Building an Information Security Awareness Program in 5 Easy Steps

Mathieu Marcotte
Published in poka-techblog
9 min read · Nov 22, 2017


When we think of information security, we usually think of encryption, vulnerability management and the other, more technical subjects that my colleagues have already covered. But, as you might know, information security is far more human and alive than we might think: people need to be aware of the security risks they face and must be trained accordingly, so that they react correctly when a threat materialises.

What’s an Information Security Awareness Program?

One way to promote security and train users is through Information Security Awareness, Education and Training (Control 7.2.2 for those familiar with ISO 27001/27002:2013). Directly from ISO 27002:2013:

An Information Security Awareness Program should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and the means by which those responsibilities are discharged.

Those trainings need to be meaningful and adapted to the users’ reality to be successful. Difficult, but not impossible.

What’s this article about?

We will walk through the five main steps we follow to build and publish awareness trainings at Poka, with advice on what to do at each step. For those used to it, you will see that it follows the PDCA cycle (Plan-Do-Check-Act).

Who’s this article for?

If you work in Security, Privacy, Governance, Risk or Compliance (you get the idea) and have to implement an Information Security Awareness Program, this article is for you.

1. Pick a Subject

It might be tempting to only do awareness trainings on what is currently popular, like phishing/spear phishing/ransomware (which are good subjects to address nonetheless), but there is also a great source of subjects right within your company: your own risks.

The very reason why you want to do awareness trainings is because you sense that there are risks in your company that need to be controlled and mitigated.

Even if you do not (yet) practice formal Risk Management, it is still possible, and fairly simple, to identify high-level risks in your company.

Let’s take phishing as an example, which is a risk for most companies, if not all. I won’t go into the details of all the possible risks of phishing because they have been well documented, but one way to mitigate them is to educate your employees on how to detect and report phishing attempts.

You may also have a set of policies on different subjects, and even though all your employees are required to read and understand all of them, it’s unrealistic to believe that they will remember and follow 100% of them. Awareness trainings can then be created to cover a specific policy, or the part of it that you deem most important.

You should also choose a fixed schedule (e.g. every month or every three months) for publishing new awareness trainings. It’s better to do it in small doses over time than only once a year. Small doses over time encourage a better information security culture in the company, and employees are trained or reminded on pertinent subjects continuously.

Also, depending on your situation, you should try to design metrics so that you can measure the success of the awareness training you want to do. It’s not always possible to obtain statistically significant metrics, because of the size of your organisation (e.g. a meaningful change in reported phishing attempts may be hard to observe in a small organisation). But if you can, and if it’s done correctly, it will help you determine whether the training has really changed the behaviour of employees for the better; if it has, the numbers can be presented to upper management to justify the program (if that is a concern in your organisation). It’s a win-win situation.

What we do

We mainly choose subjects based on risks identified within our Risk Management process. Employees’ feedback is also considered when choosing a new subject. In the end, awareness trainings need to cater to their needs and worries (more details in the fourth and fifth sections).

For example, we made an awareness training on phishing/spear phishing because we evaluated the risk of a successful phishing attempt as real, and one of the mitigation controls we chose to implement was to better train and instruct all Poka employees on phishing.

Similarly, we have a policy at Poka on how to report security incidents. Even though all employees are required to read and understand all policies (let’s be honest, that’s impossible), we also decided to do an awareness training on how to detect and report security incidents.

Right now, we’re doing an awareness training every three months, but at the time of writing we are looking into doing one each month. We also track a small set of metrics, because we are a small organisation, but again, we are planning to expand the number of metrics we use.

Creating your Awareness Training can be as fun and easy as playing with Legos :)

2. Create your Awareness Training

Now that you have chosen a subject, it’s time to think about how you are going to build your awareness trainings.

First, I would advise, if possible, building your own awareness trainings, so that they are adapted to your own culture and better suited to your needs, instead of relying on generic training materials found online. It might cost more initially, but if done correctly, it will pay off.

While developing your awareness trainings, think more like a marketer or designer: you need to sell the content of your training, not just tell people what to do. If you have a Design and/or a Marketing team in your company, consult them to improve the flow of your message and its promotion, and maybe add some entertainment value to an otherwise boring presentation. It needs to be interesting to your audience. Information security objectives and employees’ objectives should be aligned because, let’s face it, information security is not a priority for everyone, and many believe that it is not their responsibility.

What we do

Right now, all of our awareness trainings are created with Google Slides. We really try to make them lightweight, straight to the point, and fun to go through, to avoid Death by PowerPoint. Some (a lot of) memes, GIFs (maybe to the dismay of some of my coworkers) and even games are incorporated into each awareness training. Each of them can be completed in 5 to 10 minutes.

Our Design team developed a Google Slides template that we reuse most of the time.

When an awareness training is completed, it gets peer-reviewed by the rest of the Information Security Team, and once it is adequate, it is also reviewed by 2–3 employees from different teams to gather general feedback. This reduces the risk of a major problem or error in the awareness training, and ensures that it is easy to understand.

3. Communicate your Awareness Training

Now that everything is ready, you should publish your awareness training on an official channel that everyone in your company consults (Slack, HipChat, email, intranet, etc.). Don’t be afraid to use multiple channels, if necessary, to effectively reach all employees, but don’t harass them either.

Give clear and concise instructions on what is expected from all employees (e.g. the deadline for completing the training).

What we do

Our official channel of communication at Poka is the #general channel in Slack, where all major announcements are published and where noise is kept to a minimum. All awareness trainings are published in that channel, along with the deadline (two weeks).

4. Gather Confirmations & Feedback

If you want your awareness trainings to be effective (and compliant with most security standards), you need to gather and keep proof of completion from all employees.

And at the same time, why not gather some feedback from your audience about the awareness training? Keep it short and sweet, with only a few pertinent questions. This feedback will help improve current and future trainings, and your overall information security.

What we do

At the end of each awareness training, there is a link to a Google Form that each employee must fill in to confirm that they have completed the required training. Three optional questions are then available:

  • On which security and/or privacy subject(s) do you feel you lack information/training?
  • What subject/training would you like to see in the future?
  • Any other comments/improvements?

You can consult our Google Forms template here. Feel free to copy/adapt it.

We review that feedback to see what we could improve with regard to information security. Maybe there is a subject that we thought was not a risk, or that we assumed was well understood by everyone, but was not.

In the future, we want to share a summary of the feedback on Slack, so that everyone can get an idea of what we need to improve and plan, and can see that we listen to their feedback.

5. Check & Act

Now is the time to check the progress and the effectiveness of the awareness training that you’ve published. If you need everyone to complete the awareness training (e.g. for compliance purposes), you might need to contact directly those who still have not done it after the deadline.

As said earlier, you should study all feedback and plan future corrective actions, if necessary.

But to really check the success of your awareness training, there are mainly two ways (both can be used):

  1. Quizzes: this is a good opportunity to test the newly acquired knowledge of your employees, either with a follow-up quiz/test for each training or, if you do multiple awareness trainings in a year, with one or two quizzes that cover more than one training. You could also explore the idea of incentives to promote knowledge retention (that’s another subject).
  2. Metrics: if you designed metrics beforehand (see 1. Pick a Subject), you should definitely compare the metrics before and after the awareness training over a designated time frame. For example, one of your metrics could be the number of phishing attempts reported by employees, and your goal could be to increase reporting by 30% over a 4-month period.
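The caveat about statistical significance in small organisations is easy to underestimate, so here is an added example (not part of the original article and not Poka's code) that runs a two-proportion z-test over constructed before/after numbers. It treats the metric as the share of employees who reported at least one suspicious email during the period, which is an assumption about how you count; the same 10% to 15% improvement is tested for a 40-person and a 400-person company.

```javascript
// Added example: two-proportion z-test for a before/after awareness metric.
// Not from the article; the counts below are constructed for illustration.

// Error function, Abramowitz & Stegun formula 7.1.26 (absolute error < 1.5e-7).
function erf(x) {
  const sign = x < 0 ? -1 : 1;
  const ax = Math.abs(x);
  const t = 1 / (1 + 0.3275911 * ax);
  const poly =
    ((((1.061405429 * t - 1.453152027) * t + 1.421413741) * t - 0.284496736) * t +
      0.254829592) *
    t;
  return sign * (1 - poly * Math.exp(-ax * ax));
}

// Standard normal cumulative distribution function.
function normalCdf(z) {
  return 0.5 * (1 + erf(z / Math.SQRT2));
}

// Two-sided two-proportion z-test.
//   before / after: { reported, headcount } for the periods before and after
//   the training, where `reported` is the number of employees who reported
//   at least one suspicious email (assumed metric definition).
// Returns the two rates, the z statistic, the p-value and whether the
// difference is significant at the usual 5% level.
function proportionTest(before, after) {
  const p1 = before.reported / before.headcount;
  const p2 = after.reported / after.headcount;
  const pooled =
    (before.reported + after.reported) / (before.headcount + after.headcount);
  const se = Math.sqrt(
    pooled * (1 - pooled) * (1 / before.headcount + 1 / after.headcount)
  );
  const z = se === 0 ? 0 : (p2 - p1) / se;       // se is 0 only if nobody / everybody reported
  const pValue = 2 * (1 - normalCdf(Math.abs(z)));
  return { p1, p2, z, pValue, significant: pValue < 0.05 };
}

// Constructed numbers: reporting goes from 10% to 15% of staff in both cases.
const SMALL = proportionTest({ reported: 4, headcount: 40 }, { reported: 6, headcount: 40 });
const LARGE = proportionTest({ reported: 40, headcount: 400 }, { reported: 60, headcount: 400 });

console.log('40 employees :', SMALL);   // z ~ 0.68, p ~ 0.50: could easily be noise
console.log('400 employees:', LARGE);   // z ~ 2.14, p ~ 0.03: a real change
```

With 40 employees, two extra reporters is indistinguishable from chance, so a 4-month window is not enough on its own; aggregating several periods, or tracking a per-person metric such as reports per employee per month, gives the test more data to work with.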

You can now start thinking about your next awareness training. Rinse and repeat!

What we do

We track the completion of each training with the help of Google Forms and Google Sheets. Also, as you will see, we use G Suite as our identity manager.

To summarise our process: we import the email addresses of all employees from G Suite into a Google Sheet with the help of a Google Apps Script. When an employee joins or leaves, that column is updated automatically by the script. For each new awareness training, every time an employee completes it by filling in the Google Form, their email address is imported into the Google Sheet for comparison. You can consult a copy of our Google Sheet with added information and details.

I wrote a short summary of its inner workings; if you have any questions, just ask in the comments.

That way, we can easily see who has completed the awareness training and who has not, and we remind those who have not. We also use a Zap from Zapier to alert us on a monthly basis if someone has still not done their awareness training (if you want more details, just ask in the comments).
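The comparison step described above, written out as an added example (this is not Poka's script and not part of the original article) in plain JavaScript so it runs under Node. The directory rows and form responses are constructed; in Google Apps Script the same two arrays would come from the Admin SDK advanced service (`AdminDirectory.Users.list`) and the form's response sheet. It assumes the form is restricted to the company domain with "Collect email addresses" enabled, so the address in each response is the signed-in account, not a free-text field that lets anyone confirm on a colleague's behalf.

```javascript
// Added example: reconciling a G Suite directory export against form
// confirmations for one awareness training. Not Poka's code.

// Constructed directory export. `suspended` marks an offboarded account.
const DIRECTORY = [
  { primaryEmail: 'Alice@example.com', suspended: false },
  { primaryEmail: 'bob@example.com',   suspended: false },
  { primaryEmail: 'carol@example.com', suspended: true  },   // left the company
  { primaryEmail: 'dave@example.com',  suspended: false },
  { primaryEmail: 'erin@example.com',  suspended: false },
];

// Constructed form responses. `email` is assumed to be the address Google
// Forms records for the signed-in respondent (domain-restricted form).
const RESPONSES = [
  { timestamp: '2017-11-23T10:00:00Z', email: 'alice@example.com' },
  { timestamp: '2017-11-24T09:00:00Z', email: ' Bob@Example.com ' },   // case/whitespace noise
  { timestamp: '2017-12-20T09:00:00Z', email: 'dave@example.com' },    // after the deadline
  { timestamp: '2017-11-25T09:00:00Z', email: 'mallory@example.com' }, // not in the directory
  { timestamp: '2017-12-10T09:00:00Z', email: 'alice@example.com' },   // duplicate submission
];

function normalizeEmail(e) {
  return String(e).trim().toLowerCase();
}

// Active headcount, normalised so that case or whitespace differences
// between the directory and the form don't create false "missing" entries.
function activeEmployees(directory) {
  return directory
    .filter((u) => !u.suspended)
    .map((u) => normalizeEmail(u.primaryEmail));
}

// Earliest confirmation per address: a later duplicate cannot move a
// confirmation past the deadline, and unparseable timestamps are skipped.
function firstResponseByEmail(responses) {
  const first = new Map();
  for (const r of responses) {
    const email = normalizeEmail(r.email);
    const when = new Date(r.timestamp);
    if (Number.isNaN(when.getTime())) continue;
    const prev = first.get(email);
    if (!prev || when < prev) first.set(email, when);
  }
  return first;
}

// Compare headcount against confirmations. Returns sorted lists:
//   completed - active employees with a confirmation (on time or late)
//   late      - those whose first confirmation came after the deadline
//   missing   - active employees with no confirmation (the reminder list)
//   unknown   - confirmations from addresses outside the active directory
//               (contractors, typos, or someone using the wrong account)
function reconcile(directory, responses, deadline) {
  const due = new Date(deadline);
  const staff = new Set(activeEmployees(directory));
  const first = firstResponseByEmail(responses);
  const result = { completed: [], late: [], missing: [], unknown: [] };
  for (const email of staff) {
    const when = first.get(email);
    if (!when) { result.missing.push(email); continue; }
    result.completed.push(email);
    if (when > due) result.late.push(email);
  }
  for (const email of first.keys()) {
    if (!staff.has(email)) result.unknown.push(email);
  }
  for (const k of Object.keys(result)) result[k].sort();
  return result;
}

// Completion rate over active headcount, for the periodic summary.
function completionRate(directory, responses, deadline) {
  const r = reconcile(directory, responses, deadline);
  const total = r.completed.length + r.missing.length;
  return total === 0 ? 0 : r.completed.length / total;
}

console.log(JSON.stringify(reconcile(DIRECTORY, RESPONSES, '2017-12-06T23:59:59Z'), null, 2));
console.log('completion rate:', completionRate(DIRECTORY, RESPONSES, '2017-12-06T23:59:59Z'));
```

The `unknown` list is worth looking at rather than discarding: an address that is not in the directory is either a contractor who should be in scope, a typo, or a sign that the form is accepting unauthenticated submissions, which would make the completion record worthless as evidence.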

As for evaluation, we currently don’t test Poka employees on their knowledge, but we are currently exploring ways to do just that :)

Summary

The five steps that we recommend following are:

  1. Pick a Subject that is meaningful and needs to be addressed to reduce your security risks.
  2. Create your Awareness Training so that it is well suited to your company culture and reality. Don’t rely on generic awareness trainings; build your own.
  3. Communicate your awareness trainings on an official channel and give clear instructions.
  4. Gather Confirmations & Feedback to ensure that you have proof that every relevant person has done the required awareness training, and to help you improve your awareness trainings.
  5. Check & Act to plan future corrective actions and improve your awareness trainings. Think about how you are going to check your users’ knowledge.

Conclusion

As I searched for best practices for developing an Information Security Awareness program, I was surprised by the lack of articles/blogs/resources — not that there are none, but they are somewhat rare. I hope this can be useful and help you.

Feel free to share your advice and findings on Information Security Awareness Training in the comments!
