How would you approach improving the security education training and awareness in an organization you know well (e.g. Temple as a student) but you will not name in your answer post and comments?
Justin Chen says
My home university, to my knowledge, wasn’t a very security-aware environment from multiple perspectives when looking at its security system. The university lacks security measures that are very common and critical, such as multi-factor authentication (MFA) for logins to the student information system and many other university systems which contain critical information such as PII, health situation, student ID, GPA and even scholarships of students and employees. My home university was known for its beautiful campus and a famous 60+ year-old chapel which attracted people from all over my country and the world. But the university has free Wi-Fi, used by students and employees, that is also open to the public, which means it is always exposed to potential malicious activities.
To improve the environment, I would implement general security education for all staff and specific SETA programs for departments within the university. The university systems are important to the organization and need stronger protection; I believe the IT staff are not yet aware of the importance of the systems’ security measures. Investing in IT leadership acquiring certifications such as CISA and CISSP will be cost-effective for the university. Security shouldn’t just be about compliance, but about fostering a mindset where everyone feels responsible for the organization’s security. Incorporating cybersecurity into orientation, so that every new employee, faculty member and even student goes through basic security training, is a fundamental way of facilitating awareness of security. Last but not least, continue monitoring with metrics that help track the program’s effectiveness, and update the program to make sure the knowledge of the stakeholders is up to date.
Daniel Akoto-Bamfo says
Hello Justin
I appreciate the background story you gave about your university which painted a clear picture of its state of security awareness and your recommendations to improve it are commendable. However, how will your recommendation cater to outside stakeholders such as potential students?
Clement Tetteh Kpakpah says
I will take the steps below to improve the security education training and awareness in an organization that I know.
a. Assess the existing landscape
It is prudent to gather the feedback of all key stakeholders, probably through a survey, to establish concerns and challenges about security and to assess the existing training and awareness to identify the areas that need to be worked on.
b. Define objectives
Setting and defining a clear objective is the next strategic step after determining the concerns and areas for improvement.
c. Design engaging content
Create interesting and engaging content that pertains to the industry using diverse formats, including videos, interactive modules, infographics, and in-person training, to accommodate diverse learning styles.
d. Improve training delivery
Enforce annual and mandatory training for employees. Provide specialized training for diverse groups each year and incorporate security training into new hire orientations.
e. Build a culture of security
There is a need to establish a culture of security awareness by using relatable examples, incidents, and successes through social media, posters, emails, and all available effective means to emphasize the importance of security practices in daily operations.
f. Utilize technology
Create accessible and highly engaging security training modules online, which can be accessed through a portal or website for obtaining relevant security materials and updates consistently.
g. Support peer involvement
Appoint and train employees or individuals as security advocates within their units, and arrange security awareness weeks and contests to encourage ongoing security education.
h. Consistently evaluate and adapt
There is a need to consistently assess the effectiveness of the security education training through diverse metrics and update the content in order for the training to stay relevant.
i. Collaborate with Industry experts
Always collaborate with industry experts to deliver expert training whenever needed.
j. Broadcast the progress and success of the program
Consistently communicating the relevance of security education training and how it has helped in diverse situations and the progress made will help sustain the program.
Justin Chen says
Hi Clement,
I appreciate how you developed very useful and general steps that I believe most organizations can follow. The one I wrote is about a university, so students and outsiders are also a big part of the weaknesses compared to a regular company. Do you think this will fit well in an educational environment where not only staff are potential vulnerabilities but students could also be a big hole where a breach may occur? Will budget be a huge problem, since it is hard to implement education for all students, not to mention their willingness to comply?
Clement Tetteh Kpakpah says
Hello Justin,
The above steps can be used in an educational environment where students can be a special point of focus. The budget will not necessarily be much of a problem; however, the willingness of students to comply will be a bit of a challenge to tackle.
Lily Li says
As stated in the SANS article, “people will always be the weakest link in the security chain – all it takes is one user with poor behavior or one uneducated mistake to jeopardize your security”. To improve security education, organizations must determine who the target audience is and what the goals of the program are. For universities whose goals are to inform students of data security, they might implement regulatory courses and activities related to these topics. For example, at the University of Missouri Columbia (MU), formal awareness training and activities are held to ensure students are up to date with the latest security concepts. Security education courses should be specialized so students can retain the information as well as apply it to their daily lives. However, the course should be comprehensive enough that it will be understood by the average end user.
Steven Lin says
Lily, you’ve captured a key point from the SANS article—people are often the weakest link, and it’s essential to target the right audience with tailored training. Of course, universities like MU are perfect examples of how regular training can keep students up-to-date on critical security concepts. I agree that making courses both specialized and comprehensive is crucial; it’s about finding that balance where the material is digestible yet impactful. Ensuring that students can apply what they learn in their everyday activities is the most effective way to reinforce these security behaviors.
Steven Lin says
I would first perform a deep awareness assessment to understand the existing knowledge level, the recognition of critical vulnerabilities and/or knowledge gaps for diverse users at an organizational level. This could be possible through surveys, quizzes, or even simulated phishing tests and mock phishing attacks to see how employees would react to common threats.
I would therefore develop a bespoke SETA program involving face-to-face workshops, online modules, and interactive content. Scenarios likely to come up in an organizational situation, or case studies, would be outlined to make this more appropriate, relevant and interesting. Regularly scheduled training, along with monthly security awareness subjects, would key in concepts. It would incorporate security tips in the natural flow of communication, be it via email, company newsletters, or other digital displays. Examples of game-like elements used are quizzes and incentives for active participation. Key metrics to track that continuous improvement is occurring include training completed and a reduction in security incidents, adjusting accordingly based on feedback and new emerging threats.
Haozhe Zhang says
Hey Steven
Your approach to improving SETA is well thought out, especially with the focus on tailoring the program to specific knowledge gaps and incorporating engaging elements like quizzes and incentives. How would you handle resistance from employees who may be reluctant to participate in the training or who see it as unnecessary?
Daniel Akoto-Bamfo says
To improve the security education training and awareness in an organization, one must do the following:
Assessment of the Organization
The organization must be assessed to identify the security awareness knowledge and skills of the employees and take into account their proficiency levels and the organizational culture. Compare this with the existing security education training and awareness program to identify areas where the employees are lacking that will need to be improved.
Develop Training Program
A training program must be developed based on the assessment made which showed areas that need to be improved. The training can take the form of simulations, case studies, or quizzes and this must be a continuous form of learning concerning emerging threats and best practices.
Continuous Monitoring
After the training has been done, the employees must be monitored to identify adherence to the training program they receive. Continuous monitoring and adherence will create a culture of security awareness and alertness.
Evaluate Progress
The progress of trained employees on security education training and awareness programs must be evaluated to identify areas that will need improvement to refine the training program to ensure successful implementation.
Sara Sawant says
In order to improve security awareness and education, I would start by evaluating the gaps in present knowledge to find vulnerabilities. Utilizing the knowledge gained from the SANS readings and the “Computer and Information Security Handbook,” I would develop customized training materials highlighting pertinent dangers such as phishing. I would use an LMS for interesting, interactive lessons and conduct frequent simulated phishing exercises for practical experience. Creating an online community of security champions would encourage peer learning and best practices. Security would be continuously communicated through newsletters and workshops, and program efficacy would be assessed through metrics and feedback. This strategy guarantees ongoing development and cultivates a proactive security culture inside the company.
Charles Lemon says
Hey Sara,
I agree with your answer when you state that it is first necessary to identify gaps the organization has in present knowledge. I also mentioned something similar in my post when I stated an organization I knew could be educated on social engineering attacks. Do you think educating users on social engineering attacks would be best taught by fake phishing emails designed to test them or more interactive live lecture style trainings?
Charles
Sara Sawant says
Hi Charles,
I believe a combination of both approaches would be ideal. Fake phishing emails can effectively test users’ ability to recognize and respond to threats in real-world scenarios, providing valuable insights into their awareness and reaction to social engineering attacks. On the other hand, interactive live lecture-style training allows for a deeper understanding of the tactics used in these attacks, enabling participants to ask questions and engage in discussions. Using both methods ensures that users not only have the theoretical knowledge but also the practical skills needed to identify and handle such threats effectively.
Rohith says
The first step would be assessment and setting up frameworks, policies and procedures in the known organization.
Next steps would be:
Find existing vulnerabilities, check risk exposure and the risk landscape, and apply SANS reading methods.
Ensure that SETA aligns with the organization’s overall business objectives and risk management strategy.
Focus on training that directly addresses the most significant security threats and vulnerabilities facing the organization.
Use online courses, workshops, and webinars to keep employees interested. Incorporate quizzes, games, and activities for learning.
Assess employees’ knowledge and understanding before and after training to measure effectiveness.
Peer-to-peer mentorship, and also staying updated with the latest security news. Teach employees the usage of the latest security tools and technology in the organization.
Lili Zhang says
When I was searching for items on a shopping platform in China, I noticed something interesting. After I searched for a specific product, I opened another search engine, and related recommendations appeared almost instantly. This experience made me realize how interconnected these platforms are, likely due to data sharing and tracking algorithms.
From this, I believe it highlights the growing concern over user privacy. While personalized recommendations can enhance the shopping experience, they also raise questions about how much of our data is being used and shared without our explicit consent. To address these privacy concerns, I think e-commerce organizations should prioritize employee training on data security and privacy awareness. Here are a few suggestions:
1) Regular Training Sessions: Implement ongoing training programs that focus on data privacy laws, best practices for data handling, and the ethical implications of user data use.
2) Data Access Protocols: Establish clear protocols on who can access user data and under what circumstances. Limiting access can reduce the risk of unauthorized data use.
3) User-Centric Privacy Policies: Encourage employees to think from the user’s perspective when designing features or algorithms. This can help create a culture that values user privacy.
Parth Tyagi says
Hi Lili,
Interesting example that you’ve shared here. On that note, I believe on a personal level, we should all be careful when we visit a website particularly asking for “Allowing Cookies, Agreeing to privacy notice/terms & conditions”. Since organizations have a bad habit of capturing our data and then selling it to third-parties, we cybersecurity enthusiasts should find innovative ways to raise awareness about this particular aspect while also covering data subject rights.
Rohith says
Your point about user-centric privacy policies is a great method, by understanding the consumer. It does help the organization in the long run as the consumer always has trust in them. In the era of data leaks and information, it is wiser for organizations to safeguard and encrypt the data.
Sarah Maher says
An organization I know well gives employees access to records and current data of every student in their system. They do this because it is information necessary for the employees’ work. However, there is a lack of training and regulations on how employees access this information and a lack of awareness of how sensitive it all is. I would recommend this organization create classroom-style training that is added onto the training for the job itself. The employees already have to sit in on trainings when they first start the job and for refresher trainings throughout their time at the organization. Looping the training into the existing training will lessen the chances of employees viewing it as a burden, as they are already required to attend the training. The organization could also utilize visual aids in places like behind the front desk (only visible to employees) and in the separate employee office. These can serve as reminders to not leave computers logged in and unattended, and to make sure not to access information unless genuinely needed for the work at hand. The training should also cover phishing emails, as the employees’ emails and contact info are publicly posted and could make them a target to access the system. Not much customization is needed as the employees all have the same level of access, but office management should lead the training to create an overall culture of security awareness. Involving management that directly runs the office and its employees, instead of bringing in an external trainer, will solidify security as a priority in the organization.
Lily Li says
Hi Sarah,
I liked your suggestion of looping the training into existing training sessions; I think this can benefit and engage the employees. To build on your ideas, I think it would be great if the organization incorporated case studies or information sessions that allow employees to understand what will happen if this type of data breach occurs. What security concerns do you think the organization should address that would be the most beneficial?
Sarah Maher says
Hi Lily,
I like your suggestion, and building off of it how could the organization effectively use case studies for training? We study them in a very traditional classroom setting, but how could the company ensure that the training session they are paying for isn’t just employees sitting through a case study and not truly absorbing the material? I think one way could be turning it into almost a game of leading questions to get answers from employees to ensure they are understanding the point the org is trying to convey.
Charles Lemon says
One previous organization I was a part of lacked training in social engineering techniques and phishing emails. I would approach the SETA of this organization with an emphasis on informing its members of common social engineering attacks. This could be done with mandated computer training, phishing awareness emails, and lectures/conferences. This previous organization I was a part of was responsible for the handling of sensitive data, and if a simple phishing attack was able to steal the credentials of a user, serious damage could be done. Many of the users of this organization lacked basic awareness of possible social engineering attacks they could be victim to. That is why I would approach the SETA of this organization with an emphasis on increasing the awareness and knowledge of social engineering attacks.
Aaroush Bhanot says
Hi Charles,
Your emphasis on social engineering awareness is crucial, especially for an organization handling sensitive data. One suggestion would be to implement real-world simulations of phishing attacks as part of the training. These simulations not only test employees’ awareness but also provide hands-on learning, helping them recognize and respond to threats in a controlled environment. You could consider incorporating bite-sized, ongoing learning—for example, short monthly videos or interactive quizzes that reinforce social engineering defense strategies. Another layer to consider would be training employees on reporting suspicious activity quickly and securely, as well as creating a reward system for identifying phishing attempts.
Yash Mane says
To raise security awareness at a university, I would start by reviewing existing understanding and finding gaps among students, teachers, and staff. Based on this, I would construct role-specific training: students learning about safe online behaviors and phishing, teachers concentrating on data protection, and IT workers getting advanced training on system security. Engaging tactics like phishing simulations and seminars would make the training more dynamic and successful.
In addition, continual awareness efforts employing emails, posters, and security recommendations would help reinforce learning beyond formal training. Leadership support is vital to promote participation and underline the significance of security. With frequent reminders and rewards, the institution can establish a culture where security is part of daily activities for everyone engaged.
Sara Sawant says
Hi Yash,
I completely agree that addressing each group’s specific needs and using interactive methods like phishing simulations can make a big impact. Continuous efforts through emails and posters are also great for keeping security top of mind. Have you considered any metrics or feedback methods to assess the effectiveness of these training initiatives?
Elias Johnston says
To improve the security training and awareness inside of an organization, I would first begin by assessing the current training program. After this, I would determine if the current training fits with the organization’s security policy. I would also determine if there are any redundancies or lapses in the current training that can be fixed to improve both the target audience’s knowledge as well as the continued practice of the administered knowledge. To ensure that all employees understand and continue best security practices, I would start with a new hire security orientation, if one is not already in place. If the new employee is in a position that requires security clearance, this orientation should be more rigorous and conducted over a longer period of time. A refresher training should be required semiannually, at the very least, for all employees. Monitoring of the security training should also be conducted. These performance indicators should track which employees are security risks, and should be compared against their performances in the training. Through the use of these indicators, the security training should be updated in an attempt to fix any lapses in the training.
Parth Tyagi says
1. To improve the security education training and awareness in an organization, first we need to understand the context of the organization, its business model, and landscape. Organization’s goals for the security training program need to be considered as well.
2. Next would be to understand the budget and efforts the organization is able to commit towards making the necessary changes.
3. A detailed review shall be performed to understand the existing security controls and monitoring/reporting measures in place.
4. Once the security controls are reviewed, we can proceed to finally assess the training and awareness program materials being employed for the organization. It is essential to also review the previous training reports and feedback to understand areas for improvement.
5. Any observations/gaps shall be documented and presented to management for discussion.
6. Recommendations provided to remediate the observations/gaps shall be affordable, scalable and reliable. These should be presented to the risk management/information security department for approval.
Elias Johnston says
Hi Parth,
I liked that you added in the step of understanding the organization’s budget in regards to training. As ITACS students, a lot of us assume that everybody takes information security as seriously as we do, when in reality, a lot of smaller organizations rarely budget for training their employees. It’s one thing to recommend a bunch of high-level procedures; however, most companies cannot even begin to afford those changes. It’s a small detail to add to your post, but it’s very important in the long run of improving an organization’s training structure.
Aaroush Bhanot says
An organization I know well gives employees access to student records and does not have protocols in place to remove access after termination of an employee. To fix this, I would focus on addressing this critical gap through both policy changes and enhanced training efforts.
First, it’s crucial to implement strong access control policies to ensure that access to sensitive student records is terminated immediately after an employee leaves. This would involve integrating automated access revocation into the offboarding process, tied to HR systems, so that when an employee is terminated, their access to all systems is automatically removed. I would advocate for regular access reviews to ensure only current employees have the appropriate levels of access. The organization should adopt Role-Based Access Control (RBAC) to limit access to student records based on job roles and responsibilities. Training should include awareness of least privilege principles so employees understand why access should be limited and specific. I would design a specific training module with an emphasis on legal and regulatory requirements such as FERPA (Family Educational Rights and Privacy Act) in the U.S., making employees aware of their obligations to protect student privacy. An integral part of security awareness would involve educating all managers, HR staff, and IT personnel on the critical importance of secure offboarding. This training would outline the risks of failing to revoke access promptly and provide step-by-step guides on how to remove credentials immediately upon termination.
By focusing on these areas, the organization would improve its data security and reduce risks associated with unauthorized access, therefore creating a more secure environment for handling sensitive student records.
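The HR-driven revocation and the periodic access review described in the comment above can both be expressed as one reconciliation job: compare the accounts that exist in the records system against the HR roster and the RBAC policy, then emit the accounts to revoke and the entitlements that exceed the owner's role. The following is an added example written for this page, not code from any commenter or from a real student-records system; the role names, entitlement strings, HR feed and account export are all constructed sample data, and the cut-over rule (revoke once the termination date has passed) is an assumption about how the HR feed is interpreted.

```python
"""Reconcile system accounts against an HR roster and an RBAC policy.

Constructed example (not from any real organization): given
  1. an HR feed of employees with status, role and termination date,
  2. a role -> permitted-entitlements policy (RBAC),
  3. an export of the records system's accounts and their entitlements,
produce the revocation list (leavers and accounts HR does not know about)
and the access-review findings (entitlements beyond the owner's role).
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Hypothetical RBAC policy: each role may hold only these entitlements.
ROLE_ENTITLEMENTS: Dict[str, FrozenSet[str]] = {
    "registrar_clerk": frozenset({"records:read"}),
    "registrar_admin": frozenset({"records:read", "records:write"}),
    "financial_aid":   frozenset({"records:read", "aid:read", "aid:write"}),
}


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    status: str                      # "active" or "terminated"
    term_date: Optional[date] = None  # set by HR when status is "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    emp_id: str                      # owner as recorded in the records system
    entitlements: FrozenSet[str]


@dataclass
class ReconciliationReport:
    revoke: List[str] = field(default_factory=list)             # usernames to disable
    orphaned: List[str] = field(default_factory=list)           # owner unknown to HR
    excess: List[Tuple[str, str]] = field(default_factory=list)  # (username, entitlement)


def reconcile(employees: List[Employee], accounts: List[Account],
              as_of: date) -> ReconciliationReport:
    """Classify every account; output lists are sorted by username for stable diffs."""
    by_id = {e.emp_id: e for e in employees}
    report = ReconciliationReport()
    for acct in sorted(accounts, key=lambda a: a.username):
        emp = by_id.get(acct.emp_id)
        if emp is None:
            # No HR record at all: nobody owns this access, so revoke it and flag it.
            report.orphaned.append(acct.username)
            report.revoke.append(acct.username)
            continue
        if emp.status == "terminated" and (emp.term_date is None or emp.term_date <= as_of):
            # Leaver whose last day has passed (or is unrecorded): revoke immediately.
            report.revoke.append(acct.username)
            continue
        # Still employed: anything outside the role's allowed set is a review finding.
        allowed = ROLE_ENTITLEMENTS.get(emp.role, frozenset())
        for ent in sorted(acct.entitlements - allowed):
            report.excess.append((acct.username, ent))
    return report


def sample_data() -> Tuple[List[Employee], List[Account]]:
    """Constructed HR feed and account export used to exercise reconcile()."""
    employees = [
        Employee("E100", "registrar_clerk", "active"),
        Employee("E101", "registrar_admin", "terminated", date(2024, 9, 30)),
        Employee("E102", "financial_aid", "active"),
        Employee("E103", "registrar_clerk", "terminated", date(2024, 10, 15)),  # future leaver
    ]
    accounts = [
        Account("aclerk", "E100", frozenset({"records:read"})),
        Account("badmin", "E101", frozenset({"records:read", "records:write"})),  # left 09-30
        Account("cfinaid", "E102", frozenset({"records:read", "aid:read", "aid:write",
                                              "records:write"})),              # excess
        Account("dleaver", "E103", frozenset({"records:read"})),               # not yet left
        Account("svc_legacy", "E999", frozenset({"records:read"})),            # unknown owner
    ]
    return employees, accounts


def run_sample(as_of: date = date(2024, 10, 1)) -> ReconciliationReport:
    employees, accounts = sample_data()
    return reconcile(employees, accounts, as_of)


if __name__ == "__main__":
    r = run_sample()
    print("revoke:  ", r.revoke)
    print("orphaned:", r.orphaned)
    print("excess:  ", r.excess)
```

In a real deployment the HR feed and account export would come from the HR system and the records application's provisioning API, and the `revoke` list would feed the disable step of the offboarding workflow while `excess` goes to the reviewing manager. Keeping the three inputs separate is what lets the same job serve both the immediate-revocation requirement and the periodic access review.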
Haozhe Zhang says
To improve security education, training, and awareness (SETA) in an organization, I would start with a thorough awareness assessment to understand the current knowledge levels, identify gaps, and gauge the recognition of critical vulnerabilities across different user groups. This can be achieved through surveys, quizzes, and simulated phishing tests to evaluate how employees react to common security threats. Based on the results of the assessment, I would design a tailored SETA program that combines various learning formats, such as face-to-face workshops, online modules, and interactive content. These training sessions would incorporate real-world scenarios and case studies relevant to the organization’s specific context, ensuring the material remains engaging and applicable.
Regularly scheduled training sessions, combined with monthly security awareness topics, would reinforce key concepts. Security tips would be seamlessly integrated into everyday communication channels like email, newsletters, or digital displays. Incorporating game-like elements such as quizzes, challenges, and incentives would help motivate participation and engagement. To measure effectiveness and ensure continuous improvement, I would track key metrics such as training completion rates and the reduction in security incidents. Regular feedback from participants, coupled with monitoring emerging threats, would allow for adjustments to the program, ensuring it remains relevant and effective.