Wednesday, February 29, 2012

Awareness vs. Training

It’s a big temptation to jump straight to how-to and policy training when implementing an Information Security Awareness Training Program (ISATP). However, you need to prepare your target audience first. Each person in your organization must understand why security is important. They must also see that management is committed to information asset assurance. Finally, each employee should understand the impact, both personal and organizational, of not following security best practices (as defined in policies, standards and guidelines).


Once you have their attention, you can ask them to sit through security training sessions, sessions that pull them away from their normal job of actually running or supporting business operations, with less resistance. An even more important effect of awareness is employee willingness to listen and learn.

Thursday, February 23, 2012

Security begins with employee understanding and acceptance

Security awareness and training are typically covered under the single heading of Information Security Awareness Training. In fact, that’s the approach I took in the previous two posts on this topic, covering how to change employee behavior at a high level. This high-level approach is appropriate for many organizations, especially those with tenuous management commitment and a meager budget. However, awareness and training, when part of a formal methodology for employee behavior modification, are actually two different activities: awareness prepares people to care about and accept security, while training teaches them the specific behaviors and procedures expected of them.

In future posts I will look at creating secure behavior in our organizations, starting with a process for preparing users for more focused training.