
Creating Compelling Security Training and Awareness Programs


5 min read
Published on Jan 21, 2019

People in IT know the importance of security training. If employees don’t know how to avoid crucial mistakes, the result could be an expensive breach. Knowing that training is important, though, isn’t enough. Too many programs do little or nothing to improve people’s security habits. Successful security training requires a clear purpose and effective techniques.

Know Your Goals

It’s common to talk about “security awareness and training,” but that conflates two different goals. Awareness is just the first step. It means knowing that there are problems to deal with, but not necessarily having the ability to deal with them. Employees need to know that spam, password theft, and malware pose serious risks. Awareness motivates training and keeps its results from going stale. But it isn’t a substitute for acquiring the necessary skills and habits.

NIST 800-16 describes awareness and training as a continuum. The training aims at “relevant and needed security skills and competencies”. In a short session, instilling some awareness may be the best you can hope for. If the aim is a serious reduction in incidents stemming from user error, you need to train people in some real security skills.

Making the aim as specific as possible lets you determine what kind of training is needed. It might include one or more of these goals:

  • Protection of user accounts against hijacking.
  • Prevention of malware downloads resulting from a phishing email.
  • Compliance with regulations, contracts, and policies.
  • Protection of confidential personal information and business trade secrets.
  • Avoiding information leaks through insecure communication and data transfers.

When you have a list of goals, you can decide what changes in employee behavior will achieve them. That defines what the training needs to cover.

Know Your Audience

You know how important the technical details are. You’d love it if the employees understood them. But for the most part, they don’t care, and it would take too long to get them to understand. A “salted hash” is what they hope the cafeteria isn’t serving.

The narrative is what gets them interested. Start with stories that are exciting and frightening. Red Riding Hood would have been safer if she hadn’t told the wolf where she was going. The people in accounting will be safer if they don’t give information to spammers. That’s just awareness, perhaps, but it’s the awareness that will pull them in to learn more. They’ll want to know how to spot the big nose, big eyes, and especially the big teeth in time.

The story can start with a common mistake, such as logging in on a look-alike site. It doesn’t need a full explanation of how domain spoofing works, just a plausible example. From there it can go on to show how the bad guys gain a foothold in the network. The aim here should be to show a succession of consequences, not a detailed explanation. Think of the military’s “Loose Lips Sink Ships” training videos.

It doesn’t hurt if the villains are cartoonish and melodramatic. However, the person making the mistake shouldn’t look blatantly stupid. Doing that will just make people think, “Oh, I’d never do that.” The message should be that even smart people will make mistakes if they aren’t careful.

Recruit Your Champions


Making a security training program work requires getting key people on your side. If employees are just yanked away from their desks for training and then go back to doing what they did before, it won’t have much of a long-term effect. Long-term improvements come from a change in the business’s culture.

Usually, the HR department is responsible for training programs, so working closely with them is valuable. Can they offer incentives for good work, and are there consequences for allowing data leaks? An ongoing awareness program will help to make the training stick.

The marketing department has the know-how to create an internal security campaign. Posters help people to keep security in mind. Having a “security awareness week” for the whole company doesn’t hurt. It has to be engaging and perhaps a little scary, but it must never be boring.

In the course of the training, you’ll find that some people really get it. Work with them so they can become security champions in their departments. They’re the key to building a security-oriented culture.

Carrots or Sticks?

The threat of punishment isn’t a very effective training method. It teaches people to cover up their mistakes and not get caught. They should be encouraged to report any slip-ups they think they’ve made so that IT can quickly check for problems.

Shaming is just as bad as punishment. It promotes resentment, not better security habits. This doesn’t mean people shouldn’t be taken off tasks when they show a lack of responsibility, but that’s a matter of the company protecting itself, not a way to teach better work habits. Short of serious matters, it’s more useful to point out issues quietly and encourage people to avoid future mistakes.

Even better is rewarding accomplishments. Gamification is a good way to motivate people. As a simple example, a password meter gives people a sense of gratification when they create a new password and see it go from “Weak” to “Super Strength” as they type.

Sample phishing emails help to test people’s habits. They should vary in what they test, with traps such as enabling macros on an unknown file, logging in to a spoofed site, or requesting confidential information by email. Those who get tricked need to get a reminder. Equally important, the ones who report the “scam” should get visible recognition. Departments can have contests for who has the lowest percentage falling for the trick. (Sorry, IT doesn’t get to play.)
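The department scorecard and follow-up lists described above, as an added example that is not part of the original post. The result records, the department names and the action labels are constructed for illustration; it assumes each simulation result says whether the recipient ignored the email, reported it, fell for the trap, or fell for it and then reported it.

```python
from collections import defaultdict

# Constructed sample results from one simulated phishing email (not real data).
# action is one of: "ignored", "reported", "clicked" (fell for the trap, e.g.
# enabled the macro or typed a password on the spoofed site), or
# "clicked_reported" (fell for it, then reported it).
SAMPLE_RESULTS = [
    ("alice", "Accounting", "reported"),
    ("bob", "Accounting", "clicked"),
    ("carol", "Accounting", "ignored"),
    ("dave", "Sales", "clicked_reported"),
    ("erin", "Sales", "clicked"),
    ("frank", "Sales", "ignored"),
    ("grace", "Sales", "reported"),
    ("heidi", "IT", "reported"),
    ("ivan", "IT", "ignored"),
]

FELL = {"clicked", "clicked_reported"}
REPORTED = {"reported", "clicked_reported"}
EXCLUDED = {"IT"}  # IT runs the campaign, so it doesn't compete


def scorecard(results, excluded=EXCLUDED):
    """Per-department percentage that fell for the email and that reported it."""
    counts = defaultdict(lambda: {"total": 0, "fell": 0, "reported": 0})
    for _, dept, action in results:
        if dept in excluded:
            continue
        c = counts[dept]
        c["total"] += 1
        c["fell"] += action in FELL
        c["reported"] += action in REPORTED
    return {
        dept: {
            "fail_pct": round(100.0 * c["fell"] / c["total"], 1),
            "report_pct": round(100.0 * c["reported"] / c["total"], 1),
        }
        for dept, c in counts.items()
    }


def ranking(table):
    """Contest order: lowest failure rate first, ties broken by highest report rate."""
    return sorted(table, key=lambda d: (table[d]["fail_pct"], -table[d]["report_pct"]))


def follow_ups(results):
    """Who gets a reminder (fell for it) and who gets recognition (reported it).
    Someone who fell for it and then reported it belongs on both lists."""
    reminders = [user for user, _, action in results if action in FELL]
    recognition = [user for user, _, action in results if action in REPORTED]
    return reminders, recognition
```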

Having the Best Training

However good your current security training methods are, there’s always room to make them better. AgileSecurity covers onboarding, reporting, training, and vulnerability testing. We offer education and workshops, or we can help you to set up the most effective security training program if you prefer to run your own. To learn how we can help you to secure your business, schedule a call with a cloud advisor.
