Key success criteria for an information security awareness programme

27

In one of our recent blogs, we identified the essential role that organisation-wide awareness programmes play in addressing user-related threats to information security.  As URM has been involved in reviewing and developing countless awareness programmes, we thought it will be useful to share our thoughts on what we see as the key success criteria (as well as some of the pitfalls to avoid!).

Less is more

One of the big pitfalls to avoid, and one we see far too often, is organisations ‘throwing the kitchen sink’ at the sessions leaving users to digest and assimilate unrealistic amounts of information.  We believe it’s more effective to keep sessions short and sharp, with an assessment at the end to ensure understanding.  In our opinion, it’s far better to ‘nail’ 2 or 3 key messages than dilute or confuse your users with numerous ones.  We strongly recommend that topics are prioritised, based on your latest risk assessment and address your most significant current threats.  The natural consequence of this is to replace the ‘all-singing-all-dancing’ one-off training awareness session with a series of short, sharp directed modules.

Relevant and engaging

Another common weakness is not tailoring awareness training to your audience.  We often see training content which users struggle to relate to, e.g. statistics on the average cost of an information security breach to UK industry plc.  Always ensure you make content relevant to your users – provide material that can help them personally, such as keeping them and their families safe online.  A good example of this is advising them how they can avoid identity fraud through improved password management.  You can then link to your corporate message stressing you aren’t asking them to behave any differently at work to at home.  When talking about the impact of any security breach, try to relate it back to them.  With cyber threats, the most effective approach has been to conduct a mock phishing attempt on an organisation prior to training and then, within the training, state how many people clicked on the phishing link – can be 40% or more – and stress the potential impact of that click.

Keep ‘calls to action’ simple

This success criteria links back to ‘less is more’ and the need for simplicity.  It is essential that you keep any calls to action simple and straight forward.  For instance, what should users do when reporting an incident.  We have come across situations where users have been given a number of different instructions depending on the nature of the incident, e.g. report personal data breaches to the DP Manager, IT related issues to the Help Desk, physical security issues to Facilities etc etc.  If your users aren’t sure what type of incident it is, they may just not report it for fear of getting it wrong or it being too complicated.  Try and keep it simple, have one reporting mechanism and once reported the incident can be assessed and directed to the most appropriate individual/s.  Regularly reinforce this with other media and forms of communication, which leads on very nicely to….

 Take a multi-media approach for message reinforcement

How often do we all fall into the trap of delivering an induction or annual training session and saying ’that’s good, we’ve now addressed awareness’?  The problem with this approach is that our users are very likely to be thinking exactly the same thing and moving on to something else.  URM has worked on some really innovative and effective campaigns, where training messages and calls to action are reinforced by other media, such as posters, mugs, mouse mats, sign on messages and post-it notes.  Constant reminders are vital in influencing behavioural change, which in turn leads to our next key success criteria.

 Continuous programme required

Just like a dog, awareness training is not just for Christmas.  Your awareness programme needs to be more than just a one-off event when someone joins or as an annual organisation-wide event.  In addition to keeping awareness sessions short and relevant to your users, they need to be kept topical and focussed on the latest threats or weaknesses identified in your risk assessment or those things that would cause the greatest impact on the business if something went wrong.  Also, don’t fall into the trap of committing to monthly or quarterly updates.  It’s far better to deliver updates as and when needed.  This will ensure awareness sessions are fresh and meaningful.

 Measure for effectiveness and continuous improvement

Last but definitely not least!  If you’re looking to create an effective and varied ongoing awareness programme, you need to be looking at ways of continuously improving the effectiveness of your training.  This can only be achieved by measuring and monitoring the effectiveness in order to shape future sessions.  Tests at the end of the training to assess whether users have understood key facts or policies are a great starter for ten, but you should also consider conducting tests after a period of time to see whether those messages have really stuck.  There is an argument that the best measurement is to monitor behaviour, after all, the key goal is to influence a permanent change in behaviour.  For example, if one of the key messages from your training sessions is to introduce a clear desk or clear screen policy, schedule an office walk around a few weeks later to review compliance.  Or, taking the mock phishing exercise referred to earlier, conduct a before and after experiment and see if there have been any improvements.  If you’re complying with or are certified to ISO 27001, this type of exercise makes a great and relevant audit.

Summary

So, before we fall foul of our own advice and try to deliver too many messages(!), let’s take stock and summarise what we, at URM, believe makes for a really effective infosec awareness training programme.

In a nutshell, an ongoing programme of short sessions with simple, clear and relevant messages based on current and/or high impact risks and concerns.  These should be reinforced with other media and continuously measured for effectiveness and improvement.

LEarn More - Official 3