What does a security awareness training program need to include?

An effective security awareness training program can make a significant difference in enterprises security. Expert Mike O. Villegas discusses what makes a good program.

Mike O. Villegas, K3DES LLC

A recent report from Ponemon Institute and Wombat Security Technologies found an alarming number of phishing attacks...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

in enterprises. The report also found that after employees went through a security awareness training program, the number of phishing attacks significantly decreased. What types of information or advice would be effective in a security awareness training session? And what other threats besides phishing attacks should the training focus on?

Ignorance is not a control. As much as people may want to ignore security risks and vulnerabilities, they still exist. A security awareness training program is critical to ensure that employees at all skill levels understand basic security principles to minimize the risk of a breach, fraud or costly mistakes.

The report issued by the Ponemon Institute stated that employees going through a security awareness training program significantly reduces the number of security related incidents, such as phishing attacks.

An effective security awareness training program needs to be:

Informational: Stress the basics, like password controls, phishing emails, suspicious websites and downloads, privacy, physical security and more.
All-inclusive: All employees should go through and acknowledge in writing -- electronic or manual -- that they have undergone annual training and new employee orientation training on information security.
Relevant: Show the significance of not complying with security. Emphasize the risks to the organization, personal identity theft, disciplinary action and possible termination.
Fun: Use animated characters, puzzles, newsletters, contests for correct answers, free cybersecurity videos, cybersecurity posters and more.
Attention-getting: Send fake phishing emails to employees and post results. After being a victim once, they will be much more vigilant going forward.
Not overdone: Security awareness should be integrated in the business culture but with moderation. Schedule event weekly, monthly, quarterly and annual events but keep it light.

In addition to these qualities, ensure that management is familiar with and supportive of the security awareness training program. At least annually, have the CEO record a video or issue a communication for all employees where she stresses the importance of information security and the protection of critical information of its customers, stakeholders and employees. Lastly, make sure you have fun.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Discover how follow-on training can improve security awareness

Learn how user behavior analytics compares to security awareness training

Find out if a security pledge could replace awareness training programs

This was last published in June 2016

Dig Deeper on Security Awareness Training and Internal Threats-Information

Mike O. Villegas asks:

What do you think makes a security awareness program successful?

Join the Discussion

Related Q&A from Mike O. Villegas

What should be included in a social media security policy?

A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading

What are the possible benefits of a cybersecurity training center?

A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading

Should a forced password reset be standard after a data breach?

Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

Lyft's open source asset tracking tool simplifies security

Security teams need information and context about data in order to keep it safe. Learn how Cartography, Lyft's open source asset ...

Understanding the CSA Cloud Controls Matrix and CSA CAIQ

Uncover how the CSA Cloud Controls Matrix and CSA CAIQ can be used to assess cloud providers' controls and risk models, ensure ...

5 steps to a secure cloud control plane

A locked-down cloud control plane is integral to maintaining cloud security, especially in multi-cloud environments. Here are ...

SearchNetworking

SD-WAN explained: The ultimate guide to SD-WAN architecture

Evaluating SD-WAN architecture can be confusing, especially as the market grows. This guide helps IT pros learn SD-WAN basics, ...

VMware acquisition of Nyansa combines LAN, WAN analytics

The VMware acquisition of Nyansa is expected to provide network traffic analytics that cover the SD-WAN and the wired and ...

The 5 steps to a successful MPLS-to-SD-WAN migration

A solid migration plan is necessary in order to successfully transfer MPLS to SD-WAN and avoid contract mishaps, unexpected costs...

SearchCIO

Preparing for the new forms of cybersecurity threats in 2020

In the first part of a series on the new forms of cyberthreats in 2020, we're diving into the many infiltration points being ...

What is the state of CIO tenure today?

CIO tenure remains significantly lower than other C-suite positions, and according to experts, it's a result of the age of ...

The evolution of RPA, from macros to process transformation

RPA evolved from technology debuted in the 1950s and '60s and was developed to today's standards by the industry's leading ...

SearchEnterpriseDesktop

New Ivanti CEO plans to stay close to the customer

New Ivanti CEO Jim Schaper is no stranger to the C-suite of an IT company. And he's got a plan to push the company forward.

With support for Windows 7 ending, a look back at the OS

With support for Windows 7 ending and Microsoft ushering in the end of life for the OS, tech experts and IT pros look back at its...

Image-level methods for Windows application deployment

Imaging is a crucial process, but IT must also consider application deployment. Here are methods to deploy different types of ...

SearchCloudComputing

Reduce cloud latency for remote employees and offices

Latency remains an issue for cloud users with remote facilities. See how SD-WAN and satellites can improve network performance ...

AWS multi-account management best practices with Control Tower

With the help of AWS Control Tower, organizations who own and operate multiple cloud accounts can manage them all under one roof ...

Beat vendor lock-in with a cloud exit strategy

Without a comprehensive cloud exit strategy, an organization might fall victim to vendor lock-in and find itself dependent on ...

ComputerWeekly.com

Canonical offers scalable mobile Android apps in the cloud

New Android technology allows enterprise users to offload compute, storage and energy-intensive applications from devices to the ...

Air New Zealand taps AI in airside operations

Air New Zealand has teamed up with Auckland Airport to test the use of computer vision to turn around its fleet faster

Data Literacy Project research finds UK workers putting off data work

Research from Qlik and Accenture finds a big majority of UK workers lack the data literacy skills and confidence to capture ...

Join the conversation

8 comments

Send me notifications when other members comment.

Oldest

[-]

Mike Villegas - 1 Jun 2016 5:00 AM

What do you think makes a security awareness program successful?

mcorum - 13 Jun 2016 8:20 AM

One training approach from martial arts says “train like you fight, fight like you train.” Along those lines, an effective security awareness program can only be successful if it trains employees like it expects them, to fight - by providing simulated situations that are representative of the real world. It’s also important to remember that the key to security awareness is awareness, so work on helping employees stay aware of security threats.

lattimm - 25 Aug 2016 6:03 PM

In order to obtain the maximum "buy"-in" from the trainees, the training course should also appeal to the "What's In It for Me" motivation and includes elements of enhancing the participants personal security posture.

Including information on home computer security and protecting personal information will help to make the user safer at home, consequently safer at work.

abuell - 1 Jun 2016 1:36 PM

I agree, all employees should be exposed to security awareness training. But ideally the training should also be tailored to employees who are going to be all over the place in terms of their technical knowledge. There should be follow up to ensure that the training is understood by all.

MikeOVillegas - 4 Jun 2016 2:50 PM

I agree. Specialized training in addition to just security awareness is essential. Example, customer service personnel should be trained on what they can or cannot say to a customer on the other end of the line regarding security and privacy. Developers should be trained on secure coding standards so they know how to develop secure code. Security administrators need to be trained on how to provision Users and groups with appropriate access. And the list continues. The point of the article is to emphasize everyone's need for some type of security awareness training. Experience has shown many times employees are exposed to security training during employee orientation and never hear about it again for years until audited or the company has experienced a breach. Thank you very much for your comment. That is the point well taken.

kb1000 - 12 Jun 2016 2:32 AM

One thing you should consider adding to the article is the security threats associated with BYOD. I don’t think most users understand the security risks that their personal devices add to the corporate network. This includes the obvious malware threats from attachments but could also Wi-Fi access to the corporate network.

mcorum - 13 Jun 2016 8:14 AM

It also needs to include or simulate real-life examples. Otherwise, you run the risk of the employees not making the link between the training they receive and their daily tasks. For example, we use a service that sends simulated phishing emails throughout the company which serve two purposes. First, it get’s the employees used to reporting suspected phishing emails. Second, if they click on the links in the email, it provides an opportunity to provide training and feedback in a realistic scenario without the risk.

TomPendergast - 5 Aug 2016 7:25 PM

Nice article, and I think you're right on with keeping it frequent, light, and engaging. I'm all for placing employees in safe situations that emulate the real world and let them practice good behaviors in a game-like environment.

Hospitality industry at highest risk of phishing

IT pros stress importance of security awareness training

What are the most important security awareness training topics?

Missouri hospital sued over medical records breach

Please create a username to comment.