
How to Build a Cybersecurity Awareness and Training Program

Cybersecurity Learning & Awareness program

Introduction

Cybersecurity professionals possess many tools to reduce risk. However, it is no accident in a field so concerned with technology that technological tools are often prioritized over others: as the Law of Instrument says, “if the only tool you have is a hammer, it is tempting to treat everything as if it were a nail.” Therefore, cybersecurity professionals should not neglect the other tools, such as awareness and training. This article covers how organizations can build successful awareness and training programs that reduce cybersecurity risks.

Our Topics –

  • What cybersecurity awareness and training are
  • Where they appear in cybersecurity frameworks
  • How to build a successful awareness and training program

What Are Awareness and Training

The purpose of awareness and training is to reduce human risks. All users are susceptible to creating a security incident by sharing their password, falling victim to social engineering, or downloading malicious software. Awareness and training give users the cybersecurity knowledge and skills they need to perform their jobs without posing excess risk to the organization.

It’s telling that the cybersecurity field has settled on the need for “awareness” and “training” for all users as opposed to other pedagogical terms, such as “education” and “teaching.” Users do not need a formal cybersecurity education or possess rigorous cybersecurity knowledge to reduce their risk. While formal education is helpful for cybersecurity professionals, awareness and training efforts should suffice for most users.

Awareness means developing a familiarity or perception about something, ideally with the intent to affect behavior. For example, we can make users aware of the harmful effects of malware. Users who are aware of what malware is and how it commonly spreads do not need to know how the malware actually works to make positive behavioral choices, such as not clicking unknown links or downloading unknown programs.

Training means to teach a skill. For example, we can train users in how to authenticate to systems using unique, entropic passwords and a multi-factor authentication solution.

Overall, we should think of awareness and training efforts as “what do we want our users to know (i.e., awareness) and be able to do (i.e., training)?” When done well, awareness and training programs improve organizational culture by enabling users to see the value of their cybersecurity program and how everyone has agency in protecting their services and data.

Awareness and Training in Cybersecurity Frameworks

Awareness and training activities are required in most cybersecurity frameworks. For example, the following common frameworks include awareness and training controls:

  • NIST CSF 2.0 | Category PR.AT
  • NIST 800-53 | Control 3.2
  • NIST 800-171 | Control 3.2
  • CIS v8 | Control 14

While each framework has its subtle take on awareness and training controls, there are common elements, including:

  • Documenting an awareness and training policy and procedure
  • Offering awareness and training at least annually
  • Offering more in-depth awareness and training for more privileged users
  • Covering topics such as social engineering, secure authentication, data handling, and incident reporting

Creating a Successful Awareness and Training Program

Successful awareness and training programs reduce human risks and improve organizational cybersecurity culture. Here are tips to create sustainable and impactful awareness and training programs.

1. Identify your outcomes

Start by identifying what you want your users to know and be able to do. Document around 10 learning targets users should achieve once they review your awareness and training content. The learning targets should be specific and actionable. For example:

  • Users will be able to describe relevant laws and regulations governing their appropriate handling of sensitive data.
  • Users will be able to differentiate between appropriate and inappropriate types of devices they can plug into their workstations.
  • Users will be able to identify common elements of malicious phishing emails and report suspected phishing emails to the IT department.
  • Users can create unique passwords for their digital accounts that adhere to the organization’s password policy.

You may also want to create learning targets specific to different user groups. For example, privileged users, executive-level users, and third-party or contractor users may have increased or specialized awareness and training requirements.

2. Include other stakeholders

Cybersecurity professionals have a unique opportunity to remove barriers between their department and the rest of the organization due to the need to provide awareness and training to all users. However, the cybersecurity department should not own this task alone: leadership and HR should also support the awareness and training program. Leadership can approve an awareness and training policy and officially announce the program to the rest of the organization, legitimizing it for all users. HR can help administer the program through a learning management system (LMS) and hold users accountable for completing the content. These stakeholders’ support is integral to the long-term success of awareness and training efforts.

3. Select your training modalities

You can use a variety of modalities to get your users to achieve your identified learning targets. For example, awareness and training activities can be conducted through:

  • Learning Management System (LMS)
  • In-person or remote facilitation
  • Phishing simulation
  • Gamified activities
  • Tabletop exercises
  • Informative emails
  • Posters

Awareness and training programs should use several modalities, as learning outcomes are more straightforward to achieve when users are exposed to content in more than one way.

4. Schedule your awareness and training activities

The most common error organizations make with cybersecurity awareness and training programs is only offering the content once a year. This approach leads to a “check the box” mentality where users seek to get the training “out of the way.” A short, annual training is not robust enough for users to retain the content and demonstrably affect their behavior in a way that reduces human risk and improves culture. Therefore, awareness and training efforts should be proactively scheduled over the entire year. While this may sound heavy-handed, awareness and training efforts do not need to burden users’ time; instead, users should be commonly and intentionally exposed to awareness and training content through various modalities throughout the year.

One of the best ways to do this is by structuring your awareness and training activities into two parts: primary and ongoing. Your primary awareness and training is formal, happens once a year, and is often administered through an LMS. Through primary awareness and training, you seek to provide all of the information necessary for your users to achieve your identified learning targets. User completion should be tracked and enforced. On the other hand, your ongoing awareness and training should happen for the remainder of the year, such as once a month, and it should reinforce the topics your users learned in the primary training. Ongoing training modalities may include phishing simulations, informative emails, and gamified activities.

Scheduling awareness and training activities to occur throughout the year is more likely to result in positive results that reduce human risk than the “check the box” model.

5. Track and report results

Awareness and training program effectiveness should be tracked and reported to leadership. SANS provides a helpful inventory of security metrics in its Security Awareness Toolkit, linked below. Sample metrics to track and report include:

  • Percent of users who fall victim to or successfully report a simulated phishing exercise
  • Percent of users who complete the primary awareness and training content
  • Percent of users who create secure passwords (as measured through a simulated brute force attack)
  • Percent of users who perceive cybersecurity in a favorable way (as measured through a culture survey)
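To show how the first two metrics above can be produced from program records, here is an added example (not code from the original article or from Sedara) that computes primary-training completion and phishing-simulation click and report rates from a constructed set of user records. The user IDs, groups, outcomes and the 20% attention threshold are all invented for illustration; the per-campaign breakdown goes slightly beyond the list above by showing the trend across monthly simulations and by splitting results by user group, which matches the group-specific learning targets discussed earlier.

```python
"""Awareness and training program metrics over constructed sample records.

Each record is one user: their group, whether they completed the annual
primary training, and their outcome in each monthly phishing simulation.
All data below is constructed for this example.
"""
from collections import defaultdict

# Constructed sample data. "simulations" lists the user's outcome in each
# phishing simulation, in campaign order:
#   "reported" = forwarded to IT, "clicked" = fell for it, "ignored" = no action.
USERS = [
    {"id": "u01", "group": "standard",   "completed_primary": True,  "simulations": ["clicked", "reported", "reported"]},
    {"id": "u02", "group": "standard",   "completed_primary": True,  "simulations": ["ignored", "ignored", "reported"]},
    {"id": "u03", "group": "standard",   "completed_primary": False, "simulations": ["clicked", "clicked", "ignored"]},
    {"id": "u04", "group": "privileged", "completed_primary": True,  "simulations": ["reported", "reported", "reported"]},
    {"id": "u05", "group": "privileged", "completed_primary": True,  "simulations": ["ignored", "reported", "reported"]},
    {"id": "u06", "group": "executive",  "completed_primary": False, "simulations": ["clicked", "ignored", "clicked"]},
]


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to count."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def completion_rate(users, group=None):
    """Percent of users (optionally within one group) who completed primary training."""
    pool = [u for u in users if group is None or u["group"] == group]
    done = sum(1 for u in pool if u["completed_primary"])
    return pct(done, len(pool))


def campaign_rates(users):
    """Click and report rates per campaign, in campaign order, so the trend is visible."""
    n_campaigns = max(len(u["simulations"]) for u in users)
    rows = []
    for i in range(n_campaigns):
        # Only users who were included in campaign i count toward its denominator.
        outcomes = [u["simulations"][i] for u in users if len(u["simulations"]) > i]
        rows.append({
            "campaign": i + 1,
            "click_rate": pct(outcomes.count("clicked"), len(outcomes)),
            "report_rate": pct(outcomes.count("reported"), len(outcomes)),
        })
    return rows


def group_click_rates(users):
    """Click rate across all campaigns, broken down by user group."""
    clicked, total = defaultdict(int), defaultdict(int)
    for u in users:
        for outcome in u["simulations"]:
            total[u["group"]] += 1
            clicked[u["group"]] += int(outcome == "clicked")
    return {g: pct(clicked[g], total[g]) for g in total}


def groups_needing_attention(users, threshold=20.0):
    """Groups whose overall click rate exceeds the (constructed) threshold."""
    return sorted(g for g, r in group_click_rates(users).items() if r > threshold)


def build_report(users):
    """Assemble the figures that would go into a leadership report."""
    groups = sorted({u["group"] for u in users})
    return {
        "completion_overall": completion_rate(users),
        "completion_by_group": {g: completion_rate(users, g) for g in groups},
        "campaigns": campaign_rates(users),
        "click_rate_by_group": group_click_rates(users),
        "needs_attention": groups_needing_attention(users),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_report(USERS), indent=2))
```

Running the script prints the full report as JSON. In practice the records would come from the LMS export and the phishing-simulation platform rather than a hard-coded list; the point is that the same few functions, run after each monthly campaign, give leadership a trend line rather than a single annual number, and the per-group breakdown shows where additional targeted training is warranted.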

Conclusion

Cybersecurity awareness and training are requirements in most cybersecurity frameworks because they are powerful ways to reduce human risk. While cybersecurity professionals often think about technology solutions, the effectiveness of awareness and training programs should not be forgotten, especially when they provide a unique opportunity for cybersecurity teams to build rapport with the rest of their organizations.

Effective cybersecurity awareness and training programs identify what users should know and be able to do. Information should be communicated using multiple modalities, and awareness and training activities should be carried out throughout the year, not just annually. Cybersecurity teams should also include other stakeholders, such as leadership and HR, to champion and facilitate awareness and training efforts.

We Can Help

Sedara’s Cybersecurity Development Program (CDP) and its trained virtual Chief Information Security Officers (vCISOs) can help you build a successful cybersecurity program that reduces risk. Our vCISOs serve as your expert, trusted advisors on all things cyber, including building your own awareness and training program.
