Designing a good security awareness program
- 25 August, 2015 15:45
Badly designed security awareness programs can damage the relationship between the user population and the security team instead of educating people about security, according to Gartner research director Andrew Walls.
“I would estimate that about 95 per cent of the security awareness programs that I review are not worth the money spent on them,” he said at the analyst firm’s Security & Risk Management Summit in Sydney.
“The programs that people have put together to train their users are so badly designed and constructed that they actually damage the relationship between the user population and the security team.”
Walls said that having objectives is critical for an awareness program to succeed: if the objectives are not well defined and measurable, the training will be bad.
Objectives include setting a disciplinary baseline, meeting regulatory compliance requirements and direct behaviour management.
For example, there are anti-phishing solutions that send users into a training session if they click a malicious link.
“After they have been pushed into those training sessions a few times, they stop clicking links and attachments. That’s user behaviour management,” he said.
Walls suggested that end users should not be bombarded with dos and don’ts.
“What we have found is that people can learn five to seven new behaviours a year. A typical security program will cover 20 to 100 different things that you expect people to learn,” he said.
The essential test of security skills is how well they are retained, and how much they erode, over time.
“Check it [skills] in three months or six months and see how much they have retained. Don’t rely on a single training event or audit once a year.”
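The two mechanics above, the click-to-training loop used for behaviour management and the retention check across later campaigns, can be reduced to a small amount of bookkeeping over phishing-simulation results. The following is an added illustration, not code from the article or from Gartner; the campaign events, user names, quarterly schedule and click thresholds are all constructed for the example.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the article): one row per simulated
# phishing email, as (user, campaign_date, clicked). Campaigns run quarterly
# so that the three- and six-month follow-up is built into the schedule.
EVENTS = [
    ("alice", date(2015, 1, 15), True),
    ("alice", date(2015, 4, 15), True),
    ("alice", date(2015, 7, 15), False),
    ("bob",   date(2015, 1, 15), False),
    ("bob",   date(2015, 4, 15), False),
    ("bob",   date(2015, 7, 15), False),
    ("carol", date(2015, 1, 15), True),
    ("carol", date(2015, 4, 15), False),
    ("carol", date(2015, 7, 15), True),
]


def training_enrolments(events):
    """Map each campaign date to the users who clicked and are therefore
    pushed into the training session (the behaviour-management loop)."""
    enrol = defaultdict(list)
    for user, day, clicked in events:
        if clicked:
            enrol[day].append(user)
    return {day: sorted(users) for day, users in sorted(enrol.items())}


def click_rate_by_campaign(events):
    """Fraction of recipients who clicked in each campaign, so the rate can be
    compared across follow-up campaigns rather than read off a single event."""
    clicked = defaultdict(int)
    sent = defaultdict(int)
    for _, day, was_clicked in events:
        sent[day] += 1
        clicked[day] += int(was_clicked)
    return {day: clicked[day] / sent[day] for day in sorted(sent)}


def repeat_clickers(events, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns: the ones for whom
    the automatic training loop has not yet changed behaviour."""
    counts = defaultdict(int)
    for user, _, clicked in events:
        counts[user] += int(clicked)
    return sorted(u for u, n in counts.items() if n >= min_clicks)


def relapsed_users(events):
    """Users whose skill eroded: they stopped clicking after training, then
    clicked again in a later campaign (clicked -> not clicked -> clicked)."""
    history = defaultdict(list)
    for user, day, clicked in events:
        history[user].append((day, clicked))
    relapsed = []
    for user, rows in history.items():
        seq = [c for _, c in sorted(rows)]
        for i in range(len(seq) - 2):
            if seq[i] and not seq[i + 1] and seq[i + 2]:
                relapsed.append(user)
                break
    return sorted(relapsed)


if __name__ == "__main__":
    for day, users in training_enrolments(EVENTS).items():
        print(f"{day}: enrol {', '.join(users)} in training")
    for day, rate in click_rate_by_campaign(EVENTS).items():
        print(f"{day}: click rate {rate:.0%}")
    print("repeat clickers:", repeat_clickers(EVENTS))
    print("relapsed:", relapsed_users(EVENTS))
```

The point of the last two functions is the one Walls makes: the campaign-level click rate falling from the first quarter to the next looks like success, but only the per-user history shows who has relapsed and whether the behaviour change actually stuck six months on.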
Walls also said people should ditch PowerPoint presentations if they are not effective.
He shared the example of one CISO who ditched their training program and recruited an advertising agency to run security campaigns across the entire organisation. This proved more effective, with end users now better informed about good cyber security practices.
Follow Hamish Barwick on Twitter: @HamishBarwick