To go about developing a security education training and awareness (SETA) program, I would first brainstorm the design and execution of the program.
For the program design, ideally it would be a combination of the following: role-playing/simulation exercises, computer training exercises, classroom-format information sessions, webinars, etc. The reason that I would include a variety of different formats is to prevent boredom and complacency within the organization. If a SETA program only consists of hour-long webinars, employees will quickly grow bored with the program and are more likely to pay less attention to it, therefore retaining less information when it comes to the information security policy of the organization.
Next, I would identify the level of content that should be disseminated throughout the organization, and to whom. For example, there should be a general information security program for all levels throughout the organization to establish a ‘baseline’ of sorts when it comes to information security. This would include information like do not click phishing emails, minimum password requirements, etc. Then, I would tailor the higher-level information security lessons based on an individual’s position/role within the company. These can be taught by individuals who have the appropriate level of knowledge of the situation, or can be outsourced to a third party.
After deciding what format the information should be presented in, and to whom, I would put in place a tentative schedule for the SETA program. For example, every month an individual must partake in the program to keep up to date. Having a schedule in place is preferred to ad hoc meetings, as it lets employees know that information security should always be considered when making decisions. With a consistent frequency an
Hi Andrew, you make a good point including a variety of formats for security awareness training. Although this is a serious topic, keeping it amusing and motivating makes it much easier for employees to want to learn and understand.
Hello Andrew, well said from a project management and planning perspective. However, I think that the format, content to be disseminated, and to whom it is intended should be determined based on the need for training, i.e., tool-based and not just role/position-based. Even though the use of any tool falls under a job role, I have observed that we see more issues in the industry today due to SMEs lacking adequate training on how to properly manage newly purchased infrastructure for process enablement.
To develop a security education training and awareness program, one would first begin by assessing the employees’ current knowledge of security best practices. Once a baseline is established, we are able to assess where knowledge gaps may exist and what training would be best suited for the employees, as well as understanding the industry in which the organization operates, which may require developing specific scenarios such as creating targeted phishing campaigns to train users to be on the lookout for malicious emails that mimic legitimate business communications (e.g. lawyers expect to receive emails with attached documents). For the program to be successful, it would need to be run yearly, if not quarterly, continuously incorporating current cyber-attacks so that the organization remains vigilant against potential threats.
Outside of phishing campaigns, requiring security awareness training as part of the onboarding process can instill a security mindset in employees from day one of joining the organization. A simple, brief cybersecurity newsletter sent regularly can also enhance awareness. Returning to the notion of ‘baselining’ the knowledge base of employees, we can create newsletters to help supplement learning, as mandatory training can often be dry and employees will mindlessly click through just to mark the requirement as complete. Rather, targeted tips can yield higher, sustained results over the long term.
Hello Kelly. Well said. A program of such a nature should be premised on initial groundwork to determine the need for the program. By assessing employees’ current knowledge of security best practices, an organization will identify what is needed and what is not. Once determined, the program should be designed as a control to perfectly address the gap. Once an organization can accurately establish where knowledge gaps may exist in training for employees, it can then proceed to set up an ideal program to fix that gap.
Kelly,
A newsletter is a great idea! Newsletters and “in the news” articles are sent to my fellow employees since technology is changing every single day. This feeds into more knowledge of an employee. The more technology tips we know, the more we can help our clients.
To develop a security education program for employees, one must evaluate their knowledge on cybersecurity; this includes terminology, experience with technology, and technical understanding of how computers work. After a background summary of the audience has been captured, we can begin to address the program more efficiently. A guideline on the importance of security measures would include how social engineering works, what phishing emails look like and how they function, how to avoid getting scammed, permissions for downloading or uploading, what a safe website looks like against a malicious one, etc. With comparisons I believe it would instill much more thoroughly, along with monthly reminders on security tips as part of a general staff email. Every 6 months or year, a cybersecurity PowerPoint presentation with Q&A could be held in the conference room for all employees, which would help clarify anything that they don’t understand from the guideline.
I like how you included that the SETA program should have some sort of ‘schedule’ to it (e.g. every 6 months to a year). This is really important for a SETA program to be effective; having a schedule set in place for information security requirements makes employees always have information security at the back of their minds, and prevents them from getting complacent or simply forgetting things like not opening phishing emails, not leaving PII lying around, etc.
Hello Wilmar, I concur and agree that to develop a security education program for employees, one must first evaluate their knowledge of security practices and procedures. The level of awareness and training will determine if what is on the ground is adequate or not. A security education training and awareness program is created to prevent or mitigate risk once identified. As such, it must fit the gap it is intended to. The knowledge gap is one of the most significant risks we see in the industry today, leading to breaches and compromises.
Developing a SETA program requires an understanding of the organizational infrastructure by keeping in mind their mission and the culture. The purpose of it is to educate users on the dos and don’ts relating to the information security system of the organization. To develop this program, the people in charge must come up with plans (strategies), trainings and policies to implement and innovate in a sense that is inclusive and understandable to all users within the company. In other words, this program must include everybody with no exceptions.
Policy is very important because it defines the rules and provides a roadmap for day-to-day operations. It also gives guidance for decision making and streamlines internal processes. With that being said, top management or IT must create and define policies within the organization that direct employees to follow specific processes while working at the office and from home. These policies will be encouraged and enforced by management to employees within each department.
Proper trainings are also beneficial to guide employees on a daily basis and make them aware of new trends going on in information security. Trainings can include classrooms and meetings, but as of now online training is what most companies are using. Trainings must be included in the organization’s top priorities for security, especially for new employees. The training will educate them about new skills and provide updates on existing skills to enhance their productivity. For existing employees, management must enforce recurrent trainings to be completed every 3 to 6 months. The trainings should include the standards for security but also specifics to that particular organization depending on their line of work. Trainings should use basic language that is not too technical in regard to the explanations of why these security habits are important.
The strategy is to make sure SETA is developed based on the organization needs and applicable within all departments.
Great point highlighting the importance of interloping policies with the SETA program. How can we enforce adherence to these controls if we do not have clearly defined guidelines for information security, acceptable use, or BYOD? Unfortunately, even with classroom or mandatory video training, some employees resist security best practices because we often require users to change their behavior. Policies go hand-in-hand with a SETA program because they reinforce the organization’s security requirements and create accountability for employees who do not adopt the training as part of their daily routine. Very thought-provoking post!
I appreciate the points you made on culture and policy. An additional point I would add to your discussion on why policy is vital:
It’s essential to implement security by design and privacy by design. Effectively meaning when new projects are launched, they are designed with privacy and security in mind from their inception. A key way of making sure this is adopted across each business function is to implement comprehensive policies outlining these issues.
Developing a security education training and awareness program should begin with an assessment of the organization. This assessment would review company policies, organizational structure, business processes, IT governance, regulatory matters, and the current threat landscape. The outcome of the initial assessment should highlight areas of focus for the program that are informed by business priority. This will help structure the security education training and awareness program’s goals and objectives.
The training program scope should align to the objectives and goals that were identified during the assessment. For example, if the company set the objective of improving its email security they may establish the goal of reducing click rates from simulated phishing emails. The scope would include training modules on identifying malicious emails and simulated phishing tests. The program should be reviewed against the goals and objectives so that progress can be measured. Adjustments should be made to incorporate new information and to optimize the effectiveness of the program.
A clear message from senior leadership should be communicated to all employees on their roles and responsibilities in the program. This should be tied back to the company policies that were reviewed during the initial assessment. Employees should understand the implications of not fulfilling their duties within the program and how participating in such a program helps to protect everyone. Successes should be shared broadly as the company achieves its training objectives.
Inventorying what regulatory obligations the organization must adhere to is a valid point to raise. As data privacy laws continue to manifest, they often require training on handling customer and employee data properly. It certainly is not fun or exciting content to develop training around. Still, it is necessary given the level of fines imposed on businesses for failure to report or prevent breaches involving PII data. Thanks for sharing your thoughts.
Kelly
Matthew,
An idea to make training more fun is to have an award for an employee at the end of training. For example, each employee who earns an eighty-five percent or above on their phishing quiz will be entered into a drawing for a gift card.
I would first test my employees on their current knowledge of security. I would be able to set a starting point/baseline for the organization. Next steps would be investing time and money in setting up a security education training and awareness program. Courses and classes would be mandatory and education would be required on a monthly to quarterly basis depending on need. Everything from video training to setting up testing on employees would take place. Having cyber drills, fake phishing emails sent to employees and training exercises would test readiness in the event of an actual breach. To keep security running smoothly, employees would have to adhere to security policies such as password changes, monthly software updates, the use of VPNs and mandatory backups of data. Being able to properly train and keep employees accountable will make the organization a lot safer of an environment.
Hi Corey,
I like the point about accountability that you make regarding a safer environment – I think this illustrates the idea that each individual has a part in the overall security of an organization regardless of their role. It is important that people can be held accountable for not adhering to policies for all of the obvious reasons. Employees should all be on the same page so that they grasp the concept that attackers want to take the path of least resistance, so if they don’t make it extra simple to be attacked, they aid in reducing the likelihood of the organization being targeted.
To develop a security training and awareness program, I believe you should start by figuring out how much knowledge the consensus of your employees has on cyber security and your company’s IT policies. I would start by having employees fill out a survey that asks them questions about standard IT policies, regulations, and terminology. Once you have a good idea of what topics your employees need more training and awareness in, training should be based around the goal of making sure every employee completes training with a better awareness and understanding of terminology and company policies. The program should be a requirement for current employees and all new employees should go through the program during their hiring.
Hi Michael,
Having a survey to figure out the overall knowledge of the employees is a great starting point. Once a baseline is developed, the company can know where to go with training and exercises to have their employees up to their standards.
In developing a security education training and awareness program, first have an understanding of the organization’s security awareness by evaluating staff’s security knowledge. Those that lack the proper knowledge, have them go through training, whether it be one-on-one, formal classroom setting, or computer-based (whatever way helps them to learn proficiently). Provide an exam once they have completed the training. Pop-up quizzes to test their knowledge, and sending random fake phishing emails throughout the year, are also good for training and necessary when presented with a possible security situation.
Exams are a great addition to the program to help encourage employees to actually study the course in order to pass and move onto the different chapters throughout the module instead of skimming through everything.
To effectively develop a security and education training program one first must design the SETA program in a memorable and engaging way for the end users. All the employees, from top to bottom, need to be considered when planning the various training opportunities. These individuals are the ones that will be tasked day to day with keeping security in their mind. It is imperative to have a program that keeps this information fresh and keeps them engaged. Like Vacca mentions, the ultimate goal of a SETA program is to change the behaviors of users. To ensure this is accomplished it is important to make sure everyone is fully engaged with the program. It starts and hinges on the employees learning and remembering.
I believe it is a great idea to have a SETA program set in place. It’s important to have a program where the information is consistently being updated because IT regulations are changing as technology improves. Putting emphasis on the importance that employees stay fully engaged in these changing regulations is important to the future security of your company.
To design a security education program, the first step would be to analyze the structure of the organization. For example, number of employees, employee responsibilities, organization core business, daily work routine etc., which is helpful in designing and developing a proper security education training and awareness program. It is important for every employee to be aware of information security rules and regulations at their employment. Having a thorough look at the built-up structure in the organization can be helpful in developing the SETA program.

The SETA program’s important aspect is to develop real-world scenarios for training and to create effective training programs that focus on the training approach and material, such as network design security, system and application software security, social engineering attack security, new-age devices (smartphones), data security, various malware programs etc. Based on the responsibilities and daily job duties of the employee we can divide the training program into two groups: a functional group and a skill-based group.

Functional training focuses on employees who work on specific devices like Cisco, Juniper, Palo Alto, IDS/IPS etc. Keeping track of employee behavioral analysis for identified employees who may be prone to various insider attacks, and training and guiding them specifically, will help in mitigating most of the attacks. A security education training program is more beneficial when it is customizable based on the various groups of the organization. Having different training material that focuses on the same issue will be helpful for employees that have different skill sets, and helps in creating awareness about security issues.

Once the analysis and design is complete, this effective program can be delivered to employees. The training program will often include topics related to password security, phishing attacks, social engineering, mobile device security, sensitive data security, business communication and more. Finally, proper implementation and delivery of the training program using technologies and various platforms can result in a much safer organization.
The first step to developing a security awareness and training program should be assessing the organization’s processes, policies, structure, threat landscape, amongst others, related to all critical business activities and the focus areas. These elements identify the essential business functions and direction of the enterprise. Once duly recognized, the awareness and training program’s goals and objectives should be according to the enterprise’s.
The scope of the training program should then align with the identified enterprise’s objectives and goals. Secondly, program effectiveness should be improved to meet organizational goals and objectives. Third, the KPI of such a program should be what the organization looks to achieve. Finally, enhancements should be made to improve the effectiveness because organization goals and threat landscapes evolve.
The tone at the top always determines the success of any program enterprise-wide. The effectiveness of the awareness and training program will be determined by the level of compliance and adherence to practices that should be in line with organizational goals and objectives. The effort that management is willing to put in achieving the program’s success will always determine whether the program will succeed or fail.
I appreciate your comment on assessing the organization’s current situation before progressing. They may have ad hoc policies in place or other resources that can be used to enhance and refine the SETA program. If you don’t know where you’re starting, you won’t know where to go next, so this is a fundamental step, but very necessary.
How do you go about developing a security education training and awareness program?
I would personally choose a more top-down approach and identify organizational components to generate a general, basic and fundamental cybersecurity philosophy for the general user. To start, identify what policies the organization and all of its sub-components should follow on a daily basis as best practices. Typically these are things such as preventing piggy-backing from people using their CAC cards or restricting users from sharing work computers. Having general policy across the board makes it much easier to distribute to different divisions as well, without the complexity of waivers or exceptions by other groups within the organization. This policy should also be made centralized and publicly available, and should be one of the things the end user is notified of during their onboarding process. After policy is finalized, I would implement required trainings via learning management systems and have management track annual trainings to ensure that employees are kept up to date with the latest knowledge bases oriented towards general employees. I would also encourage the organization to send weekly emails covering different security best practices to promote active engagement in security. These could range anywhere from specific topics, to examples of outcomes involving poor cybersecurity hygiene, to in-the-news articles. The goal is to not only make sure that employees are doing their annual trainings, but that they are actively engaged in security as well.
Next I would do an assessment of what operations exist within the organization and determine if any additional or specific education/training should be identified. For example, the IT auditors group might receive additional trainings compared to the HR department due to their roles. An example Vacca uses is that if you have a Network Firewall Administrator you might want to encourage or enroll them in an advanced course oriented around particular companies such as Cisco or Palo Alto. Essentially, the organization should undergo a top-down behavioral analysis to determine personnel and their goals in order to specialize them with adequate training towards cybersecurity.
To summarize, the SETA program would start very generically and evolve fluently as different groups and individuals are identified. It is also important that SETA programs are not static, and that at any particular time things are subject to change due to the nature of cybersecurity as well as the personal goals and objectives that change with each individual that is a part of that program.
You raise excellent points on how policy drives an effective SETA program. Without clear consistent policy, it’s difficult to build a training curriculum. Limiting exceptions makes designing the training content easier and sets a consistent tone across the organization. I am not sure it’s possible to have an effective SETA program without good policies that are adopted across the organization.
The first step to developing a security education training and awareness program (SETA) is to acknowledge that, unless you are developing it for an information security company or otherwise technical organization, there is likely someone in your organization who doesn’t think about information security at all and is not good with technology (assessment). It is imperative to make employees with this level of knowledge/care about IS, and all other employees, aware of the consequences of an IS breach on the organization and implications this has on the security of their job. It may seem overboard at first, but if a company has an IS breach and loses millions of dollars or takes a reputational hit, any person contributing to the breach is likely to lose their job anyways. For this reason, it is also critical to reiterate that most IS breaches can be attributed to (at least in part) some source of human error.
Once the importance of IS is embedded in the organization, I would create and publish an IS policy created by company executives and the IS/IT team. I would aim to make the policy concise, definitive, easily understandable to non-technical employees, and easily available. It should include the most popular methods of successful breaches (for example, phishing emails, bad passwords, social engineering, etc), and the best remedies for these potential risks. I would also mention that employees should not be hesitant to ask questions about things they are unsure of, because going against their intuition just one time could result in a vulnerability/breach.
After developing or updating the IS policy, I would go over this policy in an initial training session and also reiterate the possible repercussions to both the business and the employee if a breach were to take place. Next, I would mention the scope of ramifications based on the industry the company is in, because if the organization is a bank, government entity, etc, it is even more imperative to maintain strong IS policy for the general good of the public. Giving examples of popular breach methodology and potential phishing emails is key, because it shows first-hand what to be on the lookout for. I would also create a program that sends fake phishing emails to employees and inform them to be on the lookout, and that if they end up clicking the fake link/download, they will be required to attend another training session aside from the regularly scheduled ones that are quarterly or semi-annual. It would also be helpful to include an example or two of security breaches that have happened to other organizations in the past.
Lastly, I would continuously update the policy and training methods to keep up with the ever-changing methods that hackers use, to reduce the chance a breach occurs due to outdated policy or training, as this would be the executives’/IS department’s fault.
I really like how you take into account that there may (will) be employees that either do not think about information security or are not good with technology. This is really important in creating an effective SETA program! The program must take into account differing levels of knowledge and technical skills, and should establish a ‘baseline’ level of awareness throughout the organization, even if an employee doesn’t understand a whole lot about information security, at least initially.
Creating an effective security awareness and training (SETA) program proves to be quite the difficult task for a number of reasons. The main issues that make it difficult are that information security professionals are often faced with end user apathy and ignorance, so the first step in creating an effective SETA program would be to address this heavily in different ways. First, it should be made known that information security is important to all end users and not solely IT personnel, or just observed as a problem when there is a data breach. These misconceptions need to be eradicated initially for the program to succeed.
The program should include a mix of security awareness training so that people are more easily able to retain the information by seeing it multiple times in different ways; there should be both a formal training that discusses and essentially teaches end users the important relevant security concepts to the organization or business, as well as some sort of training events based on a time interval: a monthly discussion for example. After this, the general level of security-related knowledge should be assessed for the overall target group whether it is employees, students, etc. The result of the assessment should be used to design, develop, and implement the goals of the security program that are specifically relevant to the particular business in question.
The program should be able to convince the end users who rely on their computers to perform their work that each of them must care about information security in order for it to be successful for the whole business, as they represent the largest user group. Next, it should be decided which particular security topics or concepts that all users must know, based on the issues relevant to the business at that particular time, as well as the issues that information security as a whole is currently facing. The criteria must, like all other policies should be, regularly reviewed for success, and monitored based on measurable performance indicators. As the global security landscape changes, adjustments could be made to generate awareness and provide training as needed if deemed necessary and relevant to the organization. All of this together, would in my opinion be a sound methodology in implementing a strong SETA program.
I think it is an important point that you emphasized the struggle of IT professionals working with non-IT coworkers in educating them about information security, threats, and prevention methods. Unless these employees have (at least) a brief understanding of the potential ramifications of a breach, they will be apathetic in regards to any type of training or policy that forces them to behave differently than they currently do. This is one of the main struggles in any company attempting to create a SETA program.
Creating and establishing a SETA program demands an objective assessment of the organizational infrastructure on the coattails of its overall mission and culture. This is therefore meant to educate users on the resultant repercussions of a lack of adequate security awareness relating to the information security system of the organization. To develop this program effectively and efficiently, then the category of people responsible for those trainings, programs, and policies to implement and educate on an effective security education program. A security awareness, education and training program provides guidance for building effective information technology security and supports requirements. And we go about developing security by making sure that everyone has a role to play in the success of the security awareness, education and training program. We need to make sure once again that the scope and content of the program must be tied to existing program directives and therefore establish security policies in place. Within the IT security program, there must exist clear requirements for the awareness and training program. It also identifies four critical life-cycle stages of an IT security awareness and training program.

In the first place, awareness and training program design; then awareness and training material development and program implementation; and finally post-implementation.

We usually go about developing security training once again by making sure that most security and IT professionals understand the importance of workforce security awareness and training for organizational cybersecurity. One of the best ways to educate employees on even the most important cybersecurity standards is by creating a security framework that can be used to educate people. Hence, the NIST Cybersecurity Framework is a voluntary set of standards, guidelines and best practices to help organizations manage and educate people about cybersecurity-related risk that can pose a potential risk to business. Protecting your organization with security awareness and training would certainly help the organization to achieve its focus. And the NIST framework highlights security awareness and training as a core component of the Protect function of the Cybersecurity Framework.
Some of the goals of my SETA (security education training and awareness) program would be to improve employee behavior, educating the end users on how to identify what is normal and what is abnormal within the organization, and making them aware of the many threats that threaten the organization on a daily basis. This will enable the organization to hold employees accountable for their actions.
I believe utilizing classroom-style training could prove to be very beneficial, one that consists of a lecture followed by a Q&A. There should be ample time for this, and a full work day can be dedicated to this effort if it is absolutely necessary. It is imperative that everyone in the organization is engaged in this SETA program so that they can have the education and training that will make them more aware and knowledgeable of security best practices. In addition to that, I also believe a security awareness website will also help in these initiatives.
To develop a security education training and awareness program, there are a few things that need to happen.
1. Create internal policies surrounding training frequency, requirements, and tracking. Develop plans for information dissemination via posters, meetings, emails, formal trainings, and other methods. You may consider referencing industry standards.
2. Acquire a vendor that can implement phishing awareness training and phishing simulation training. This vendor should also test the success/fail rate of these tests and target those employees who did poorly more often with additional training and simulations.
3. Acquire a vendor for cybersecurity and privacy awareness training. This should cover how to handle PII, common attack vectors, and how to recognize and report incidents.
4. You may receive push-back from employees if you are implementing new policies. Make sure employees are educated on why these policies are being put in place. Emphasize that cybersecurity starts at the individual level and each person in the organization is a key player in preventing and reporting cyber incidents. Cybersecurity should not be siloed.
Hi Madalyn. I like how you addressed using vendors for security awareness campaigns. Although in-house programs can be equally useful, mitigating and allocating this risk to professionals is a smart move for any organization. Great analysis!
Hello Madalyn,
That’s a great post. I do agree with the first one, to have posters and to mention that during the meeting. By having the posters it would remind the end users that they are also part of the security team to protect the network, by potentially identifying the phishing email and not clicking on it. Also, by discussing it during the meeting it would help the management to inform the end users regarding the key points of the security trainings, and the users would also get a chance to ask any question they might have.
I think you nailed the point with number four. A lot of individuals chalk up cybersecurity to be the concern of someone from “IT”. I believe in one of the Vacca readings the author points out the shocking lack of technical skills within the general population, leaving them easy targets for attackers via social engineering. Security should be a concern at a basic level for every individual; and I would argue not only through an organization-wide approach but in day-to-day personal life as well.
Vacca explains the fundamentals of SETA (security education, training, awareness) as helping all users in the organization to become more aware of information security principles. The program also eliminates risk levels and insurance premiums, and helps to meet regulatory standards.
During the process of developing the program, the design and training should target all users that have responsibility for securing the business processes and assets. The program should be designed and thought out well before application. Since the goal is to change the behavior of users towards security, the leadership roles should understand user behavior and motivation well. The process should first deliver awareness to all users and continue with general knowledge, considering that all users are critical to the defense and protection of sensitive data and operations. Once all users are aware of the culture of security, they can focus on individual/group responsibilities based on the specific tasks they perform. All users need to understand their roles and responsibilities clearly so they engage effectively and adjust their behavior accordingly.
Then, targeted and tactical training should be implemented into the program. Training should help employees to develop more advanced skills, increasing understanding and improving both functional (based on the role of the employee) and skill-based performance (based on technical level). Even though the design and development of the program is the key to success, implementation and delivery are important as well. The company policy and standards should be reviewed well and communicated correctly so the program is delivered effectively to the users. Before delivering the program, program details such as scope and objectives, training staff and audience, and motivating management should be discussed well.
I like the way you highlighted the importance of creating a ‘culture of security’. This culture of security seems to be fundamental to achieving the outcome of a security aware organization. Having employees complete training but not be actively applying the underlying principles to their everyday work will likely not generate the desired outcome!
A security program should be one of the priority programs for any company, as it would get the end users familiar with the basic types of attacks such as phishing attacks, which could then help them to identify a phishing email if they receive any. The training should also include how they can report those types of phishing emails so the IT department could investigate and block similar emails from reaching another user’s mailbox. The security program should also include how the end users could report other incidents that could occur, by providing them with the contact information they could use to report it.
In initiating a security education training and awareness (SETA) program, there are three key concepts to consider: design, development and implementation.
Design refers to the overall program structure (centralized versus decentralized) and the security training cadence. According to John R. Vacca’s Computer and Information Security Handbook, 3rd Edition, information security training should be delivered during new hire orientation, during an initial security briefing (3-6 months into employment), through refresher training every 3-6 months, and during employee termination briefings. In addition, SETA program design should be interactive, inclusive and customized to be applicable, and of interest, to all users in an organization.
Development of a SETA program relates to the materials discussed in the training. Topics at the general security awareness level should be overarching to the entire organization, such as password security or desktop security; for more advanced forms of training, specialized topics such as how to monitor vulnerabilities on a specific software should be included. More security awareness topics should stem from the organization’s policies and procedures applicable to the users engaging in the program. Developing the program should also determine the media used to convey SETA topics, such as web-based lectures, phishing awareness campaigns, and corporate events.
Lastly, SETA implementation refers to reviewing the entire SETA program, approving training materials, and determining result delivery. The SETA program should be reviewed to confirm that it meets the organization’s needs in terms of goals/objectives, identifying proper training staff/audience, motivating management/employees, and managing administration/evaluation of the program. The organization should coordinate a proper key performance indicator (KPI) review for the program, to determine whether it is reaching its security awareness goals. The program material should also be applicable for the targeted audience (i.e., security awareness training delivered to the general employee population, and more in-depth certification training delivered to IT professionals in the organization). Training at both the ground level and the advanced level is equally important to preserve the welfare of a company.
I like how you mentioned that the implementation process not only includes approving and distributing training material but also understanding its effectiveness. In my past organizations, security training was seen as a nuisance, and KPI standards were never set, which ultimately meant there was no proper understanding of how effective the training was. Determining the results of the delivery is often overlooked, but it is a key piece in the SETA implementation process.
The first step would be to determine the organization’s current security awareness level. This, as others have said, will allow you to establish a baseline and gain an understanding of where the security gaps exist. The easiest way to determine an organization’s current security awareness level is to send out a survey with questions related to the existence of certain security policies or their understanding of social engineering and phishing scams.
Once a baseline has been established through the survey method or other means, the next step would be to determine what content to include in the program. As Vacca stated there are a significant amount of topics that can be selected for information security training, so the best practice would be to create a shortlist with the topics that can be applicable organization-wide. These topics can be generated based on the responses from the survey or whichever means were used to establish the baseline. Developing trainings by referencing the baseline will allow any security knowledge gaps to be filled.
The final step would be to implement the program. At this point, the organization has an understanding of what security gaps exist and, with that information, knows what topics need to be applied company-wide and at the role level. Implementing would involve determining what method to use to supply the training. Will it be virtual pre-recorded slides with a quiz, an in-person seminar, or a mix of both? Ideally, these trainings would be required quarterly to keep the employees knowledgeable and aware of the security policies and practices in place.
Vacca, J. R. (2017). Computer and information security handbook.
I agree that sending a survey would be the best way to create a security baseline. Getting to your point about implementing and determining the training method, what if users were also asked about that in the survey? It could include some questions about the individual’s preferred method of learning, as some people are more visual learners while some might prefer reading the material themselves. This could help ensure the methods implemented are best suited to as many people as possible.
It’s essential for an organization to define security as it relates specifically to their organization. An organization should establish security requirements/best practices for a number of reasons, such as a need to meet a regulatory requirement or to protect confidential/financial customer data. The first step in establishing a security education training and awareness program would be to assess the business and IT users’ current understanding of the existing organizational security requirements. Specifically, it would be helpful to first identify users who are responsible for managing an organization’s most critical as well as sensitive data, to determine what procedures are in place to secure said data. From there, the organization can assess the already established security processes/procedures (if there are any) and subsequently develop policies to inform users on organizational security best practices and how the best practices can be applied to their specific job function or role. From there, it can be determined, based on the user or groups of users, whether functional or skills-based training will be required. These actions will lay the foundation for establishing a security awareness and training program for critical users, and from there the organization can continue to develop processes/procedures for any other areas which require enhanced security for a more layered security approach.
How do you go about developing a security education training and awareness program?
I believe the first step in developing a SETA would be understanding the business functions, and then assessing the security needs of the business. Once that is done, and we have a blueprint or a map of sorts of what the users should be trained on, we can start assessing the users themselves.
Assessing the users is an important step; we want to make sure each user will get the proper training they need depending on their assessment. We would not want to waste resources training someone who already knows the material inside and out. And on the flip side, we do not want to under-train someone who truly needs it. Once everyone is properly assessed we can start implementing functional and skill-based training accordingly.
As Vacca explained, it is critical to the SETA that real world scenarios and job functions be mapped in areas high in demand. It is also critical that the SETA should be an evolving program. Always being updated and refreshed as the industry introduces new factors.
Hi Jason, thanks for sharing – I too agree that an assessment is necessary, and I believe it’s the most important component when it comes to establishing a SETA program. However, I believe it’s the most difficult part of the process because it’s hard to actually measure user security awareness within an organization. I think distributing security awareness surveys and requiring users to fill them out is a good start, but I don’t think the SETA implementation can rely solely on this data, because some users could report that they are adequately aware of the necessity to secure organizational data when in reality they aren’t. I think it’s necessary to seek out solutions to measure the overall user security awareness, such as a tool to try and actively trick users into clicking on fake malicious links that are logged. This data would certainly be more reliable and would more adequately measure the users’ security awareness. That being said, it’s important to stress to users that they will not get in trouble for clicking on a fake malicious link; rather, the focus should be on raising awareness and educating the user.
How do you go about developing a security education training and awareness program?
In general, the first step should be a determination of the level of security knowledge the organization desires its members to achieve. Next would be to assess the current level of knowledge through a test or other means that will define the baseline of where the members currently are in their knowledge and awareness. A SETA program can then be developed and put in place to close that gap, with periodic measurement.
An example of this is often seen with phishing. An organization will define the level of awareness and training they want their members to achieve – 100% awareness and the ability to identify and not respond to phishing emails. A phishing campaign can then be orchestrated against the organization, and the results will reflect its current awareness level. For example, anything less than a 100% pass rate on the phishing campaign will result in supplemental training for those individuals who failed.
How do you go about developing a security education training and awareness program?
First, in order to create a security education training and awareness program, one must find out what the business objectives are and what the business needs to excel. According to Vacca, there are 3 components to take into consideration while designing a program: policy, strategy, and implementation. Knowing what the business’s policies are and how they apply is extremely important to ensure the employees’ skills are strengthened. Additionally, this would make the design of the awareness program as efficient as possible to bring more knowledge to the employee.
Secondly, training is another important asset. Understanding where an employee’s knowledge is can help the user gain more knowledge of what the employee is not familiar with. If an employee has been at the organization for several years and earns a percentage over eighty-five percent, developing a much harder and more advanced training would be more successful.
Another question would be, how often does the company hand out phishing training? As it mentions in the Computer and Information Security Handbook, training should be delivered during new hire orientation, during an initial security briefing (3-6 months into employment), and during employee termination briefings.
To help along with training, within my organization, current events are sent out to all employees of the company to gain more knowledge.
Most importantly is to implement the awareness program. There is an understanding of the business’ policies, employees’ knowledge, and what role level the employees are on. The training can include quizzes that must be passed above a certain percentage. If an employee receives that percentage, a reward will be handed out. As it mentions in the Computer and Information Security Handbook, it only takes one person to cost the company thousands, even millions of dollars and ruin its reputation. As an example, the Target breach case: had that person who clicked on the phishing attempt received enough training, or little to none?
In order to create a Security Education Training & Awareness (SETA) program, I would begin by deciding what I am trying to achieve, and how I am going to implement it. I would also take into consideration the audience I am targeting with my program, and the nature of the threats I would be focusing on. For example, if I was working for an organization that was constantly being targeted by phishing attacks, then the goal would be to train employees on how to not fall for them. To achieve this, I would set up training programs. Again using phishing as an example, these programs would be designed to educate employees on what phishing attacks are, why they are so dangerous, etc. These programs would go on for as long as they need to, until the threat has been reduced to a manageable level, and even then, there would be future tests set up. At a previous job the IT Department would occasionally send out emails designed to look like phishing attacks. If the employee fell for the attack by clicking the link, they would have to take another short, 15 minute or so video/quiz to re-educate them on the matter. Once the organization seems fully educated, trained, and aware of the current security threat, I would start at square one focusing on the next largest threat the organization is facing.
Step 1: Establish the goal of cyber security education. Before contacting cyber security experts and arranging seminars for speakers in the company’s office, one must first determine the specific goals that the company’s security education program will achieve. Please ensure that these goals are specific, measurable, achievable, realistic, and timely, such as in the SMART goal framework.
Step 2: Assess my audience. When it comes to cybersecurity, not all employees have the same level of knowledge. When starting a SETA program, begin by assessing my organization’s overall cybersecurity knowledge, sending out surveys asking people how comfortable they are with cybersecurity topics, or even actively testing employees by sending fake phishing emails or handing out quizzes if necessary.
Step 3: Develop SETA program topics based on critical issues. Only after identifying the most vital cybersecurity knowledge gaps in your organization can you begin to create program topics designed to address those gaps. For example, if many people are attracted to fake phishing emails, I can start preparing cases on phishing email prevention to prevent actual attacks from occurring in the future.
I couldn’t agree more with the three steps you mentioned. Establishing goals for safety education before we begin can give us direction to implement our program. By assessing the audience, the scope of the audience can be pinpointed and will be more efficient. This is a good facilitation method for starting a SETA program to make people with a basic understanding of cybersecurity more knowledgeable. The most important thing is to develop SETA program topics based on key issues. This is the most critical step, the process is as important as the result, and finally the contact person of each department needs to be coordinated to implement according to the SETA plan.
Excellent input, Xi. Also, keeping all employees on their toes with security top of mind, by continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert.
When I need to develop a safety education training and awareness program, I think I need to be prepared before I start. I need to develop a process to identify the topic of this SETA, design the SETA program, and advertise and promote it so that employees are aware enough to implement it. First of all, it is necessary to discuss the topic and the audience with the IT security team; targeted publicity can be twice as effective. Second, educate employees on the basics of data security-related knowledge; a general understanding of the basics lays the groundwork for the later themes of education. At the same time, an educational planning workshop is organized to announce the SETA objectives of the conference and to launch the training by providing the best way of data security training. During the meeting, the SETA theme and learning objectives are explained, and the importance of security education training is explained. For example, conduct face-to-face training on ITS or self-directed learning through handouts, websites, and checklists. Since participants usually do not like mandatory training, optional training is more efficient. Finally, develop an education plan. Based on the preliminary survey preparation, a relevant face-to-face training plan can be summarized and developed. When implementing the plan, contacts from various departments need to be coordinated, and strategies need to be continuously improved and enhanced during the course of the campaign. The process is as important as the results, and the step-by-step approach to designing SETA helped us design an effective program while enhancing outreach efforts.
A Step-by-Step Approach to Creating a Security Education, Training, and Awareness Program should follow:
• Determine a Topic and Audience. Prioritize topics.
• Determine a Baseline.
• Hold Education Planning Workshops.
• Develop the Education Program.
• Implement the Education Program.
• Conclusions.
A Step-by-Step Approach to Creating a Security Education, Training, and Awareness Program should follow:
Step 1: Establish a security policy.
Step 2: Implement a Security Awareness Training.
Step 3: Add Security Awareness Training in Employee Onboarding.
Step 4: Continuous Security Testing of Employees.
Step 5: Take Action for Successful or Failed Phishing Simulation.
Andrew Nguyen says
To go about developing a security education training and awareness (SETA) program, I would first brainstorm the design and execution of the program.
For the program design, ideally it would be a combination of the following: role-playing/simulation exercises, computer training exercises, classroom-format information sessions, webinars, etc. The reason that I would include a variety of different formats is to prevent boredom / complacency within the organization. If a SETA program only consists of hour-long webinars, employees will quickly grow bored with the program, and are more likely to pay less attention to the program, therefore retaining less information when it comes to the information security policy of the organization.
Next, I would identify the level of content that should be disseminated throughout the organization, and to whom. For example, there should be a general information security program for all levels throughout the organization to establish a ‘baseline’ of sorts when it comes to information security. This would include information like do not click phishing emails, minimum password requirements, etc. Then, I would tailor the higher-level information security lessons based on an individual's position/role within the company. These can be taught by individuals who have the appropriate level of knowledge of the situation, or can be outsourced to a third party.
After deciding what format the information should be presented in, and to who, I would put in a place a tentative schedule for the SETA program. For example, every month an individual must partake in the program to keep up to date. Having a schedule in place is preferred to ad hoc meetings, as it lets employees know that information security should always be considered when making decisions. With a consistent frequency an
Christopher Clayton says
Hi Andrew, you make a good point including a variety of formats for security awareness training. Although this is a serious topic, keeping it amusing and motivating makes it much easier for employees to want to learn and understand.
Olayinka Lucas says
Hello Andrew, well said from a project management and planning perspective. However, I think that the format, the content to be disseminated, and to whom it is intended should be determined based on the need for training, i.e., tool-based and not just role/position-based. Even though the use of any tool falls under a job role, I have observed that we see more issues in the industry today due to SMEs lacking adequate training on how to properly manage newly purchased infrastructure for process enablement.
Kelly Sharadin says
To develop a security education training and awareness program, one would first begin by assessing its employees’ current knowledge of security best practices. Once a baseline is established, we are able to assess where knowledge gaps may exist, what training would be best suited for the employees as well as understanding the industry in which the organization operates, which may require developing specific scenarios such as creating targeted phishing campaigns to train users to be on the lookout for malicious emails that mimic legitimate business communications (e.g. lawyers expect to receive emails with attached documents). For the program to be successful, it would need to be run yearly, if not quarterly, continuously incorporating current cyber-attacks so that the organization remains vigilant against potential threats.
Outside of phishing campaigns, requiring security awareness training as part of the onboarding process can instill a security mindset in employees from day one of joining the organization. A simple, brief cybersecurity newsletter sent regularly can also enhance awareness. Returning to the notion of ‘baselining’ the knowledge base of employees, we can create newsletters to help supplement learning, as mandatory training can often be dry and employees will mindlessly click through just to mark the requirement as complete. Rather, targeted tips can yield higher, sustained results over the long term.
Olayinka Lucas says
Hello Kelly. Well said. A program of such a nature should be premised on initial groundwork to determine the need for the program. By assessing employees’ current knowledge of security best practices, an organization will identify what is needed and what is not. Once determined, the program should be designed as a control to perfectly address the gap. Once an organization can accurately establish where knowledge gaps may exist in training for employees, it can then proceed to set up an ideal program to fix that gap.
Victoria Zak says
Kelly,
A newsletter is a great idea! Newsletters and “in the news” articles are sent to my fellow employees since technology is changing every single day. This feeds into more knowledge of an employee. The more technology tips we know, the more we can help our clients.
Wilmer Monsalve says
To develop a security education program for employees, one must evaluate their knowledge of cybersecurity; this includes terminology, experience with technology, and technical understanding of how computers work. After a background summary of the audience has been captured, we can begin to address the program more efficiently. A guideline on the importance of security measures would include how social engineering works, what phishing emails look like and how they function, how to avoid getting scammed, permissions for downloading or uploading, what a safe website looks like against a malicious one, etc. With comparisons I believe it would be instilled much more thoroughly, along with monthly reminders on security tips as part of a general staff email. Every 6 months or year, a cybersecurity PowerPoint presentation with Q&A held in the conference room for all employees would help clarify anything that they don’t understand from the guideline.
Andrew Nguyen says
Hey Wilmer,
I like how you included that the SETA program should have some sort of ‘schedule’ to it (e.g. every 6 months to a year). This is really important for a SETA program to be effective; having a schedule set in place for information security requirements makes employees always have information security at the back of their minds, and prevents them from getting complacent or simply forgetting things like not opening phishing emails, not leaving PII lying around, etc.
Thanks for sharing your thoughts!
Best,
Andrew
Olayinka Lucas says
Hello Wilmer, I concur and agree that to develop a security education program for employees, one must first evaluate their knowledge of security practices and procedures. The level of awareness and training will determine if what is on the ground is adequate or not. A security education training and awareness program is created to prevent or mitigate risk once identified. As such, it must fit the gap it is intended for. The knowledge gap is one of the most significant risks we see in the industry today, leading to breaches and compromises.
Ornella Rhyne says
Developing a SETA program requires an understanding of the organizational infrastructure, keeping in mind its mission and culture. The purpose of it is to educate users on the dos and don’ts relating to the organization's information security system. To develop this program, the people in charge must come up with plans (strategies), trainings and policies to implement and innovate in a sense that is inclusive and understandable to all users within the company. In other words, this program must include everybody with no exceptions.
Policy is very important because it defines the rules and provides a roadmap for day-to-day operations. It also gives guidance for decision making and streamlines internal processes. With that being said, top management or IT must create and define policies within the organization that direct employees to follow specific processes while working at the office and from home. These policies will be encouraged and enforced by management for employees within each department.
Proper trainings are also beneficial to guide employees on a daily basis and make them aware of new trends going on in information security. Trainings can include classrooms and meetings, but as of now online training is what most companies are using. Trainings must be included in the organization’s top priorities for security, especially for new employees. The training will educate them on new skills and provide updates on existing skills to enhance their productivity. For existing employees, management must enforce recurrent trainings to be completed every 3 to 6 months. The trainings should include the standards for security but also specifics to that particular organization depending on its line of work. Trainings should use basic language that is not too technical in regards to the explanations of why these security habits are important.
The strategy is to make sure SETA is developed based on the organization needs and applicable within all departments.
Kelly Sharadin says
Hi Ornella,
Great point highlighting the importance of interloping policies with the SETA program. How can we enforce adherence to these controls if we do not have clearly defined guidelines for information security, acceptable use, or BYOD? Unfortunately, even with classroom or mandatory video training, some employees resist security best practices because we often require users to change their behavior. Policies go hand-in-hand with a SETA program because they reinforce the organization’s security requirements and create accountability for employees who do not adopt the training as part of their daily routine. Very thought-provoking post!
Kelly
Madalyn Stiverson says
Hi Ornella,
I appreciate the points you made on culture and policy. An additional point I would add to your discussion on why policy is vital:
It’s essential to implement security by design and privacy by design. Effectively meaning when new projects are launched, they are designed with privacy and security in mind from their inception. A key way of making sure this is adopted across each business function is to implement comprehensive policies outlining these issues.
Matthew Bryan says
Developing a security education training and awareness program should begin with an assessment of the organization. This assessment would review company policies, organizational structure, business processes, IT governance, regulatory matters, and the current threat landscape. The outcome of the initial assessment should highlight areas of focus for the program that are informed by business priority. This will help structure the security education training and awareness program’s goals and objectives.
The training program scope should align to the objectives and goals that were identified during the assessment. For example, if the company set the objective of improving its email security, they may establish the goal of reducing click rates from simulated phishing emails. The scope would include training modules on identifying malicious emails and simulated phishing tests. The program should be reviewed against the goals and objectives so that progress can be measured. Adjustments should be made to incorporate new information and to optimize the effectiveness of the program.
A clear message from senior leadership should be communicated to all employees on their roles and responsibilities in the program. This should be tied back to the company policies that were reviewed during the initial assessment. Employees should understand the implications of not fulfilling their duties within the program and how participating in such a program helps to protect everyone. Successes should be shared broadly as the company achieves its training objectives.
Kelly Sharadin says
Hi Matthew,
Inventorying what regulatory obligations the organization must adhere to is a valid point to raise. As data privacy laws continue to manifest, they often require training on handling customer and employee data properly. It certainly is not fun or exciting content to develop training around. Still, it is necessary given the level of fines imposed on businesses for failure to report or prevent breaches involving PII data. Thanks for sharing your thoughts.
Kelly
Victoria Zak says
Matthew,
An idea to make training more fun is to have an award for an employee at the end of training. For example, each employee who earns an eighty-five percent or above on their phishing quiz will be entered into a drawing for a gift card.
Corey Arana says
I would first test my employees on their current knowledge of security. I would then be able to set a starting point/baseline for the organization. Next steps would be investing time and money in setting up a security education training and awareness program. Courses and classes would be mandatory, and education would be required on a monthly to quarterly basis depending on need. Everything from video training to setting up testing on employees would take place. Having cyber drills, fake phishing emails sent to employees, and training exercises would be tested in the event of an actual breach. To keep security running smoothly, employees would have to adhere to security policies such as password changes, monthly software updates, the use of VPNs and mandatory backups of data. Being able to properly train and keep employees accountable will make the organization’s environment a lot safer.
Antonio Cozza says
Hi Corey,
I like the point about accountability that you make regarding a safer environment – I think this illustrates the idea that each individual has a part in the overall security of an organization regardless of their role. It is important that people can be held accountable for not adhering to policies for all of the obvious reasons. Employees should all be on the same page so that they grasp the concept that attackers want to take the path of least resistance, so if they don’t make it extra simple to be attacked, they aid in reducing the likelihood of the organization being targeted.
Michael Galdo says
To develop a security training and awareness program, I believe you should start by figuring out how much knowledge the consensus of your employees has on cyber security and your company’s IT policies. I would start by having employees fill out a survey that asks them questions about standard IT policies, regulations, and terminology. Once you have a good idea of what topics your employees need more training and awareness in, training should be based around the goal of making sure every employee completes training with a better awareness and understanding of terminology and company policies. The program should be a requirement for current employees, and all new employees should go through the program during their hiring.
Jason Burwell says
Hello Michael,
I think the survey is a good idea; it will let the company know where everyone stands and just how much training each person will require.
Corey Arana says
Hi Michael,
Having a survey to figure out the overall knowledge of the employees is a great starting point. Once a baseline is developed, the company can know where to go with training and exercises to have their employees up to their standards.
Christopher Clayton says
In developing a security education training and awareness program, first have an understanding of the organization’s security awareness by evaluating staff’s security knowledge. Those that lack the proper knowledge, have them go through training, whether it be one-on-one, formal classroom setting, or computer-based (whatever way helps them to learn proficiently). Provide an exam once they have completed the training. Popup quizzes to test their knowledge and sending random fake phishing emails throughout the year are also good for training and necessary when presented with a possible security situation.
Wilmer Monsalve says
Exams are a great addition to the program to help encourage employees to actually study the course in order to pass and move onto the different chapters throughout the module instead of skimming through everything.
Ryan Trapp says
To effectively develop a security and education training program one first must design the SETA program in a memorable and engaging way for the end users. All the employees, from top to bottom, need to be considered when planning the various training opportunities. These individuals are the ones that will be tasked day to day with keeping security in their mind. It is imperative to have a program that keeps this information fresh and keeps them engaged. Like Vacca mentions, the ultimate goal of a SETA program is to change the behaviors of users. To ensure this is accomplished it is important to make sure everyone is fully engaged with the program. It starts and hinges on the employees learning and remembering.
Michael Galdo says
Hello Ryan,
I believe it is a great idea to have a SETA program set in place. It’s important to have a program where the information is consistently being updated because IT regulations are changing as technology improves. Putting emphasis on the importance that employees stay fully engaged in these changing regulations is important to the future security of your company.
Mohammed Syed says
To design a security education program, the first step would be to analyze the structure of the organization. For example, number of employees, employee responsibilities, organization core business, daily work routine etc., which is helpful in designing and developing a proper security education training and awareness program. It is important for every employee to be aware of information security rules and regulations at their employment. Having a thorough look at the built-up structure in the organization can be helpful in developing the SETA program.
The SETA program’s important aspect is to develop real world scenarios for training and to create effective training programs that focus on the training approach and material, such as network design security, system and application software security, social engineering attack security, new age devices (smartphones), data security, various malware programs etc. Based on the responsibilities and daily job duties of the employee we can divide the training program into two groups: a functional group and a skill-based group.
Functional training focuses on employees who work on specific devices like Cisco, Juniper, Palo Alto, IDS/IPS etc. Keeping track of employee behavioral analysis for identified employees who may be prone to various insider attacks, and training and guiding them specifically, will help in mitigating most of the attacks. A security education training program is more beneficial when it is customizable based on the various groups of the organization. Having different training material that focuses on the same issue will be helpful for employees that have different skill sets, and helps in creating awareness about security issues.
Once the analysis and design is complete, this effective program can be delivered to employees. The training program will often include topics related to password security, phishing attacks, social engineering, mobile device security, sensitive data security, business communication and more. Finally, proper implementation and delivery of the training program using technologies and various platforms can result in a much safer organization.
Olayinka Lucas says
The first step to developing a security awareness and training program should be assessing the organization’s processes, policies, structure, threat landscape, amongst others, related to all critical business activities and the focus areas. These elements identify the essential business function and direction of the enterprise. Once duly recognized, the awareness and training program’s goals and objectives should be according to the enterprise’s.
The scope of the training program should then align with the identified enterprise’s objectives and goals. Secondly, program effectiveness should be improved to meet organizational goals and objectives. Third, the KPI of such a program should be what the organization looks to achieve. Finally, enhancements should be made to improve the effectiveness because organization goals and threat landscapes evolve.
The tone at the top always determines the success of any program enterprise-wide. The effectiveness of the awareness and training program will be determined by the level of compliance and adherence to practices that should be in line with organizational goals and objectives. The effort that management is willing to put in achieving the program’s success will always determine whether the program will succeed or fail.
Madalyn Stiverson says
Hi Olayinka,
I appreciate your comment on assessing the organization’s current situation before progressing. They may have ad hoc policies in place or other resources that can be used to enhance and refine the SETA program. If you don’t know where you’re starting, you won’t know where to go next, so this is a fundamental step, but very necessary.
Michael Duffy says
How do you go about developing a security education training and awareness program?
I would personally choose a more top-down approach and identify organizational components to generate general basic and fundamental Cybersecurity philosophy for the general user. To start, identifying what policies the organization and all of its sub-components should follow on a daily basis for best practices. Typically these are things such as preventing piggy-backing from people using their CAC cards or restricting users from sharing work computers. Having general policy across the board makes it much easier to distribute to different divisions as well without having the complexity of waivers or exceptions by other groups within the organization. This policy should also be made centralized, publicly available, and also should be one of the things the end-user is notified of upon their onboarding process. After policy is finalized, I would implement required trainings via learning management systems and have management track annual trainings to ensure that employees are kept up-to-date with the latest knowledge bases oriented towards general employees. I would also encourage the organization to send weekly emails covering different security best practices to promote active engagement in security. These could range anywhere from specific topics, examples of outcomes involving poor Cybersecurity hygiene, or in-the-news articles. The goal is to not only make sure that employees are doing their annual trainings, but that they are actively engaged in security as well.
Next I would do an assessment of what operations exist within the organization and determine if any additional or specific education/training should be identified. For example, the IT auditors group might receive additional trainings compared to the HR department due to their roles. An example Vacca uses is if you have a Network Firewall Administrator, you might want to encourage or enroll them into an advanced course oriented around particular companies such as Cisco or Palo Alto. Essentially, the organization should undergo a top-down behavioral analysis to determine personnel and their goals in order to specialize them with adequate training towards cybersecurity.
To summarize, the SETA program would start very generically and evolve fluently as different groups and individuals are identified. It is also important that SETA programs are not static, and that at any particular time things are subject to change due to the nature of cybersecurity as well as the personal goals and objectives that change with each individual that is a part of that program.
Matthew Bryan says
You raise excellent points on how policy drives an effective SETA program. Without clear, consistent policy, it’s difficult to build a training curriculum. Limiting exceptions makes designing the training content easier and sets a consistent tone across the organization. I am not sure it’s possible to have an effective SETA program without good policies that are adopted across the organization.
Michael Jordan says
The first step to developing a security education training and awareness program (SETA) is to acknowledge that, unless you are developing it for an information security company or otherwise technical organization, there is likely someone in your organization who doesn’t think about information security at all and is not good with technology (assessment). It is imperative to make employees with this level of knowledge/care about IS, and all other employees, aware of the consequences of an IS breach on the organization and implications this has on the security of their job. It may seem overboard at first, but if a company has an IS breach and loses millions of dollars or takes a reputational hit, any person contributing to the breach is likely to lose their job anyways. For this reason, it is also critical to reiterate that most IS breaches can be attributed to (at least in part) some source of human error.
Once the importance of IS is embedded in the organization, I would create and publish an IS policy created by company executives and the IS/IT team. I would aim to make the policy concise, definitive, easily understandable to non-technical employees, and easily available. It should include the most popular methods of successful breaches (for example, phishing emails, bad passwords, social engineering, etc.), and the best remedies for these potential risks. I would also mention that employees should not be hesitant to ask questions about things they are unsure of, because going against their intuition just one time could result in a vulnerability/breach.
After developing or updating the IS policy, I would go over this policy in an initial training session and also reiterate the possible repercussions to both the business and the employee if a breach were to take place. Next, I would mention the scope of ramifications based on the industry the company is in, because if the organization is a bank, government entity, etc., it is even more imperative to maintain strong IS policy for the general good of the public. Giving examples of popular breach methodology and potential phishing emails is key, because it shows first-hand what to be on the lookout for. I would also create a program that sends fake phishing emails to employees and inform them to be on the lookout, and that if they end up clicking the fake link/download, they will be required to attend another training session aside from the regularly scheduled ones that are quarterly or semi-annual. It would also be helpful to include an example or two of security breaches that have happened to other organizations in the past.
Lastly, I would continuously update the policy and training methods to keep up with the ever-changing methods that hackers use, to reduce the chance a breach occurs due to outdated policy or training, as this would be the executives’/IS department’s fault.
Andrew Nguyen says
Hi Michael,
I really like how you take into account that there may (will) be employees that either do not think about information security or are not good with technology. This is really important in creating an effective SETA program! The program must take into account differing levels of knowledge and technical skills, and should establish a ‘baseline’ level of awareness throughout the organization, even if an employee doesn’t understand a whole lot about information security, at least initially.
Thanks for sharing your thoughts!
Best,
Andrew
Antonio Cozza says
Creating an effective security awareness and training (SETA) program proves to be quite the difficult task for a number of reasons. The main issues that make it difficult are that information security professionals are often faced with end user apathy and ignorance, so the first step in creating an effective SETA program would be to address this heavily in different ways. First, it should be made known that information security is important to all end users and not solely IT personnel, or just observed as a problem when there is a data breach. These misconceptions need to be eradicated initially for the program to succeed.
The program should include a mix of security awareness training so that people are more easily able to retain the information by seeing it multiple times in different ways; there should be both a formal training that discusses and essentially teaches end users the important relevant security concepts to the organization or business, as well as some sort of training events based on a time interval: a monthly discussion for example. After this, the general level of security-related knowledge should be assessed for the overall target group whether it is employees, students, etc. The result of the assessment should be used to design, develop, and implement the goals of the security program that are specifically relevant to the particular business in question.
The program should be able to convince the end users who rely on their computers to perform their work that each of them must care about information security in order for it to be successful for the whole business, as they represent the largest user group. Next, it should be decided which particular security topics or concepts that all users must know, based on the issues relevant to the business at that particular time, as well as the issues that information security as a whole is currently facing. The criteria must, like all other policies should be, regularly reviewed for success, and monitored based on measurable performance indicators. As the global security landscape changes, adjustments could be made to generate awareness and provide training as needed if deemed necessary and relevant to the organization. All of this together, would in my opinion be a sound methodology in implementing a strong SETA program.
Michael Jordan says
Antonio,
I think it is an important point that you emphasized the struggle of IT professionals working with non-IT coworkers in educating them about information security, threats, and prevention methods. Unless these employees have (at least) a brief understanding of the potential ramifications of a breach, they will be apathetic in regards to any type of training or policy that forces them to behave differently than they currently do. This is one of the main struggles in any company attempting to create a SETA program.
-Mike
kofi bonsu says
How do you go about developing a security education training and awareness program?
Creating and establishing a SETA program demands an objective assessment of the organizational infrastructure on the coattails of its overall mission and the culture. And this is therefore meant to educate users on the resultant repercussions of lack of adequate security awareness relating to an information security system of the organization. To develop this program effectively and efficiently, then the category of people responsible for those training, programs, and policies to implement and educate on effective security education program. A security awareness, education and training program provides guidance for building an effective information technology security and supports requirements. And we go about developing security making sure that everyone has a role to play in the success of the security awareness, education and training program. We need to make sure once again that the scope and content of the program must be tied to existing program directives and therefore establish security policies in place. Within an IT security program, there must exist clear requirements for the awareness and training program. And it also identifies four critical life cycle phases of an IT security awareness and training program.
In the first place, awareness and training program design, awareness and training material development and program implementation, and finally post-implementation.
We usually go about developing security training once again by making sure that most security and IT professionals understand the importance of workforce security awareness and training for organizational cybersecurity. The best way to educate employees on even the most important cybersecurity standards is by creating a security framework that can be used to educate people. Hence, the NIST Cybersecurity Framework is a voluntary set of standards, guidelines and best practices to help organizations manage and educate people about cybersecurity-related risk that can pose a potential risk to business. Protecting your organization with security awareness and training would certainly help the organization to achieve its focus. And the NIST framework highlights security awareness and training as a core component of the Protect function of the Cybersecurity Framework.
Joshua Moses says
Some of the goals of my SETA (security education training and awareness) program would be to improve employee behavior, educate the end users on how to identify what is normal and what is abnormal within the organization, and make them aware of the many threats that threaten the organization on a daily basis. This will enable the organization to hold employees accountable for their actions.
I believe utilizing classroom-style training could prove to be very beneficial, one that consists of a lecture followed by a Q&A. There should be ample time for this, and a full work day can be dedicated to this effort if it is absolutely necessary. It is imperative that everyone in the organization is engaged in this SETA program so that they can have the education and training that will make them more aware and knowledgeable of security best practices. In addition to that, I also believe a security awareness website will also help in these initiatives.
Madalyn Stiverson says
To develop a security education training and awareness program, there are a few things that need to happen.
1. Create internal policies surrounding training frequency, requirements, and tracking. Develop plans for information dissemination via posters, meetings, emails, formal trainings, and other methods. You may consider referencing industry standards.
2. Acquire a vendor that can implement phishing awareness training and phishing simulation training. This vendor should also test the success/fail rate of these tests and target those employees who did poorly more often with additional training and simulations.
3. Acquire a vendor for cybersecurity and privacy awareness training. This should cover how to handle PII, common attack vectors, and how to recognize and report incidents.
4. You may receive push-back from employees if you are implementing new policies. Make sure employees are educated on why these policies are being put in place. Emphasize that cybersecurity starts at the individual level and each person in the organization is a key player in preventing and reporting cyber incidents. Cybersecurity should not be siloed.
Lauren Deinhardt says
Hi Madalyn. I like how you addressed using vendors for security awareness campaigns. Although in-house programs can be equally useful, mitigating and allocating this risk to professionals is a smart move for any organization. Great analysis!
Vraj Patel says
Hello Madalyn,
That’s a great post. I do agree with the first one, to have posters and mention that during the meeting. By having the posters it would remind the end users that they are also part of the security team to protect the network by potentially identifying the phishing email and not clicking on it. Also, by discussing it during the meeting it would help the management to inform the end users regarding the key points of the security trainings, and the users would also get a chance to ask any question they might have.
Michael Duffy says
I think you nailed the point with number four. A lot of individuals chalk up cybersecurity to be the concern of someone from “IT”. I believe in one of the Vacca readings the author points out the shocking lack of technical skills within the general population, leaving these as easy targets for attackers via social engineering. Security should be a concern at a basic level for every individual, and I would argue not only through an organization-wide approach but from day-to-day personal life as well.
Miray Bolukbasi says
Vacca explains the fundamentals of the SETA (security education, training, awareness) as helping all users in an organization to become more aware of information security principles. The program also eliminates the risk levels, its insurance premium, and helps to meet regulatory standards.
During the process of developing the program, the design and training should target all users that have responsibility to secure the business processes and assets. The program should be designed and thought out well before application. Since the goal is to change the behavior of users towards security, the leadership roles should understand the user behavior and motivation well. The process should first deliver the awareness to all users and continue with general knowledge, considering that all users are critical to the defense and protection of sensitive data and operations. Once all users are aware of the culture of security, they can focus on individual/group responsibilities based on their specific tasks performed. All users need to understand the roles and responsibilities clearly so they engage effectively and their behavior is adjusted right.
Then, targeted and tactical training should be implemented into the program. Training should help employees to develop more advanced skills, increase understanding and improve both functional (based on role of the employee) and skill-based performance (based on technical level). Even though design and development of the program is the key to success, implementation and delivery are important as well. The company policy and standards should be reviewed well and communicated correctly so it delivers effectively to the users. Before delivering the program, program details such as scope and objectives, training staff and audience, and motivating management should be discussed well.
Richard Hertz says
I like the way you highlighted the importance of creating a ‘culture of security’. This culture of security seems to be fundamental to achieving the outcome of a security aware organization. Having employees complete training but not be actively applying the underlying principles to their everyday work will likely not generate the desired outcome!
Vraj Patel says
A security program should be one of the priority programs for any company as it would get the end users familiar with the basic types of attacks such as phishing attacks, which could then help them to identify a phishing email if they receive any. The training should also include how they can report those types of phishing emails so the IT department could investigate and block similar emails from reaching another user’s mailbox. The security program should also include how the end users could report other incidents that could occur by providing them with the contact information which they could use to report it.
Lauren Deinhardt says
In initiating a security education training and awareness (SETA) program, there are three key concepts to consider: design, development and implementation.
Design refers to the overall program structure (centralized versus decentralized) and the security training cadence. According to John R. Vacca’s Computer and Information Security Handbook, 3rd Edition, information security training should be delivered during new hire orientation, during an initial security briefing (3-6 months into employment), through refresher training every 3-6 months, and during employee termination briefings. In addition, SETA program design should be interactive, inclusive and customized to be applicable, and of interest, to all users in an organization.
Development of a SETA program relates to the materials discussed in the training. Topics at the general security awareness level should be overarching to the entire organization, such as password security or desktop security; for more advanced forms of training, specialized topics such as how to monitor vulnerabilities on a specific software should be included. More security awareness topics should stem from the organization’s policies and procedures applicable to the users engaging in the program. Developing the program should also determine the media used to convey SETA topics, such as web-based lectures, phishing awareness campaigns, and corporate events.
Lastly, SETA implementation refers to reviewing the entire SETA program, approving of training materials, and determining result delivery. The SETA program should be reviewed and confirm that it meets the organization’s needs in terms of goals/objectives, identifying proper training staff/audience, motivating management/employees, and managing administration/evaluation of the program. The organization should coordinate a proper key performance indicator (KPI) review for the program, to determine it is reaching its security awareness goals. The program material should also be applicable for the targeted audience (i.e., security awareness training delivered to the general employee population, and more in-depth certification training delivered to IT professionals in the organization). Training at both the ground level and advanced level is equally important to preserve the welfare of a company.
Dhaval Patel says
Hi Lauren,
I like how you mentioned that the implementation process not only includes approving and distributing training material but also understanding the effectiveness. In my past organizations, security training was seen as a nuisance, and KPI standards were never set, which ultimately meant there was no proper understanding of how effective the training was. Determining the results of the delivery is often overlooked, but it is a key piece in the SETA implementation process.
Dhaval Patel says
The first step would be to determine the organization’s current security awareness level. This, as others have said, will allow you to establish a baseline and gain an understanding of where the security gaps exist. The easiest way to determine an organization’s current security awareness level is to send out a survey with questions related to the existence of certain security policies or their understanding of social engineering and phishing scams.
Once a baseline has been established through the survey method or other means, the next step would be to determine what content to include in the program. As Vacca stated, there are a significant number of topics that can be selected for information security training, so the best practice would be to create a shortlist of the topics that are applicable organization-wide. These topics can be generated based on the responses from the survey or whichever means were used to establish the baseline. Developing trainings by referencing the baseline will allow any security knowledge gaps to be filled.
The final step would be to implement the program. At this point, the organization has an understanding of what security gaps exist and, with that information, knows what topics need to be applied company-wide and at the role level. Implementing would involve determining what method to use to supply the training. Will it be virtual pre-recorded slides with a quiz, an in-person seminar, or a mix of both? Ideally, these trainings would be required quarterly to keep the employees knowledgeable and aware of the security policies and practices in place.
Vacca, J. R. (2017). Computer and information security handbook.
ideaBOX Team. (n.d.). How to build a security education training and awareness program (+FAQs). ideabox. Retrieved September 28, 2021, from https://www.ideabox.com/blog/cybersecure-employee-training.
Ryan Trapp says
Hi Dhaval,
I agree that sending a survey would be the best way to create a security baseline. Getting to your point about implementing and determining the training method, what if users were also asked about that in the survey? It could include some questions about the individual’s preferred method of learning, as some people are more visual learners while some might prefer reading the material themselves. This could help ensure the methods implemented are best suited to as many people as possible.
Bryan Garrahan says
It’s essential for an organization to define security as it relates specifically to their organization. An organization should establish security requirements/best practices for a number of reasons, such as a need to meet a regulatory requirement or to protect confidential/financial customer data. The first step in establishing a security education training and awareness program would be to assess the business and IT users’ current understanding of the existing organizational security requirements. Specifically, it would be helpful to first identify users who are responsible for managing an organization’s most critical as well as sensitive data to determine what procedures are in place to secure said data. From there, the organization can assess the already established security processes/procedures (if there are any) and subsequently develop policies to inform users on organizational security best practices and how the best practices can be applied to their specific job function or role. From there, it can be determined based on the user or groups of users whether functional or skills-based training will be required. These actions will lay the foundation for establishing a security awareness and training program for critical users, and from there the organization can continue to develop processes/procedures for any other areas which require enhanced security for a more layered security approach.
Jason Burwell says
How do you go about developing a security education training and awareness program?
I believe the first step in developing a SETA would be understanding the business functions, and then assessing the security needs of the business. Once that is done, and we have a blueprint or map of sorts of what the users should be trained on, we can start assessing the users themselves.
Assessing the users is an important step; we want to make sure each user will get the proper training they need depending on their assessment. We would not want to waste resources training someone who already knows the material inside and out. And on the flip side, we do not want to under-train someone who truly needs it. Once everyone is properly assessed, we can start implementing functional and skill-based training accordingly.
As Vacca explained, it is critical to the SETA that real world scenarios and job functions be mapped in areas high in demand. It is also critical that the SETA should be an evolving program. Always being updated and refreshed as the industry introduces new factors.
Bryan Garrahan says
Hi Jason, thanks for sharing – I too agree that an assessment is necessary and I believe it’s the most important component when it comes to establishing a SETA program. However, I believe it’s the most difficult part of the process because it’s hard to actually measure user security awareness within an organization. I think distributing security awareness surveys and requiring users to fill them out is a good start, but I don’t think the SETA implementation can rely solely on this data because some users could report they are adequately aware of the necessity to secure organizational data when in reality they aren’t. I think it’s necessary to seek out solutions to measure the overall user security awareness, such as a tool to try and actively trick users into clicking on fake malicious links that are logged. This data would certainly be more reliable and would more adequately measure their users’ security awareness. That being said, it’s important to stress to users that they will not get in trouble for clicking on a fake malicious link; rather, the focus should be on raising awareness and educating the user.
Richard Hertz says
How do you go about developing a security education training and awareness program?
In general, the first step should be a determination of the level of security knowledge the organization desires its members to achieve. Next would be to assess the current level of knowledge through a test or other means that will define the baseline of where the members currently are in their knowledge and awareness. A SETA program can then be developed and put in place to close that gap, with periodic measurement.
An example of this is often seen with Phishing. An organization will define the level of awareness and training they want their members to achieve – 100% awareness and the ability to identify and not respond to phishing emails. A phishing campaign can then be orchestrated against an organization and the results will reflect the current awareness level of the organization. E.g. – Anything less than 100% pass rate of the phishing campaign will result in supplemental training for those individuals who failed.
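Measuring awareness the way the two posts above describe (a phishing campaign pass rate with a 100% target, and the gap between what users self-report in a survey and what the simulation log shows) can be scripted. The block below is an added example, not code from any poster; the campaign log, the survey answers and the event names are constructed for illustration.

```python
"""Score a simulated-phishing campaign against the self-reported survey baseline.
Added example, not code from any poster; all data below is constructed."""
from collections import defaultdict

# Constructed campaign log (campaign_id,user,event); clicked = fell for the test.
CAMPAIGN_LOG = """\
c1,alice,sent
c1,bob,sent
c1,bob,clicked
c1,carol,sent
c2,alice,sent
c2,bob,sent
c2,bob,clicked
c2,carol,sent
c2,carol,clicked
c2,dave,sent
c2,dave,reported
"""

# Constructed survey: user -> self-rated ability to spot phishing (1-5).
SURVEY = {"alice": 5, "bob": 5, "carol": 2, "dave": 4}

def parse_log(text):
    """Count events per user and per campaign; unknown events are rejected."""
    per_user = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0})
    per_campaign = defaultdict(lambda: {"sent": 0, "clicked": 0})
    for line in text.splitlines():
        if not line.strip(): continue
        campaign, user, event = line.strip().split(",")
        if event not in ("sent", "clicked", "reported"):
            raise ValueError(f"unknown event {event!r} in {line!r}")
        per_user[user][event] += 1
        if event != "reported":
            per_campaign[campaign][event] += 1
    return dict(per_user), dict(per_campaign)

def pass_rate(per_user):
    """Share of tested users who never clicked; the target in the post is 100%."""
    tested = [r for r in per_user.values() if r["sent"]]
    return sum(1 for r in tested if r["clicked"] == 0) / len(tested) if tested else 0.0

def click_rate_by_campaign(per_campaign):
    """KPI to track over time: clicks / messages sent, per campaign."""
    return {c: r["clicked"] / r["sent"] for c, r in per_campaign.items() if r["sent"]}

def supplemental_training(per_user):
    """Everyone who clicked gets retraining; repeat clickers are escalated."""
    return {u: ("escalated" if r["clicked"] >= 2 else "refresher")
            for u, r in per_user.items() if r["clicked"]}

def overconfident(per_user, survey, threshold=4):
    """Users who rated themselves >= threshold on the survey but still clicked."""
    return sorted(u for u, r in per_user.items()
                  if r["clicked"] and survey.get(u, 0) >= threshold)
```

Running `parse_log(CAMPAIGN_LOG)` on the constructed data gives a 50% pass rate, flags bob for escalated and carol for refresher training, and lists bob as overconfident, since he rated himself 5 on the survey and clicked twice.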
Victoria Zak says
How do you go about developing a security education training and awareness program?
First, in order to create a security education training and awareness program, one must find out what the business objectives are and what the business needs in order to excel. According to Vacca, there are three components to take into consideration while designing a program: policy, strategy, and implementation. Knowing what the business’s policies are and how they apply is extremely important to ensure the employees’ skills are strengthened. Additionally, this would design the awareness program as efficiently as possible to bring more knowledge to the employee.
Secondly, training is another important asset. Understanding where an employee’s knowledge is can help the user gain more knowledge of what the employee is not familiar with. If an employee has been at the organization for several years and earns a percentage over eighty-five percent, developing a much harder and more advanced training would be more successful.
Another question would be, how often does the company hand out phishing training? As it mentions in the Computer and Information Security Handbook, training should be delivered during new hire orientation, during an initial security briefing (3-6 months into employment), and during employee termination briefings.
To help along with training, within my organization, current events are sent out to all employees of the company to gain more knowledge.
Most importantly is to implement the awareness program. There is an understanding of the business’ policies, employees’ knowledge, and what role level the employees are on. The training can include quizzes that must be passed at a certain percentage. If an employee receives that percentage, a reward will be handed out. As it mentions in the Computer Information Security Handbook, it only takes one person to cost the company thousands, even millions of dollars and ruin its reputation. As an example, take the Target breach case. Had the person who clicked on the phishing attempt received enough training, or little to none?
Victoria Zak says
Vacca, J. R. (2017). Computer and Information Security Handbook.
Alexander William Knoll says
In order to create a Security Education Training & Awareness (SETA) program, I would begin by deciding what I am trying to achieve, and how I am going to implement it. I would also take into consideration the audience I am targeting with my program, and the nature of the threats I would be focusing on. For example, if I was working for an organization that was constantly being targeted by phishing attacks, then the goal would be to train employees on how to not fall for them. To achieve this, I would set up training programs. Again using phishing as an example, these programs would be designed to educate employees on what phishing attacks are, why they are so dangerous, etc. These programs would go on for as long as they need to, until the threat has been reduced to a manageable level, and even then, there would be future tests set up. At a previous job the IT Department would occasionally send out emails designed to look like phishing attacks. If the employee fell for the attack by clicking the link, they would have to take another short, 15 minute or so video/quiz to reeducate them on the matter. Once the organization seems fully educated, trained, and aware on the current security threat, I would start at square one focusing on the next largest threat the organization is facing.
zijian ou says
Step 1: Establish the goal of cyber security education. Before contacting cyber security experts and arranging seminars for speakers in the company’s office, one must first determine the specific goals that the company’s security education program will achieve. Please ensure that these goals are specific, measurable, achievable, realistic, and timely, as in the SMART goal framework.
Step 2: Assess my audience. When it comes to cybersecurity, not all employees have the same level of knowledge. When starting a SETA program, begin by assessing my organization’s overall cybersecurity knowledge, sending out surveys asking people how comfortable they are with cybersecurity topics, or even actively testing employees by sending fake phishing emails or handing out quizzes if necessary.
Step 3: Develop SETA program topics based on critical issues. Only after identifying the most vital cybersecurity knowledge gaps in your organization can you begin to create program topics designed to address those gaps. For example, if many people are attracted to fake phishing emails, I can start preparing cases on phishing email prevention to prevent actual attacks from occurring in the future.
Dan Xu says
I couldn’t agree more with the three steps you mentioned. Establishing goals for safety education before we begin can give us direction to implement our program. By assessing the audience, the scope of the audience can be pinpointed and will be more efficient. This is a good facilitation method for starting a SETA program to make people with a basic understanding of cybersecurity more knowledgeable. The most important thing is to develop SETA program topics based on key issues. This is the most critical step; the process is as important as the result, and finally the contact person of each department needs to be coordinated to implement according to the SETA plan.
Bernard Antwi says
Excellent input, Xi. Also, keeping all employees on their toes with security top of mind, by continued testing. Sending a simulated phishing attack once a week is extremely effective to keep them alert.
Dan Xu says
When I need to develop a safety education training and awareness program, I think I need to be prepared before I start. I need to develop a process to identify the topic of this SETA, design the SETA program, and advertise and promote it so that employees are aware enough to implement it. First of all, it is necessary to discuss the topic and the audience with the IT security team; targeted publicity can be twice as effective. Second, educate employees on the basics of data security-related knowledge; a general understanding of the basics lays the groundwork for the later themed education. At the same time, an educational planning workshop is organized to announce the SETA objectives of the conference and to launch the training by providing the best way of data security training. During the meeting, the SETA theme and learning objectives are explained, and the importance of security education training is explained. For example, conduct face-to-face training on ITS or self-directed learning through handouts, websites, and checklists. Since participants usually do not like mandatory training, optional training is more efficient. Finally, develop an education plan. Based on the preliminary survey preparation, a relevant face-to-face training plan can be summarized and developed. When implementing the plan, contacts from various departments need to be coordinated, and strategies need to be continuously improved and enhanced during the course of the campaign. The process is as important as the results, and the step-by-step approach to designing SETA helped us design an effective program while enhancing outreach efforts.
Bernard Antwi says
A Step-by-Step Approach to Creating a Security Education, Training, and Awareness Program should follow:
• Determine a Topic and Audience. Prioritize topics.
• Determine a Baseline.
• Hold Education Planning Workshops.
• Develop the Education Program.
• Implement the Education Program.
• Conclusions.
Bernard Antwi says
A Step-by-Step Approach to Creating a Security Education, Training, and Awareness Program should follow:
Step 1: Establish a security policy.
Step 2: Implement a Security Awareness Training.
Step 3: Add Security Awareness Training in Employee Onboarding.
Step 4: Continuous Security Testing of Employees.
Step 5: Take Action for Successful or Failed Phishing Simulation.