Tips for creating effective security awareness programs
The following tips are essential to creating an effective security awareness program:
- Remember that awareness is a cybersecurity function. The purpose of a security awareness program is to reduce risk by modifying user behaviors. Risk reduction through awareness is just one part of a comprehensive cybersecurity program.
- Avoid claims of perfection and platitudes. Never claim that you’re creating the human firewall or other forms of perfection. No security countermeasure has delivered perfection, and claims to that effect ruin your credibility — especially when the inevitable happens. You are simply reducing risk.
- Deserve more. Prove that you’re providing a return on investment and reducing losses while enabling capabilities. You prove the worth of an awareness program by collecting and reporting metrics.
- Consider subcultures. Many awareness programs are created as a monolith — a single program for everyone. Different parts of your organization, such as people from different demographics, might need different communications tools. You determine this need by knowing whether parts of your organization have different communication styles and different business interests.
Basic components of a security awareness program
A security awareness program has three basic components:
- Topics are the specific awareness issues you’re trying to improve — for example, phishing, physical security, and password security.
- Communications tools are how you deliver messages — for example, posters, phishing simulations, newsletters, and security ambassador programs.
- Metrics are tools to determine whether and where the awareness program is having success, and they can come in many forms, such as the number of incidents experienced, attendance at events, likeability measures, or phishing messages reported.
Metrics that show what's working, and what isn't
Metrics are critical for showing the success of an awareness program, especially when competing for funding and resources. In a mature program, metrics are used to constantly tune a program by showing what’s working and what isn’t.
Metrics come in these four categories, each one with a different purpose and value:
- Likeability metrics: Fundamentally, these metrics measure how much users like your content. To collect likeability metrics, survey users about how much they like the materials you produce.
- Engagement metrics: These metrics show how users consume the material provided in a program. How many read the newsletters? How many show up at events? How many complete the required or recommended training?
- Behavioral metrics: These metrics demonstrate actual changes in behavior and the success of awareness efforts. To collect them, measure specific behaviors and track improvement over time. How many users report phishing messages? What percentage of desks are secured at the end of the day? How many links are blocked on web content filters?
- Return on investment (ROI): ROI metrics are the most valuable. They assign a financial value to the savings from improved behaviors. For example, if improved awareness reduced phishing incidents by 10 percent, what is the cost savings for response and recovery? If improved awareness reduces lost computers and USB drives, what are the savings from the reduced losses?
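As an added illustration (not from the original article), the following Python computes all four metric categories from constructed quarterly data: survey ratings for likeability, training completion for engagement, phishing-simulation click and report rates for behavior, and ROI as incident savings net of program cost. The data, cost per incident and program cost are hypothetical figures.

```python
# Added example, not from the article: the four metric categories computed
# from constructed quarterly awareness-program data.
from dataclasses import dataclass

@dataclass
class Quarter:
    name: str
    survey_scores: list      # likeability: 1-5 ratings from a user survey
    staff: int               # headcount in scope
    training_completed: int  # engagement: staff who finished the training
    phish_sent: int          # behavioral: simulated phishing messages sent
    phish_clicked: int       # ... and how many were clicked
    phish_reported: int      # ... and how many were reported to security
    incidents: int           # real phishing incidents handled this quarter

def likeability(q: Quarter) -> float:
    """Average survey rating on the 1-5 scale."""
    return sum(q.survey_scores) / len(q.survey_scores)

def engagement(q: Quarter) -> float:
    """Share of staff who completed the training."""
    return q.training_completed / q.staff

def behavioral(q: Quarter) -> dict:
    """Click and report rates from the phishing simulation."""
    return {"click_rate": q.phish_clicked / q.phish_sent,
            "report_rate": q.phish_reported / q.phish_sent}

def roi(baseline: Quarter, current: Quarter, cost_per_incident: float,
        program_cost: float) -> float:
    """Net savings vs. the baseline quarter, as a fraction of program cost."""
    savings = (baseline.incidents - current.incidents) * cost_per_incident
    return (savings - program_cost) / program_cost

def quarterly_report(quarters: list, cost_per_incident: float,
                     program_cost: float) -> list:
    """One row per quarter; the first quarter is the ROI baseline."""
    baseline = quarters[0]
    return [{"quarter": q.name, "likeability": likeability(q),
             "engagement": engagement(q), **behavioral(q),
             "roi": roi(baseline, q, cost_per_incident, program_cost)}
            for q in quarters]

# Constructed sample data (hypothetical figures, not real measurements).
SAMPLE = [Quarter("Q1", [3, 4, 4, 5], 400, 220, 400, 80, 60, 20),
          Quarter("Q2", [4, 5, 5, 4], 400, 320, 400, 40, 160, 14)]

if __name__ == "__main__":
    for row in quarterly_report(SAMPLE, cost_per_incident=5000, program_cost=20000):
        print(row)
```

The baseline quarter's ROI is negative by construction (no incidents avoided yet), which is the honest number to report before behavior change shows up.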
Gamification to reward effective behavior
Gamification is a system that rewards people for practicing desired behaviors. Frequent flier programs and other loyalty programs are examples of gamification: people buy from an organization and receive rewards for it, which encourages them to keep buying.
Get more from your awareness program by incorporating gamification to reward positive security-related behaviors.
Security ambassadors to promote awareness efforts
Security ambassadors, frequently called security champions, are employees from other parts of the company who serve as representatives for the awareness program and support awareness efforts locally. They can organize events, spread awareness program messages, answer questions, and otherwise serve as an extension of the awareness team.
Security ambassadors can be quite valuable for a security awareness program, so invest first in identifying the right people to fill the role and then training them and providing the appropriate resources to support and communicate with them.
Quarterly awareness programs that reinforce knowledge
Most awareness programs have an annual schedule, where an awareness manager plans for the year and features one topic per month. This straightforward strategy leaves plenty of room for planning, but it locks the program in for a full year. Instead, plan three months at a time.
Also, rather than focusing on one topic per month, distribute information about three topics throughout the three-month period. This reinforces each topic for an extended period. Shorter plans also allow for more versatility, such as updating the topics and tools used as the program goes.