What does a security awareness training program need to include?

An effective security awareness training program can make a significant difference in enterprises security. Expert Mike O. Villegas discusses what makes a good program.

Mike O. Villegas, K3DES LLC

A recent report from Ponemon Institute and Wombat Security Technologies found an alarming number of phishing attacks...

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

in enterprises. The report also found that after employees went through a security awareness training program, the number of phishing attacks significantly decreased. What types of information or advice would be effective in a security awareness training session? And what other threats besides phishing attacks should the training focus on?

Ignorance is not a control. As much as people may want to ignore security risks and vulnerabilities, they still exist. A security awareness training program is critical to ensure that employees at all skill levels understand basic security principles to minimize the risk of a breach, fraud or costly mistakes.

The report issued by the Ponemon Institute stated that employees going through a security awareness training program significantly reduces the number of security related incidents, such as phishing attacks.

An effective security awareness training program needs to be:

Informational: Stress the basics, like password controls, phishing emails, suspicious websites and downloads, privacy, physical security and more.
All-inclusive: All employees should go through and acknowledge in writing -- electronic or manual -- that they have undergone annual training and new employee orientation training on information security.
Relevant: Show the significance of not complying with security. Emphasize the risks to the organization, personal identity theft, disciplinary action and possible termination.
Fun: Use animated characters, puzzles, newsletters, contests for correct answers, free cybersecurity videos, cybersecurity posters and more.
Attention-getting: Send fake phishing emails to employees and post results. After being a victim once, they will be much more vigilant going forward.
Not overdone: Security awareness should be integrated in the business culture but with moderation. Schedule event weekly, monthly, quarterly and annual events but keep it light.

In addition to these qualities, ensure that management is familiar with and supportive of the security awareness training program. At least annually, have the CEO record a video or issue a communication for all employees where she stresses the importance of information security and the protection of critical information of its customers, stakeholders and employees. Lastly, make sure you have fun.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Discover how follow-on training can improve security awareness

Learn how user behavior analytics compares to security awareness training

Find out if a security pledge could replace awareness training programs

This was last published in June 2016

Dig Deeper on Security Awareness Training and Internal Threats-Information

Mike O. Villegas asks:

What do you think makes a security awareness program successful?

Join the Discussion

Related Q&A from Mike O. Villegas

What should be included in a social media security policy?

A social media security policy is necessary for most enterprises today. Expert Mike O. Villegas discusses what should be included in social media ... Continue Reading

What are the possible benefits of a cybersecurity training center?

A cybersecurity training center could help security professionals continue their education, but are the benefits worth the investment for enterprises... Continue Reading

Should a forced password reset be standard after a data breach?

Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this ... Continue Reading

SearchCloudSecurity

Privacy-preserving machine learning assuages infosec fears

Implementing privacy-preserving machine learning controls, such as federated learning and homomorphic encryption, can address top...

How Azure, AWS, Google handle data destruction in the cloud

Data destruction is a topic that has been poorly covered until recently. Regardless of which cloud service provider you use, this...

Multi-cloud security strategies rely on visibility, uniformity

More companies are instituting a multi-cloud strategy that creates unforeseen security challenges. In this tip, get answers to ...

SearchNetworking

How the cloud fractures application delivery infrastructure ops

Within a single IT organization, traditional network teams may clash with cloud teams over application delivery infrastructure ...

Why network configuration templates are useful in automation

If a network team automates network configuration templates, it can save time and eliminate redundant activities in order to ...

An automation-first approach enables network predictability

For an organization to prioritize network automation, it needs an automation-first approach. This strategy involves understanding...

SearchCIO

Return-to-office plans stress safety, security, collaboration

As offices reopen amid myriad safety measures in COVID-19's wake, companies work to maintain continuity and productivity with ...

6 cognitive automation use cases in the enterprise

Businesses are increasingly adopting cognitive automation as the next level in process automation. These six use cases show how ...

5 digital transformation strategies embracing the new normal

Here is a look at five digital transformation strategies companies should consider implementing now to overcome any setbacks ...

SearchEnterpriseDesktop

Citrix microapps look to ease office reopening

With new Workspace microapps, Citrix is looking to make it easier for offices to reopen. Company representatives said the tools ...

VMware Workspace One unifies reshaped digital workforces

As companies struggle to rebalance their on-site and remote digital workforces in the wake of COVID-19, Workspace One helps ...

Macs to run on Apple silicon, leaving Intel behind

Future Macs will not run on Intel processors but on Apple silicon chips. The change could present compatibility issues, although ...

SearchCloudComputing

Review the top sessions from recent cloud conferences

Build your own cloud conference from home. Watch sessions from the past year to learn about modern application architecture, ...

Test your cloud knowledge: VMs vs. containers vs. serverless

Take this quiz to help guide your choice between virtual machines, containers and serverless functions. Identify the uses, ...

Cloud lock-in fears aren't as prevalent as you might think

Enterprises are using multiple clouds, but not because they're afraid of lock-in. See why they're being smarter about cloud ...

ComputerWeekly.com

IR35 private sector reforms: Finance Bill vote denies further delays to April 2021 start date

Another push by MPs to get the start date for the IR35 private sector reforms delayed until a thorough impact assessment into the...

Locked-down teens flock to NCSC CyberFirst training scheme

A record number of 14 to 17-year-olds have signed up to the National Cyber Security Centre’s CyberFirst summer school

Police secrecy over ‘IMSI-catcher’ mass surveillance of mobile phones

Following a tribunal ruling, constabularies in England and Wales can refuse to confirm or deny whether they use mass surveillance...

Join the conversation

8 comments

Send me notifications when other members comment.

Oldest

[-]

Mike Villegas - 1 Jun 2016 5:00 AM

What do you think makes a security awareness program successful?

mcorum - 13 Jun 2016 8:20 AM

One training approach from martial arts says “train like you fight, fight like you train.” Along those lines, an effective security awareness program can only be successful if it trains employees like it expects them, to fight - by providing simulated situations that are representative of the real world. It’s also important to remember that the key to security awareness is awareness, so work on helping employees stay aware of security threats.

lattimm - 25 Aug 2016 6:03 PM

In order to obtain the maximum "buy"-in" from the trainees, the training course should also appeal to the "What's In It for Me" motivation and includes elements of enhancing the participants personal security posture.

Including information on home computer security and protecting personal information will help to make the user safer at home, consequently safer at work.

abuell - 1 Jun 2016 1:36 PM

I agree, all employees should be exposed to security awareness training. But ideally the training should also be tailored to employees who are going to be all over the place in terms of their technical knowledge. There should be follow up to ensure that the training is understood by all.

MikeOVillegas - 4 Jun 2016 2:50 PM

I agree. Specialized training in addition to just security awareness is essential. Example, customer service personnel should be trained on what they can or cannot say to a customer on the other end of the line regarding security and privacy. Developers should be trained on secure coding standards so they know how to develop secure code. Security administrators need to be trained on how to provision Users and groups with appropriate access. And the list continues. The point of the article is to emphasize everyone's need for some type of security awareness training. Experience has shown many times employees are exposed to security training during employee orientation and never hear about it again for years until audited or the company has experienced a breach. Thank you very much for your comment. That is the point well taken.

kb1000 - 12 Jun 2016 2:32 AM

One thing you should consider adding to the article is the security threats associated with BYOD. I don’t think most users understand the security risks that their personal devices add to the corporate network. This includes the obvious malware threats from attachments but could also Wi-Fi access to the corporate network.

mcorum - 13 Jun 2016 8:14 AM

It also needs to include or simulate real-life examples. Otherwise, you run the risk of the employees not making the link between the training they receive and their daily tasks. For example, we use a service that sends simulated phishing emails throughout the company which serve two purposes. First, it get’s the employees used to reporting suspected phishing emails. Second, if they click on the links in the email, it provides an opportunity to provide training and feedback in a realistic scenario without the risk.

TomPendergast - 5 Aug 2016 7:25 PM

Nice article, and I think you're right on with keeping it frequent, light, and engaging. I'm all for placing employees in safe situations that emulate the real world and let them practice good behaviors in a game-like environment.

How effective security training goes deeper than ‘awareness’

End-user security ignorance laid bare in new report

Hospitality industry at highest risk of phishing

IT pros stress importance of security awareness training

Please create a username to comment.