The SANS Security Awareness Roadmap
by Lance Spitzner
Humans operate a lot like computers by storing, processing, and transferring information. The biggest difference, however? Very little has been done to secure the “human” operating system within the workplace. This makes people the primary attack vector for cyber attacks and easy targets for social engineering scams like phishing. Security awareness training has become the most effective way to identify, combat, and overcome these risks. But how effective is your program?
Designed to help your organization build, maintain, and measure a thriving security awareness program, over 200 awareness professionals collaborated to develop the Security Awareness Maturity Model. This model enables organizations to easily identify where their security awareness program is currently at, where a qualified leader can take it, and outlines the path to get to where they want to be. The model is based on five distinct stages, each building upon the previous stage.
- Non-Existent
- Compliance Focused
- Promoting Awareness & Behavior Change
- Long-Term Sustainment & Culture Change
- Robust Metrics Framework
So, how do you take your program from non-existent to promoting a robust metrics framework? Or, on a realistic scale, what actions should be taken to simply move your program up to the next level, such as going from having a compliance-focused security awareness program to promoting awareness and behavior change? The outlined steps below serve as a roadmap to effectively maturing your security awareness program to the different levels as described in the Maturity Model.
(Looking for the poster version of this information? You can find the Security Awareness Roadmap Poster here.)
No Awareness Program
Program is non-existent. The workforce has no idea that they are a target, do not know or understand organizational security policies, and can easily fall victim to attacks or their own mistakes.
Compliance Focused
Program is designed primarily to meet specific compliance or audit requirements. Training is limited to annual or ad-hoc basis. The workforce is unsure of organizational policies, their role in protecting their organization’s information assets, and how to prevent, identify, or report a security incident.
How to Get There:
- Identify your organization’s compliance or audit standards.
- Identify security awareness requirements for those standards, which likely requires coordination with compliance or audit officer.
- Develop or purchase a training program to meet those requirements.
- Deploy security awareness training.
- Track who completes training, and when.
Deliverables:
- Annual training materials, such as videos, newsletters, and on-site presentations.
- Reports of who has and who has not completed the required training.
Standards Requiring Awareness Training
ISO/IEC 27002 §8.2.2
PCI DSS §12.6
SOX §404(a).(a).(1)
GLBA §6801.(b).(1).(3)
FISMA §3544.(b).(4).(A),(B)
HIPAA §164.308.(a).(5).(i)
CIP-004–5.1 R1
General Data Protection Regulation (GDPR) Article 39(b)
Promoting Awareness & Behavior Change
The program identifies the training topics that have the greatest impact in supporting the organization’s mission and focuses on those key topics. The program goes beyond annual training and includes continual reinforcement throughout the year. Content is addressed in an engaging and positive manner that encourages behavior change at work and at home. This helps the workforce understand and follow organizational policies and actively recognize, prevent, and report incidents.
How to Get There:
- Identify key stakeholders to making your program a success.
- Build and execute a plan to gain their support. This could include:
* a human risk survey
* awareness assessments
* root cause analysis of recent incidents
* industry reports or cost-benefit analysis. - Create a baseline of your organization’s security awareness level, such as a human risk survey or phishing assessment.
- Create a Project Charter to give you the authorization to begin the planning process. The Project Charter should set key expectations, including identifying the project manager, cost estimates, program scope, goals, milestones, and assumptions.
- Establish an Advisory Board to assist in planning, executing, and maintaining the awareness program. This should include 5–10 volunteer advisors from different departments or business units within your organization.
- Identify who you will target in your program. Different roles may require different or additional training, including employees, help desk, IT staff, developers, and senior leadership.
- Identify what you will communicate to the different targeted groups. Begin with a risk analysis to identify the different human-based risks to your organization, document those risks in a matrix, and then prioritize the risks from high to low. Then select which risks you will address in your program by priority. Then create a separate Learning Objectives document for each topic and identify the key behaviors you need to change to manage those risks.
- Once you have determined who the target of your awareness program is and what you will teach, determine how you will communicate content. When teaching a specific topic, refer to that topic’s Learning Objectives to determine what content to communicate. There are two categories of training:
* Primary training: teaches new content and is usually taught annually or semi-annually and either on-site or online.
* Reinforcement training: employed throughout the rest of the year to reinforce key topics. - Create an execution plan in coordination with your Advisory Board. The plan should begin with why you are launching a security awareness program, your goals, and overall scope. Document who you will target in your awareness program, what you will teach them, and how. Include a timeline that identifies key milestones and the launch date of the program, critical resources involved, and any other relevant information.
- Once the plan is approved by management, execute your program. Have the most senior stakeholder (such as your CEO) announce the program to the organization, such as by email, blog posting, or taped video.
Deliverables:
- Stakeholder and Advisory Board matrices
- Human risk survey
- Project Charter
- Risks matrix
- Learning objectives document for each risk
- Execution plan
Long-Term Sustainment
Program has processes and resources in place for a long-term life cycle, including (at a minimum) an annual review and update of both training content and communication methods. The program goes beyond just changing behaviors and begins to change the culture of the organization.
How to Get There:
- Identify when you will review your awareness program each year.
- Identify new or changing technologies, threats, business requirements, or compliance standards that should be included in your annual update.
- Conduct an assessment of your organization’s security awareness level and compare that to the baseline.
- Survey staff for feedback, including what elements they liked best about the program, what needs to be changed, which topic they found most interesting, and which behaviors they changed.
- Conduct a human risk analysis and compliance review to determine if there are any new risks that need to be added or updated in your program.
- Review and update the learning objectives for each risk.
- Review how the risks are communicated, which methods have had the greatest impact, and which methods need to be updated or dropped.
- Conduct an annual review and update of the budget to address changing business objectives.
Deliverables:
- Content tracking matrix used to document which risks and learning objectives were updated, by whom, and when.
Metrics Framework
Program has a robust metrics framework to track progress and measure impact. As a result, the program is continuously improving and able to demonstrate return on investment.
How to Get There:
- There are two categories of metrics for security awareness programs:
*Compliance metrics: measures the compliance of your program. They are used by auditors to ensure your program is compliant with specific regulations and standards.
* Impact metrics: measures the impact your awareness program is having, specifically, what behaviors have been changed and the impact that has to your organization. - Identify key human risks you are attempting to manage, then identify metrics that best measure those risks.
- Document how and when you intend to measure the metrics.
- Identify who to communicate results to, when, and how.
- Execute metrics measurement.
Deliverables:
Metrics matrix
Compliance Metrics:
- Number of people who have completed the training.
- Number of employees who have signed the Acceptable Use Policy.
- Number of newsletters or posters distributed.
- Number of on-site training sessions.
Impact Metrics:
- Number of employees who fall victim to phishing simulations.
- Number of sensitive documents in the dumpster.
- Number of mobile devices with a screen lock.
- Number of infected systems each month.
- Percentage of people sampled with a positive attitude towards information security.
- Percentage of people who believe their coworkers have shared passwords with others.
Want this info in visual form? To get the poster version of this roadmap, download the SANS Security Awareness Roadmap poster.
For more information about starting, growing, and maturing a security awareness program, I highly suggest you review our reports page. The 2019 SANS Security Awareness Report is a wealth of information — provided directly from over 1,500 of your security awareness peers to help you benchmark and build your program and career.
About the Author
Lance Spitzner
Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, security architecture, awareness and training. He helped pioneer the fields of deception and cyber intelligence and founded the Honeynet Project. In addition, Lance has published three security books, consulted in over 25 countries and helped over 350 organizations build programs to manage their human risk. Lance is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. Mr. Spitzner served as an armor officer in the Army’s Rapid Deployment Force and earned his MBA from the University of Illinois.
