Industry View: Security Training With Style
Perimeter eSecurity VP Jason Miceli offers some tips on how to give employees a true understanding of security
By Jason Miceli
September 03, 2008 — CSO
Industry professionals agree that the most significant security threat to an organization is its own employees. Controls can be implemented to help combat this problem and some would argue that such controls are sufficient on their own. However, the strongest security measures can be circumvented by a single incident of creative social engineering. Only by taking a balanced approach to technical control and employee training can organizations adequately secure themselves.
The best defense against human-based threats, such as social engineering and phishing, is true understanding. Your environment is ever changing in terms of people, technology, and points of exposure, and you need to manage these elements in a volatile landscape. Risk control processes must be enforced to prepare your employees for the threats that target them as vulnerabilities. The SANS Institute recommends that organizations educate their employees about security issues and regularly test to ensure they retain what they learn. In recent years the Information Security industry has begun implementing automated training and testing facilities, known as Learning Management Systems (LMS), to accomplish this task. According to a recent study by Bersin & Associates, more than 40 percent of all organizations and more than 70 percent of large enterprises have an LMS.
Building an effective training program where appropriate retention and understanding occur is challenging. Not only is the choice and development of the right content important, but its proper delivery is paramount to the program's success. This article aims to provide a renewed sense of purpose with regard to employee training.
Beyond WHAT and on to HOW
While Information Security specialists consider many aspects in building and launching a complete training program, I will focus on those areas that are often overlooked, yet critical to a program's success. The key question is, "How can we turn the world of Information Security, an uninteresting topic for many, into an effective and enjoyable learning process?" In response, we will look not only at the raw content but also consider three additional strategies: expanding the framework for the LMS, emphasizing the relevance of the training material and creatively using humor where appropriate.
Raw Content: The foundation of any LMS is the content. Countless articles and white papers are available that detail how to choose or develop content for your awareness program. Here are a few quick tips:
- Use rich content: Include as much rich content as possible, such as animation, pictures, video, and voice-overs. The more multimedia you add, the more you will grab and hold your employees' attention throughout the learning process.
- Structure test questions: You can design test questions and answers in many ways. One approach is first to ask all the questions, providing no feedback in between, and then show students how they performed. Alternatively, you can ask a single question immediately followed by a slide containing an explanation of the answer and then proceed to the next question. The latter approach provides stronger reinforcement of the material, adding context and meaning to the topic. The goal is to ensure people understand the spirit of the material and how to apply it to their daily routines, rather than knowing the exact answers to specific questions.
- Keep the content fresh: Refresh content on a regular basis; outdated content that does not align with current trends and issues will seem out of place. This lack of credibility will negatively impact the program's ability to mitigate the security threat posed by your employees.
Framework: Choosing the right content is fundamental, but it is only the first step. Look beyond the content to consider the larger framework into which the content is placed.