I think there is great value to awareness training. To me, the content and delivery are key considerations. If the security messages are the same old, rehashed information then it will be hard to get people to pay attention, care and retain information. No one wants to see yet another dry review of an organization's security policies.
But there is a better way...
When creating content for, or delivering, security awareness training, I like to use a strategy I call "Bring It On Home" (which, of course, always reminds me of the great Led Zeppelin song!).
The idea is simply this... Information Security is a complicated topic. Our networks and infrastructure are complicated, as are the policies we need to help protect them. Most people in the workplace are users of this technology and have far too many other things to worry about. So there isn't enough "mind-space" available to absorb all of this information out of context.
But almost everyone in your workplace has a computer at home. They shop online. Many bank online. They log in to websites. They have home email. Many participate on social networks. They own smartphones and some have tablets. And... many have children who are comfortable with consumer and online technology.
Many of these people want to, and need to, learn more about this consumer technology. They may have a wireless router installed by their internet provider and want to know if they are at risk. They want to know a bit more about their smartphones and social networks. They want to know if there are things they can do to avoid, or minimize problems from, Identity Fraud.
And that is how you can reach the masses.
I regularly give presentations on topics like: Internet Safety for Families; How to be a Tech-Smart Parent; Outsmarting your Smartphone; Identity Fraud; and Home Wireless for Smart People. I've spoken on these topics at work, but also in the community. I've got slides for most of these presentations on my slideshare site.
One interesting thing is that while the technology advances and some things change, many things stay the same. I always have audience members who have never heard some of the core information. Also, different parts of the presentations become more relevant as a person's home situation changes, for instance as their kids get older.
And... here's the "trick"... Once people can understand a bit more about how security can help them at home in their private lives, it becomes much easier to relate that to situations in the workplace. I can practically see the light-bulbs go on when I make those connections.
Do you ever provide "consumer" information as part of your security awareness program? If so, what experiences can you share? If not... what are you waiting for????
Great write up, Barry, and I could not agree more with "bringing it on home" to help relate complex security ideas to security matters that the average person will be concerned about and want to learn about. Oddly enough, I also wrote on the topic of security awareness recently in one of my blog posts (http://www.thesecurityartist.com/337-a-huge-and-fundamental-flaw-in-all-security-awareness-programs/) and feel that security awareness, in general, falls short in many areas, so much so that I believe we should scrap the term "security awareness" and replace it with "security appreciation", which will also embrace a new mindset.