There is no silver bullet in security awareness.

What I mean by that is there is not a right or wrong way to teach people about cyber security. Just like any other type of education, you must surround yourself with it. You cannot expect to show a once-a-year “death by PowerPoint” presentation and have your staff become cyber experts. This is something that is wrong with the majority of programs I’ve seen.

Security awareness training should be an ongoing effort that builds upon the successes and challenges of security within the organization.

I have seen a lot of security awareness programs in my career. In one situation, I witnessed rewarding staff by paying a bonus of hundreds of dollars for not falling victim to phishing, tailgating and other security tests. The goal was to convince everyone that security is important by paying them a reward.

Another program disincentivized poor behaviors by docking pay for a day on the first offense. Then pay was docked for a week on the second and third offense. If you’re a contractor, the punishment was even more severe: immediate termination upon your first offense.

It shocked me to see an organization take this drastic of a measure, especially when people often don’t understand what is right and wrong. However, that’s more so because they truly don’t connect to the “why.” In most of these cases, training is usually used and treated as a penalty, which is also confusing to learners.

What do you think happened in both of these scenarios? Was positive or negative reinforcement dramatically better than the other? In both cases, the answer is “no.” Those types of reinforcement actually wound up causing more problems in the short run.

The key is building a cultural awareness similar to how we treat health or saving for your future – employees talk about that all the time. They understand the risks of eating poorly or spending too much money, and they feel the need to discuss these common challenges with one another. Security awareness is no different; it’s just not as well developed within organizations today.

Building a security awareness program should start with the following two major initiatives.

First, create a team that includes executive management support and initiative leaders. This team will ensure the program has legs to continue to receive ongoing funding and support, as well as remain a priority within the organization.

Second, the team needs to create a strategic plan for the security awareness program. Having a plan will help outline both short- and long-term goals and at a minimum create a qualitative measurement of an organization’s goals.

As someone in charge of security education, your focus should be on long-term solutions and not on short-term gains. Focus on developing a security culture and encourage those behaviors. Sure, giving a bonus will incentivize for a short-term goal, but behaviors will return right to where they are expected without it. You’re changing the behavior of short-term success when your focus should be on long-term cultural changes.

When you start to look at this problem differently, you can open the door to many more solutions.


About the Author: Nick Santora is the CEO of Curricula, a cyber security education company located in Atlanta, GA. Curricula provides cyber security awareness training and NERC CIP compliance training solutions using an innovative story-based learning approach. You can follow Curricula on Twitter @Curricula or check out their website at

Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.