Get started Bring yourself up to speed with our introductory content.

What does a security awareness training program need to include?

An effective security awareness training program can make a significant difference in enterprises security. Expert Mike O. Villegas discusses what makes a good program.

A recent report from Ponemon Institute and Wombat Security Technologies found an alarming number of phishing attacks...

in enterprises. The report also found that after employees went through a security awareness training program, the number of phishing attacks significantly decreased. What types of information or advice would be effective in a security awareness training session? And what other threats besides phishing attacks should the training focus on?

Ignorance is not a control. As much as people may want to ignore security risks and vulnerabilities, they still exist. A security awareness training program is critical to ensure that employees at all skill levels understand basic security principles to minimize the risk of a breach, fraud or costly mistakes.

The report issued by the Ponemon Institute stated that employees going through a security awareness training program significantly reduces the number of security related incidents, such as phishing attacks.

An effective security awareness training program needs to be:

  • Informational: Stress the basics, like password controls, phishing emails, suspicious websites and downloads, privacy, physical security and more.
  • All-inclusive: All employees should go through and acknowledge in writing -- electronic or manual -- that they have undergone annual training and new employee orientation training on information security.
  • Relevant: Show the significance of not complying with security. Emphasize the risks to the organization, personal identity theft, disciplinary action and possible termination.
  • Fun: Use animated characters, puzzles, newsletters, contests for correct answers, free cybersecurity videos, cybersecurity posters and more.
  • Attention-getting: Send fake phishing emails to employees and post results. After being a victim once, they will be much more vigilant going forward.
  • Not overdone: Security awareness should be integrated in the business culture but with moderation. Schedule event weekly, monthly, quarterly and annual events but keep it light.

In addition to these qualities, ensure that management is familiar with and supportive of the security awareness training program. At least annually, have the CEO record a video or issue a communication for all employees where she stresses the importance of information security and the protection of critical information of its customers, stakeholders and employees. Lastly, make sure you have fun.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Discover how follow-on training can improve security awareness

Learn how user behavior analytics compares to security awareness training

Find out if a security pledge could replace awareness training programs

This was last published in June 2016

Dig Deeper on Security Awareness Training and Internal Threats-Information

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What do you think makes a security awareness program successful?
One training approach from martial arts says “train like you fight, fight like you train.” Along those lines, an effective security awareness program can only be successful if it trains employees like it expects them, to fight - by providing simulated situations that are representative of the real world. It’s also important to remember that the key to security awareness is awareness, so work on helping employees stay aware of security threats.

In order to obtain the maximum "buy"-in" from the trainees, the training course should also appeal to the "What's In It for Me" motivation and includes elements of enhancing the participants personal security posture.

Including information on home computer security and protecting personal information will help to make the user safer at home, consequently safer at work.

I agree, all employees should be exposed to security awareness training. But ideally the training should also be tailored to employees who are going to be all over the place in terms of their technical knowledge. There should be follow up to ensure that the training is understood by all. 
I agree. Specialized training in addition to just security awareness is essential. Example, customer service personnel should be trained on what they can or cannot say to a customer on the other end of the line regarding security and privacy. Developers should be trained on secure coding standards so they know how to develop secure code. Security administrators need to be trained on how to provision Users and groups with appropriate access. And the list continues. The point of the article is to emphasize everyone's need for some type of security awareness training. Experience has shown many times employees are exposed to security training during employee orientation and never hear about it again for years until audited or the company has experienced a breach. Thank you very much for your comment. That is the point well taken.
One thing you should consider adding to the article is the security threats associated with BYOD. I don’t think most users understand the security risks that their personal devices add to the corporate network. This includes the obvious malware threats from attachments but could also Wi-Fi access to the corporate network.
It also needs to include or simulate real-life examples. Otherwise, you run the risk of the employees not making the link between the training they receive and their daily tasks. For example, we use a service that sends simulated phishing emails throughout the company which serve two purposes. First, it get’s the employees used to reporting suspected phishing emails. Second, if they click on the links in the email, it provides an opportunity to provide training and feedback in a realistic scenario without the risk.
Nice article, and I think you're right on with keeping it frequent, light, and engaging. I'm all for placing employees in safe situations that emulate the real world and let them practice good behaviors in a game-like environment.