As a CISO I've been trying to implement an effective security awareness program to help educate my employees, but so far it's been ineffective. I'm really striving for a higher level of security awareness, which I hope will promote positive behaviors, so I'm strongly considering a third-party security awareness training firm. What are your recommendations on how to evaluate these providers?
The question everyone asks me after a security presentation is this -- "Which antivirus software should I use?" -- and my answer is always the same: "It doesn't matter, because it can't stop you from infecting your own machine." The cybercriminal is well aware of this fact and continues to send phishing emails hoping users will install malware. Some cybercriminals have even taken to calling the user on the phone and tricking them into installing their malware.
Antivirus protection is necessary, but it cannot prevent users from infecting their own computer, any more than a car can prevent its driver from piloting it into a brick wall. The normal operation of either device requires input from users, which creates just enough opportunity for the cybercriminal to influence their behavior.
The best defense against these types of attacks is an educated user who operates a computer with a healthy dose of suspicion. Yet this is where most information security programs fall short, as enterprises tend to focus on technical solutions like antivirus instead. One reason they do this is that it's far easier to change the technology than to change user behavior. The other reason is that the technologists who make up our field aren't always skillful at developing effective training programs that can effectively change that behavior. This is why third-party training programs can be so attractive.
There are a number of attributes that help make information security awareness training programs effective. Here are four of them:
User focus: Training programs need to focus on the material from the user's point of view. Some programs expound on the minutiae of a particular compliance rule without telling users how to change their day-to-day activities. Employees tend to do their work repetitively, with little change to their daily processes. Effective training programs will demonstrate ways to integrate secure behaviors into these daily processes.
Entertainment value: Training programs need to be engaging and entertaining to capture employees' attention. Advertising firms make comedic commercials for a reason. Training programs that focus only on the dry core material will be quickly forgotten. This is the No. 1 reason that most security training programs fail to be effective.
Multiple communications channels: The old adage says that if you want someone to remember something, you have to tell them three times. Training programs that use multiple forms of communication will have a higher success rate. Videos, classroom training and interactive websites are examples of ways to reinforce important training objectives. Creativity is key.
Behavioral test questions: Many training programs mandate that employees be tested when they complete the material. Unfortunately, the testing focuses on trivial questions that don't help the employees change their behavior. The year that GLBA was passed or how HIPAA is divided into safeguards and specifications are examples of facts that are useless to employees. Test questions should be based on a behavioral scenario such as this one: "What would you do if you got an email message with a link to reset your password?" Such questions will aid employee retention of the subject matter far longer than the rote memorization of arcane facts.
These four attributes can be used as vendor selection criteria. It may be helpful to include representatives from other departments in the selection process who have experience in marketing or human resources. They can offer opinions about potential vendors on the effectiveness of their communication style.
Security awareness training can have a dramatic impact on an enterprise – and sometimes that impact can be greater than that of traditional security investments in technology products. While third-party security awareness training can be extremely helpful, it needs to be thoroughly evaluated for effectiveness. Properly educated users who possess a healthy dose of suspicion -- that should be the goal of any security awareness program, as well as the information security industry as a whole.
Related Q&A from Joseph Granneman