
Are third-party security awareness training programs effective?

Security awareness training can be effective, but how should enterprises select the right third-party program? Expert Joe Granneman offers some advice.

As a CISO I've been trying to implement an effective security awareness program to help educate my employees, but so far it's been ineffective. I'm really striving for a higher level of security awareness, which I hope will promote positive behaviors, so I'm strongly considering a third-party security awareness training firm. What are your recommendations on how to evaluate these providers?

The question everyone asks me after a security presentation is this -- "Which antivirus software should I use?" -- and my answer is always the same: "It doesn't matter, because it can't stop you from infecting your own machine." The cybercriminal is well aware of this fact and continues to send phishing emails hoping users will install malware. Some cybercriminals have even taken to calling the user on the phone and tricking them into installing their malware.

Antivirus protection is necessary, but it cannot prevent users from infecting their own computer, any more than a car can prevent its driver from piloting it into a brick wall. The normal operation of either device requires input from users, which creates just enough opportunity for the cybercriminal to influence their behavior.

The best defense against these types of attacks is an educated user who operates a computer with a healthy dose of suspicion. Yet this is where most information security programs fall short, as enterprises tend to focus on technical solutions like antivirus instead. One reason they do this is that it's far easier to change the technology than to change user behavior. The other reason is that the technologists who make up our field aren't always skilled at developing training programs that actually change that behavior. This is why third-party training programs can be so attractive.

There are a number of attributes that help make information security awareness training programs effective. Here are four of them:

User focus: Training programs need to focus on the material from the user's point of view. Some programs expound on the minutiae of a particular compliance rule without telling users how to change their day-to-day activities. Employees tend to do their work repetitively, with little change to their daily processes. Effective training programs will demonstrate ways to integrate secure behaviors into these daily processes.

Entertainment value: Training programs need to be engaging and entertaining to capture employees' attention. Advertising firms make comedic commercials for a reason. Training programs that focus only on the dry core material will be quickly forgotten. This is the No. 1 reason that most security training programs fail to be effective.

Multiple communications channels: The old adage says that if you want someone to remember something, you have to tell them three times. Training programs that use multiple forms of communication will have a higher success rate. Videos, classroom training and interactive websites are examples of ways to reinforce important training objectives. Creativity is key.

Behavioral test questions: Many training programs mandate that employees be tested when they complete the material. Unfortunately, the testing focuses on trivial questions that don't help the employees change their behavior. The year that GLBA was passed or how HIPAA was divided into safeguards and specifications are examples of facts that are useless to employees. Test questions should be based on a behavioral scenario such as this one: "What would you do if you get an email message with a link to reset your password?" Such questions will aid employee retention of the subject matter far longer than the rote memorization of arcane facts.

These four attributes can be used as vendor selection criteria. It may be helpful to include representatives from other departments in the selection process who have experience in marketing or human resources. They can offer opinions about potential vendors on the effectiveness of their communication style.

Security awareness training can have a dramatic impact on an enterprise -- and sometimes that impact can be greater than that of traditional security investments in technology products. While third-party security awareness training can be extremely helpful, it needs to be thoroughly evaluated for effectiveness. Properly educated users who possess a healthy dose of suspicion -- that should be the goal of any security awareness program, as well as the information security industry as a whole.

3 comments
Been watching these trainings for 20+ years and they are always the same - rotate your passwords, use a strong password, don't share it with anybody, don't talk to strangers, don't click on that email attachment, etc. Security is a weakest-link business, and the training makes the weakest links fall asleep halfway through.
I love the focus on tangible tips for everyday use and tailoring those to the needs of the particular people in the training program. Making changes in behavior is difficult, so a variety of approaches to improve recall of these day-to-day modifications does sound promising. I think even more important than an entertaining, creative approach is including interaction with the material. Maybe something closer to home like scenarios that might come up in their real work lives could help? I also wonder how those who hire the vendors measure the effectiveness of the training.
If people actually implement and use the details being provided, I think that's a great first step. I'm not entirely convinced enough people actually are. Laziness is often the biggest reason, mixed with having to do it for multiple sites. I've opted to use a password management application and I run through it frequently. It's great for making sure I don't have to mentally keep track of dozens of passwords.