6 essential components for security awareness programs
There's more to security awareness programs than just computer-based training and phishing exercises. Ira Winkler and Samantha Manke outline the six must-haves to ensure your program is effective
By Ira Winkler and Samantha Manke
September 18, 2013 — Our past article describing Security Awareness program failures created some controversy. We stated that one reason programs fail is that they rely on a single component, such as phishing exercises or Computer Based Training (CBT). Apparently, for many organizations, one of those two elements is both the beginning and the end of their Security Awareness efforts. This raised the question of what else organizations should include to build an impactful Security Awareness program, one that creates the desired behavior changes.
That last point is the most critical: Security Awareness programs should be designed to create behavior change. Admittedly, phishing simulations can create what is known as a teachable moment, and they can have a lasting impact. However, they address only a single awareness concern. CBT involves watching a single video, and, as any armchair advertising expert will tell you, it takes constant reinforcement for a message to sink in.
So how do you get the message to sink in? Research shows that you need to present the information on at least 3 occasions, and ideally in multiple formats, because different people prefer different formats. To create a successful Security Awareness program, you should therefore use as many formats as possible. This article identifies the categories of formats to consider incorporating into your program. A more detailed listing is available on our website.
Collateral is a broad term for internally distributed materials: newsletters, blogs, and other internal communications. These serve as a simple reminder to your users that security is important and give you an opportunity to educate them once you have their attention. Keep these communications bite-sized, but link back to a lengthier article for readers who want more information. Work within acceptable corporate guidelines, but be aware of their limitations. If newsletters are the only option, still go for it, but try to appeal to different demographics.
For example, while older employees tend to respond to traditional newsletters, Millennials might respond better to a blog or Twitter-like activities. Also consider that some media types might be too congested: newsletters, for instance, might be deleted unread out of habit by many employees, so they might not be the best venue for your Security Awareness program. Whichever formats you choose, set up your process so that you can capture metrics on readership and click-throughs. Those metrics will tell you where to focus future efforts.