Sunday 29 September 2019

Awareness and training program design

The first task when preparing any awareness content is to determine the objectives. What are you hoping to achieve here? What is the point and purpose? What's the scope? What would success or failure even look like?

There are several possible approaches. 

You might for instance set out to raise security awareness 'in general', with no particular focus. That's a naive objective given the variety of things that fall within or touch on the realm of 'security'. Surely some aspects are more pertinent than others, more likely to benefit the workforce and hence the organization? Trying to raise awareness of everything all at once spreads your awareness, training and learning resources very thin, not least the attention spans of your audiences. It risks bamboozling people with far too much information to take in, perhaps confusing them and turning them off the whole subject. 

It's not an effective educational strategy. We know it doesn't work and yet, strangely, there are still people talking in terms of an "annual security awareness training session" as if that solves the problem. 

[Shakes head in despair, muttering incoherently]

Instead, you might identify a few topic areas that are more deserving of effort, 'just the basics' you might say. OK, that's better but now there's the issue of deciding what constitutes 'the basics'. One of the complicating, challenging and fascinating aspects of information risk and security is the mesh of overlapping and interlocking concerns. Security isn't achieved by doing just a few things well. We need to do a lot of things adequately and simultaneously.

Take 'passwords' for example, one of the security controls that most organizations would consider basic. You could simply instruct workers on choosing passwords that meet your organization's password-related policies or standards ... but wouldn't it be better to explain why those policies and standards exist, as well as what they require? Why do we have passwords anyway? What are they for? Addressing those supplementary issues is more likely to lead to understanding and acceptance of the password rules. As you scratch beneath the surface, you'll encounter several important things relating to passwords such as:
  • access control;
  • accountability and responsibility;
  • biometrics and multi-factor authentication;
  • identification and authentication;
  • malware and hacking attacks;
  • password length and complexity;
  • password memorability and recall;
  • password sharing and disclosure;
  • password vaults;
  • phishing and other social engineering attacks;
  • the password change process ...
... and more. Similar considerations apply to any other form of 'basic' security: I challenge you to name any 'basic' security topic so narrowly-scoped that it doesn't touch or depend on related matters. 

A third approach, then, is to acknowledge those touch points and the mesh of interrelated topics, planning a sensible sequence of awareness topics that meander through the entire field. Maybe cover accountability first, then passwords, then access control ... and so on. Now you're starting to get somewhere! 

Oh but hang on, at this level of analysis there is such a variety of potential topics that the sequence takes some thought, especially as there are only so many awareness and training opportunities in the year. Planning is like plate-spinning: in order to raise awareness, you need to re-cover each topic periodically, reminding people before they forget, each awareness and training episode building on previous ones (especially the most recent and/or the most memorable). That's all very well, provided you don't let the plates fall. If your security awareness people move on, listen for the clatter of broken crockery.

A fourth approach is our way. Every month since 2003, we've picked a topic and gone into some depth on it. We've brought up other relevant topics but only briefly, since they are all explored in depth when their time comes. We've picked up on new topics as they emerged (making the content fresh and topical - literally), sometimes combining topics or deliberately taking different perspectives in successive passes. As we plummet towards the 200th awareness module in December, we've steadily accumulated a security awareness and training portfolio covering ~70 topics, all of them designed and prepared to a consistently high standard by a small team of experts. On average, every module has passed three times through the mill, meaning they are all quite stable and mature.

Aside from the topic-based monthly deliveries, there's another innovation in that our awareness materials address three parallel audiences: general employees, managers and professionals. Complementing the breadth and depth of the awareness content, the three streams lead to cultural changes across the entire organization. We think of this as socializing security within the corporation, informing the three audience groups about matters that concern them in terms they can understand, while encouraging them to interact and communicate both among and between themselves.

With our monthly subscription service drawing to a close in just a few months, we're thinking about how best to continue maintaining and updating the portfolio of materials, tracking the ever-evolving field of information risk and security. We'll probably make fewer, irregular updates just a few times a year.

Meanwhile, we're gradually loading up the SecAware eStore with additional awareness modules and ramping up the marketing. If you need top-notch content for an effective security awareness and training program, please browse SecAware's virtual shelves and grab yourself a bargain. There's something strangely motivating about sales!
