In deciding what content needs to be learned in order to change end-user behaviors, you will need to identify what is important to the organization in terms of security. Use best practice guidelines and establish a baseline of end-user knowledge so you can understand where the weaknesses are in their knowledge base and where to start.
Use internal security policies and guidelines as well as best practice guidelines. To establish a baseline of knowledge, look at existing security training companies that have developed baseline tests.
In determining the content to be introduced, NIST provides some good guidelines (NIST SP 800-50) including:
Recent incidents - The assessment of recent security incidents (within the last one to two years) provides insight into weaknesses in employee knowledge of processes or security principles in general.
Regulatory issues - The awareness program is a good tool for supplementing regulatory compliance training efforts.
Employee concerns - Many employees are already aware of security fundamentals. They can be a good source of information about day-to-day problems related to information asset assurance.
Management concerns - Management’s perspective is usually more operational or strategic. More emphasis is placed on investor, vendor, customer, and employee welfare overall. Management’s input helps to complete the picture illustrating internal concerns about security.
Customer concerns - With today’s rising rate of identity theft, there is a growing concern among consumers about how companies protect their information. Addressing customer concerns isn’t just good business, it’s the right thing to do.
Investor concerns - The level of investor confidence in your organization's ability to protect sensitive information (intellectual property, financial information, PII, etc.) is directly related to your level of working capital. Be sure to view your company's level of protection from the investor perspective.
Developing content internally can be both time-consuming and expensive. Look at online training that can provide best practice knowledge for end users, management and IT professionals. Look for courseware that can be delivered as-is, or customized to meet the needs of your organization's unique culture.
An effective security program requires a solid awareness foundation. You need to ensure that your end users are aware of your organization's policies and have learned how to adhere to them. The only way to ensure that you have an effective information security program is to implement a solution that includes communication planning, training on the importance of security, and reinforcement of newly learned behaviors.
Thursday, September 30, 2010