your own organisation:
- Use a tone of voice appropriate for your target audience
- Use simple and concise language, avoiding jargon wherever possible
- Use a mixture of audio and visual training assets like video, animation, or podcast style interviews to reinforce learning
- Keep learning blended by using a mixture of active and passive experiences – i.e., not just reading and watching, but taking part and answering too
Before moving on to the next Learning Path, which will look at Technical security controls, our experts Mark and David will be discussing acceptable use policy, practice, and restriction in computer technologies.
Procedural and people security is a key part of Information Assurance. Threats are not only external; they may also originate with or involve staff/ex-staff members. Therefore, it’s essential that all staff follow correct policies and procedures so they foster an appropriate security culture.