Thursday, September 30, 2010

Determining Content

In deciding what content is needed to be learned in order to change end user behaviors, you will need to identify what is important to the organization in terms of security. You should use best practice guidelines and establish a baseline of knowledge from end users to understand where the weaknesses are in their knowledge base and where to start.

Use internal security policies and guidelines as well as best practice guidelines. Establish a baseline of knowledge – look at existing security training companies who have developed baseline tests.

In determining the content to be introduced, NIST provides some good guidelines (NIST SP 800-50) including:

Recent incidents - The assessment of recent security incidents (within the last one to two years) provides insight into weaknesses in employee knowledge of processes or security principles in general.

Regulatory issues - The awareness program is a good tool for supplementing regulatory compliance training efforts.

Employee concerns - Many employees are already aware of security fundamentals. They can be a good source of information about day-to-day problems related to information asset assurance.

Management concerns - Management’s perspective is usually more operational or strategic. More emphasis is placed on investor, vendor, customer, and employee welfare overall. Management’s input helps to complete the picture illustrating internal concerns about security.

Customer concerns - With today’s rising rate of identity theft, there is a growing concern among consumers about how companies protect their information. Addressing customer concerns isn’t just good business, it’s the right thing to do.

Investor concerns - The level of investor confidence in your organization’s ability to protect sensitive information (intellectual property, financial information, PII, etc.) is directly related to your level of working capital. Be sure to view your company’s level of protection from the investor perspective.

Developing content internally can be both time-consuming and expensive. Look at online training that can provide best practice knowledge for end users, management and IT professionals. Look for courseware that can be delivered as-is, or customized to meet the needs of your organization’s unique culture.

An effective security program requires a solid awareness foundation. You need to ensure that your end users are aware of your organization’s policies and have learned how to adhere to those policies. The only way to ensure that you have an effective information security program is by implementing a solution that includes communication planning, training on the importance of security and reinforcing newly learned behaviors.

Saturday, September 18, 2010

The Project Plan

Creating a project includes defining business objectives and scope (what’s included and what’s not) in a project plan document. Before diving into the planning process for a security awareness training project, it’s important to assign a project manager and appoint a communications champion as part of the project.

Ideally, the project objectives will closely mirror those described in the business case that was either verbally provided or put into an actual written document to obtain the approvals needed to ensure program success. If you haven't completed the business case yet, then it is imperative you do this first. Ensure you have complete management buy-in before proceeding to the planning stages. To ensure you are working toward the right goals, you should start by answering the following questions:

• How sensitive is the information stored, processed, and exchanged with outside entities?

• What regulatory constraints apply (e.g., HIPAA and SOX)?

• What is the company’s security strategy?

• What are the company’s security policies? How do they translate to practical, day-to-day activities?

• What are the company’s critical business processes?

• How does security affect employees’ day-to-day activities?

• How would a major security incident affect the health of the business?

Answering these questions helps focus the training on the ISATP message: a message unique to the combination of company culture, the industry in which the company operates, the regulatory climate, and the kinds of sensitive information processed or stored. Communicating this message, and choosing the method of communicating it, is the responsibility of the communications champion.

Although the project manager is responsible for coordinating project activities, it’s the communications champion who provides vision and works with management to gain and maintain support for security awareness.