The ‘Human OS’ isn’t built to hold big data. So if you want to embed security into the DNA of your workers, keep it simple and brief.

Lance Spitzer has a short list for teaching security awareness. At the top of it is this: If you want people to take security seriously, personalize it.

“Don’t talk about how it affects the corporation,” he said. “Start with how they can protect their kids online and their own mobile device. Let them see what’s in it for them.”

Spitzer, training director for the SANS Securing the Human Program, wove that thread through his brief presentation at the SANS Security Leadership Summit Wednesday in Boston titled “Your Security Awareness To-Do List.”

[Related: The 7 elements of a successful security awareness program]

Brevity, he said, is one of the elements of training that appeals to employees. While most organizations have security awareness programs, they are both unpopular and “immature, because they were developed by auditors for compliance. We want to take it to the next level and change behavior and, ultimately, culture,” he said.

That, he said, involves three key principles:

Focus on limited key topics

“The ‘Human OS’ is not very good at remembering a lot of different things, and you have limited time and resources,” Spitzer said, “so focus on the fewest behaviors that will have the largest impact.”

For his program, he said, a “human risk analysis” yielded a “top seven” list: vulnerability to phishing attacks; poor password security (not that passwords are too simple, but that they are being shared or the same one is re-used for various sites); failing to patch or update devices; sharing too much on social media; not realizing you are a target; and accidental data loss or exposure.

That last one, he said, is caused frequently by auto-complete on email.
“You meant to email Dave in accounts payable, but instead you accidentally emailed Dave, your kid’s soccer coach,” he said.

Spitzer said the latest Verizon Data Breach Incident Report, released just recently, “matches perfectly with what we have here when it comes to human risks. The key is that with fewer topics, you’re more likely to change behavior.”

Engagement

A primary question he gets from organizations, Spitzer said, is: “How do we reach people?”

And the simple, effective answer, he said, is to “focus on how people benefit – 70%-80% of an awareness program also applies to people’s personal lives.”

The reality, he said, is that in the modern work environment, where people are working in multiple locations (including their homes) with multiple devices, their personal information is also at risk.

“Bad guys are targeting people at home,” he said, “so it’s not like they need one set of behaviors at home and a different one at work. It’s the same across both. You want to make security part of their DNA.”

Reinforce

Awareness takes repetition, Spitzer said, but it won’t be effective if it’s overdone. “You need to communicate regularly through the year to reinforce key behaviors,” he said, “and we recommend that you touch people monthly. Quarterly is not enough, but weekly is too much – it starts to become noise.”

The other key, he said, is to offer different ways for workers to consume that training. Different generations have different preferences, he said – boomers might want lunch-and-learn events or newsletters, while younger workers would prefer webcasts and social media.

Also, let workers consume training on their own schedule. “If you schedule an event, 10% might show up – everybody’s busy,” he said, “but when you offer it on their own schedule, it’s more successful.”

Finally, don’t ignore awareness updates either, he said.
“Your technology, standards and threats are constantly changing,” he said, “so you should update your content at least once a year, or more often if there’s something critical.”