Designing a good security awareness program

Don’t try to teach people too much, says Gartner research director Andrew Walls

Badly designed security awareness programs can damage the relationship between the user population and the security team instead of educating people about security, according to Gartner research director Andrew Walls.

“I would estimate that about 95 per cent of the security awareness programs that I review are not worth the money spent on them,” he said at the analyst firm’s Security & Risk Management Summit in Sydney.

“The programs that people have put together to train their users are so badly designed and constructed that they actually damage the relationship between the user population and the security team.”

Walls said that having objectives is critical for an awareness program to succeed: if you don’t have objectives that are well defined and can be measured, then you are going to have bad training.

Objectives include the disciplinary baseline, regulatory compliance and direct behaviour management.

For example, there are anti-phishing solutions which send users into a training session if they click a bad link.

“After they have been pushed into those training sessions a few times, they stop clicking links and attachments. That’s user behaviour management,” he said.

Walls suggested that end users should not be bombarded with dos and don’ts.

“What we have found is that people can learn five to seven new behaviours a year. A typical security program will cover 20 to 100 different things that you expect people to learn,” he said.

The essential test for security skills is retention and erosion over time.

“Check it [skills] in three months or six months and see how much they have retained. Don’t rely on a single training event or audit once a year.”

Walls also said people should ditch PowerPoint presentations if they are not effective.

He shared the example of one CISO who ditched their training program and recruited an advertising agency to run security campaigns across the entire organisation. This had proven more effective, with end users now better informed of good cyber security practices.

Follow Hamish Barwick on Twitter: @HamishBarwick
