How to Build a Security Awareness Training Program

With increased digitization of everything post-pandemic, cybersecurity has become a top concern for global CEOs, with almost half planning to increase cybersecurity investment by 9%, according to PwC. Since 85% of breaches involve human error, throwing more money at the problem by buying the latest cybersecurity technology may hit a point of diminishing returns. At its core, cybersecurity isn’t just a technical problem; it’s a human problem. Organizations need more than technology—they need employees as both their first and last line of defense: employees who embrace security awareness and who identify, avoid and flag suspicious activities and items.

Where Security Awareness Programs Fall Short

It can be argued that businesses are increasingly investing in cybersecurity awareness, yet cyberattacks continue to rise by triple digits. The reality is that security awareness is multidimensional, blending education, upskilling and communications. Security awareness has become a check-the-box set of activities for many organizations, but what we really want is security-minded people—those who don’t just recite policies but who integrate security into their daily lives.

Foundational Components Of A Security Awareness Program

The phrase “security awareness” is built on an inherent (and incorrect) assumption: that simply telling employees about the existence of cyberthreats will suddenly produce an enlightened workforce. For any security awareness program to be successful, it should include the following foundational elements:

Passion for people: It’s important to acknowledge that the leader of this program should be people-oriented. They need to see people as the solution, not the problem. If the leader is biased against users, they’ll likely subvert the entire program. Program owners also need to garner buy-in from upper management, because such support has a significant impact on communicating key messages across the organization.

Well-thought-out communications strategy: Security awareness has an obvious communication component. Depending on their audience, role or team, people perceive the same message in different ways based on how they receive it, the tool used to deliver it, and other factors such as employment background, experience and culture.

Focus on behavioral change: Security awareness isn’t just an awareness problem; it’s a behavior problem. Awareness doesn’t naturally lead to behavioral change. Just as many drivers treat speed limit signs as suggestions, or pause at a stop sign only long enough to check for a police vehicle, many people will attempt to skirt security measures they find inconvenient or that slow them down, even when they are fully aware of them.

There’s also a gap between knowing something and intending to act on that information. Knowledge never stopped a breach; how people behave is the key. Even when we know something and have the best intentions to act on that knowledge, we don’t always do so. For example, we might see a suspicious email but not report it. This is what social-behavioral scientists refer to as the intention-behavior gap, and it’s important that businesses recognize it as a core element of their security awareness program.

Use A Maturity Model To Measure Your Security Awareness Level

You can’t improve what you don’t measure, which is why all leaders must start by measuring their current level of security awareness before charting out a security awareness program.

Level One: Compliance-Driven Awareness

This is the lowest possible level of security awareness in any organization. The program is concerned only with checking a box to meet a regulatory or contractual mandate or to comply with pending legislation.

Level Two: Information Dissemination

Information dissemination is a well-intentioned effort to ensure that people have the right information to make good security decisions. Organizations at this level have moved beyond simple box-checking: they send out newsletters, make videos available, assign learning management system modules and may even celebrate events like the annual Cybersecurity Awareness Month every October.

Level Three: Behavior Shaping

This goes beyond level two and involves an intentional effort to understand and direct human behavior, specifically by working with, rather than against, human nature.

Level Four: Culture Shaping

This is the highest level of maturity, where security-related values and beliefs are woven into the fabric of the organization and have become the established norm. Such values are regularly practiced by most employees and can even be infectious to newcomers.

The ABCs of Cybersecurity Awareness Programs

Awareness (A), behavior (B) and culture (C) are the three main pivot points that can help businesses harness the full potential of a security awareness program. The more they learn about how they can measurably benefit by intentionally focusing on the ABCs, the more they will invest, and the closer they will be to building a truly cyber-resilient organization.

Perry Carpenter

Perry Carpenter (author of “Transformational Security Awareness: What Neuroscientists, Storytellers, and Marketers Can Teach Us About Driving Secure Behaviors” and host of the “8th Layer Insights” podcast) currently serves as Chief Evangelist and Strategy Officer for KnowBe4.