Andrew Young says
Organizations should provide their own training for general issues such as phishing and password protection, issues that impact every end user. Resources such as FISMA guidelines and ISO classifications can be useful for creating these ISO programs, as they do not require advanced technical knowledge but rather a basic understanding of the subject matter. Organizations such as SANS also provide free and easily available security documents on a number of topics. As for more advanced, higher-level training, Vacca recommends both SANS and ISC2 as external resources for training employees who need to acquire knowledge outside of the existing knowledge base.
Kelly Conger says
I agree with you, but I also feel it is important to create a culture of security within the organization as well. Employees need to feel empowered and encouraged to ask questions or to ask for help when they may not understand the concept completely. No one should fear asking questions on any given training. By making security training accessible to all employees and by creating a culture of security within the organization, organizations can help to protect themselves (again, going back to multiple layers of security) from security threats.
Erskine Payton says
One cost-effective way to supplement training would be utilizing visual aids: posters in high-traffic areas or signage strategically placed in conference rooms and common areas. When IT staff are working with users, make security part of the conversation. “Are you familiar with how to back up your data?” or “Did you have any questions about the recent security training?” Keep the conversation going via promotions. At a company where I was a consultant, all the conference rooms had a small desktop with a large television, and the screensavers were different electronic advertisements surrounding security awareness. These are just a few clever and cost-effective ways companies can train as well as save time. We must keep in mind that these methods are not a substitute for training, but they assist in keeping the conversations around security in the forefront and not an afterthought.
Jeffrey Sullivan says
I didn’t think about visuals in conference rooms and common areas, as this will minimally bring awareness to employees that are not aware of information security. What stood out to me in the text for this section was corporate events. If events are already in budget, then you could lure more people in with catered food, as that brings people together and they are able to then see the visuals, all without taking a huge chunk out of the budget.
Chidi Okafor says
I like how you pointed out that organizations must endeavor to keep the conversation going. All hands must be on deck to keep the company’s information systems as secure as possible. With my company, you are expected to complete a security training every quarter and post your certificate on the internal portal.
Ikenna Alajemba says
Employees are part of an organization’s attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization needs to comply with different government and industry regulations, such as FISMA, PCI, HIPAA or Sarbanes-Oxley, it must provide security awareness training to employees to meet regulatory requirements.
• Classroom training: This allows instructors to see whether learners are engaged throughout the process and adjust accordingly. It also allows participants to ask questions in real time.
• Online training: This scales much better than in-person training, and it will likely be less disruptive to employee productivity since learners can work through the content from any location at their own convenience. This can also allow learners to work through the material at their own pace.
• Visual aids: Posters in the break room cannot be a lone source of security awareness training, but when done effectively, they can serve as helpful reminders.
• Phishing campaigns: Nothing captures a learner’s attention quite like the realization that they’ve fallen for a phish. Of course, learners who fail the phishing test should be automatically enrolled in further training.
In some cases, a combination of these may be the best option.
Security awareness training is not a one-and-done exercise. Regular security training through multiple media is ideal, especially if the organization has high turnover rates. Organizations should do their best to respect time—ideally, training should be customized based on an employee’s role to ensure all of the training content is relevant.
Akintunde Akinmusire says
I didn’t think about classroom training until I read your post. This method will be effective because the trainer will be able to witness the reactions of the trainees in order to see if they understand the importance of security in an organization and have the opportunity to test them. The trainees also could ask questions and collaborate with others. This will make the training more interactive and less boring.
Jeffrey Sullivan says
I would first reach out to different groups like the Information Security Forum or the Internet Society. The Internet Society is an organizational home for groups responsible for internet infrastructure standards, which includes the Internet Engineering Task Force and the Internet Architecture Board. The Information Security Forum is a global nonprofit organization composed of several hundred leading organizations in financial services, manufacturing, telecommunications, etc. I would ask both these groups how they approach a cost-effective training program for their organization. From meeting with those two groups, you will get a good amount of useful information to start a program without spending any more. You then could promote awareness internally on various training programs that can be done remotely vs. in person.
Chidi Okafor says
Well said, Jeffrey. Using the information you gathered from talking to these groups, you can create a cost-effective training suitable for your organization. Also, the NIST Framework provides the structure we need to intricately curate a less expensive training for the organization.
Erskine Payton says
Yes! It does cost to have a conversation. So reaching out to different stakeholders is a great way to get started. Doing the discovery helps you to get a view from different sides of the house to address those concerns. What is paramount to one user is trivial to another, and figuring out that balance is the challenge, right?
Akintunde Akinmusire says
Finding cost-effective training for an organization will depend on the goals of the organization, the skill level of the employees, and available resources. For a small to medium-sized organization, I would recommend learning platforms such as LinkedIn Learning, Coursera, Udemy, and so on. NIST.gov also offers a lot of resources that could help any organization. Organizations can also contact the vendors of the equipment they use in order to confirm if they offer free or cost-effective training.
Chidi Okafor says
I like your recommendations; I would also state that most of these classes come with practical labs for hands-on experience. Personally, I have used the practical online labs in some of the Udemy classes that I took some months ago.
Kelly Conger says
Like I mentioned in my previous answer, there are a number of companies that offer cybersecurity training. There are free and subscription-based training as well. The government provides a number of resources; NIST is an excellent free government resource. There are also a number of non-profit organizations; SANS.org comes to mind, as they offer free and paid resources. And last but not least, most of the security vendors (Norton, Trend, FireEye, Cisco, IBM, etc.) offer both paid and free training. When choosing a training program, it is important to consider your specific needs and budget.
Chidi Okafor says
The phrase “cost-effective” is subjective in that what company A will consider costly may be cost-effective to company B. There is a ton of affordable training platforms online, but after a careful study, I would recommend the following in no particular order – LinkedIn Learning, Udemy, Pluralsight, Cybrary. Usually, you get better pricing or a discount when you approach these online classes as a business. They will give you a business license for your employees, which will save you some money and still provide updated cybersecurity skills to the company. Coursera is also highly recommended by most higher institutions and companies.
Alyanna Inocentes says
Hey Chidiebere,
I was planning to share my thoughts on LinkedIn Learning too! It’s an excellent resource offering a wide range of cybersecurity topics. However, while it’s beneficial for individuals, it can potentially set unrealistic expectations for newcomers to cybersecurity. LinkedIn Learning provides certificates upon course completion, which some individuals may use to promote themselves. Unfortunately, these certificates often lack significant value in the corporate world and also discourage new candidates. I hope that it could be promoted more accurately to ensure people have realistic expectations.
Chidi Okafor says
I totally agree with you, but the essence of the certificate is proof that you understand the basic cybersecurity concept. I don’t think anybody can become proficient in any skill simply by going through an online course with labs; it requires time, dedication and discipline, which comes with years of hard work. Some companies will bring you in and gradually train you to become an experienced cybersecurity professional.
I like your comment. Let’s keep the conversation going.
Michael Obiukwu says
In a corporate environment, an organization can look to a variety of avenues in order to find practical, cost-effective training for its employees. The pivotal element in any successful business structure is the strength of its workforce, and investing in their growth and development is crucial. Consequently, continuous employee training can, over time, boost the overall productivity and competence of the organization. This article, therefore, aims to provide guidelines on selecting suitable cost-effective training methods for employees.
The cost-effective strategy should not only be attributed to the economical aspect but it should also incorporate the practicality of the training methods. Hence, a mostly remote or digitally based training solution could be seen as the most advantageous, as it saves on costs related to travel, accommodation, and trainers’ fees.
One of the most effective and economical methods of training is the use of online training platforms. These platforms cater to a variety of learning styles often inclusive of video tutorials, interactive quizzes, and live webinars. They also enable flexible access to learning materials, allowing employees to learn at their own pace and time. Websites such as Coursera, Lynda, and Udemy offer thousands of courses across numerous fields, many of which are inexpensive or even free.
Secondly, businesses can form strategic partnerships with educational institutions. Many universities and other educational establishments offer corporate training programs tailored to specific industries. For instance, the Harvard Business School offers bespoke executive education programs that cater to an organization’s unique development needs. Although such partnerships can require significant investment, the return can be substantial in terms of employee upskilling and the value they bring to the organization.
Additionally, the option of internal training programs should not be overlooked. Senior employees or those with a specific set of skills can train their colleagues, sharing knowledge and expertise without the organization incurring additional costs. This type of training not only improves team bonding but also fosters a culture of continuous learning and knowledge sharing within the organization.
Also, employee shadowing is an effective form of internal, practical training. It allows an employee to learn the job by walking through the workday as a shadow to a competent worker. The process is beneficial, in-depth, and often a cost-effective method of learning about the practicalities of job responsibilities.
Moreover, attending conferences, webinars, and industry trade shows can also be beneficial. These opportunities allow individuals to learn about the latest industry trends and techniques, speak with experts, and network with others in their field. However, these events can sometimes be expensive, so it’s important that businesses carefully calculate the potential return on their investment before committing.
Finally, the investment in off-the-shelf training programs can be a practical and cost-effective employee training approach. Off-the-shelf programs are ready-made courses designed for general business processes and functions. While they may not offer detailed customization, they are usually inexpensive and can cover a broad range of skills that are beneficial to most employees.
In line with Vacca’s work, practice-oriented and cost-effective training is crucial for the success and the improvement of the efficiency and competence of an organization’s workforce. As businesses navigate an era of rapid technological advancements, it is more critical than ever to regularly appraise available training avenues. Investing in strategic learning and development will equip employees for the future and contribute significantly to the organization’s ultimate success.
Michael, you’ve provided a comprehensive overview of cost-effective training methods for employees. I’d like to emphasize the importance of aligning training programs with the organization’s specific needs and goals. One additional consideration could be measuring the effectiveness of these training methods through key performance indicators (KPIs) to ensure they are delivering the expected outcomes. How do you think organizations can best assess the impact of their chosen training strategies on employee performance and overall business success?
If an organization needs to comply with different government and industry regulations, such as FISMA, PCI, HIPAA or Sarbanes-Oxley, it must provide security awareness training to employees to meet regulatory requirements. The following are the typical types of training:
• Classroom training: This allows instructors to see whether learners are engaged throughout the process and adjust accordingly.
• Online training: This is easier to put in place than in-person training, and it will likely be less disruptive to employee productivity since learners can work through the content from any location at their own convenience.
• Visual aids: Posters and online screens in the office cannot be a lone source of security awareness training, but when done effectively, they can serve as helpful reminders.
• Phishing campaigns: Nothing captures a learner’s attention quite like the realization that they’ve fallen for a phish. Of course, learners who fail the phishing test should be automatically enrolled in further training.
In some cases, a combination of these may be the best option. Security awareness training is not a one-and-done exercise. Regular security training through multiple media is ideal, especially if the organization has high turnover rates.
Hi Marc, great answer! I like that you have provided multiple opportunities/options for training; however, regarding online training, I personally feel it is not as effective.
It may be a cost-effective solution, but it is easy to get distracted while completing these kinds of training online, not absorb the material, or not gauge its importance on a realistic level. I have personally observed people simply clicking “next” through the material just to complete it instead of paying attention to the material.
Organizations are able to find cost-effective online training through NIST: https://www.nist.gov/itl/smallbusinesscyber. Through this site, organizations are able to learn about cybersecurity basics, incident response, and other trainings. CISA also provides free cybersecurity training through: https://www.cisa.gov/resources-tools/training. Furthermore, they also conduct Cybersecurity Awareness Month every year, and it helps organizations spread helpful information about cybersecurity.
NIST and CISA are valuable resources for cybersecurity education due to their expertise, authoritative guidelines, free training programs, and commitment to cybersecurity awareness. They provide accessible and up-to-date information and collaborate with industry and government for a holistic approach to cybersecurity.
This was my thinking as well based on the reading. I also wonder what general cost-effective material can be used to enhance the learning experience. Outside of external sources such as NIST, I wonder what changes to internal company structure and training approaches can be used to give employees a greater understanding of the content provided. I generally would use things like interactive training and PowerPoints to institute knowledge gained from NIST and other external sources in an approachable and easy to understand manner. Sometimes the hardest part of SETA is taking concepts that may be difficult to understand for users not versed in IT language and adapting them for a common understanding.
I would recommend that companies consider using the following resources to develop cost-effective security training for their employees:
* In-House Training: Start by developing security training in-house. This approach allows organizations to customize the training content to align with their specific business, platform, size, and employee base. It ensures that the training is tailored to meet the unique needs of the company.
* NIST Resources: Utilize the free training and awareness resources provided by NIST (National Institute of Standards and Technology). NIST offers valuable materials that can serve as a foundational resource for developing security training programs.
* Online Training Providers: Explore well-known online training providers such as LinkedIn Learning and Coursera. These platforms offer a wide range of courses that can be selected and customized to meet the company’s training requirements. This allows organizations to choose courses that are most relevant to their needs.
* Leverage External Resources: Take advantage of available external resources. Open-source communities and vendors often provide free training materials that companies can use as low-cost resources. These materials can be adapted and tailored to suit the specific needs of the organization.
By combining these approaches, companies can create a comprehensive and cost-effective security training program that is both tailored to their unique requirements and draws upon valuable external resources.
In-house training will be really helpful and save costs on training, since the training is tailored to the specific needs of the organization’s security appetite and culture. Thank you for this answer.
Well, depending on the organization, there are plenty of free and open-source organizations out there that provide free resources and training materials, some such being OWASP and SANS. But for highly cost-effective training, there are a bunch of online platforms which offer courses and training which can often be packaged with cybersecurity insurance for a lower rate. But most of the basic training can be taught in-house or with a guest speaker to explain basic concepts such as phishing, social engineering, business communications, password, desktop and email security, as well as to explain the organization’s specific policies. Besides the initial training, simple supplements such as posters, regular newsletters, and emails with tips and reminders help reinforce the training, getting more bang for your buck.
I never thought of the insurance aspect of it, so good point. I would also consider the different government regulations which need to be thought about.
Basic training aspects for classroom training, online training, visual aids, and phishing campaigns: each of these can be used, or a combination. The frequency is also important, as new employees and different roles need to be considered.
The first thing that would need to be determined would be what exactly is cost-effective for an organization. Once there is a set budget, the organization can opt for multiple training methods. They can opt for classroom-style training, which benefits the style of teaching. They can also utilize security awareness websites, helpful hints, and visual aids, such as posters or infographics in the high-footfall areas of the office. It is also important to conduct phishing training where certain employees can be focused on who fell for the phishing emails. There are multiple free resources available online on websites that are made for the purpose of security training and a lot of educational videos can also be found on websites like YouTube.
For practical, cost-effective training for an organization’s employees, I would recommend an organization utilize a behavioral management tool or Learning Management System (LMS) so that user activity can be measured and monitored when executing trainings. According to Vacca’s Chapter 33, “This allows you to evaluate vulnerability to different threat vectors based on user groups and regions. It is also possible to deliver standard or customized teachable moments to employees who fall for mock attacks. This allows for brief, focused, just in time teaching with messages that focus practical guidance in avoiding future threats.” Some environments in addition to Wombat Security and Infosec Institute are KnowBe4, Inspired eLearning, and Barracuda PhishLine, and, of course, SANS Institute for security education.
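As an added example of the measurement the LMS quote above describes (and the auto-enrollment rule from the phishing-campaign posts), not code from the thread, from Vacca or from any LMS vendor: a small Python script over constructed mock-phishing results that computes fail and report rates per user group, region and campaign, and builds the follow-up training list for employees who fell for the mock attack. The user names, groups, regions and the two-failure escalation threshold are assumptions.

```python
"""Phishing-simulation KPIs: who fell for the mock phish, by group/region, and who gets enrolled.

Added example; the data below is constructed, not a real campaign export.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class SimResult:
    """One employee's outcome in one mock-phishing campaign."""
    user: str
    group: str      # department / user group (hypothetical)
    region: str     # office region (hypothetical)
    campaign: str   # campaign identifier
    action: str     # "ignored" | "reported" | "clicked" | "submitted"


# Actions that count as "fell for the phish". Submitting credentials is worse
# than a click, but both trigger the teachable moment in this example.
FAIL_ACTIONS = frozenset({"clicked", "submitted"})

# Constructed sample: six hypothetical employees across two campaigns.
SAMPLE: List[SimResult] = [
    SimResult("alice", "finance", "us", "Q1", "clicked"),
    SimResult("alice", "finance", "us", "Q2", "submitted"),
    SimResult("bob", "finance", "us", "Q1", "reported"),
    SimResult("bob", "finance", "us", "Q2", "ignored"),
    SimResult("carol", "eng", "us", "Q1", "ignored"),
    SimResult("carol", "eng", "us", "Q2", "clicked"),
    SimResult("dave", "eng", "eu", "Q1", "reported"),
    SimResult("dave", "eng", "eu", "Q2", "reported"),
    SimResult("erin", "sales", "apac", "Q1", "submitted"),
    SimResult("erin", "sales", "apac", "Q2", "ignored"),
    SimResult("frank", "sales", "apac", "Q1", "ignored"),
    SimResult("frank", "sales", "apac", "Q2", "ignored"),
]


def rates_by(results: Iterable[SimResult], field: str) -> Dict[str, dict]:
    """Aggregate fail and report rates by a SimResult field ("group", "region" or "campaign").

    fail_rate answers "how vulnerable is this slice"; report_rate is the
    defender-side signal that the training is working (users who told IT).
    """
    buckets: Dict[str, dict] = defaultdict(
        lambda: {"total": 0, "failed": 0, "reported": 0})
    for r in results:
        b = buckets[getattr(r, field)]
        b["total"] += 1
        if r.action in FAIL_ACTIONS:
            b["failed"] += 1
        elif r.action == "reported":
            b["reported"] += 1
    for b in buckets.values():
        b["fail_rate"] = round(b["failed"] / b["total"], 3)
        b["report_rate"] = round(b["reported"] / b["total"], 3)
    return dict(buckets)


def enrollment_plan(results: Iterable[SimResult], repeat_threshold: int = 2) -> Dict[str, str]:
    """Map each user who failed at least one campaign to a training action.

    One failure gets the brief just-in-time refresher; reaching the
    (assumed) threshold escalates to role-based training and a manager note.
    """
    failures: Dict[str, int] = defaultdict(int)
    for r in results:
        if r.action in FAIL_ACTIONS:
            failures[r.user] += 1
    return {u: ("escalated" if n >= repeat_threshold else "refresher")
            for u, n in failures.items()}


def worst_groups(results: Iterable[SimResult], top: int = 2) -> List[str]:
    """Groups with the highest fail rate, to prioritize the next targeted module."""
    rates = rates_by(list(results), "group")
    return sorted(rates, key=lambda g: (-rates[g]["fail_rate"], g))[:top]


if __name__ == "__main__":
    for field in ("group", "region", "campaign"):
        print(field, rates_by(SAMPLE, field))
    print("enroll:", enrollment_plan(SAMPLE))
    print("focus next module on:", worst_groups(SAMPLE))
```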
Andrew Young says
Organizations should provide their own training when regarding general training for issues such as phishing and password protection, issues that impact every end user. Resources such as FISMA guidelines and ISO classifications can be useful for creating these ISO programs, as they do not require advanced technical knowledge but rather a basic understanding of the subject matter. Organizations such as SANS also provide free and easily available security documents on a number of topics. As for more advanced, higher level training, Vacca recommends both SANS and ISC2 as external resources for training employees who need to acquire knowledge outside of the existing knowledge base
Kelly Conger says
I agree with you, but I also feel it is important to create a culture of security within the organization as well. Employees need to feel empowered and encouraged to ask questions or to ask for help when they may not understand the concept completely. No one should fear asking questions on any given training. By making security training accessible to all employees and by creating a culture of security within the organization, organizations can help to protect themselves (again, going back to multiple layers of security) from security threats.
Erskine Payton says
One cost effective way to supplement training would be utilizing visual aids. Posters in high traffic areas or signage strategically placed in conference rooms and common areas. When IT staff is working with users, make security part of the conversation. “Are you familiar with how to back up your data?” or “Did you have any questions about the recent security training?” Keep the conversation going in via promotions. A company where I was a consultant, all the conference rooms had small desktop with a large television and the screensaver were different electronic advertisements surrounding security awareness. These are just a few clever and cost-effective ways companies can train as well as saves time. We must keep in mind that these methods are not a substitute for training, but it assists to keep the conversations around security in the forefront and not an afterthought.
Jeffrey Sullivan says
I didn’t think about visuals in conference rooms and commons areas as this will minimally brink awareness to employees that are not aware of information security. What stood out to me in the text for this section was corporate events. If events are already in budget, then you could lure more people in with catered food as that brings people together and they are able to then see the visuals all without making a huge chunk into the budget.
Chidi Okafor says
I like how you pointed out that organizations must endeavor to keep the conversation going. All hands must be on deck to keep company’s information systems as secured as possible. With my company, you are expected to complete a security training every quarter and post your certificate on the internal portal.
Ikenna Alajemba says
Employees are part of an organization’s attack surface, and ensuring they have the know-how to defend themselves and the organization against threats is a critical part of a healthy security program. If an organization needs to comply with different government and industry regulations, such as FISMA, PCI, HIPAA or Sarbanes-Oxley, it must provide security awareness training to employees to meet regulatory requirements.
Classroom training: This allows instructors to see whether learners are engaged throughout the process and adjust accordingly. It also allows participants to ask questions in real time. Online training: This scales much better than in-person training, and it will likely be less disruptive to employee productivity since learners can work through the content from any location at their own convenience. This can also allow learners to work through the material at their own pace. Visual aids: Posters in the break room cannot be a lone source of security awareness training, but when done effectively, they can serve as helpful reminders. Phishing campaigns: Nothing captures an learner’s attention quite like the realization that they’ve fallen for a phish. Of course, learners who fail the phishing test should be automatically enrolled in further training. In some cases, a combination of these may be the best option.
Security awareness training is not a one-and-done exercise. Regular security training through multiple media is ideal, especially if the organization has high turnover rates. Organizations should do their best to respect time—ideally, training should be customized based on an employee’s role to ensure all of the training content is relevant.
Akintunde Akinmusire says
I didn’t think about classroom training until I read your post. This method will be effective because the trainer will be able to witness the reactions of the trainees in order to see if they understand the importance of security in an organization and have the opportunity to test them. The trainees also could ask questions and collaborate with others. This will make the training more interactive and less boring.
Jeffrey Sullivan says
I would first reach out to different groups like the Information security forum or the Internet society. The Internet society is an organizational home for groups responsible for internet infrastructure standards which includes internet engineering task force and internet architecture board. The information security forum is a global nonprofit organization composed of several hundred leading organizations in financial services, manufacturing, telecommunications etc. and ask both these groups how they approach a cost-effective training program for their organization. From meeting with those two groups, you will get a good amount of useful information to start a program without spending anymore. You then could promote awareness internally on various training programs that can be done remotely vs in person.
Chidi Okafor says
Well said, Jeffrey. Using the information you gathered from talking to these groups, you can create a cost-effective training suitable for your organization. Also, the NIST Framework provides the structure we need to intricately curate a less expensive training for the organization.
Erskine Payton says
Yes! It does cost to have a conversation. So reaching out to different stakeholders is a great way to get started. Doing to discovery helps you to get a view from different sides of the house to address those concerns. What is paramount to one user is trivial to another and figuring out that balance is the challenge right?
Akintunde Akinmusire says
Finding cost-effective training for an organization will depend on the goals of the organization, skills level of the employees, and available resources. For a small to medium sized organization, I would recommend learning platforms such as LinkedIn learning, Coursera, Udemy, and so on. NIST.gov also offers a lot of resources that could help any organization. Organizations can also contact the vendors of the equipment they use in order to confirm if they offer free or cost-effective training.
Chidi Okafor says
I like your recommendations; I would also state that most of these classes come with practical labs for hands on experience. Personally, I have used the practical online labs in some of the Udemy classes that I took some months ago.
Kelly Conger says
Like I mentioned in my previous answer, there are a number of companies that offer cybersecurity training. There are free and subscription-based training as well. The government provides a number of resources, NIST is an excellent free government resource. There are also a number of non-profit organizations, SANs org comes to mind as they offer free and paid resources. And last but not least most of the security vendors (Norton, Trend, Fireeye, Cisco, IBM, etc.) offer both paid and free training. When choosing a training program, it is important to consider your specific needs and budget.
Chidi Okafor says
The phrase “cost-effective” is subjective in that what company A will consider costly may be cost-effective to company B. There is a ton of affordable training platforms online but after a careful study, I would recommend the following in no particular order – LinkedIn Learning, Udemy, Pluralsight, Cybrary. Usually, you get better pricing or discount when you approach these online classes as a business. They will give you a business license for your employees which will save you some money and still provide updated cybersecurity skills to the company. Coursera is also highly recommended by most higher institutions and companies.
Alyanna Inocentes says
Hey Chidiebere,
I was planning to share my thoughts on LinkedIn Learning too! It’s an excellent resource offering a wide range of cybersecurity topics. However, while it’s beneficial for individuals, it can potentially set unrealistic expectations for newcomers to cybersecurity. LinkedIn Learning provides certificates upon course completion, which some individuals may use to promote themselves. Unfortunately, these certificates often lack significant value in the corporate world and also discourage new candidates. I hope that it could be promoted more accurately to ensure people have realistic expectations.
Chidi Okafor says
I totally agree with you, but the essence of the certificate is proof that you understand the basic cybersecurity concept. I don’t think anybody can become proficient in any skill simply by going through an online course with labs; it requires time, dedication and discipline which comes with years of hard work. Some companies will bring you in and gradually train you to become an experienced cybersecurity professional.
I like your comment. Let’s keep the conversation going.
Michael Obiukwu says
In a corporate environment, an organization can look to a variety of avenues in order to find practical, cost-effective training for its employees. The pivotal element in any successful business structure is the strength of its workforce and investing in their growth and development is crucial. Consequently, continuous employee training can, over time, boost the overall productivity and competence of the organization. This article, therefore, aims to provide guidelines on selecting suitable cost-effective training methods for employees.
The cost-effective strategy should not only be attributed to the economical aspect but it should also incorporate the practicality of the training methods. Hence, a mostly remote or digitally based training solution could be seen as the most advantageous, as it saves on costs related to travel, accommodation, and trainers’ fees.
One of the most effective and economical methods of training is the use of online training platforms. These platforms cater to a variety of learning styles often inclusive of video tutorials, interactive quizzes, and live webinars. They also enable flexible access to learning materials, allowing employees to learn at their own pace and time. Websites such as Coursera, Lynda, and Udemy offer thousands of courses across numerous fields, many of which are inexpensive or even free.
Secondly, businesses can form strategic partnerships with educational institutions. Many universities and other educational establishments offer corporate training programs tailored to specific industries. For instance, the Harvard Business School offers bespoke executive education programs that cater to an organization’s unique development needs. Although such partnerships can require significant investment, the return can be substantial in terms of employee upskilling and the value they bring to the organization.
Additionally, the option of internal training programs should not be overlooked. Senior employees or those with a specific set of skills can train their colleagues, sharing knowledge and expertise without the organization incurring additional costs. This type of training not only improves team bonding but also fosters a culture of continuous learning and knowledge sharing within the organization.
Also, employee shadowing is an effective form of internal, practical training. It allows an employee to learn the job by walking through the workday as a shadow to a competent worker. The process is beneficial, in-depth, and often a cost-effective method of learning about the practicalities of job responsibilities.
Moreover, attending conferences, webinars, and industry trade shows can also be beneficial. These opportunities allow individuals to learn about the latest industry trends and techniques, speak with experts, and network with others in their field. However, these events can sometimes be expensive, so it’s important that businesses carefully calculate the potential return on their investment before committing.
Finally, the investment in off-the-shelf training programs can be a practical and cost-effective employee training approach. Off-the-shelf programs are ready-made courses designed for general business processes and functions. While they may not offer detailed customization, they are usually inexpensive and can cover a broad range of skills that are beneficial to most employees.
In line with Vacca’s work, practice-oriented and cost-effective training is crucial for the success and the improvement of the efficiency and competence of an organization’s workforce. As businesses navigate an era of rapid technological advancements, it is more critical than ever to regularly appraise available training avenues. Investing in strategic learning and development will equip employees for the future and contribute significantly to the organization’s ultimate success.
Alex Ruiz says
Michael, you’ve provided a comprehensive overview of cost-effective training methods for employees. I’d like to emphasize the importance of aligning training programs with the organization’s specific needs and goals. One additional consideration could be measuring the effectiveness of these training methods through key performance indicators (KPIs) to ensure they are delivering the expected outcomes. How do you think organizations can best assess the impact of their chosen training strategies on employee performance and overall business success?
Marc Greenberg says
If an organization needs to comply with different government and industry regulations, such as FISMA, PCI, HIPAA or Sarbanes-Oxley, it must provide security awareness training to employees to meet regulatory requirements. The following are the typical types of training:
• Classroom training: This allows instructors to see whether learners are engaged throughout the process and adjust accordingly.
• Online training: Is easier to put in place than in-person training, and it will likely be less disruptive to employee productivity since learners can work through the content from any location at their own convenience.
• Visual aids: Posters and online screens in the office cannot be a lone source of security awareness training, but when done effectively, they can serve as helpful reminders.
• Phishing campaigns: Nothing captures a learner’s attention quite like the realization that they’ve fallen for a phish. Of course, learners who fail the phishing test should be automatically enrolled in further training.
In some cases, a combination of these may be the best option. Security awareness training is not a one-and-done exercise. Regular security training through multiple media is ideal, especially if the organization has high turnover rates.
Unnati Singla says
Hi Marc, great answer! I like that you have provided multiple opportunities/options for training, however, regarding online training – I personally feel it is not as effective.
It may be a cost-effective solution, but it is easy to get distracted while completing these kinds of training online/not absorb the material or gauge its importance on a realistic level. I have personally observed people simply clicking “next” through the material just to complete it instead of paying attention to the material.
Alyanna Inocentes says
Organizations are able to find cost-effective online trainings through NIST: https://www.nist.gov/itl/smallbusinesscyber. Through this site, organizations are able to learn about cybersecurity basics, incident response, and other trainings. CISA also provides free cybersecurity training through: https://www.cisa.gov/resources-tools/training. Furthermore, they also conduct Cybersecurity Awareness Month every year, which helps organizations spread helpful information about cybersecurity.
NIST and CISA are valuable resources for cybersecurity education due to their expertise, authoritative guidelines, free training programs, and commitment to cybersecurity awareness. They provide accessible and up-to-date information and collaborate with industry and government for a holistic approach to cybersecurity.
Andrew Young says
This was my thinking as well based on the reading. I also wonder what general cost-effective material can be used to enhance the learning experience. Outside of external sources such as NIST, I wonder what changes to internal company structure and training approaches can be used to give employees a greater understanding of the content provided. I generally would use things like interactive training and PowerPoints to institute knowledge gained from NIST and other external sources in an approachable and easy to understand manner. Sometimes the hardest part of SETA is taking concepts that may be difficult to understand for users not versed in IT language and adapting them for a common understanding.
Akiyah says
I would recommend that companies consider using the following resources to develop cost-effective security training for their employees:
* In-House Training: Start by developing security training in-house. This approach allows organizations to customize the training content to align with their specific business, platform, size, and employee base. It ensures that the training is tailored to meet the unique needs of the company.
* NIST Resources: Utilize the free training and awareness resources provided by NIST (National Institute of Standards and Technology). NIST offers valuable materials that can serve as a foundational resource for developing security training programs.
* Online Training Providers: Explore well-known online training providers such as LinkedIn Learning and Coursera. These platforms offer a wide range of courses that can be selected and customized to meet the company’s training requirements. This allows organizations to choose courses that are most relevant to their needs.
* Leverage External Resources: Take advantage of available external resources. Open-source communities and vendors often provide free training materials that companies can use as low-cost resources. These materials can be adapted and tailored to suit the specific needs of the organization.
By combining these approaches, companies can create a comprehensive and cost-effective security training program that is both tailored to their unique requirements and draws upon valuable external resources.
Ikenna Alajemba says
In-house training will be really helpful and save costs on training, since the training is tailored to the specific needs of the organization’s security appetite and culture. Thank you for this answer.
Alex Ruiz says
Well, depending on the organization, there are plenty of free and open-source organizations out there that provide free resources and training materials, some such being OWASP and SANS. But for highly cost-effective training, there are a bunch of online platforms which offer courses and training which can often be packaged with cybersecurity insurance for a lower rate. But most of the basic training can be taught in-house or with a guest speaker to explain basic concepts such as phishing, social engineering, business communications, password, desktop and email security, as well as explain the organization’s specific policies. Besides the initial training, simple supplements such as posters, regular newsletters, and emails with tips and reminders help reinforce the training, getting more bang for your buck.
Marc Greenberg says
I never thought of the insurance aspect of it, so good point. I would also consider the different government regulations which need to be thought about.
Basic training aspects for classroom training, online training, visual aids, and phishing campaigns: each of these can be used alone or in combination. The frequency is also important, as new employees and different roles need to be considered.
Unnati Singla says
The first thing that would need to be determined would be what exactly is cost-effective for an organization. Once there is a set budget, the organization can opt for multiple training methods. They can opt for classroom-style training, which benefits the style of teaching. They can also utilize security awareness websites, helpful hints, and visual aids, such as posters or infographics in the high-footfall areas of the office. It is also important to conduct phishing training where certain employees can be focused on who fell for the phishing emails. There are multiple free resources available online on websites that are made for the purpose of security training and a lot of educational videos can also be found on websites like YouTube.
Ashley A. Jones says
For practical, cost-effective training for an organization’s employees, I would recommend an organization utilize a behavioral management tool or Learning Management System (LMS) so that user activity can be measured and monitored when executing trainings. According to Vacca’s chapter 33, “This allows you to evaluate vulnerability to different threat vectors based on user groups and regions. It is also possible to deliver standard or customized teachable moments to employees who fall for mock attacks. This allows for brief, focused, just in time teaching with messages that focus practical guidance in avoiding future threats.” Some environments in addition to Wombat Security and Infosec Institute are KnowBe4, Inspired eLearning, and Barracuda PhishLine, and, of course, SANS Institute for security education.