Rolling Out a Successful Information Security Awareness Training Program

You’ve identified the need for an ISATP, but now you’re trying to put together an effective plan that will ensure measured success and results for your organization. The success of your ISATP is in the planning of all stages of the training project. Training is a cyclical and ongoing process and should be treated as a project that has many phases and is continuous. Most organization’s engage in ISATP because they need to meet certain guidelines or compliancy standards. What many fail to realize is that in order to change employee behaviour within an organization you need to train continuously.

It is then essential to treat an ISATP program like any other information technology project. Behavioural change is not easy and requires continuous reinforcement. You need to create a project, assign a project manager, and recognize a project champion. Creating a project includes defining business objectives and scope (what’s included and what’s not) in a document. The document needs to be clearly defined and must appoint those who will be held accountable. The document will then act as a guide from planning to implementation to the effectiveness of ISATP outcomes.


Planning for Success


Your project plan document should include well defined business objectives and scope and should appoint those who will be held accountable. This document will become the guide for planning, implementation and ultimately measuring the effectiveness of the ISATP outcomes.

Ideally, the project objectives should track closely to those described in the business case presented to management to obtain approval and resource allocation. To ensure you are setting the right goals you will want to ask yourself some key questions, such as:

  • What is the company’s security strategy

  • What information needs to be protected and how sensitive is it?

  • What regulatory constraints apply (MITS, PCI, SOX?)

  • What are the company's security policies and how are they translated into daily activities?

  • How does security affect employee’s day to day activities?

  • What are the critical processes that need to be protected?


Identify the Project Team


The project team needs to consist of appropriate stakeholders within the organization or department and includes the following members:

  • Project Manager - responsible for coordinating project activities.

  • Project Champion - provides vision and management support for security awareness. This is typically the individual known to have ultimate authority and responsibility in regards to information security throughout the organization.


Determining Content


In deciding what content is needed to be learned in order to change end user behaviours, you will need to identify what is important to the organization in terms of security. You should use best practice guidelines and establish a baseline of knowledge from end users to understand where the weaknesses are in their knowledge base and where to start.

Use internal security policies and guidelines as well as best practice guidelines. Establish a baseline of knowledge – look at existing security training companies who have developed baseline tests.

In determining the content to be introduced, NIST provides some good guidelines (NIST SP 800-50) including:

  • Recent incidents - The assessment of recent security incidents (within the last one to two years) provides insight into weaknesses in employee knowledge of processes or security principles in general.

  • Regulatory issues - The awareness program is a good tool for supplementing regulatory compliance training efforts.

  • Employee concerns - Many employees are already aware of security fundamentals. They can be a good source of information about day-to-day problems related to information asset assurance.

  • Management concerns - Management’s perspective is usually more operational or strategic. More emphasis is placed on investor, vendor, customer, and employee welfare overall. Management’s input helps to complete the picture illustrating internal concerns about security.

  • Customer concerns - With today’s rising rate of identity theft, there is a growing concern among consumers about how companies protect their information. Addressing customer concerns isn’t just good business, it’s the right thing to do.

  • Investor concerns – The level of investor confidence in your organization’s ability to protect sensitive information (intellectual property, financial information, PII, etc.) is directly related to your level of working capital. Be sure to view your company’s level of protection from the investor perspective..


Developing content internally can be both time challenging as well as expensive. Look at on line training that can provide best practice knowledge for end-users, management and IT professionals. Look for courseware that can be delivered as-is, or customized to meet the needs of your organization’s unique culture.

An effective security program requires a solid awareness foundation. You need to ensure that your end users are aware of your organization’s policies and have learned how to adhere to those policies. The only way to ensure that you have an effective information security program is by implementing a solution that includes communication planning, training on the importance of security and reinforcing newly learned behaviours.

Five Steps of an Effective ISATP



  1. Plan
    a. Design the training to meet the company's specific needs.

  2. Deploy
    a. Deploy a communication strategy.
    b. Roll-out training that meets the objectives of the company's security policies.

  3. Reinforce
    a. Use tools to reinforce newly learned behaviours.

  4. Assess & Continuously Measure
    a. Measure the effectiveness of the project and incorporate changes.

  5. Maintain and Review
    a. Maintain and update the knowledge and repeat training continuously as new threats and new best practices are released.

Comments

Completely agree with your overall thesis that a security awareness training program needs to be treated as a project. From our experience with clients in rolling out a program such as this, it is impossible for the program to be successful unless it is managed as a project across the organization. Like all projects, this one also needs to have clear objectives at the onset and measurable goals in order to be successful.

Post new comment

The content of this field is kept private and will not be shown publicly.
Type the characters you see in this picture. (verify using audio)
Type the characters you see in the picture above; if you can't read them, submit the form and a new image will be generated. Not case sensitive.