As Vacca states, SETA programs must be constructed around real-world scenarios but also take into account the level of institutional importance the trainees' positions entail. SETA training should be carried out for ALL faculty and staff, but the details and how advanced this training is should vary by position and job. This can first be done by determining user roles within an organization. Once roles are determined and assigned, a designer can then take organizational need into account. What is the organization, what risks does it face, and how can we better prepare and protect against them are all questions that should be considered in this evaluation. Once both of these determinations have been made, one can then create a general outline for what should be covered and at what level. Though there are always very specific top-level training procedures for security that will vary from organization to organization, there are always general topics that should be covered with all staff, such as phishing security and password protections. Finally, after identifying who should receive what training, on what topics, and on what matters, the organization can then focus on implementation. This can vary from online required training, in-person hands-on training, newsletters, or other methods. Once the program has been implemented, the organization should then seek out feedback, not only from participants, but from their systems, to determine if the training has been effective in preventing future incidents.
I feel that the text was pretty straightforward on how to set up awareness and training, especially when it pointed out the methodologies of the trainings. You pointed out the same when you stated roles are defined, as this falls within the functionality methodology, which is specialized training based on the role of the employee, and also skill-based, which takes into account the current skill level of the employee when delivering technical training. This way people are getting actual training that sinks in on all levels of the organization and helps with continued support through the years, as it should always be present on all levels.
I like the way you broke down how you would develop a training program. Everyone should have a basic level of awareness around a computer training. From there you filter who needs what depending on their job function. You don’t want your finance people sitting in a training class on grant making. But security training is agnostic and it is something we all can benefit from. You have to have input from the people you serve so soliciting feedback is vital. It is important to know what is working and what needs improving.
I believe establishing a feedback mechanism would allow employees to ask questions or share security-related concerns, ensuring that they feel heard and valued.
I think it would also be a great idea to include interactive elements in the training session so that the employees feel engaged and a part of the process.
The goal would be to create a security-aware environment where employees understand the importance of their role in safeguarding the organization’s data and assets.
I would start with a three-tier approach starting with training and tools. Training is the most important aspect as users need to know how to use the tools given to them in a safe and secure manner. Next, I will focus on policy and what we need to do as a team working with the users to ensure they have what they need to assist in not only securing their device but others as well. Lastly, we implement the policy by developing procedures surrounding security awareness. How to report an incident, how to spot a phishing email, or what questions to ask and what to say when someone calls asking intrusive questions. I would emphasize that security awareness should be an ongoing year-round effort.
Great post. A top-down approach to the development of operational policies, which ensures consistency across the organization, is key here. Most security awareness policies seem as if they were created for some employees while others do not care about such policies, especially those at the top of the management ladder.
I really appreciate your focus on security awareness, Erskine. This part of the program is so important, as day-to-day dynamics within an organization can have such an effect on employees. There are simply employees who may not feel as though they are being compensated properly or even treated fairly within the organization, so why should they worry about the betterment of the company? I believe that security practices are a good way to bring everything to the forefront, and security awareness can help to bring to light certain aspects of a company that may not be so ideal, and now the upper management has to think about it because now this could have enormous implications that go beyond simply treating or compensating employees fairly. And while this is what should be the norm, unfortunately, the economy is in an odd place right now.
Security isn’t just a technical problem but also a people problem, that is why security awareness programs are also important. A security awareness program is a way to ensure that everyone at your organization has an appropriate level of know-how about security along with an appropriate sense of responsibility. To help develop a security awareness program, I will develop these three key components.
Communication: The upper management must regularly communicate to all employees that security is essential to running the business via company-wide emails or presentations.
Checklist(s): The checklist could include:
• What to do when a new hire starts (and when an employee leaves)
• When and how often to remind employees of security protocols
• What to do when an incident takes place
• How to communicate with customers or partners in the event of a breach.
Content: A cache of relevant content about security; this could include a security handbook, role-based guidelines, training programs, and a special chat channel (e.g., #security on Slack).
Security, as a fundamental notion in today’s digital age, concerns far more than just the technical aspects. It is not merely confined to cutting-edge firewalls, encryption algorithms, and other technological solutions. The element of people’s behavior, perception, and awareness plays an equally critical role, if not more, in shaping a comprehensive security landscape across public and private sectors.
It is often said that ‘a chain is only as strong as its weakest link’. In the realm of security, people often happen to be that ‘weak link’. Well-meaning but unaware individuals can unwittingly open doors to data breaches, thus jeopardizing system security. This is where security awareness programs come into play. These programs are aimed at educating employees, users, and even the general public about potential risks, necessary precautions, and adherence to security protocols.
Security awareness programs can address various aspects such as password security, phishing attempts, social engineering threats, and more. With regular training and updates, these programs ensure that individuals stay vigilant. Moreover, they also foster a culture of shared responsibility, transforming an organization’s employees from potential security liabilities into active defenders of data resources. This human-centric approach towards security complements the technological measures in place, reinforcing overall system security.
In conclusion, achieving a secure environment isn’t just about investing in state-of-the-art security technologies. It demands a simultaneous focus on people and their understanding of security practices. It underlines why security awareness programs are not only necessary but integral for effective cybersecurity. Emphasizing the human aspects of security isn’t a choice but rather a prerequisite in today’s interconnected and interdependent digital world.
First you would need to be educated in IT security management. As stated in Chapter 27 this week, there are several standards that have specific guidelines for implementing certain acts. For example, the National Institute of Standards and Technology (NIST) has specific guidelines for implementing the Federal Information Security Management Act (FISMA). ISO and IEC have established standards and guiding principles that will help you develop and start a training awareness program.
I would first look at the Federal Information Security Management Framework, which is recommended by the National Institute of Standards and Technology. Here you can categorize, select, supplement, document, implement, assess, authorize, and monitor security controls on an information system. You will also want to go over the agenda for action for the contingency planning process that is listed in Chapter 27; this gives you a good idea of the Disaster Recovery Institute International associates' eight takes on the contingency planning process. Now that you have a good idea of the framework and contingency planning, you would then move forward with an awareness and training program by implementing SETA, which stands for Security Education, Training, and Awareness. SETA targets all users in an organization to help them become more aware of information security principles as is appropriate for their job. I'd create a culture of awareness across the whole organization, and it should speak to all users, focusing on individual accountability so that everyone maintains a certain level of skepticism when finding themselves in a situation that is unorthodox or out of the ordinary. I would then implement training based on two methodologies: functional and skill-based. A functional example is a network firewall admin getting training on different types of firewalls; skill-based takes into account the current skill level of the employee when delivering technical training. For example, a firewall admin who has been in the field for many years will likely benefit from advanced courses in firewall hardening tactics, etc. Keep in mind that the higher the level of risk that the individual manages, the higher the level of awareness and training that must be provided. I would
The importance of education in IT security management cannot be overstated. As noted in Chapter 27 of Vacca's renowned book, a sound understanding of information technology security principles is indispensable in today's rapidly evolving digital landscape.
IT security management encompasses more than simply installing antivirus software. It extends to ensuring organizational resilience against cyber threats, safeguarding confidential data from unauthorized access or disruption, and maintaining the integrity and availability of systems and networks. Continuous education in this field improves one’s ability to anticipate, prevent, detect, and respond to security incidents.
The dynamic nature of the cyber world continually alters the vulnerability landscape, rendering some security tactics obsolete. Staying abreast of the latest threats, security measures, and regulatory changes requires continuous education in IT security management.
With cyber threats becoming increasingly sophisticated and pervasive, the need for competent IT security professionals continues growing. This demand underscores the pertinence of the postulation in Vacca's book: an education in IT security management is paramount. This is indeed very true and reflects the reality of current technology sectors.
In conclusion, education in IT security management equips individuals with the necessary knowledge and skills to implement and manage robust security measures, ultimately contributing to the protection of sensitive information and sustaining trustworthy digital environments. Therefore, its prominence, as stated in Vacca's book, cannot be underestimated.
Developing a security education training and awareness (SETA) program is essential in order to ensure employees are informed and equipped to protect the organization’s assets. In order to develop SETA, the first step is to understand the organization’s objectives and conduct a risk assessment for the employees. Risk assessment will provide information about the level of security training required. After the assessment has been completed, training should be developed addressing the risk. Employees should be required to take the training periodically in order to stay updated. The organization should also randomly test the employees.
Excellent answer! I especially like your emphasis on the importance of conducting a risk assessment and understanding the organization’s objectives before developing a SETA program. This is essential for ensuring that the training is tailored to the specific needs of the organization and its employees. Remember, it is also important to regularly update the SETA program to reflect the latest security threats and trends.
These steps are all certainly important when creating a SETA program. I would also add that it's important to set up a system for receiving and calculating the effectiveness of the program. To determine the effectiveness of the security training, I would add that there should be a system to determine not only employee feedback, as in how informative the employees believed the training to be, but also using monitoring and auditing practices to attempt to document any improvements in overall security within an organization after training is complete.
To develop a SETA program, you should first identify your goals and objectives. What do you want to achieve with your SETA program? Do you want to reduce the number of phishing attacks? Improve password hygiene? Increase awareness of insider threats? Once you know your goals, you can tailor your program accordingly. Next, you need to assess your audience. Who are you trying to reach with your SETA program? What are their current knowledge and skill levels? What are their job roles and responsibilities? Understanding your audience will help you create a relevant and engaging program. Once you have identified your goals and assessed your audience, you can choose the right training methods. There are many ways to deliver SETA training, such as in-person workshops, online courses, and interactive games. Consider the needs of your audience and the resources you have available when choosing training methods. Next, you need to develop your training content. Your training content should be informative, engaging, and relevant to your audience. It should also be updated with the latest security threats and best practices. Once you have developed your training content, you must implement your SETA program. This may involve scheduling training sessions, sending email reminders, or creating a learning management system (LMS) to track employee progress. Finally, evaluating your SETA program regularly is important to ensure it meets your goals and objectives. You can do this by surveying employees, tracking employee behavior, or conducting phishing simulations. My last company used a product called KnowBe4 to send out test phishing emails. In the beginning stages a large percentage of users failed, but as the training progressed more and more users were catching the phishing emails. We hit our goal of <3% of the company clicking on the test phishing emails.
We set up training and incentive programs for the users that repeatedly fell into the 3% of users failing the test until eventually they started recognizing the phishing emails.
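The evaluation loop described in the two posts above (tracking the simulated-phishing click rate against a target such as the 3% goal, and identifying the users who keep clicking so they can get extra training) can be automated over a simulation tool's exported results. The following is an added example, not code from the thread or from KnowBe4; the result rows, column names and target value are constructed for illustration.

```python
"""Phishing-simulation scorecard: per-campaign click and report rates checked
against a target, plus the users who clicked in more than one campaign
(candidates for targeted retraining). Added example; sample data is constructed."""
from collections import defaultdict
import csv
import io

# Constructed export. Columns: campaign id, user, whether the user clicked the
# simulated link (1/0), whether the user reported the message (1/0).
SAMPLE_RESULTS = """campaign,user,clicked,reported
2024-Q1,alice,1,0
2024-Q1,bob,1,0
2024-Q1,carol,0,1
2024-Q1,dave,0,0
2024-Q2,alice,1,0
2024-Q2,bob,0,1
2024-Q2,carol,0,1
2024-Q2,dave,0,0
2024-Q3,alice,0,1
2024-Q3,bob,0,1
2024-Q3,carol,0,1
2024-Q3,dave,0,1
"""

CLICK_TARGET = 0.03  # the "<3% clicked" goal from the post (assumed as a fraction)


def parse_results(text):
    """Turn the CSV export into a list of dicts with boolean click/report flags."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "campaign": r["campaign"],
            "user": r["user"],
            "clicked": r["clicked"] == "1",
            "reported": r["reported"] == "1",
        })
    return rows


def campaign_rates(rows):
    """Return {campaign: (click_rate, report_rate, met_target)} in campaign order.

    The report rate is tracked alongside the click rate because a rising share of
    users reporting the lure is the positive behaviour the program wants to reward.
    """
    per = defaultdict(lambda: [0, 0, 0])  # [recipients, clicks, reports]
    for r in rows:
        counts = per[r["campaign"]]
        counts[0] += 1
        counts[1] += int(r["clicked"])
        counts[2] += int(r["reported"])
    rates = {}
    for camp, (n, clicks, reports) in per.items():
        click_rate = clicks / n
        rates[camp] = (round(click_rate, 4), round(reports / n, 4),
                       click_rate < CLICK_TARGET)
    return rates


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns."""
    clicks = defaultdict(set)
    for r in rows:
        if r["clicked"]:
            clicks[r["user"]].add(r["campaign"])
    return sorted(u for u, camps in clicks.items() if len(camps) >= min_campaigns)


def trend_improving(rates):
    """True if the click rate never rose from one campaign to the next."""
    seq = [v[0] for v in rates.values()]
    return all(later <= earlier for earlier, later in zip(seq, seq[1:]))


if __name__ == "__main__":
    data = parse_results(SAMPLE_RESULTS)
    for camp, (clicked, reported, ok) in campaign_rates(data).items():
        print(f"{camp}: clicked {clicked:.1%}, reported {reported:.1%}, "
              f"target {'met' if ok else 'missed'}")
    print("Retraining candidates:", repeat_clickers(data))
```

With so few constructed recipients the 3% target can only be met by a campaign with zero clicks; on a real export the same code distinguishes a campaign that narrowly misses the target from one that is trending the wrong way.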
Kelly,
I believe that identifying and reeducating users who consistently do not meet the security training standards is an effective method to ensure their proper education. This approach could also be extended to users who demonstrate a lack of security awareness in their day-to-day activities. When identified, these users can receive periodic, unannounced security training sessions. I find this strategy to be brilliant and recommend that all companies consider adopting it. Personally, I would certainly include it in any training program that I develop.
Developing a SETA (Security Education, Training, and Awareness) program is crucial and requires a deep understanding of the organization’s structure, mission, and culture. The primary goal is to educate all users about the dos and don’ts related to the organization’s information security system. This involves creating inclusive and understandable plans, trainings, and policies that apply to everyone in the company.
Policies play a pivotal role in setting rules and providing a roadmap for daily operations, guiding decision-making, and streamlining internal processes. Top management or IT teams should establish and define policies that instruct employees on specific processes, whether they are working in the office or remotely. These policies should be actively encouraged and enforced by departmental management.
Effective training is essential to keep employees informed about daily security practices and emerging security trends. While training can take various forms, online training is becoming increasingly common. It should be a top priority, especially for new employees, as it equips them with necessary skills and updates existing ones for enhanced productivity. For existing employees, recurring training sessions every 3 to 6 months should be enforced. Training content should cover general security standards and organization-specific details relevant to the company’s industry. It’s crucial to use straightforward language to explain the importance of these security practices.
Ultimately, the strategy behind developing a SETA program should be tailored to the organization’s unique needs and should be applicable across all departments.
In the era of digital transformation, cybersecurity has rapidly ascended to become a vital aspect of successful business operations. Hence, the importance of developing a robust Security Education, Training, and Awareness (SETA) program cannot be overstated.
Studies show that human errors account for a significant proportion of security breaches. Therefore, creating a secure environment requires not only advanced technological solutions but also a well-established SETA program to educate employees, making them the first line of defense against potential cyber threats.
Organizations should approach SETA programs not as a one-off exercise but as continuous education and reinforcement, developing an understanding and awareness amongst employees. This requires a deep understanding of the organization's structure, mission, and culture.
Identically, the structure of an organization directly influences the development of a SETA program. A SETA strategy requires designing in a way that it suffices unique business processes, hierarchies, and roles in the organization. The adherence to the company structure ensures that the SETA program effectively equips every layer of the organization, making sure that there are no weak links in the cybersecurity chain.
Additionally, aligning the SETA program with the organization’s mission is equally essential. The program should support the overall mission of the organization. For instance, if an organization’s mission is innovation through technology, the SETA program should prioritize training employees on security measures for the latest technologies and risks associated with them.
Lastly, considering the cultural aspect of the organization is pivotal in the creation of a successful SETA program. The program should accommodate cultural diversity and influences in the organization to ensure maximum participation and comprehension. Employees will be more receptive to the training if it is presented in a manner that resonates with their values and working styles.
In essence, SETA is not just about educating employees about cybersecurity but about embedding a security-conscious culture within the organization. It entails fostering an environment where every employee understands the value of information assets and the risks associated with mishandling them.
In conclusion, developing a robust SETA program is no longer optional but a crucial component of operational success in the current cyberspace. It requires a deep understanding of the organization's structure, mission, and culture to effectively mitigate risks and stay ahead of evolving cybersecurity threats. A well-executed SETA program can transform employees from potential risk elements to the greatest assets in the cybersecurity framework. Hence, the efforts and resources invested in developing a sophisticated SETA program will always yield significant returns in enhancing the organization's security stature.
Developing an effective security education training and awareness (SETA) program is a crucial aspect for any organization. The aim of a SETA program is to ensure employees are informed about the security measures in place and can act vigilantly to prevent potential threats. According to John Vacca, an IT expert and author of several books on computer security, there are structured steps that an organization should follow when developing a SETA program to guarantee effectiveness and success.
Vacca emphasizes the importance of conducting a needs assessment as the initial step. This involves identifying potential security risks that an organization is likely to face, the measures that are currently in place to mitigate these risks, and areas where employee education and training could improve overall security. The carefully conducted assessment will establish a foundation that will guide the creation of the SETA program.
Once the needs assessment is done, the next step according to Vacca is to define the objectives of the SETA program. These objectives should be aligned with the organization’s overall security policy. Objectives might include enhancing employees’ understanding of security protocols, facilitating the development of skills to identify and respond to security risks, or promoting a proactive security culture within the organization.
The third stage involves developing the training materials for the SETA program. According to Vacca, the materials should be easy to understand and relevant to the potential security risks identified during the needs assessment. They could include handbooks, e-learning modules, videos, and quizzes, among others. Vacca also recommends the use of real-life examples and case studies to make the training more engaging and impactful.
Vacca further proposes that implementing the SETA program should be a continuous process involving regular updates and evaluations. This not only ensures that the program remains relevant, but it also emphasizes the importance of security to all staff.
Lastly, Vacca suggests that the effectiveness of the SETA program should be evaluated regularly. This is achieved through mechanisms such as employee feedback, security tests, and analyzing security incident reports. These assessments help in identifying areas of the program that need improvement and ensuring that the program is delivering the desired results.
In conclusion, developing a successful SETA program involves conducting a needs assessment, defining objectives, creating relevant and engaging training materials, implementing the program as a continuous process, and regularly evaluating its effectiveness. Following Vacca’s recommendations can significantly enhance an organization’s security posture by equipping employees with the necessary skills and knowledge to identify and tackle potential security threats.
When developing a SETA program, it is important to understand the organization. The purpose is to educate employees on what they should and shouldn't do related to information security. Policies and training should encompass the entire company; of course, this probably won't happen at the same time, depending on the size of the company and how access to training can be provided.
The policies are key, as they are the written rules and guidelines addressing both current and known future operations. Senior management and even the C-level need to be behind what is stated and even help in the creation of these policies. As we know, policies only go so far without the training. No matter if the training is done in person, online, or with some sort of computer-based training, it needs to occur.
Security is both a technical and people problem. Programs are important for that reason. Security programs are a way to ensure that everyone in the organization has the appropriate level of understanding. The keys are communications and information provided to the people in the organization.
You’re absolutely right, Marc. Understanding the organization’s unique needs and tailoring the security education training and awareness program accordingly is crucial. I’d like to add that ongoing communication and feedback loops with employees are also vital to ensure the program remains effective and adapts to evolving threats. How do you think organizations can strike the right balance between comprehensive coverage and practicality when implementing such programs?
Before launching a Security Education, Training, and Awareness (SETA) program, it’s crucial to familiarize ourselves with the organization’s current policies and standards. This step not only allows us to educate users about cybersecurity awareness but also ensures they are well-informed about the organization’s specific policies and standards. Once we implement the policies and standards as part of the SETA program, we can start to identify possible gaps that could exist and improve the program from there.
I firmly believe that we should make security education, training, and awareness a yearly requirement for all departments in our organization. Since phishing is the most common way an attacker can get into an organization, phishing training should be conducted monthly. To ensure the program's success, it's essential not only to conduct phishing simulations but also to incentivize users for reporting genuine phishing emails. Implementing a gamification strategy will not only reward proactive users but also inspire others to actively participate. This gamification program could include a monthly leaderboard and the distribution of prizes on a monthly, quarterly, and annual basis. As the program continues, the organization should always find ways for improvement through trial and error.
I think you make a great point on starting with familiarizing yourself with the organization's current policies and standards. In addition to the highlights that you stated, I believe that this step could also help with trust within an organization. There has never been an employee who enjoys being told what to do by the new person who just stepped in, no matter their rank in the organization or what their relationship is with important staff. To an extent, empathizing with the current habits of the organization just enough to expand on its efforts can help gain the organization's trust so that they are more inclined to move when it is time to.
I would follow the steps below when developing a security education training and awareness program
Identify Stakeholders:
*Reach out to key stakeholders, including the security team, IT department, and business leaders, to form a brain trust. This group will review the latest risk analysis and discuss high-level security concerns.
Create Content:
*Identify relevant content by collaborating with stakeholders. Focus on key security topics and determine the target audience. While the program should reach all employees, specific security areas may apply more to certain roles.
Choose Delivery Methods:
*Evaluate and select appropriate delivery methods for training and awareness campaigns based on the needs of your organization and workforce.
Launch Awareness Campaigns:
*Utilize security awareness posters and other communication tools to ensure that information is consistently visible to employees.
Add Fun Elements:
*Consider adding incentives to make the program engaging. For example, offer rewards such as a free lunch or entry into a contest for the first 10 people who complete required security training. A prize like an iPad could serve as motivation.
A well-rounded security education, training, and awareness program can enhance the overall cybersecurity posture of your organization while engaging and educating employees effectively.
I love the way you laid out your security plan. I feel like if I had an organization where security education wasn’t implemented, your plan would assist me in creating one.
I do have a question in regards to one of your elements.
How often would you run the awareness campaigns?
What types of topics would be included in the security campaigns?
I believe a clear, well-structured and recurring security awareness campaign is essential for promoting a strong security culture within the organization. I would run the security campaign two to three times a year to ensure that security practices remain top of mind for employees.
I would include the following:
Data Protection => Emphasizing the importance of safeguarding sensitive data and explaining data classification.
Phishing Awareness => Educating employees on how to recognize phishing emails and providing practical tips for safe email practices.
Password Management => Promoting strong password practices, multi-factor authentication (MFA), and the use of password manager tools.
Remote Work Security => Offering guidance on secure remote work practices, including the use of VPNs and securing home workspaces.
Security Policy Review => A refresher and update on the organization’s security policies and procedures.
Additional Topics => In addition to the core topics, I would cover other relevant security areas, such as physical security, secure device management, and compliance with industry-specific regulations.
Visual Reminders => To reinforce key messages, I would utilize visual aids like posters strategically placed throughout the workplace. For example, a poster with a message like “If you wouldn’t open the door for a stranger, why would you click on an email from one?” 🙂 can serve as a constant reminder of phishing email safety.
Security education, training, and awareness programs must be well thought out and cover all aspects of the company. The plan should be designed in such a way that it is inclusive at all levels of the organization, from the interns all the way to upper management. It is important to understand the increasing risks that accompany each job level. In order to develop a SETA program, we must focus on important software components, such as password security, access management, confidentiality, integrity, and availability of data, and how data can be stolen through phishing emails or other online social engineering means.
We must also focus on hardware components, such as hardware security, and the use of third-party devices or networks within an organization. The program should be focused on interactive and inclusive exercises for all employees that are both informative and educative in a fun way. It is important to have the contribution of all employees to the training program in order to attain success. It is also important to keep a regular cycle of training in order to continue building and raising awareness every few months.
You bring up some very good points. I would do many of the same things. Keep in mind you need to get the support of management, even at the C-level and board level as well. When developing a SETA program, it is important to understand the organization. The keys are communications and information provided to the people in the organization, along with established policies to which all must be accountable and adhere.
Thank you, Marc! I agree that the support of C-level management would be key to the success of this program. I would also like to add that it's important that the employees also understand why these policies are so important when they are implemented.
Developing a SETA program will involve a few key steps. To start, I’d first understand what my organization’s unique situation needs and set clear objectives, then establish a structure and assess what currently threatens the organization. I’d then create training that is relevant and engaging, whether that be in-person training classes or web-based online courses. The training should be slightly different for different roles within the organization; the higher the role and the more risk involved with it, the more training would be required. Testing and assessing training should be administered on a regular basis. Security awareness should be promoted through various methods like visual aids, email tips and reminders. The training should be regularly evaluated and changed to reflect changes and development in the field.
I agree with the steps you listed. Before one can develop a SETA program, the organization’s objectives and security need to be assessed. Assessing the organization and its weaknesses will determine how to proceed. Also, it is important for employees to be trained to recognize and avoid threats. With the training, most of the employees will know not to click on any unrecognized link.
In order to develop a robust and effective SETA program, you must include these fundamentals for implementing any training program since this will align you with the organization’s mission. These fundamentals include:
a. Identifying program scope, goals, and objectives,
b. Identifying the training staff and target audiences,
c. Motivating management and employees, and
d. Administering, maintaining, and evaluating the program.
The main goal of a SETA program is for user participation and motivation and should consist of two parts: formal awareness training(s) and activities centered around monthly security topics. While activities help to keep the concepts fresh in the users’ minds, the added confidence provided by the training will keep the users empowered to continually digest the information. It is important to abide by the IT Security Learning Continuum according to NIST since according to Vacca’s chap 24, “Among the principal goals and benefits of SETA are to enhance the protection of assets, improve the morale and motivation of individuals, and increase executive awareness in the importance of fostering a security culture within the organization.” I believe that improving morale and motivation of users i.e., employees could greatly save a company’s expense costs. In many ways, this starts with HR and building an organization that truly values their employees. The IT Security Learning Continuum could help to illustrate to employees that a company is intentional and focused on everyone’s growth. Employees will appreciate this. Based on the organization and what topics are most important to their environment, I, along with upper management, will determine the basic concepts to cover in the SETA program. We could start with these basic topics: Password security, Email phishing, Social engineering, Mobile device security, Sensitive data security, business communications incorporating the two best methodologies for effectively delivering these kinds of trainings according to Vacca’s chap 33: functional and skill-based. Security awareness messages should be executed on a regular basis and in a variety of mediums to capture the many minds of the target audience. Repetition is key to getting the message across. 
Again, with the goal of participation and motivation, a combination of these mediums is ideal for the SETA program depending on the associated costs: computer-based training, phishing awareness emails, video campaigns, posters and banners, lectures and conferences, and regular newsletters. The overall SETA program and policy should be rolled out with executive support frequently as employee status changes within the company, such as new hire orientation, an initial security briefing within 3 to 6 months, a refresher briefing every 3 to 6 months, and termination briefings. Along with this and the decision of a centralized or decentralized implementation strategy, a communication plan should be delivered by business unit, department, and geolocation. Finally, evaluating the program will ultimately assist in making sure that the program grows dynamically as the business grows and new technological advancements are uncovered. Performing a needs assessment and having this in mind when drafting the SETA program policy language will uncover needs and improve the program through tracking.
Andrew Young says
As Vacca states, SETA programs must be constructed around real world scenarios but also take into account the level of institutional importance the trainees’ positions entail. SETA training should be carried out for ALL faculty and staff, but the details and how advanced this training is should vary by position and job. This can be first done by determining user roles within an organization. Once roles are determined and assigned, a designer can then take organizational need into account. What is the organization, what risks does it face, and how can we better prepare and protect against them are all questions that should be considered in this evaluation. Once both of these determinations have been made, one can then create a general outline for what should be covered and at what level. Though there are always very specific top level training procedures for security that will vary from organization to organization, there are always general topics that should be covered with all staff, such as phishing security and password protections. Finally, after identifying who should receive what training, on what topics, and on what matters, the organization can then focus on implementation. This can vary from online required training, in-person hands on training, newsletters, or other methods. Once the program has been implemented, the organization should then seek out feedback, not only from participants, but from their systems, to determine if the training has been effective in preventing future incidents.
Jeffrey Sullivan says
I feel that the text was pretty straightforward on how to set up awareness and training, especially when it pointed out the methodologies of the trainings. You pointed out the same when you stated roles are defined, as this falls within the functionality methodology, which is specialized training based on the role of the employee, and also skill based, which takes into account the current skill level of the employee when delivering technical training. This way people are getting actual training that sinks in on all levels of the organization and helps with continued support through the years, as it should always be present on all levels.
Erskine Payton says
I like the way you broke down how you would develop a training program. Everyone should have a basic level of awareness around a computer training. From there you filter who needs what depending on their job function. You don’t want your finance people sitting in a training class on grant making. But security training is agnostic and it is something we all can benefit from. You have to have input from the people you serve so soliciting feedback is vital. It is important to know what is working and what needs improving.
Akiyah says
I believe establishing a feedback mechanism would allow employees to ask questions or share security-related concerns, ensuring that they feel heard and valued.
I think it would also be a great idea to include interactive elements in the training session so that the employees feel engaged and a part of the process.
The goal would be to create a security-aware environment where employees understand the importance of their role in safeguarding the organization’s data and assets.
Erskine Payton says
I would start with a three-tier approach starting with training and tools. Training is the most important aspect as users need to know how to use the tools given to them in a safe and secure manner. Next, I will focus on policy and what we need to do as a team working with the users to ensure they have what they need to assist in not only securing their device but others as well. Lastly, we implement the policy by developing procedures surrounding security awareness. How to report an incident, how to spot a phishing email, or what questions to ask and what to say when someone calls asking intrusive questions. I would emphasize that security awareness should be an ongoing year-round effort.
Ikenna Alajemba says
Great post. A top-down approach to the development of operational policies, which ensures consistency across the organization, is key here. Most security awareness policies seem as if they were created for some employees while others do not care about such policies, especially those at the top of the management ladder.
Ashley A. Jones says
I really appreciate your focus on security awareness, Erskine. This part of the program is so important, as day-to-day dynamics within an organization can have such an effect on employees. There are simply employees who may not feel as though they are being compensated properly or even treated fairly within the organization, so why should they worry about the betterment of the company? I believe that security practices are a good way to bring everything to the forefront, and security awareness can help to bring to light certain aspects of a company that may not be so ideal, and now the upper management has to think about it because now this could have enormous implications that go beyond simply treating or compensating employees fairly. And while this is what should be the norm, unfortunately, the economy is in an odd place right now.
Ikenna Alajemba says
Security isn’t just a technical problem but also a people problem, that is why security awareness programs are also important. A security awareness program is a way to ensure that everyone at your organization has an appropriate level of know-how about security along with an appropriate sense of responsibility. To help develop a security awareness program, I will develop these three key components.
Communication: The upper management must regularly communicate to all employees that security is essential to running the business via company-wide emails or presentations.
Checklist(s): The checklist could include:
• What to do when a new hire starts (and when an employee leaves)
• When and how often to remind employees of security protocols
• What to do when an incident takes place
• How to communicate with customers or partners in the event of a breach.
Content: A cache of relevant content about security, this could include a security handbook, Role-based guidelines, training programs, a special chat channel (e.g., #security on Slack).
Michael Obiukwu says
Security, as a fundamental notion in today’s digital age, concerns far more than just the technical aspects. It is not merely confined to cutting-edge firewalls, encryption algorithms, and other technological solutions. The element of people’s behavior, perception, and awareness plays an equally critical role, if not more, in shaping a comprehensive security landscape across public and private sectors.
It is often said that ‘a chain is only as strong as its weakest link’. In the realm of security, people often happen to be that ‘weak link’. Well-meaning but unaware individuals can unwittingly open doors to data breaches, thus jeopardizing system security. This is where security awareness programs come into play. These programs are aimed at educating employees, users, and even the general public about potential risks, necessary precautions, and adherence to security protocols.
Security awareness programs can address various aspects such as password security, phishing attempts, social engineering threats, and more. With regular training and updates, these programs ensure that individuals stay vigilant. Moreover, they also foster a culture of shared responsibility, transforming an organization’s employees from potential security liabilities into active defenders of data resources. This human-centric approach towards security complements the technological measures in place, reinforcing overall system security.
In conclusion, achieving a secure environment isn’t just about investing in state-of-the-art security technologies. It demands a simultaneous focus on people and their understanding of security practices. It underlines why security awareness programs are not only necessary but integral for effective cybersecurity. Emphasizing the human aspects of security isn’t a choice but rather a prerequisite in today’s interconnected and interdependent digital world.
Jeffrey Sullivan says
First you would need to be educated in IT security management. As stated in Chapter 27 this week, there are several standards that have specific guidelines for implementing certain acts. For example, The National Institute of Standards and Technology (NIST) has specific guidelines for implementing the Federal Information Security Management Act (FISMA). ISO and IEC have standards established and guiding principles that will help you develop and start a training awareness program.
I would first look at the Federal Information Security Management Framework, which is recommended by the National Institute of Standards and Technology. Here you can categorize, select, supplement, document, implement, assess, authorize and monitor security controls on an information system. You will also want to go over the agenda for action for the contingency planning process that is listed in Chapter 27; this gives you a good idea of the Disaster Recovery Institute International associates’ eight takes on the contingency planning process. Now that you have a good idea of the framework and contingency planning, I would then move forward with an awareness and training program by implementing SETA, which stands for Security, Education, Training, and Awareness. SETA targets all users in an organization to help them become more aware of information security principles as is appropriate for their job. I’d create a culture of awareness across the whole organization, and it should speak to all users, focusing on individual accountability so that everyone maintains a certain level of skepticism when finding themselves in a situation that is unorthodox or out of the ordinary. I would then implement training based off two methodologies: functional and skill based. A functional example is a network firewall admin who gets training on different types of firewalls; skill based takes into account the current skill level of the employee when delivering technical training. For example, a firewall admin who has been in the field for many years will likely benefit from advanced courses in firewall hardening tactics, etc. Keep in mind that the higher the level of risk that the individual managers have, the higher the level of awareness and training must be provided. I would
Michael Obiukwu says
The importance of education in IT security management cannot be overstated. As noted in Chapter 27 of Vacca’s renowned book, a sound understanding of information technology security principles is indispensable in today’s rapidly evolving digital landscape.
IT security management encompasses more than simply installing antivirus software. It extends to ensuring organizational resilience against cyber threats, safeguarding confidential data from unauthorized access or disruption, and maintaining the integrity and availability of systems and networks. Continuous education in this field improves one’s ability to anticipate, prevent, detect, and respond to security incidents.
The dynamic nature of the cyber world continually alters the vulnerability landscape, rendering some security tactics obsolete. Staying abreast of the latest threats, security measures, and regulatory changes requires continuous education in IT security management.
With cyber threats becoming increasingly sophisticated and pervasive, the need for competent IT security professionals continues growing. This demand underscores the pertinence of Vacca’s book’s postulation: an education in IT security management is paramount. This is indeed very true and reflects the reality of current technology sectors.
In conclusion, education in IT security management equips individuals with the necessary knowledge and skills to implement and manage robust security measures, ultimately contributing to the protection of sensitive information and sustaining trustworthy digital environments. Therefore, its prominence, as stated in Vacca’s book, cannot be underestimated.
Akintunde Akinmusire says
Developing a security education training and awareness (SETA) program is essential in order to ensure employees are informed and equipped to protect the organization’s assets. In order to develop SETA, the first step is to understand the organization’s objectives and conduct a risk assessment for the employees. Risk assessment will provide information about the level of security training required. After the assessment has been completed, training should be developed addressing the risk. Employees should be required to take the training periodically in order to stay updated. The organization should also randomly test the employees.
Kelly Conger says
Excellent answer! I especially like your emphasis on the importance of conducting a risk assessment and understanding the organization’s objectives before developing a SETA program. This is essential for ensuring that the training is tailored to the specific needs of the organization and its employees. Remember, it is also important to regularly update the SETA program to reflect the latest security threats and trends.
Andrew Young says
These steps are all certainly important when creating a SETA program. I would also add that it’s important to set up a system for receiving and calculating the effectiveness of the program. To determine the effectiveness of the security training, I would add that there should be a system to determine not only employee feedback, as in how informative the employees believed the training to be, but also to use monitoring and auditing practices to attempt to document any improvements in overall security within an organization after training is complete.
Kelly Conger says
To develop a SETA program, you should first identify your goals and objectives. What do you want to achieve with your SETA program? Do you want to reduce the number of phishing attacks? Improve password hygiene? Increase awareness of insider threats? Once you know your goals, you can tailor your program accordingly. Next, you need to assess your audience. Who are you trying to reach with your SETA program? What are their current knowledge and skill levels? What are their job roles and responsibilities? Understanding your audience will help you create a relevant and engaging program. Once you have identified your goals and assessed your audience, you can choose the right training methods. There are many ways to deliver SETA training, such as in-person workshops, online courses, and interactive games. Consider the needs of your audience and the resources you have available when choosing training methods. Next, you need to develop your training content. Your training content should be informative, engaging, and relevant to your audience. It should also be updated with the latest security threats and best practices. Once you have developed your training content, you must implement your SETA program. This may involve scheduling training sessions, sending email reminders, or creating a learning management system (LMS) to track employee progress. Finally, evaluating your SETA program regularly is important to ensure it meets your goals and objectives. You can do this by surveying employees, tracking employee behavior, or conducting phishing simulations. My last company used a product called KnowBe4 to send out test phishing emails. In the beginning stages a large percentage of users failed, but as the training progressed more and more users were catching the phishing emails. We hit our goal of <3% of the company clicking on the test phishing emails.
We set up training and incentive programs for the users that repeatedly fell into the 3% of users failing the test until eventually they started recognizing the phishing emails.
Akiyah says
Kelly,
I believe that identifying and reeducating users who consistently do not meet the security training standards is an effective method to ensure their proper education. This approach could also be extended to users who demonstrate a lack of security awareness in their day-to-day activities. When identified, these users can receive periodic, unannounced security training sessions. I find this strategy to be brilliant and recommend that all companies consider adopting it. Personally, I would certainly include it in any training program that I develop.
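Kelly’s KnowBe4 numbers and Akiyah’s point about re-educating users who repeatedly fail can both be tracked from the result export a simulation campaign produces. The script below is an added example written for this thread; it is not code from the discussion, from KnowBe4, or from Vacca’s book. It assumes a constructed export with one row per recipient (campaign, user, clicked, reported), uses the <3% click-rate target quoted above, and flags anyone who clicked in two or more campaigns as a candidate for the remedial training both posts describe.

```python
"""Phishing-simulation scorecard (added example, not from the thread).

Assumes each campaign exports one record per recipient saying whether the
person clicked the lure and whether they reported it. The sample rows,
the field order and the 3% target below are constructed for this example.
"""
from collections import Counter

# Constructed sample export: (campaign_id, user, clicked, reported).
# Click rate falls from 75% to 25% across three campaigns; "alice" and
# "dave" click repeatedly, "carol" reports every time.
SAMPLE_RESULTS = [
    ("2024-Q1", "alice", True,  False),
    ("2024-Q1", "bob",   True,  False),
    ("2024-Q1", "carol", False, True),
    ("2024-Q1", "dave",  True,  False),
    ("2024-Q2", "alice", True,  False),
    ("2024-Q2", "bob",   False, True),
    ("2024-Q2", "carol", False, True),
    ("2024-Q2", "dave",  True,  False),
    ("2024-Q3", "alice", True,  False),
    ("2024-Q3", "bob",   False, True),
    ("2024-Q3", "carol", False, True),
    ("2024-Q3", "dave",  False, True),
]

CLICK_RATE_TARGET = 0.03  # the "<3% clicking" goal quoted in the thread


def _rate_by_campaign(results, field_index):
    """Fraction of recipients per campaign whose row[field_index] is True."""
    hits = Counter()
    recipients = Counter()
    for row in results:
        campaign = row[0]
        recipients[campaign] += 1
        if row[field_index]:
            hits[campaign] += 1
    # sorted() gives chronological order for date-like campaign ids
    return {c: hits[c] / recipients[c] for c in sorted(recipients)}


def campaign_click_rates(results):
    """{campaign: share of recipients who clicked the simulated lure}."""
    return _rate_by_campaign(results, 2)


def campaign_report_rates(results):
    """{campaign: share of recipients who reported the lure}."""
    return _rate_by_campaign(results, 3)


def meets_target(click_rate, target=CLICK_RATE_TARGET):
    """True when a campaign's click rate is strictly below the target."""
    return click_rate < target


def repeat_clickers(results, min_failures=2):
    """Users who clicked in at least min_failures campaigns (remedial list)."""
    failures = Counter(user for _c, user, clicked, _r in results if clicked)
    return sorted(user for user, n in failures.items() if n >= min_failures)


def is_improving(results):
    """True when the click rate fell in every consecutive campaign."""
    rates = list(campaign_click_rates(results).values())
    return all(later < earlier for earlier, later in zip(rates, rates[1:]))


def scorecard(results):
    """Human-readable summary lines for a program review."""
    lines = []
    reports = campaign_report_rates(results)
    for campaign, rate in campaign_click_rates(results).items():
        status = "MET" if meets_target(rate) else "not met"
        lines.append(f"{campaign}: clicked {rate:.0%}, reported "
                     f"{reports[campaign]:.0%}, target {status}")
    lines.append(f"trend improving: {is_improving(results)}")
    lines.append(f"remedial training: {', '.join(repeat_clickers(results))}")
    return lines


if __name__ == "__main__":
    print("\n".join(scorecard(SAMPLE_RESULTS)))
```

The report rate is tracked alongside the click rate because a program that only drives clicks down, without users learning to report, gives the security team nothing to act on when a real lure arrives.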
Chidi Okafor says
Developing a SETA (Security Education, Training, and Awareness) program is crucial and requires a deep understanding of the organization’s structure, mission, and culture. The primary goal is to educate all users about the dos and don’ts related to the organization’s information security system. This involves creating inclusive and understandable plans, trainings, and policies that apply to everyone in the company.
Policies play a pivotal role in setting rules and providing a roadmap for daily operations, guiding decision-making, and streamlining internal processes. Top management or IT teams should establish and define policies that instruct employees on specific processes, whether they are working in the office or remotely. These policies should be actively encouraged and enforced by departmental management.
Effective training is essential to keep employees informed about daily security practices and emerging security trends. While training can take various forms, online training is becoming increasingly common. It should be a top priority, especially for new employees, as it equips them with necessary skills and updates existing ones for enhanced productivity. For existing employees, recurring training sessions every 3 to 6 months should be enforced. Training content should cover general security standards and organization-specific details relevant to the company’s industry. It’s crucial to use straightforward language to explain the importance of these security practices.
Ultimately, the strategy behind developing a SETA program should be tailored to the organization’s unique needs and should be applicable across all departments.
Michael Obiukwu says
In the era of digital transformation, cybersecurity has rapidly ascended to become a vital aspect of successful business operations. Hence, the importance of developing a robust Security Education, Training, and Awareness (SETA) program cannot be overstated.
Studies show that human errors account for a significant proportion of security breaches. Therefore, creating a secure environment requires not only advanced technological solutions but also a well-established SETA program to educate employees, making them the first line of defense against potential cyber threats.
Organizations should approach SETA programs not as a one-off exercise but as continuous education and reinforcement, developing an understanding and awareness amongst employees. This requires a deep understanding of the organization’s structure, mission, and culture.
Identically, the structure of an organization directly influences the development of a SETA program. A SETA strategy requires designing in a way that it suffices unique business processes, hierarchies, and roles in the organization. The adherence to the company structure ensures that the SETA program effectively equips every layer of the organization, making sure that there are no weak links in the cybersecurity chain.
Additionally, aligning the SETA program with the organization’s mission is equally essential. The program should support the overall mission of the organization. For instance, if an organization’s mission is innovation through technology, the SETA program should prioritize training employees on security measures for the latest technologies and risks associated with them.
Lastly, considering the cultural aspect of the organization is pivotal in the creation of a successful SETA program. The program should accommodate cultural diversity and influences in the organization to ensure maximum participation and comprehension. Employees will be more receptive to the training if it is presented in a manner that resonates with their values and working styles.
In essence, SETA is not just about educating employees about cybersecurity but about embedding a security-conscious culture within the organization. It entails fostering an environment where every employee understands the value of information assets and the risks associated with mishandling them.
In conclusion, developing a robust SETA program is no longer optional but a crucial component of operational success in the current cyberspace. It requires a deep understanding of the organization’s structure, mission, and culture to effectively mitigate risks and stay ahead of evolving cybersecurity threats. A well-executed SETA program can transform employees from potential risk elements to the greatest assets in the cybersecurity framework. Hence, the efforts and resources invested in developing a sophisticated SETA program will always yield significant returns in enhancing the organization’s security stature.
Michael Obiukwu says
Developing an effective security education training and awareness (SETA) program is a crucial aspect for any organization. The aim of a SETA program is to ensure employees are informed about the security measures in place and can act vigilantly to prevent potential threats. According to John Vacca, an IT expert and author of several books on computer security, there are structured steps that an organization should follow when developing a SETA program to guarantee effectiveness and success.
Vacca emphasizes the importance of conducting a needs assessment as the initial step. This involves identifying potential security risks that an organization is likely to face, the measures that are currently in place to mitigate these risks, and areas where employee education and training could improve overall security. The carefully conducted assessment will establish a foundation that will guide the creation of the SETA program.
Once the needs assessment is done, the next step according to Vacca is to define the objectives of the SETA program. These objectives should be aligned with the organization’s overall security policy. Objectives might include enhancing employees’ understanding of security protocols, facilitating the development of skills to identify and respond to security risks, or promoting a proactive security culture within the organization.
The third stage involves developing the training materials for the SETA program. According to Vacca, the materials should be easy to understand and relevant to the potential security risks identified during the needs assessment. They could include handbooks, e-learning modules, videos, and quizzes, among others. Vacca also recommends the use of real-life examples and case studies to make the training more engaging and impactful.
Vacca further proposes that implementing the SETA program should be a continuous process involving regular updates and evaluations. This not only ensures that the program remains relevant, but it also emphasizes the importance of security to all staff.
Lastly, Vacca suggests that the effectiveness of the SETA program should be evaluated regularly. This is achieved through mechanisms such as employee feedback, security tests, and analyzing security incident reports. These assessments help in identifying areas of the program that need improvement and ensuring that the program is delivering the desired results.
In conclusion, developing a successful SETA program involves conducting a needs assessment, defining objectives, creating relevant and engaging training materials, implementing the program as a continuous process, and regularly evaluating its effectiveness. Following Vacca’s recommendations can significantly enhance an organization’s security posture by equipping employees with the necessary skills and knowledge to identify and tackle potential security threats.
Marc Greenberg says
When developing a SETA program, it is important to understand the organization. The purpose is to educate employees on what they should and shouldn’t do related to information security. Policies and training should encompass the entire company; of course, this probably won’t be at the same time, depending on the size of the company and how access to training can be provided.
The policies are key, as they are the written rules and guidelines addressing both current and known future operations. Senior Management and even the C-level need to be behind what is stated and even help in the creation of these policies. As we know, policies only go so far without the training. No matter if the training is done in person, online, or with some sort of computer-based training, it needs to occur.
Security is both a technical and people problem. Programs are important for that reason. Security programs are a way to ensure that everyone in the organization has the appropriate level of understanding. The keys are communications and information provided to the people in the organization.
Alex Ruiz says
You’re absolutely right, Marc. Understanding the organization’s unique needs and tailoring the security education training and awareness program accordingly is crucial. I’d like to add that ongoing communication and feedback loops with employees are also vital to ensure the program remains effective and adapts to evolving threats. How do you think organizations can strike the right balance between comprehensive coverage and practicality when implementing such programs?
Alyanna Inocentes says
Before launching a Security Education, Training, and Awareness (SETA) program, it’s crucial to familiarize ourselves with the organization’s current policies and standards. This step not only allows us to educate users about cybersecurity awareness but also ensures they are well-informed about the organization’s specific policies and standards. Once we implement the policies and standards as part of the SETA program, we can start to identify possible gaps that could exist and improve the program from there.
I firmly believe that we should make security education, training, and awareness a yearly requirement for all departments in our organization. Since phishing is the most common way an attacker can get into an organization, phishing training should be conducted monthly. To ensure the program’s success, it’s essential not only to conduct phishing simulations but also to incentivize users for reporting genuine phishing emails. Implementing a gamification strategy will not only reward proactive users but also inspire others to actively participate. This gamification program could include a monthly leaderboard and the distribution of prizes on a monthly, quarterly, and annual basis. As the program continues, the organization should always find ways for improvement through trial and error.
Ashley A. Jones says
I think you make a great point on starting with familiarizing yourself with the organization’s current policies and standards. In addition to the highlights that you stated, I believe that this step could also help with trust within an organization. There has never been an employee who enjoys being told what to do by the new person who just stepped in, no matter their rank in the organization or what their relationship is with important staff. To an extent, empathizing with the current habits of the organization just enough to expand on its efforts can help gain the organization’s trust so that they are more inclined to move when it is time to.
Akiyah says
I would follow the steps below when developing a security education, training, and awareness program.
Identify Stakeholders:
*Reach out to key stakeholders including the security team, IT department, and business leaders to form a braintrust. This group will review the latest risk analysis and discuss high-level security concerns.
Create Content:
*Identify relevant content by collaborating with stakeholders. Focus on key security topics and determine the target audience. While the program should reach all employees, specific security areas may apply more to certain roles.
Choose Delivery Methods:
*Evaluate and select appropriate delivery methods for training and awareness campaigns based on the needs of your organization and workforce.
Launch Awareness Campaigns:
*Utilize security awareness posters and other communication tools to ensure that information is consistently visible to employees.
Add Fun Elements:
*Consider adding incentives to make the program engaging. For example, offer rewards such as a free lunch or entry into a contest for the first 10 people who complete required security training. A prize like an iPad could serve as motivation.
A well-rounded security education, training, and awareness program can enhance the overall cybersecurity posture of your organization while engaging and educating employees effectively.
Alyanna Inocentes says
Hey Akiyah,
I love the way you laid out your security plan. I feel like if I had an organization where security education wasn’t implemented, your plan would assist me in creating one.
I do have a question in regards to one of your elements.
How often would you run the awareness campaigns?
What types of topics would be included in the security campaigns?
Akiyah says
Hi Alyanna,
I believe a clear, well-structured and recurring security awareness campaign is essential for promoting a strong security culture within the organization. I would run the security campaign two to three times a year to ensure that security practices remain top of mind for employees.
I would include the following:
Data Protection => Emphasizing the importance of safeguarding sensitive data and explaining data classification.
Phishing Awareness => Educating employees on how to recognize phishing emails and providing practical tips for safe email practices.
Password Management => Promoting strong password practices, multi-factor authentication (MFA), and the use of password manager tools.
Remote Work Security => Offering guidance on secure remote work practices, including the use of VPNs and securing home workspaces.
Security Policy Review => A refresher and update on the organization’s security policies and procedures.
Additional Topics => In addition to the core topics, I would cover other relevant security areas, such as physical security, secure device management, and compliance with industry-specific regulations.
Visual Reminders => To reinforce key messages, I would utilize visual aids like posters strategically placed throughout the workplace. For example, a poster with a message like “If you wouldn’t open the door for a stranger, why would you click on an email from one?” 🙂 can serve as a constant reminder of phishing email safety.
Unnati Singla says
Security education, training, and awareness programs must be both well thought out and cover all aspects of the company. The plan should be designed in such a way that it is inclusive at all levels of the organization, from the interns all the way to upper management. It is important to understand the increasing risks that accompany each job level. In order to develop a SETA program, we must focus on important software components, such as password security, access management, confidentiality, integrity, and availability of data, and how data can be stolen through phishing emails or other online social engineering means.
We must also focus on hardware components, such as hardware security, and the use of third-party devices or networks within an organization. The program should be focused on interactive and inclusive exercises for all employees that are both informative and educative in a fun way. It is important to have the contribution of all employees to the training program in order to attain success. It is also important to keep a regular cycle of training in order to continue building and raising awareness every few months.
Marc Greenberg says
You bring up some very good points. I would do many of the same things. Keep in mind you need to get the support of management, even at the C-level and board level as well. When developing a SETA program, it is important to understand the organization. The keys are communications and information provided to the people in the organization, along with established policies to which all must be accountable and adhere.
Unnati Singla says
Thank you, Marc! I agree that the support of C-level management would be key to the success of this program. I would also like to add that it’s important that the employees also understand why these policies are so important when they are implemented.
Alex Ruiz says
Developing a SETA program will involve a few key steps. To start, I’d first understand what my organization’s unique situation needs and set clear objectives, then establish a structure and assess what currently threatens the organization. I’d then create training that is relevant and engaging, whether that be in-person training classes or web-based online courses. The training should be slightly different for different roles within the organization: the higher the role and the more risk involved with it, the more training would be required. Testing and assessing training should be administered on a regular basis. Security awareness should be promoted through various methods like visual aids, email tips, and reminders. The training should be regularly evaluated and changed to reflect changes and developments in the field.
Akintunde Akinmusire says
I agree with the steps you listed. Before one can develop a SETA program, the organization’s objectives and security need to be assessed. Assessing the organization and its weaknesses will determine how to proceed. Also, it is important for employees to be trained to recognize and avoid threats. With the training, most of the employees will know not to click on any unrecognized link.
Ashley A. Jones says
In order to develop a robust and effective SETA program, you must include these fundamentals for implementing any training program since this will align you with the organization’s mission. These fundamentals include:
a. Identifying program scope, goals, and objectives,
b. Identifying the training staff and target audiences,
c. Motivating management and employees, and
d. Administering, maintaining, and evaluating the program.
The main goal of a SETA program is user participation and motivation, and it should consist of two parts: formal awareness training(s) and activities centered around monthly security topics. While activities help to keep the concepts fresh in the users’ minds, the added confidence provided by the training will keep the users empowered to continually digest the information. It is important to abide by the IT Security Learning Continuum according to NIST since, according to Vacca’s chap. 24, “Among the principal goals and benefits of SETA are to enhance the protection of assets, improve the morale and motivation of individuals, and increase executive awareness in the importance of fostering a security culture within the organization.” I believe that improving morale and motivation of users, i.e., employees, could greatly save a company’s expense costs. In many ways, this starts with HR and building an organization that truly values their employees. The IT Security Learning Continuum could help to illustrate to employees that a company is intentional and focused on everyone’s growth. Employees will appreciate this. Based on the organization and what topics are most important to their environment, I, along with upper management, will determine the basic concepts to cover in the SETA program. We could start with these basic topics: password security, email phishing, social engineering, mobile device security, sensitive data security, and business communications, incorporating the two best methodologies for effectively delivering these kinds of trainings according to Vacca’s chap. 33: functional and skill-based. Security awareness messages should be executed on a regular basis and in a variety of mediums to capture the many minds of the target audience. Repetition is key to getting the message across.
Again, with the goal of participation and motivation, a combination of these mediums is ideal for the SETA program, depending on the associated costs: computer-based training, phishing awareness emails, video campaigns, posters and banners, lectures and conferences, and regular newsletters. The overall SETA program and policy should be rolled out with executive support frequently, as employee status changes within the company, such as new hire orientation, an initial security briefing within 3 to 6 months, a refresher briefing every 3 to 6 months, and termination briefings. Along with this and the decision of a centralized or decentralized implementation strategy, a communication plan should be delivered by business unit, department, and geolocation. Finally, evaluating the program will ultimately assist in making sure that the program grows dynamically as the business grows and new technological advancements are uncovered. Performing a needs assessment and having this in mind when drafting the SETA program policy language will uncover needs and improve the program through tracking.