What does a security awareness training program need to include?

An effective security awareness training program can make a significant difference in enterprises security. Expert Mike O. Villegas discusses what makes a good program.

Mike O. Villegas

K3DES LLC
Published: 01 Jun 2016

A recent report from Ponemon Institute and Wombat Security Technologies found an alarming number of phishing attacks...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

in enterprises. The report also found that after employees went through a security awareness training program, the number of phishing attacks significantly decreased. What types of information or advice would be effective in a security awareness training session? And what other threats besides phishing attacks should the training focus on?

Ignorance is not a control. As much as people may want to ignore security risks and vulnerabilities, they still exist. A security awareness training program is critical to ensure that employees at all skill levels understand basic security principles to minimize the risk of a breach, fraud or costly mistakes.

The report issued by the Ponemon Institute stated that employees going through a security awareness training program significantly reduces the number of security related incidents, such as phishing attacks.

An effective security awareness training program needs to be:

Informational: Stress the basics, like password controls, phishing emails, suspicious websites and downloads, privacy, physical security and more.
All-inclusive: All employees should go through and acknowledge in writing -- electronic or manual -- that they have undergone annual training and new employee orientation training on information security.
Relevant: Show the significance of not complying with security. Emphasize the risks to the organization, personal identity theft, disciplinary action and possible termination.
Fun: Use animated characters, puzzles, newsletters, contests for correct answers, free cybersecurity videos, cybersecurity posters and more.
Attention-getting: Send fake phishing emails to employees and post results. After being a victim once, they will be much more vigilant going forward.
Not overdone: Security awareness should be integrated in the business culture but with moderation. Schedule event weekly, monthly, quarterly and annual events but keep it light.

In addition to these qualities, ensure that management is familiar with and supportive of the security awareness training program. At least annually, have the CEO record a video or issue a communication for all employees where she stresses the importance of information security and the protection of critical information of its customers, stakeholders and employees. Lastly, make sure you have fun.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Discover how follow-on training can improve security awareness

Learn how user behavior analytics compares to security awareness training

Find out if a security pledge could replace awareness training programs

Dig Deeper on Security Awareness Training and Internal Threats-Information

All
News
Get Started
Evaluate
Manage
Problem Solve

Mike O. Villegas asks:

What do you think makes a security awareness program successful?

Join the Discussion

Related Q&A from Mike O. Villegas

What should be included in a social media security policy?

A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading

What are the possible benefits of a cybersecurity training center?

A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading

Should a forced password reset be standard after a data breach?

Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

How to conduct proper AWS vulnerability scanning in 3 steps

Cloud vulnerability management can be complicated. Learn how to perform AWS vulnerability scans under the shared responsibility ...

Research shows cloud security vulnerabilities grow

Recent research shows the number of cloud security incidents are growing. Here are the biggest contributors to the complicated ...

4 necessary steps to evaluate public cloud security

The Capital One hack raised questions about public cloud security. Take these four steps to ensure your data is protected.

SearchNetworking

What is data center networking, and how can you get started?

This feature explores the basics of data center networks, such as how to plan for data center consolidation, the effects of cloud...

Gartner Hype Cycle deems software-defined networking obsolete

A Gartner report on enterprise networking has declared the definition of SDN and its architectural approach as deceased. Cause of...

The top 5 capabilities your edge infrastructure should have

The network edge plays a vital role in the future of networking and digital transformation. Make sure your infrastructure has ...

SearchCIO

How to deal with the lack of chatbot standards

A lack of standards around chatbot development has created a situation in which enterprises are building and rebuilding bots. But...

RPA journey: Schneider Electric's global plan taps Blue Prism, UiPath

Schneider Electric, a multinational energy management company, has embarked on a robotic process automation journey, establishing...

Blurring the lines between RPA platforms and APIs

RPA is quickly making itself known in the automation market, but the real game changer is utilizing the technology in an API-rich...

SearchEnterpriseDesktop

Windows 10 19H2 update brings few changes, more confusion

Windows 10 updates have plagued IT since the inception of the OS. Microsoft may be attempting to assuage IT's concerns with the ...

New Windows vulnerabilities reveal there is no rest for weary IT

The two latest Windows security vulnerabilities reiterate the importance for IT admins to stay diligent when updating and ...

7 questions to ensure UEM supports a Windows 10 migration

The right UEM platform will go a long way in streamlining a Windows 10 migration. Ask these questions to ensure your ...

SearchCloudComputing

VMware-Pivotal deal confirmed at $2.7 billion – what's next?

VMware will plunk down $2.7 billion for Pivotal in a deal that has hallmarks of a family reunion, but could help drive a broader ...

Use modern cloud security best practices

Enterprises still worry about the security of cloud and if migrating will put data at risk. Explore modern methods, technologies ...

VMware acquisition of Intrinsic denotes bigger strategic plan

VMware has acquired Intrinsic, a maker of virtualization technology that secures Node.js applications on serverless environments ...

ComputerWeekly.com

IR35 reforms: HMRC defends off-payroll rules guidance against "woeful" IPSE jibes

HMRC promises there are more preparatory materials in the pipeline to help the private sector prepare for the April 2020 IR35 ...

Three more identity providers to withdraw from troubled Gov.uk Verify programme

Three of the five companies supporting the government's troubled digital identity scheme are pulling out, raising further ...

How to bolster IAM strategies using automation

Identity and access management processes and technologies play an important role in security strategies, but organisations and IT...

Join the conversation

8 comments

Send me notifications when other members comment.

Oldest

[-]

Mike Villegas - 1 Jun 2016 5:00 AM

What do you think makes a security awareness program successful?

mcorum - 13 Jun 2016 8:20 AM

One training approach from martial arts says “train like you fight, fight like you train.” Along those lines, an effective security awareness program can only be successful if it trains employees like it expects them, to fight - by providing simulated situations that are representative of the real world. It’s also important to remember that the key to security awareness is awareness, so work on helping employees stay aware of security threats.

lattimm - 25 Aug 2016 6:03 PM

In order to obtain the maximum "buy"-in" from the trainees, the training course should also appeal to the "What's In It for Me" motivation and includes elements of enhancing the participants personal security posture.

Including information on home computer security and protecting personal information will help to make the user safer at home, consequently safer at work.

abuell - 1 Jun 2016 1:36 PM

I agree, all employees should be exposed to security awareness training. But ideally the training should also be tailored to employees who are going to be all over the place in terms of their technical knowledge. There should be follow up to ensure that the training is understood by all.

MikeOVillegas - 4 Jun 2016 2:50 PM

I agree. Specialized training in addition to just security awareness is essential. Example, customer service personnel should be trained on what they can or cannot say to a customer on the other end of the line regarding security and privacy. Developers should be trained on secure coding standards so they know how to develop secure code. Security administrators need to be trained on how to provision Users and groups with appropriate access. And the list continues. The point of the article is to emphasize everyone's need for some type of security awareness training. Experience has shown many times employees are exposed to security training during employee orientation and never hear about it again for years until audited or the company has experienced a breach. Thank you very much for your comment. That is the point well taken.

kb1000 - 12 Jun 2016 2:32 AM

One thing you should consider adding to the article is the security threats associated with BYOD. I don’t think most users understand the security risks that their personal devices add to the corporate network. This includes the obvious malware threats from attachments but could also Wi-Fi access to the corporate network.

mcorum - 13 Jun 2016 8:14 AM

It also needs to include or simulate real-life examples. Otherwise, you run the risk of the employees not making the link between the training they receive and their daily tasks. For example, we use a service that sends simulated phishing emails throughout the company which serve two purposes. First, it get’s the employees used to reporting suspected phishing emails. Second, if they click on the links in the email, it provides an opportunity to provide training and feedback in a realistic scenario without the risk.

TomPendergast - 5 Aug 2016 7:25 PM

Nice article, and I think you're right on with keeping it frequent, light, and engaging. I'm all for placing employees in safe situations that emulate the real world and let them practice good behaviors in a game-like environment.

Next Steps

Dig Deeper on Security Awareness Training and Internal Threats-Information

Related Q&A from Mike O. Villegas

Have a question for an expert?

Join the conversation

8 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.