How would you approach improving the security education training and awareness in an organization you know well (e.g. Temple as a student) but you will not name in your answer post and comments?
James Nyamokoh says
To improve security education in an organization, I would first assess the current program’s effectiveness through employee surveys, security incident trends, and simulated attacks like phishing tests. Based on the results, I’d recommend shifting from static, one-size-fits-all training to more dynamic, role-specific content that resonates with employees’ actual responsibilities. Interactive sessions and bite-sized learning modules can maintain engagement and ensure that the program stays relevant. Continuous reinforcement through regular updates, monthly newsletters, or brief digestible security tips could ensure ongoing awareness without overwhelming staff.
Christopher Williams says
I really like your suggestion to move away from static, one-size-fits-all training and focus on more dynamic, role-specific content. Tailoring the training to fit employees’ actual responsibilities makes the material more relevant and engaging for them. When people see how the information applies to their day-to-day work, they’re more likely to stay interested and retain what they’ve learned. It’s a great way to make security education more effective. Plus, adding interactive and ongoing training really helps keep things fresh and engaging for everyone.
Benjamin Rooks says
The main issue that is currently a problem in the organization I am a part of is the utilization of third-party applications that have not been vetted by our security team and that already have a sanctioned replacement. The biggest problem that we currently have is that there is no known list of approved applications, and the way to download approved applications is not something that employees are made aware of when they are onboarded. I personally went two years before realizing that there was an approved portal for downloading applications and had been manually installing the ones I needed myself. In order to fix this, I would have a consistently updated location of approved applications that employees would be instructed on how to access as part of their onboarding.
Nelson Ezeatuegwu says
Hi Benjamin,
It is scary to see how organizations ignore important security procedures that should be embedded in security education, training and awareness. I guess it is over-reliance on intrusion detection systems.
Tache Johnson says
Hey Benjamin, the need for more information about approved applications is a significant concern when workers use unvetted third-party software. The fact that you went two years before discovering the approved application portal highlights communication and onboarding problems. I'm sure you were not the only one! I agree that a central, updated site for embraced applications is necessary, but how would you guarantee that staff visit the portal for changes and new tools? Introducing this at onboarding is fantastic, but it might be forgotten. Would you consider ongoing reminders or perhaps integrating this into annual security training to reinforce the importance of sticking to approved apps? Overall, I think this is something a lot of people face at companies, being unaware of the tools and how to use them securely.
Benjamin Rooks says
I would say that the best way to continue awareness of the portal is just to make it useful. If the portal contains many useful tools that an employee could use (Photoshop, PDF readers, productivity tools, etc.), then it would become the first place that users go to when they need a new tool.
Aisha Ings says
It’s interesting to see how other companies operate. At my previous job, we had a list of approved software that could be installed on computers if it wasn’t already available through SCCM. Any software not on the approved list had to go through an approval process. By restricting unauthorized software, companies can better manage potential vulnerabilities, ensure compliance with licensing agreements, and avoid unnecessary risk.
Nelson Ezeatuegwu says
I would assess the existing security education, training and awareness by auditing the various security platforms for intrusion detection, log and vulnerability management, to determine if the training is giving the desired results. In my current organization we get a lot of security alerts for user logins from different geographical locations, especially during summer. I have watched the security awareness training for two years and did not find any topic that educates the users on that. I would recommend a topic that emphasizes educating the users on the risks, and the importance of informing IT personnel of the duration of time they will be working from a different country, so that a VPN tunnel will be created to avoid a security breach through unsecured networks.
Ericberto Mariscal says
For my organization, I would implement a learning portal where you can find training materials. The materials would be in the form of documents, modules, courses, and recorded webinars. I would ensure that the material is fresh, engaging, and issued to end users frequently. Certain training materials would have a quiz at the end where you would need a passing score to ensure that the training is being absorbed appropriately. One of the major concerns in my organization is that training material is most often in the form of a PDF document, which you can just open and mark as complete as soon as the document has been opened. I would also implement a company-wide phishing test as a method to monitor and evaluate end user response; the results can be conveyed to the company as a whole quarterly for training and awareness.
Tache Johnson says
Hi Ericberto, I like the idea of a learning site with interactive and interesting information, particularly contrasted to PDF-based training, which is ineffective. Quizzes to reinforce knowledge are fantastic. If quarterly phishing test results are revealed, workers may get comfortable. Would you consider randomizing phishing tests throughout the year so consumers are always tested without knowing when?
Ericberto Mariscal says
Hi Tache,
Great point about the phishing test being revealed amongst the company as a whole; this would make it easier for the end users to spot, thus making it ineffective. I would instead suggest that the results just be shared within the IS team and upper management.
Vincenzo Macolino says
This is a great idea. Having easy access to tools that can teach employees/students as well as give them quizzes would make a positive impact on any organization. Utilizing online resources also eliminates the need for in-person training, and also gives 24/7 access, allowing employees to always have updated information and resources on hand.
Gbolahan Afolabi says
Where my organization needs to improve is the delivery of context on why certain controls and mechanisms are used to secure our systems. We employ various mechanisms to secure the management of information on devices and the networks they’re part of. These controls may be seen as counterproductive at times and would probably lead to many hours of wasted labor per employee over the course of a year. For example, an employee would need to enter a series of passwords and codes when turning on a laptop, from the BitLocker prompt, to the Windows sign-on screen, to the RSA code required to access the internet. Another example is the requirement to sign in with company credentials on mobile phones before reading work notifications.
While these mechanisms and controls strengthen the security of confidentiality and integrity, they are seen as roadblocks to efficiency by staff. I believe more users would appreciate the controls if they understood the reasoning behind them, and they would make fewer attempts to circumvent them.
Dawn Foreman says
I agree! The firm I am familiar with utilizes a virtual machine that requires credentials and RSA codes. At first, this can seem a bit annoying and time consuming when one is trying to log on. However, if employees knew how 30 extra seconds would save millions if there was an attack, they may have a different attitude. Prior to this program, multifactor authentication would irritate me at times for certain apps. However, after reading about how individuals who did not have this were targeted, my attitude changed. Transparency is key.
Tache Johnson says
If I were to improve the security education, training, and awareness program in the company I currently work for, I’d start by addressing a key issue I’ve noticed with our phishing email tests. Currently, these emails are sent to everyone at the same time, which can lead to coworkers warning each other not to click on them. This defeats the purpose of the test. To make the exercise more effective, I would randomize the timing and recipients of the phishing emails so that employees don’t receive them simultaneously. This would create a more authentic test environment where people can’t easily tip each other off. Additionally, I’d enhance the program by providing role-specific training, so technical staff receive more in-depth education, while general staff focus on basic but crucial topics like email phishing and secure data handling. Regular refreshers and interactive exercises like these phishing simulations would help reinforce learning and make security awareness more ingrained in everyday work.
Vincenzo Macolino says
Hey Tache, I had a really similar answer to you, and I find it funny how the same issue is affecting different companies. It’s so simple to just randomize the phishing emails and make it more realistic, and for whatever reason our companies do not want to put in the extra effort to make it happen. I also like how you mentioned using interactive exercises, I think that this is a great solution and would make a positive impact.
Brittany Pomish says
I worked for a company with a similar tactic in the past. We would all receive the same pizza coupon around lunch time, and you could hear the notifications across everyone’s computers in the room. All it took was one person to be like “Dang it, I fell for it. Don’t click it.” and the point of the test was ruined. I think randomizing the tests is a great idea. My current organization has even gotten really good at the phishing emails and will even do department-style emails, such as “John Smith (fellow department team member) shared a document with you.” Knowing that John Smith likely shares documents with me all the time makes the phishing email really difficult to determine if it is valid or not.
Vincenzo Macolino says
To improve my organization’s security education and awareness program, I would focus on phishing attacks, which seem to be the most common security incident that we face. To combat phishing attacks, IT sends out fake phishing emails in hopes of getting an employee to click on one. However, the issue that I have noticed, similar to Tache’s answer, is that employees just tell each other that a fake phishing email has been sent out. In order to optimize phishing emails, we need to send them out to separate employees at random times, not to the entire company all at once. Furthermore, instead of just sending out phishing emails, we also need to be trained on why phishing emails are a problem. I feel that many employees do not understand that by clicking on a phishing email, they are potentially exposing themselves and our company to a serious cyber-attack.
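Tache’s and Vincenzo’s posts both make the same point: a phishing simulation sent to everyone at the same moment is tipped off by the first person who notices it. The scheduler below is an added example (not code from the discussion or from any organization mentioned in it) that spreads simulated sends across a window of business days, at random minutes within business hours, and caps how many people in the same department are tested on the same day, so coworkers sitting together are unlikely to receive it simultaneously. The roster, departments, window and cap are constructed assumptions; `check_schedule` is the sanity check a training team would run before handing the plan to the simulation tool, and `blast_schedule` reproduces the single-blast pattern the posts describe so the two can be compared.

```python
import random
from collections import Counter
from datetime import date, datetime, time, timedelta

# Constructed sample roster (hypothetical names and departments, not from the posts).
ROSTER = [
    ("alice", "finance"), ("bob", "finance"), ("carol", "finance"),
    ("dave", "hr"), ("erin", "hr"),
    ("frank", "it"), ("grace", "it"), ("heidi", "it"), ("ivan", "it"),
]

# Constructed demo window: 2024-09-02 is a Monday; the blast time falls inside the window.
DEMO_START = date(2024, 9, 2)
DEMO_BLAST_AT = datetime(2024, 9, 3, 12, 0)

BUSINESS_OPEN = time(9, 0)    # sends land between 09:00 and 16:59
BUSINESS_CLOSE = time(17, 0)


def business_days(start, days):
    """Return the next `days` weekdays starting at `start` (inclusive)."""
    out, d = [], start
    while len(out) < days:
        if d.weekday() < 5:          # Monday..Friday
            out.append(d)
        d += timedelta(days=1)
    return out


def schedule_simulation(roster, start, days=10, per_dept_per_day=1, seed=None):
    """Assign each employee a random send time; at most `per_dept_per_day`
    people from one department are tested on any given day."""
    rng = random.Random(seed)        # seeded for a reproducible, auditable plan
    slots = business_days(start, days)
    usage = Counter()                # (dept, day) -> sends already placed
    schedule = {}
    for user, dept in sorted(roster):
        candidates = [d for d in slots if usage[(dept, d)] < per_dept_per_day]
        if not candidates:
            raise ValueError(f"window too short for dept {dept}: raise days or per_dept_per_day")
        day = rng.choice(candidates)
        usage[(dept, day)] += 1
        minute = rng.randrange(9 * 60, 17 * 60)
        schedule[user] = datetime.combine(day, time(minute // 60, minute % 60))
    return schedule


def check_schedule(schedule, roster, start, days=10, per_dept_per_day=1):
    """Return human-readable violations; an empty list means the plan is sound."""
    dept_of = dict(roster)
    window = set(business_days(start, days))
    usage = Counter()
    problems = []
    for user, when in schedule.items():
        if when.date() not in window:
            problems.append(f"{user}: {when} outside the test window")
        if not BUSINESS_OPEN <= when.time() < BUSINESS_CLOSE:
            problems.append(f"{user}: {when} outside business hours")
        usage[(dept_of[user], when.date())] += 1
    for (dept, day), n in usage.items():
        if n > per_dept_per_day:
            problems.append(f"{dept} on {day}: {n} sends, cap is {per_dept_per_day}")
    return problems


def blast_schedule(roster, when):
    """The pattern the posts criticise: every employee gets the email at the same moment."""
    return {user: when for user, _ in roster}


if __name__ == "__main__":
    plan = schedule_simulation(ROSTER, DEMO_START, seed=7)
    for user, when in sorted(plan.items(), key=lambda kv: kv[1]):
        print(f"{when:%Y-%m-%d %H:%M}  {user}")
    print("randomized plan violations:", check_schedule(plan, ROSTER, DEMO_START))
    print("single-blast violations:   ",
          check_schedule(blast_schedule(ROSTER, DEMO_BLAST_AT), ROSTER, DEMO_START))
```

Running the block prints the randomized plan sorted by send time, an empty violation list for it, and one violation per department for the single-blast plan (every department exceeds the per-day cap at once). The seed is deliberate: the security team can regenerate and review the exact plan, while the employees still cannot predict it.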
Dawn Foreman says
Hi Vincenzo,
The firm I am familiar with sends out phishing emails as a test, and I agree with you, they can be effective. Employees are sent emails randomly once a year. In my response, I wrote that to combat this, random emails should be sent more frequently to keep employees on guard. Additionally, more training should be implemented around the effects that being a victim of a phishing attack could have on a firm.
Neel Patel says
Hi Vincenzo!
Nice response – I like how you talk about sending phishing emails to employees at different times. Following up with employees about their results and what happened is extremely helpful. Also, this allows for them to ask questions. This allows for a space to have continuous learning.
Christopher Williams says
I would focus on making the process more interactive and collaborative by introducing group training sessions. Currently, our security training consists of annual videos, tests, and reviewable documents that employees complete individually. While this method ensures compliance, it often lacks engagement, and employees may not give it their full attention.
My approach would involve shifting from purely individual-based training to more group-based sessions. These could include interactive workshops, team discussions, and the usual uncomfortable role-playing scenarios that focus on real-life security threats. With that, employees would have the opportunity to share experiences, ask questions, and learn from one another, making the content more engaging and memorable. I would ensure these group sessions include hands-on activities like phishing simulations and incident response drills. This kind of active learning approach could help individuals retain critical security information and apply it in their daily work.
Cyrena Haynes says
To improve security education, training, and awareness in an organization I know, I would start by assessing the current level of awareness and identifying specific security risks, such as employees leaving their laptops unattended. Next, I would introduce more interactive training, as most current programs rely on self-paced videos. This approach would incorporate gamified learning and simulations that highlight the vulnerabilities and consequences of unsafe behaviors. To ensure engagement and retention, I would include questions after each section. Additionally, I would advocate for mandatory, periodic training sessions tailored to different roles within the organization, ensuring both technical and non-technical personnel understand their responsibilities in maintaining security.
Jocque Sims says
My experience with employment organizational security education training and awareness has always been top-notch. This is due to the organization implementing all of the suggested general and skill-based training I have studied in this week’s assigned readings, as well as other measures and training not discussed.
However, the approach to improving security education training and awareness should reflect the needs of the organization as outlined in the Metrics Defining Training Effectiveness module on page 502 of the Computer and Information Security Handbook. It outlines operational and training program metrics to follow to improve training effectiveness based on commonly identified security issues. It also provides indicators to look for when checking training effectiveness.
Andrea Baum says
To reinforce quarterly security training, I would implement regular phishing simulations to test employees’ awareness in real time. For those who fall for simulated attacks, I’d provide just-in-time, targeted training to address gaps immediately. Additionally, I’d foster a culture of ongoing education by organizing engaging, interactive workshops that focus on practical security best practices and emerging threats. These workshops would be tailored to different roles within the organization, ensuring relevance and encouraging active participation.
Brittany Pomish says
One flaw I see in an organization’s security education, training, and awareness program is the lack of clear expectations, relevance, and published materials. Often, training is completed and then forgotten because it doesn’t feel relevant to the user. Training must be engaging and applicable to the user’s role.
As an internal auditor, I frequently observe a lack of clearly defined expectations for users. Without understanding the end goal or purpose, users lack ownership and engagement. Lastly, I must emphasize the importance of published documents. All training materials should be available on the organization’s intranet to serve as a reference for all users on an ongoing basis.
Cyrena Haynes says
Hi Brittany,
I completely agree with the flaws you’ve highlighted. There’s often a lack of clear expectations and relevance in training programs. I believe organizations could benefit from more role-based training, allowing end users to better understand their specific responsibilities in data security. Making training more relevant to day-to-day tasks can increase ownership and engagement. I’ve also noticed that end users tend to rush through mandatory training while multitasking to meet deadlines. If the content were more engaging, it could improve knowledge retention across the organization.
Jocque Sims says
Good afternoon, Brittany,
Can you provide a better context for the type of organizations you are referring to (e.g., government organization (GO), non-GO (NGO), corporation, small business, etc.)?
To follow up on the type of organizations, I’d like to know if there’s a noticeable trend or pattern of a lack of expectations, relevance, and published material in these contexts.
Lastly, do you think there should be a way of better training employees based on the type of organization in which they are employed?
Neel Patel says
As a student worker at Temple University, there are a few areas in which I can identify a lack of security in relation to access controls. Without dropping any names of any departments, I can see how students who work in different areas of the University can access almost all records of any student. They can look up their classes, schedules, personal information, where they are currently residing, etc. This vulnerability can be abused by someone with access. Implementing strict access so students can’t access alumni or other students’ data is imperative. If there is no need to have access to classified records, it should be restricted or audited if someone does view them. Having regular audits for when certain actions are taken by those with authorized access is necessary. I would also issue strict documents that state if behaviors and actions are used outside of the scope of the position, it can lead to greater consequences such as termination, academic probation, or etc. I would also mandate learning modules about safety and security. Educating those with power about the tools they have can minimize errors or mistakes from occurring.
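Neel’s post argues for two controls: restrict record access to what a role needs, and audit views that fall outside that scope. The script below is an added example (not code from the post or from any university system) of the audit half. It reads a constructed access log with hypothetical fields, applies a hypothetical per-role policy (which record fields a role may view, and whether alumni records are in scope), and flags three things: a field outside the role, an alumni record viewed by a role that should never see one, and bulk browsing (more distinct student records in one hour than the threshold), which is the “look up anyone” pattern the post describes.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample audit log. Worker ids, roles, record ids and field names are hypothetical.
AUDIT_LOG = """\
ts,worker,worker_role,record_id,record_status,fields
2024-09-03T09:01:00,w101,registrar_clerk,s5001,enrolled,schedule
2024-09-03T09:02:10,w101,registrar_clerk,s5002,enrolled,schedule;grades
2024-09-03T09:05:00,w202,housing_desk,s5003,enrolled,address
2024-09-03T09:06:30,w202,housing_desk,s5003,enrolled,grades
2024-09-03T09:07:00,w202,housing_desk,a9001,alumni,address
2024-09-03T09:10:00,w101,registrar_clerk,s5005,enrolled,schedule
2024-09-03T09:15:00,w101,registrar_clerk,s5006,enrolled,schedule
2024-09-03T09:20:00,w101,registrar_clerk,s5007,enrolled,schedule
2024-09-03T10:00:00,w303,library_desk,s5004,enrolled,schedule
"""

# Hypothetical role policy: fields a role may view and whether alumni records are in scope.
ROLE_POLICY = {
    "registrar_clerk": {"fields": {"schedule", "grades"}, "alumni": False},
    "housing_desk":    {"fields": {"address"},            "alumni": False},
    "library_desk":    {"fields": set(),                  "alumni": False},
}


def parse_log(text):
    """Parse the CSV log; the `fields` column becomes a set of field names."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["fields"] = set(r["fields"].split(";")) if r["fields"] else set()
    return rows


def audit_access(rows, policy=ROLE_POLICY, max_distinct_per_hour=4):
    """Return (timestamp, worker, reason) alerts for out-of-scope or bulk access."""
    alerts = []
    seen = defaultdict(set)          # (worker, hour) -> distinct records viewed
    bulk_flagged = set()             # alert once per worker-hour, not once per row
    for r in rows:
        rule = policy.get(r["worker_role"])
        if rule is None:
            alerts.append((r["ts"], r["worker"], f"unknown role {r['worker_role']}"))
            continue
        extra = r["fields"] - rule["fields"]
        if extra:
            alerts.append((r["ts"], r["worker"],
                           f"fields {sorted(extra)} outside role {r['worker_role']}"))
        if r["record_status"] == "alumni" and not rule["alumni"]:
            alerts.append((r["ts"], r["worker"], f"alumni record {r['record_id']} out of scope"))
        hour_key = (r["worker"], r["ts"][:13])   # YYYY-MM-DDTHH
        seen[hour_key].add(r["record_id"])
        if len(seen[hour_key]) > max_distinct_per_hour and hour_key not in bulk_flagged:
            bulk_flagged.add(hour_key)
            alerts.append((r["ts"], r["worker"],
                           f"bulk browsing: {len(seen[hour_key])} distinct records in one hour"))
    return alerts


def alerts_by_worker(alerts):
    """Count alerts per worker, the view a reviewer would triage first."""
    counts = defaultdict(int)
    for _, worker, _ in alerts:
        counts[worker] += 1
    return dict(counts)


if __name__ == "__main__":
    found = audit_access(parse_log(AUDIT_LOG))
    for ts, worker, reason in found:
        print(f"{ts}  {worker}  {reason}")
    print(alerts_by_worker(found))
```

On the sample log this yields four alerts: the housing worker viewing grades and then an alumni record, the library worker viewing a schedule with no fields in scope, and the registrar clerk tripping the bulk threshold on the fifth distinct record within the hour. The bulk rule is the one that catches a worker whose individual lookups are each permitted; the threshold is an assumption and should be tuned to the role’s normal workload.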
Dawn Foreman says
To improve the SETA programs in a company that I am familiar with, I would first assess where the company currently stands. Assuming I have done the assessment, I would recommend updating the required videos. By using the same videos, employees already know the answers to the quiz and they try to rush through the videos without actually absorbing the knowledge. I would also recommend more phishing tests. I believe the policy is one phishing email a year as a test, but if you are tested more frequently and randomly, you may be more alert. Lastly, I would recommend more support from management about the importance of security awareness.
Aisha Ings says
When it comes to improving the SETA program at an organization, I would start by holding managers accountable for ensuring their employees complete cybersecurity training, as they play a crucial role in promoting a strong security environment. Security awareness and training should not fall solely on the IT team; instead, it should be a collective responsibility across the organization. By making managers responsible for their teams’ compliance, accountability is introduced at all levels.
Gbolahan Afolabi says
Taking into account that some of the phishing attacks leading to higher impact and losses result from responses or information given by senior management, it is important for information security to be owned by everyone in the organization.
More funding could be allocated to information security programs and campaigns such as SETA if management values information security.
Aisha Ings says
I agree that allocating more funding to information security programs like SETA is essential. When management truly values information security, they’re more likely to care about regular audits and advanced training that keep everyone up to date on the latest threats. This combined approach of responsibility and investment ensures a stronger defense against potential security breaches.