From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Security awareness training

From the course: ISC2 Certified Information Systems Security Professional (CISSP) (2024) Cert Prep

Start my 1-month free trial Buy for my team

Security awareness training

- [Instructor] Security depends upon the behavior of individuals. An intentional or accidental misstep by a single user can completely undermine many security controls, exposing an organization to unacceptable levels of risk. Security training programs help protect organizations against these risks. In particular, they help educate users about how they can avoid falling victim to social engineering and phishing attacks. Security education programs include two important components. Security training provides users with the detailed information they need to protect the organization's security. These may use a variety of delivery techniques, but the bottom line goal is to impart knowledge. Security training takes time and attention from students. Security awareness is meant to remind employees about the security lessons that they've already learned. Unlike training, awareness doesn't require commitment of time to sit down and learn new material. Instead, it uses posters, videos, email messages, and similar techniques to keep security top of mind for those who've already learned the core lessons. Organizations may use a variety of different methods to deliver security training. These may include traditional classroom instruction providing dedicated information security course material, or it might insert security content into existing programs such as a new employee orientation program delivered by human resources. Students might also use online computer-based training providers to learn about information security or attend classes offered by vendors. Whatever methods an organization uses, the goal is to impart security knowledge that employees can put into practice on the job. Let's take a look at a couple of examples of security training and awareness methods. The SANS Institute's end user security awareness training program provides online training covering a wide range of security topics. Organizations can add their own customized introduction and then depend on the program to provide current updated security training on a variety of topics. Managers can pick and choose the security training modules that make the most sense for their organization's security and regulatory environment, customizing the training that each user receives. If we look at another provider, Cofense PhishMe, you'll find an interesting twist. Instead of simply providing security awareness training, PhishMe allows you to measure the success of your training efforts by actually conducting simulated phishing attacks. Users receive fake phishing campaigns in their inboxes, and if they respond, they're directed to training materials that warn them of the dangers of phishing and help prevent them from falling victim to a real attack. Backend reporting helps security professionals gauge the effectiveness of their security education efforts by measuring the percentage of users who fall victim to the simulated attack. Those are just two examples of security education providers. There are many more out there that can help you quickly build an effective security training and awareness program. The key is to use a diversity of training techniques to cater to different learning styles. These might include phishing simulations, gamification techniques that make learning fun and capture-the-flag exercises that train employees on attack techniques. Organizations may also designate security champions in different business units who have a side responsibility of helping to educate their peers about cybersecurity matters. This approach is often very effective because people are more willing to listen to a message from someone that they know and trust. These security champions can become a powerful tool for spreading and maintaining cybersecurity awareness throughout the organization. While all users should receive some degree of security education, organizations should also customize training to meet specific role-based requirements. For example, employees handling credit card information should receive training on PCIDSS requirements. Human resources team members should be trained on handling personally identifiable information. IT staffers need specialized skills to implement security controls. Training should be custom tailored to an individual's role in the organization. You'll also want to think about the frequency of your training efforts. You'll need to balance the time required to conduct training with the benefit from reminding users of their responsibilities. One approach used by many organizations is to conduct initial training whenever an employee joins the organization, or assumes new job responsibilities, and then use annual refresher training to cover the same material and update users on new threats and controls. Awareness efforts throughout the year then keep this material fresh and top of mind. We should also discuss some of the important topics that you should cover in security education programs. You should take time to cover issues that are important to the organization. For example, if you recently deployed a two factor authentication system that is causing users to become exasperated with the time required to log in, that's a situation known as two-factor authentication fatigue. Use your awareness efforts to remind users of the importance of this security control and ways that they can improve their experience. Similarly, if you're concerned about the insider threat in your organization, you can use awareness programs to remind employees of the importance of following good security practices and signs that they can watch for that might indicate someone is engaging in inappropriate insider activity. The team responsible for providing security training should review materials on a regular basis to ensure that the content remains relevant, changes in the security landscape and the organization's business may require updating the material to keep it fresh. These updates should include coverage of emerging technologies. For example, you might want to update your training program to cover cryptocurrency and blockchain technologies, the use of artificial intelligence in the workplace and the appropriate use of social media.

Contents