Data Driven Security Awareness Training

Security awareness training can be a somewhat touchy subject. For those who administer it, it can often feel like just one more task to keep track of. It can feel similar to the employees who must undergo the training, especially for those who feel like their jobs don’t have a direct impact on the company’s information security. Though it can be difficult to figure out the best way to deploy this type of training, it has become the norm within the corporate landscape. This article aims to provide answers on what security awareness training is, how it can best be accomplished, and why it is important.

Before the best way to roll out a security awareness program can be explored, it must be determined what it is and why it is done. This discussion aims to be neither exhaustive, nor all-inclusive, but simply to provoke thought on why an organization does, or does not, take part in security awareness training.

So, what is security awareness training? The most commonly accepted definition is that it is an end-user-based training that is delivered on a regular basis, usually annually, which reduces the organization’s overall risk by ensuring that all employees are aware of information security best practices. It is widely accepted that employees are the most easily exploited attack vectors to an organization. One doesn’t need to look much further than the prevalence of phishing attacks and breaches caused by social engineering to verify this. To reduce this risk, security awareness training often covers several topics that include: basic security practices, company policy, and any relevant information related to regulations the company may have to adhere to. The hope is that equipped with this information, employees will both help strengthen the security posture of the organization through heightened awareness and be unable (Read more...)