From theory to practice: Designing a successful security awareness training program
Cybersecurity is a team sport; everyone plays their part — from HR to finance to IT. That's why I've never liked the term "human error" or "humans are your weakest link."
Is it true? Probably. But if it is a team sport, much of the blame should fall on the coach. Someone needs to educate your employees and empower them with the knowledge and tools to be effective. And to be a good coach, you need a security awareness training plan that drives true employee change.
Strengthen security awareness with human risk management
Infosec HRM, powered by Right-Hand Cybersecurity, provides alert-based training nudges to minimize human risk at your organization.
We just asked our Infosec IQ clients about their security awareness programs, and ninety percent of them told us they've created a "strong cybersecurity culture" that has "made their organization more secure and cyber-resilient." At a larger scale, the Verizon DBIR also indicates progress (if three data points make a trend). In 2021, 85% of breaches involved the human element. In 2022, it was 82%. This year, it's down to 74%.
So, what goes into creating a security awareness program? And what are those security awareness best practices coaches should be building into their programs? Let's break it down into five key steps.
How to build a security awareness training program
1. Assessing your organization’s security culture
One of the key goals of a security awareness training program is to shift your cybersecurity culture. That's why we recommend doing a security culture survey as soon as possible. Metrics like phish rate and training completion are good KPIs, but a quick survey can help quantify employee perceptions across your organization — both before and after a cyber awareness plan is launched. You may be surprised how widely security threat awareness can differ across your organization, and this can help inform how you roll out your training plan.
You should also assess your current training efforts and what you hope to get from future programs. Think about what a successful program would be to you and your leadership team. Every organization is different. Those with sensitive medical data have different requirements and concerns than those who work in higher education or e-commerce. Different industries can be prone to different security threats, and all of that information should inform how you design a security awareness training plan that hits your organizational goals.
2. Crafting a tailored security awareness training program
Now that you’ve assessed the unique cybersecurity factors at your organization, you can create a security awareness training plan that fits the needs of all employees. Here are some things to keep in mind when creating your plan.
- Segmentation: Training isn't one size fits all. Just as every organization has different needs, each department likely does as well. The sales team's cyber threats will likely differ from those facing the C-suite. Build a cyber awareness plan that aligns with each employee's role requirements, duties and current level of security awareness.
- Learning design best practices: Training doesn't have to be boring. It should be short, engaging and ongoing. Studies show that once a year, hour-long trainings are not as effective as micro-learning done throughout the year. Use real-life scenarios that apply directly to each employee to make training memorable and relevant.
- Gamification: Use interactive training, whether the training modules themselves or the pieces around the awareness training. Competitions, leaderboards and small rewards can go a long way toward driving engagement.
- Language: Before you decide on training materials, consider what languages are used by members of your organization. Multi-national companies may be better served by materials offered in every language instead of selecting different materials in different languages.
Also, don't forget the basics. While parts of your security awareness program may cover different topics, there are a few awareness subjects in which all employees need to be trained. We call them the NIST Core Behaviors, which include topics like password security, phishing attacks, mobile security and social engineering.
See Infosec IQ in action
3. Overcoming common challenges
While you may have a clear path for your security awareness program, sometimes you’ll experience some pushback from others in your organization. Several causes exist, but starting with the shared goals (in step 1) is one of the most effective ways to gain buy-in for the initial roll-out. If higher-ups think your security awareness training plan takes too much time or money, use real data to make your case. For example, Infosec customers reported a 75% improvement in phishing report times after using the Infosec IQ security awareness platform. How would an improvement like that impact your security efforts?
If they don’t seem to value organization-wide cybersecurity efforts, explain how potential damage to the company’s reputation could cause ripple effects throughout the organization. For example, the IBM Cost of a Data Breach report quantifies 27 different cost factors that go into a data breach to help provide a full picture of the risk.
Lastly, be sure to explain your vision of the organization’s security culture and how your goals align with the larger business goals.
4. Effective implementation strategies
Now that you’ve crafted an approved security awareness training plan, you must work closely with your organization’s HR manager or director to implement it effectively. They can help ensure that your program becomes mandatory for all employees instead of just being a suggested activity. All stakeholders should also be thoroughly briefed on the program. Clearly articulate the program's goals, cadence and steps that will be taken throughout the year. This can help you ensure all program parts are consistent and clear.
We recommend monthly (or quarterly, if you must) training updates, regular communications on security awareness training best practices (Infosec provides posters, emails and other resources to help reinforce each month's training) and updates on new, prominent threats. You can also employ periodic simulated phishing attacks to keep your coworkers sharp.
Finding security champions across different departments is another effective strategy. Not everyone will immediately embrace another training program. These champions can help keep training front-of-mind and serve as a point person for cybersecurity questions. These champions can effectively turn your security awareness program from just training into something that provides a true culture shift.
5. Monitoring and evaluation
Tracking your key metrics (from step 1) is vital to determining the success of your program and deciding when to make updates or changes. Infosec offers proven, turnkey security awareness campaigns for those who want to get launched quickly, but everyone should set aside some time to regularly evaluate your program and ensure that it's helping you hit your security awareness goals.
Networking with other security awareness program administrators is another great way to level up your training program. Don't try to reinvent the wheel. Connect with others in the Infosec community, through webinars or via your CSM, and leverage their wins to add to your program.
See Infosec IQ in action
Want more security awareness training advice? Check out our free security awareness resources. Or speak to an expert directly.