The ‘Human OS’ isn’t built to hold big data. So if you want to embed security into the DNA of your workers, keep it simple and brief.

Lance Spitzer has a short list for teaching security awareness. At the top of it is this: If you want people to take security seriously, personalize it.

“Don’t talk about how it affects the corporation,” he said. “Start with how they can protect their kids online and their own mobile device. Let them see what’s in it for them.”

Spitzer, training director for the SANS Securing the Human Program, wove that thread through his brief presentation, titled “Your Security Awareness To-Do List,” at the SANS Security Leadership Summit Wednesday in Boston.

Brevity, he said, is one of the elements of training that appeals to employees. While most organizations have security awareness programs, they are both unpopular and “immature, because they were developed by auditors for compliance. We want to take it to the next level and change behavior and, ultimately, culture,” he said.

That, he said, involves three key principles.

Focus on limited key topics

“The ‘Human OS’ is not very good at remembering a lot of different things, and you have limited time and resources,” Spitzer said, “so focus on the fewest behaviors that will have the largest impact.”

For his program, he said, a “human risk analysis” yielded a “top seven” list: vulnerability to phishing attacks; poor password security (not that passwords are too simple, but that they are being shared or the same one is re-used across various sites); failing to patch or update devices; sharing too much on social media; not realizing you are a target; and accidental data loss or exposure.

That last one, he said, is caused frequently by auto-complete on email. “You meant to email Dave in accounts payable, but instead you accidentally emailed Dave, your kid’s soccer coach,” he said.

Spitzer said the latest Verizon Data Breach Investigations Report, released just recently, “matches perfectly with what we have here when it comes to human risks. The key is that with fewer topics, you’re more likely to change behavior.”

Engagement

A primary question he gets from organizations, Spitzer said, is: “How do we reach people?”

And the simple, effective answer, he said, is to “focus on how people benefit – 70%-80% of an awareness program also applies to people’s personal lives.”

The reality, he said, is that in the modern work environment, where people are working in multiple locations (including their homes) with multiple devices, their personal information is also at risk.

“Bad guys are targeting people at home,” he said, “so it’s not like they need one set of behaviors at home and a different one at work. It’s the same across both. You want to make security part of their DNA.”

Reinforce

Awareness takes repetition, Spitzer said, but it won’t be effective if it’s overdone. “You need to communicate regularly through the year to reinforce key behaviors,” he said, “and we recommend that you touch people monthly. Quarterly is not enough, but weekly is too much – it starts to become noise.”

The other key, he said, is to offer different ways for workers to consume that training. Different generations have different preferences, he said – boomers might want lunch-and-learn events or newsletters, while younger workers would prefer webcasts and social media.

Also, let workers consume training on their own schedule. “If you schedule an event, 10% might show up – everybody’s busy,” he said, “but when you offer it on their own schedule, it’s more successful.”

Finally, don’t ignore awareness updates either, he said.
“Your technology, standards and threats are constantly changing,” he said, “so you should update your content at least once a year, or more often if there’s something critical.”