Security Awareness Training for the Workforce

Moving beyond “check-the-box” compliance for cybersecurity.

Julie Haney
Sparks of Innovation: Stories from the HCIL
5 min read · May 14, 2021


By Julie Haney and Wayne Lutters


In the face of high stakes and dynamic threats in cybersecurity, orienting an organizational workforce toward sound security practices is an essential, but non-trivial, undertaking. A starting point is security awareness training, which seeks to educate employees about security threats and provide them with the skills and tools to practice good security hygiene. Most public and private organizations mandate at least cursory annual security awareness training for their workforce. The hope is that compliance with these training requirements will result in long-term, positive changes in security behavior. But does compliance-based training really live up to its promise?

Compliance is not enough

Despite its honorable intent, security awareness training can develop a bad reputation. Training is stereotypically boring, with the same generic content every year, and its effects fade when the material is not regularly reinforced. Furthermore, those tasked with managing security awareness programs may be at a disadvantage: they often lack knowledge of how human behavior changes, may have insufficient guidance or resources to perform their duties, and may be doing security awareness as an “add-on” duty on top of other, already-taxing security responsibilities.

Compliance activity can be beneficial as it provides a minimum baseline for exposing the workforce to security concepts and practices. However, security awareness training should never just be a “check the box” exercise measured in completion rates. Rather, training should work toward sustainably changing security attitudes and behaviors.

Taking it to the next level

Based on best practices collected during our prior research studying security advocacy and awareness, we offer the following suggestions for organizations to move beyond compliance and take their programs to the next level.

Become an advocate: Security awareness professionals should not just be compliance managers. Rather, their main role should be advocacy — promoting and facilitating an understanding of security issues and the adoption of security best practices. Security advocacy requires a different set of competencies beyond the technical skills possessed by most security professionals. Non-technical competencies — such as interpersonal skills, communication skills (including being able to translate highly technical concepts into plain language), an appreciation of their audience and context of use, a customer-service orientation, and creativity — are all essential for this role.

Make security relatable: Employees need a reason to care about security. Awareness training should communicate the business value of security best practices to the organization. But, perhaps most importantly, people will be more apt to thoughtfully make security decisions when they have a sense of personal responsibility and view security as relevant to their day-to-day lives in and outside of the office. Therefore, security awareness training should show not just the linkage between security and work duties but also how security relates to employees’ personal lives.

Get their attention: To engage the workforce and reinforce training concepts, the security awareness program should go beyond the common, once-and-done canned presentations to disseminate security information by using a variety of communication channels and techniques periodically throughout the year. Training should ideally be tailored to the local culture of the organization, be memorable, and be entertaining when appropriate. In our studies, we have come across numerous examples of creative approaches: a security-themed food truck event; security information fairs with seasonal themes; security-themed coloring books and calendars; and a Shakespeare-themed play entitled “To send or not to send” that educated employees about proper email use. Employing a variety of communication methods provides something for everyone, since employees will have different preferences on how they receive and best retain security-awareness information.

Empower users: Raising awareness of security threats does not necessarily lead to behavior change. Describing threats without advice or appropriate tools for confronting them may leave employees feeling anxious and powerless. Therefore, employees should be provided with practical, prioritized, and actionable steps they can take to protect themselves and their organization. Remember that security is a journey rather than a destination, so start by giving employees small but impactful steps they can implement immediately. In addition, positive and constructive feedback and incentives can be effective in encouraging desired behaviors and increasing employee confidence.

Measure impact: Compliance metrics (i.e., training completion rates) provide little insight into whether awareness training has made any real difference in employee attitudes and behaviors. Rather, we suggest a few approaches for measuring impact that other organizations have found helpful.

If live training events are held, attendance can be an indicator of reach. But it’s not just about how many attend but who is attending. This can lend insight into whether the program is reaching the right people with local influence and where additional effort should be focused.

Employee feedback is another way to quantitatively and qualitatively assess program effectiveness by gauging overall satisfaction, tracking perceived takeaways, and identifying suggestions for future topics or formats. Informal feedback can be valuable, but anonymous surveys may provide more structured, honest data.

Perhaps the most revealing measure of effectiveness is the trend in user-generated security incident data aggregated from multiple sources. For example, after security awareness training on sending sensitive information via email, is the number of personal data disclosures going down? Trends can also help identify issues that are ripe for additional emphasis in the training program. Indicators of positive behaviors should be tracked as well, such as increased reporting of suspicious emails or other security incidents to the help desk.
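As an added illustration of this kind of trend measurement (example code written for this page, not from the authors' study or any organization they describe), the Python below normalizes two constructed data sources, an email DLP log and help-desk tickets, into a single event list, computes monthly rates per 1,000 employees so that headcount changes do not masquerade as behavior changes, and compares the average rate before and after a training date for a negative indicator (sensitive data sent by email) and a positive one (phishing reports). The log formats, the training date, and the headcount are all assumptions for the example.

```python
"""Trend metrics for a security awareness program (constructed example).
Two event sources are normalized, bucketed by month, and expressed per
1,000 employees; "sensitive-email" should fall after training, "phish-report" should rise."""
import csv
import io
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample data; formats, training date and headcount are assumptions.
DLP_LOG = """\
2021-01-12T09:14:03Z policy=PII action=blocked sender=alice@example.org
2021-01-20T11:02:55Z policy=PII action=allowed sender=bob@example.org
2021-02-03T16:44:10Z policy=PII action=blocked sender=carol@example.org
2021-02-25T08:05:41Z policy=PCI action=allowed sender=dave@example.org
2021-03-02T10:00:00Z policy=PII action=allowed sender=erin@example.org
2021-04-14T13:21:09Z policy=PII action=blocked sender=frank@example.org
2021-05-19T15:33:27Z policy=PII action=allowed sender=grace@example.org
"""
HELPDESK_CSV = """\
ticket_id,opened,category,summary
10231,2021-01-05,phish-report,Suspicious invoice email
10288,2021-02-11,phish-report,Fake password reset
10290,2021-02-11,password-reset,Locked out of laptop
10301,2021-03-08,phish-report,Gift card request from CEO
10320,2021-03-09,phish-report,Odd e-signature link
10355,2021-04-02,phish-report,Suspicious attachment
10360,2021-04-02,phish-report,Spoofed HR email
10402,2021-05-06,phish-report,Reported via mail client button
"""
TRAINING_DATE = date(2021, 3, 1)
HEADCOUNT = 800


@dataclass(frozen=True)
class Event:
    when: date
    kind: str  # "sensitive-email" (negative indicator) or "phish-report" (positive)


def parse_dlp(text: str) -> list[Event]:
    """Every PII/PCI hit counts, blocked or allowed: the attempt is the behavior training targets."""
    events = []
    for line in filter(None, text.splitlines()):
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        if kv.get("policy") in {"PII", "PCI"}:
            events.append(Event(date.fromisoformat(ts[:10]), "sensitive-email"))
    return events


def parse_helpdesk(text: str) -> list[Event]:
    """Only phishing reports are an awareness signal; other ticket categories are dropped."""
    return [Event(date.fromisoformat(row["opened"]), "phish-report")
            for row in csv.DictReader(io.StringIO(text))
            if row["category"] == "phish-report"]


def months_between(first: tuple[int, int], last: tuple[int, int]):
    y, m = first
    while (y, m) <= last:
        yield (y, m)
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)


def monthly_rates(events: list[Event], headcount: int) -> dict:
    """Events per 1,000 employees for every month in the span, so a quiet
    month counts as zero instead of disappearing from the trend."""
    if not events:
        raise ValueError("no events to measure")
    counts = Counter(((e.when.year, e.when.month), e.kind) for e in events)
    kinds = sorted({e.kind for e in events})
    months = sorted({ym for ym, _ in counts})
    return {ym: {k: counts[(ym, k)] * 1000 / headcount for k in kinds}
            for ym in months_between(months[0], months[-1])}


def compare_periods(events: list[Event], training_date: date, headcount: int) -> dict:
    """Average monthly rate before vs. after training per indicator; the training month counts as 'after'."""
    cutoff = (training_date.year, training_date.month)
    rates = monthly_rates(events, headcount)
    before = [r for ym, r in rates.items() if ym < cutoff]
    after = [r for ym, r in rates.items() if ym >= cutoff]
    if not before or not after:
        raise ValueError("need data on both sides of the training date")
    result = {}
    for kind in next(iter(rates.values())):
        b = sum(r[kind] for r in before) / len(before)
        a = sum(r[kind] for r in after) / len(after)
        result[kind] = {"before": round(b, 2), "after": round(a, 2),
                        "change_pct": round((a - b) / b * 100, 1) if b else None}
    return result


def summarize() -> dict:
    """Run the before/after comparison over both constructed sources."""
    events = parse_dlp(DLP_LOG) + parse_helpdesk(HELPDESK_CSV)
    return compare_periods(events, TRAINING_DATE, HEADCOUNT)


if __name__ == "__main__":
    for kind, r in summarize().items():
        print(f"{kind:16} before={r['before']:<6} after={r['after']:<6} change={r['change_pct']:+.1f}%")
```

Two caveats a practitioner should keep in mind when reading such numbers: a rise in phishing reports can reflect a rise in phishing volume rather than better-trained users, so compare against mail-gateway or simulated-phishing volume where that data exists; and a handful of months on either side of a training date is a weak signal, so treat the percentages as a prompt for follow-up rather than as proof of impact.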

Organizations should be cautious about the potential pitfalls of having a strict compliance mentality. Rather, security awareness programs should strive to go beyond compliance to engage and empower employees to be informed, responsible cyber citizens no matter where they are or what they’re doing.

Citation:

  • Haney, J., & Lutters, W. (2020). Security Awareness Training for the Workforce: Moving Beyond “Check-the-Box” Compliance. Computer, 53(10), 91–95.

Written by:

  • Julie Haney, Usable Cybersecurity Program Lead, National Institute of Standards and Technology
  • Wayne Lutters, Associate Professor, College of Information Studies, University of Maryland
