
Security Awareness Course Design Best Practices

By Andrei Antipov, April 1, 2016

A well-designed security awareness course on its own does not guarantee the success of your security awareness program. There are many other important factors, such as executive buy-in or clearly defined goals, that should be in place. However, with a poorly designed course, your security awareness program is guaranteed to fail. Yes, you can still run the program for as long as your budget allows it, and your participation rates may be through the roof with the right incentive program. Research shows that 62% of organizations measure the effectiveness of their security awareness program by course completion alone. But you are not one of those 62%. You want to achieve what you really should want to achieve with your program, which is changing your employees' behavior. That means you want your training to "stick," so you had better make sure your security awareness course is effectively designed.

While the exact definition of "well-designed" will differ for most organizations, there are some common factors that you should consider when developing your security awareness course. We will discuss some practices that will greatly contribute to the effectiveness of such a course and how SecurityIQ AwareEd can help you with their implementation.


Role- and Group-Based Training

Your software developers never have to leave the office, while your salespeople work from home. Having the same security awareness course that includes modules for physical security and working remotely for both groups would mean wasted time, which they would rather spend developing and selling software (and, of course, you would want that, too). But there is another negative effect, one that is not so obvious: Including irrelevant modules will make your learners lose interest in the training itself; as a result, they will pay less attention to the topics that are relevant to their job responsibilities. Research shows that 48% of employees would like corporate training to be customized to their job function.

That is why the first step in designing an effective security awareness course should be analyzing your employees' job functions as they relate to information security. Then you will be able to tailor your course for each role so it only contains the most relevant topics. Ultimately, as the PCI Security Standards Council points out, role-based security awareness training will allow you "to build a reference catalogue of various types and depths of training to help [your organization] deliver the right training to the right people at the right time."

Specific roles will vary for each organization; however, the simplified approach offered by PCI SSC should be suitable for most organizations. They suggest three types of roles:

  • All Personnel
  • Specialized Roles
  • Management

We can take this concept a step further and identify seven roles with information security responsibilities that will require specialized awareness content:

  • Executive/Manager
  • End-User
  • IT Staff
  • Software Developer
  • Industrial Control System (ICS) Operator
  • Information Security Professional
  • ICS/SCADA Security Professional

Most organizations should be able to categorize their employees with information security responsibilities into these seven roles. However, in certain situations such clear categorization may not be possible. For example, end-users in some departments may have extended information security responsibilities (such as handling personally identifiable information, or PII) compared to other end-users. This is where the concept of groups comes in. For such users, a specialized group can be created, for which additional awareness topics will be included in the training. Groups may also help you structure your security awareness training even more effectively. Depending on the size and structure of your organization, groups may be the same as roles; however, there are many benefits to creating groups of learners within roles. For example, you can create separate groups for end-users in each department for better participation tracking, or for morning and evening shifts if you are planning on dedicating specific time slots to your training sessions.

SecurityIQ AwareEd makes creating and editing learner groups a simple task. You can quickly put together learner groups and send out custom notifications and reminders. All you need is the list of your employees' email addresses.

Interactivity

When comparing different training methods, 41% of employees consider interactive online courses an effective method. The same study showed that more than two-thirds of employees would choose to participate in more training if it were more interactive and engaging. It's a no-brainer, really: Would you rather watch a video whose only "interactive" feature is the ability to pause it, or participate in training where you are constantly and actively engaged in the process and have to use your hands and your brain to progress? It is not just about your training not being "dull." The foremost objective of security awareness training is to educate, not entertain, and this is exactly why interactive training is the best tool for the job. Back in 2006, the Summit on Educational Games by the Federation of American Scientists reported that learners recall just 10% of what they read and 20% of what they hear. If there are visuals accompanying an oral presentation, the number rises to 30%, and if they observe someone carrying out an action while explaining it, 50%. But learners remember 90% if they do the job themselves, even if only as a simulation. (These retention percentages are widely quoted, but their empirical basis is disputed, so treat them as an illustration of the trend rather than as measured values.)

Interactivity also addresses the point we brought up earlier: How do we measure the effectiveness of our program? Of course, metrics would give you the most accurate idea, but interactive training offers an immediate result: You know for sure that your learner participated in the training, instead of hitting "play" on a video and walking away.

SecurityIQ AwareEd offers the highest-quality interactive content to ensure the maximum engagement of every learner. Audiovisual presentations are combined with short quizzes and gamification elements, allowing learners to test their knowledge as they progress through the module. Simple navigation features allow review of specific parts of the module without having to start over.

Branding

Customizing your security awareness course materials to have your company-wide look and feel may seem like an insignificant factor, but it can actually not only make your security awareness course much more effective, but also benefit your company as a whole. Internal branding promotes employee engagement. And high engagement means higher customer advocacy, higher productivity, and higher profitability. Branding demonstrates your commitment to the brand promise, which is particularly important for employees with primarily internal positions, who may not be exposed to your external branding efforts.

There are many customization options in SecurityIQ AwareEd. You can place your company logo in learning modules and custom notifications, change the theme color, and instantly preview the customized module.

Training Frequency for Groups

Security awareness training is a continuous effort. Your employees are not going to suddenly become perpetually aware upon completion of your course. It is critical to repeat the awareness training frequently so its message is reinforced. Besides, some regulations, such as PCI DSS, require periodic security awareness training for all personnel. A once-a-year frequency is common and may work for some organizations; however, based on existing best practices and research, reinforcing the awareness program every 90 days is the general recommendation. This frequency is especially effective for the specialized employee roles. Some end-user employees may be exposed to interactive awareness training less frequently if their job functions don't involve handling sensitive information assets. This is another area where you can benefit from the group-based training structure: You can set different training frequencies for different groups and keep tuning them until you find the schedule that best fits your organization's business needs. You may also create groups with an irregular or on-demand training schedule, such as new hires.

With SecurityIQ AwareEd, you can create your learner groups, put together your courses, schedule your campaigns, and then just "fire and forget." Or not. You are in control: The campaign runs as you created it, but you can make any necessary changes at any time.

Training Frequency for Modules

This is closely related to training frequency, but is important enough to be discussed separately. With a more frequent security awareness training schedule, repeating all the same modules every time may result in decreasing effectiveness: Your employees will likely get tired of hearing, seeing, and doing (remember, our training is highly interactive!) the same things every three months. To keep things fresh (and also save some time), you should rotate modules, reinforcing different topics in every training session. Even if annual security awareness training for all employees is all you need, that does not mean the content of this training has to be the same every year. A lot can happen in a year. Last year you did not have any telecommuters; this year you have three. Last year you didn't allow using mobile devices for work; now you can only reach your sales manager on her cell phone. Things happen: companies are merged and acquired, new industry regulations and internal policies come out, new technologies are implemented, and so on. In some instances you may need to reinforce some of the topics off-schedule (one of your vendors just got hit by a phishing campaign!) or run some of them on demand (again, new hires).


As with the learner groups, SecurityIQ AwareEd gives you as much administrative control over your course as you can possibly want. Create your courses, name and rename them, add, remove, and reorder modules (don't forget to preview them). Then, when you are satisfied, fire and forget.

Traceability and Reporting

Last but not least, you absolutely must have rich reporting capabilities built into your security awareness course. You want to be able to keep your finger on the pulse of your security awareness training program at all times. You want to know when your awareness campaign may need a boost, you want to have the "naughty and nice" lists of your learners, and you need to see what groups are struggling with participation to figure out why. And, of course, you want to be able to have a comprehensive, informative, and aesthetically pleasing report to present to your superiors at the end of the quarter without killing your entire weekend to create it.

Close your eyes and visualize the success of your security awareness campaign. Now open your eyes and see it visualized for you by SecurityIQ AwareEd reporting features. You can easily generate reports that show everyone enrolled in a course and their progress, or see the summary of your entire campaign run.
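To make the group-cadence, module-rotation and reporting ideas from the three sections above concrete, here is an added example in Python. It is not code from SecurityIQ AwareEd or from the original article; the group names, the 90-day and 365-day cadences, the 80% quiz pass mark, the 80% participation threshold and all enrollment records are constructed assumptions for illustration. It plans which groups are due on a given day and which modules they get (rotating through each group's catalogue so consecutive runs cover different topics, with never-trained groups such as new hires due immediately), and then builds a per-group report that puts the quiz pass rate beside the completion rate, since completion alone says nothing about whether the training stuck.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Group:
    """A learner group with its own training cadence and module rotation."""
    name: str
    cadence_days: int              # e.g. 90 for specialised roles, 365 for low-risk end users
    catalogue: List[str]           # modules to rotate through, in order
    last_run: Optional[date]       # None = never trained (e.g. a new-hires group)
    rotation_index: int = 0        # where the next run starts in the catalogue


def next_due(group: Group, today: date) -> date:
    """A group that has never been trained is due immediately (on-demand groups)."""
    if group.last_run is None:
        return today
    return group.last_run + timedelta(days=group.cadence_days)


def pick_modules(group: Group, per_run: int) -> List[str]:
    """Next `per_run` modules, wrapping around the catalogue so each run
    reinforces different topics instead of repeating the whole course."""
    n = len(group.catalogue)
    return [group.catalogue[(group.rotation_index + i) % n] for i in range(per_run)]


def plan_campaign(groups: List[Group], today: date, per_run: int = 2) -> Dict[str, List[str]]:
    """Map each group whose due date has arrived to the modules it gets this run."""
    return {g.name: pick_modules(g, per_run) for g in groups if next_due(g, today) <= today}


def advance(group: Group, run_date: date, per_run: int = 2) -> None:
    """Record that a run happened and move the rotation pointer forward."""
    group.last_run = run_date
    group.rotation_index = (group.rotation_index + per_run) % len(group.catalogue)


@dataclass
class Enrollment:
    """One learner's status in one module (constructed record format)."""
    group: str
    learner: str
    module: str
    completed: bool
    quiz_score: Optional[int]      # percent; None until the module is completed


def group_report(enrollments: List[Enrollment], pass_mark: int = 80, min_completion: float = 0.8) -> Dict[str, dict]:
    """Per-group completion rate, quiz pass rate, the learners still outstanding,
    and a flag for groups struggling with participation (assumed threshold: 80%)."""
    by_group: Dict[str, List[Enrollment]] = {}
    for e in enrollments:
        by_group.setdefault(e.group, []).append(e)
    report = {}
    for name, rows in by_group.items():
        done = [r for r in rows if r.completed]
        passed = [r for r in done if r.quiz_score is not None and r.quiz_score >= pass_mark]
        completion = len(done) / len(rows)
        report[name] = {
            "completion_rate": round(completion, 2),
            "pass_rate": round(len(passed) / len(done), 2) if done else 0.0,
            "needs_attention": completion < min_completion,
            "not_completed": sorted({r.learner for r in rows if not r.completed}),
        }
    return report


# Constructed sample data: four groups with different cadences and catalogues.
TODAY = date(2016, 4, 1)
GROUPS = [
    Group("developers", 90, ["secure-coding", "phishing", "passwords", "data-handling"], date(2016, 1, 1)),
    Group("sales-remote", 90, ["working-remotely", "phishing", "mobile-devices"], date(2016, 2, 15)),
    Group("warehouse", 365, ["physical-security", "phishing"], date(2015, 6, 1)),
    Group("new-hires", 90, ["acceptable-use", "phishing"], None),
]
# Constructed enrollment records for the current run.
ENROLLMENTS = [
    Enrollment("developers", "ana", "secure-coding", True, 95),
    Enrollment("developers", "ben", "secure-coding", True, 60),
    Enrollment("developers", "cal", "secure-coding", True, 85),
    Enrollment("developers", "dan", "secure-coding", True, 90),
    Enrollment("developers", "eve", "secure-coding", False, None),
    Enrollment("sales-remote", "dee", "working-remotely", True, 90),
    Enrollment("sales-remote", "eli", "working-remotely", False, None),
    Enrollment("sales-remote", "fay", "working-remotely", False, None),
]

if __name__ == "__main__":
    print("due on", TODAY, "->", plan_campaign(GROUPS, TODAY))
    for group_name, stats in group_report(ENROLLMENTS).items():
        print(group_name, stats)
```

On the constructed data, only the developers (trained 90 days ago) and the new hires (never trained) are due on 2016-04-01; the sales group's 90 days and the warehouse group's 365 days have not elapsed. The report flags the sales group for low participation, and also shows that the developers' 80% completion hides a 75% quiz pass rate, which is the kind of signal a completion-only metric would never surface.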


Conclusion

Designing an effective security awareness course is hard, but not impossible. Following best practices and using the right tools will help you turn "not impossible" into "definitely possible." We discussed some of the best course design practices in this article; there are more out there, and some of them already exist in your organization's employee training program. For the right tools, come to SecurityIQ.

Andrei Antipov

Andrei is a security engineer. He holds a cybersecurity degree from Bellevue University and is an Associate of (ISC)² toward CCFP and a Metasploit Pro Certified Specialist. Andrei is interested in reading and writing about all things cybersecurity, with a focus on security governance, penetration testing and digital forensics. In his spare time, he enjoys spending time with his family and talking about weird movies and trip-hop.