Beyond Security Awareness Training
November 2, 2015 As featured in in the National Cyber Security Alliance blog (staysafeonline.org)

When I travel by air, I ask for an exit row seat. Of course, the privilege of having extra room for my long legs comes with the responsibility to open the exit door in the event of an emergency. Like most passengers, when the flight attendant asks if I can open the exit door, I always respond “yes” — even though I’ve never actually opened an exit door.  Of course, I’d feel more confident saying “yes” if they’d allow me to tear the door from its hinges and throw it onto the tarmac, but I’ve never asked or been offered the opportunity to do so. Practice, it seems, isn’t always practical.

If you train others at your school or organization on matters of cybersecurity, or if you’re generally responsible for managing the security of your organization’s networks and computer systems, you might wonder what training and support you should provide to promote the skills users need to practice safe computing. It isn’t always practical to expose people to real threats, so you might try to make users aware of the threats by giving them some general principles to prevent or manage them if they can’t be averted.

But you might wonder if this sort of training is sufficient. How might users react when they’ve been informed of various threats but are not truly equipped to handle them? A natural reaction might be fear and anxiety. Or after frequent exposure, they might simply become numb or indifferent to the threats.

A Three-Pronged Approach to Promoting Security Skills
Security training should foster not only the desire but also the ability to practice safe computing. Training experiences should reach beyond awareness to help users develop real skills that will help them to be cyber-safe. Make sure your training and communications provide learners with:

  • Ways to identify specific security threats
  • Strategies and tactics to avoid or handle the threats
  • Opportunities to practice these strategies and tactics in real-world scenarios

It may not be safe or practical for you to immerse students in real-world scenarios for practice, but you can often simulate such experiences. Provide learners with repeated opportunities to make real-world decisions and determine how they will act under various circumstances. They may make some incorrect decisions at first, but with practice they will improve, develop skills and confidence.

Applying a Multi-Layered Strategy to the Human Element
When implementing security protections, organizations often follow a defense in depth strategy. Essentially, this means that the company’s IT security team installs numerous layers of technology barriers and protections throughout the company’s systems. If one layer fails, hopefully the next layer provides enough additional protection to prevent a costly exploit.

Unfortunately, a misstep by a single employee can compromise even the strongest technology protections, so ensuring that people are capable of avoiding and managing security threats is as important as ensuring that technology provides a suitable barrier against attacks.

In your organization, consider employing a multi-layered security strategy through people similar to the multi-layered strategy you provide through technology. Awareness training that provides learners with real-world practice in avoiding and managing security threats is an important first step. But while training is critical, considering providing other layers of support for your users, such as:

  • Policies to guide users toward cyber-safe behavior
  • Performance support tools, such as reminders, checklists and dashboards to help employees to perform tasks securely
  • Communities of practice to help employees help each other
  • Company culture that promotes cyber-safe practices

The human element is often identified as the most frequent cause of costly security breaches, so developing security awareness, skills and multiple layers of support throughout your entire organization will produce significant improvements in your organization’s security posture.

About the Author
Logical Operations helps organizations and individuals maximize training with an adaptable expert-facilitated learning experience. Its more than 5,100 titles are available globally through flexible delivery platforms that are designed for any learning environment. Logical Operations also offers a growing portfolio of high-stakes certifications such as Logical Operations Certified CyberSec First Responder and assessments including Logical Operations Certified CyberSAFE. Logical Operations' CEO, Bill Rosenthal, is a board member of the National Cyber Security Alliance (NCSA) and works alongside representatives from organizations such as AT&T, Bank of America, Facebook, Google, Intel, Microsoft, Verizon, Visa, and more, to make sure that everyone has the education and resources needed to stay safe and secure online. For more information, connect with Logical Operations at logicaloperations.com and on Twitter @logicalops.