
Three Principles To Guide Your Security Awareness Training Program

Level 10

After the network perimeter is locked down, servers are patched, and password policies are enforced, end-users themselves are the first line of defense in IT security. They are often the target of a variety of attack vectors, making them the first step of triage when a security incident is suspected. Security awareness training, which should be part of any serious IT security program, should be based in common sense, but what security professionals consider common sense isn’t necessarily common sense for the average end-user.

In order to solve this problem and get everyone on the same page, end-users need the awareness, knowledge, and tools to recognize and prevent security threats from turning into security breaches. To that end, a good security awareness program should be guided by these three basic principles:

First, security awareness is a matter of culture.

Security awareness training should seek to change or create a culture of awareness in an organization. This means different things to different security professionals, but the basic idea is that everyone in the organization should have a common notion of what good security looks like. This doesn’t mean that end-users know how to spot suspicious malformed packets coming into a firewall, but it does mean that it’s part of company culture to be suspicious of email messages from unknown sources or even from known sources but with unusual text.

The concerns of the organization’s security professionals need to become part of the organization's culture. This isn’t a technical endeavor but a desire to create a heightened awareness of security concerns among end-users. They don’t need to know about multi-tenant data segmentation or versions of PHP, but they should have an underlying concern for a secure environment. This is definitely somewhat ambiguous and subjective, but this is awareness.

Second, security awareness training should empower end-users with knowledge.

After a culture of security awareness has been established, end-users need to know what to actually look for. A solid security awareness program will train end-users on what current attacks look like and what to do when facing one. This may be done simply with weekly email newsletters or required quarterly training sessions.

End-users need to actually learn why it’s not good to plug a USB stick found in the parking lot into their computer, and users need to get a good feel for what phishing emails look like. They should know that they can hover over a suspicious link and sometimes see the actual hidden URL, and they should know that even that can be faked.
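The hover check described above can be partly automated at the mail gateway. The following Python script is an added example, not code from the original post or its author: it parses the anchors out of an HTML email body and flags any link whose visible text looks like a URL for one host while the href actually points at another. The sample email body is constructed for the demonstration and is not a real message.

```python
"""Flag links in an HTML email body whose visible text looks like a URL
but whose href points at a different host (a common phishing pattern)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body (not taken from any real message).
SAMPLE_EMAIL_HTML = """
<p>Your invoice is ready.</p>
<a href="https://accounts.example.com/login">https://accounts.example.com/login</a>
<a href="http://198.51.100.7/verify">https://accounts.example.com/security</a>
<a href="https://example.com/help">Help center</a>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible_text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently open, else None
        self._text = []     # visible text fragments inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-case host of a URL ('' if none); bare hosts get a scheme first."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def looks_like_url(text):
    """True if the visible link text reads like a URL or a dotted host name."""
    t = text.strip().lower()
    if t.startswith(("http://", "https://", "www.")):
        return True
    return "." in t and " " not in t and _host(t) != ""


def find_mismatched_links(html):
    """Return one dict per anchor whose displayed host differs from the
    host the href really resolves to."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        if not looks_like_url(text):
            continue  # plain wording such as "Help center" carries no URL claim
        shown, actual = _host(text), _host(href)
        if shown != actual:
            findings.append({"shown_host": shown, "actual_host": actual, "href": href})
    return findings


if __name__ == "__main__":
    for f in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"visible text says {f['shown_host']!r} but the link goes to "
              f"{f['actual_host']!r} ({f['href']})")
```

Run against the sample, the script reports only the second anchor, whose text claims `accounts.example.com` while the href goes to a bare IP address. A link whose visible text and href both name the same lookalike domain (one character off the real one) passes this check untouched, which is the sense in which the article warns that even the hover cue can be faked; the heuristic catches only the crude text-versus-target mismatch.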

Ultimately, they need to know what threats look like. The culture of awareness makes them concerned, and knowledge gives them the ability to identify actual problems in the real world.

Third, security awareness training is concerned with changing behavior.

The whole point here is that end-users take action when there is suspicion of malicious activity. Security awareness training is useless if no one takes action and actually acts like the first line of defense they really are (or can be).

A good security awareness program starts with culture, empowers end-users with knowledge, and seeks to change behavior. This means making significant effort to provide end-users with clear directions for what to do when encountering a suspected security incident. Telling users to simply “create a ticket with the helpdesk” is just not enough. End-users need clear direction as to what they can actually do in the moment when they are dealing with an issue. This is where the whole “first line of defense” becomes a reality and not just a corporate platitude.

For example, what should end-users actually do (or not do) when they receive a suspected phishing email? The directions don’t need to be complicated, but they need to exist and be communicated clearly and regularly to the entire organization.

Security awareness training is the most cost-effective part of a security program in that it doesn’t require purchasing millions of dollars of appliances and software licenses. There is a significant time investment, but the return on investment is huge if done properly. A strong security awareness training program needs to be based in common sense, change culture, empower end-users with knowledge, and change behavior.

28 Comments

My organization regularly sends random phishing test e-mails to our users, simulating bad guys masquerading as our company, requesting users to click on links or download attachments.

For those users who don't recognize this as phishing, when they click on the links or try to download the attachment, they are sent to a page that explains the security test, and helps them understand what they should have done instead of clicking the link or trying to open the attachment.

As hackers become more sophisticated, our security team steps up the training to match, hopefully to stay ahead.

Obviously, none of this applies to protecting a company or person against someone trusted violating that trust.  But that's another issue to keep track of in another thread.

Security staff have job security, and will, for the foreseeable future.

Level 10

That's an interesting method to test and teach end-users. It's very difficult to stay ahead with end-user training, but I've found that the cultural awareness is a huge benefit in and of itself. It's a lot of work creating regular training sessions and literature which I know turns off many network security folks, but that regular exposure is so important to maintaining a good culture of security awareness.

My organization also assigns all our staff quarterly online videos to train them and refresh them about various policies, including security and phishing recognition.  I wish all users everywhere could take these same simple sessions, with brief 3-question quizzes at the end of each, which must be answered successfully to receive credit for the training.

My kids and my mother-in-law could really benefit from this information.

Level 10

That's a pretty common method, and I think the key is consistency. I like your idea of doing it for our friends and family!

Level 21

This one really is a challenge.  One of the challenges I have seen is that non-technical departments tend not to take this stuff seriously, as they think it's just stuff for the geeks to worry about.  This is why my non-technical departments are also the most common people to end up with viruses on their systems.  Changing the culture in such a way as to get them to care, and to get them to realize it isn't just something for the geeks to worry about, is both a challenge and not something that happens quickly.

Level 10

I completely agree. For example, I literally have a full one-year plan to change the culture where I am, and we're talking about 3,100 people. Even then I think it won't become entrenched in the consciousness of the org for more like a few years, and that's assuming I stick with it and have company buy-in. Yikes....what a daunting task....

Level 20

I have two sets of security awareness training I have to do, both annually.  I'm a CISSP, so it's sort of simple security awareness training, but it's good for all users to be reminded annually.  A lot of newer information about spear phishing and examples go into it.  I have to earn CPEs every year to maintain the CISSP and go through re-certification every three years.

Level 10

I'm re-doing our current one now and hoping to get something out there quarterly, even if it's a recorded webcast or something.

MVP

We also get the phishing test emails...some are well crafted to look like a scan from a printer sent as an email with an attached document, except for the fact that we don't have that brand of printer here at the office.

For the IT world, this can generally be accomplished even though you will have those that "know better".  In the general ranks of the company, fewer will get it and most think everything is protected so why should they make the effort or they take the gamble that it can't happen to them.

The problem is that most don't know what a threat looks like or have the impression that it won't happen to them.

Level 10

I agree with you for sure. That's why I think consistency is important, and actually homing in on what end-users will likely see day-to-day, like sample phishing emails or common social engineering attacks. I've seen presentations for end-users that discussed encryption, etc., and frankly they were just a complete waste of time.

Level 14

Pen testing Layer Eight.  The higher you go in the OSI model, the more attack vectors become available.  Layer Eight (humans) is no exception.  Pen test with phishing e-mails.  If the user fails, they get remedial training.  Whether they pass or fail, you can use this to further refine your Incident Handling process.

MVP

Indeed, administrators without security capability are mercifully being evolved out of a job.

Level 13

The only truly secure network is one that is turned off...

🙂

Don't forget to include that your "turned off systems" must be physically secured, too.

Turning a PC or server or switch off isn't enough if someone has unsupervised access to it.  It's why we factory-default switches and routers before we recycle them, and why we remove hard drives and portable media and shred them via a professional service when the PC or server or CD or jump drive or floppy are taken out of service permanently.

MVP

As the article says, users are the first line of defense, but they are also the first line of attack.

Trust no one.

MVP

Very good suggestions.

Level 10

Great post!

Our company requires yearly security training but it's pretty basic stuff... Don't give out your password...watch out for phishing emails...etc.

Level 13

I agree that culture is a huge part of it...however, when developers keep churning out flaw after flaw...

Level 9

I just love it, yes that is sarcasm, when non-technical users get a virus and the first thing out of their mouths is "I thought you were in charge of the firewall!" Ugggggg.......

And you thought they were in charge of their keyboard....go figure

MVP

But isn't giving out your password kind of like a "spare key": if you forget, you can phone a friend? It's surprising how many people will violate the simplest things like that. I had a boss, yes a full-fledged manager, with a notebook in her top desk drawer with all of her passwords.

Level 20

Yep, this also means paying extra to, say, Dell for the keep-your-hard-drive option if the servers are leased.  Our destruction is even worse... our comsec people have to go to the location where they throw all the stuff into an incinerator, and they have to stay and witness that the hard drives and other material are destroyed!  Imagine what that's like in the middle of the summer in Arizona!

MVP

About 20 years ago I had a friend that had been with FEMA. He was responsible for destroying the hard drives in his group. The procedure was a DoD wipe of the drive with 3 passes. Then he had to physically drill holes in the drive. Then beat it repeatedly with a sledgehammer. And finally incinerate them. I'm thinking that one or more of those steps could have safely been eliminated.

MVP

ecklerwr1, well at least it is a dry heat

Level 20

It's just now starting to get up into triple digits, right around 100-102... When it's dry that's actually not too bad if you aren't in the direct sun... it's around July/August, when the temp sometimes hits 120, that it's just really hot.  The longer I've lived here, though, the less tolerance I have for cold, rain, ice, and snow.

That sounds about right.  I've lived in Minnesota all my life, and I have similar acclimatization, except towards cold and away from heat.  I don't do well in 85F+.  It's even worse with high humidity.  My wife wants to retire to someplace south, and I confess, there are days when the driving / biting wind makes me a bit more irritable than it used to when I was a kid in the '60s.

I think my decreased mental tolerance for windy cold may come from thinking I have the ability to move south and spend less time bundling up & dealing with icy roads.  Especially as I approach 60 years of age.  That ability to leave the coldest weather, particularly when I think of a retirement plan that allows me to chase 70F south & north through becoming financially independent, appeals more and more.

Level 20

I like the desert because it's warm and dry!  I've really taken to it after growing up in southern Ohio.  I sure don't miss that 90F and 90% humidity o.O that was the worst!  The freezing rain and ice before the snow wasn't too great either.

MVP

This week in Rutland Vermont

[image attachment]