Security icon

Develop a Security Awareness and Training Program That Empowers End Users

Turn end users into your organization’s secret security weapon.

Unlock This Blueprint

View Storyboard

Solution Set Storyboard Thumbnail

Contributors

  • Sky Sharma, CIO
  • Adrien de Beaupré, Certified Instructor and Penetration Tester, SANS Institute
  • Robert Hawk, Information Security Expert, xMatters, Inc.
  • Steven Woodward, CEO, Cloud Perspectives
  • Riddhi Patel, Information Security Analyst, National Life Group
  • Blair Panasiuk, Manager of IT Operations, Dynalife
  • Erich Salie, Information Security Officer
  • David Shipley, Director of Strategic Initiatives, University of New Brunswick
  • Paul Daley, Sr. Analyst for Security Management, Risk and Audit, Toronto District School Board
  • Glen Maxfield, IT Security Manager, Workers Compensation Board of Manitoba

Your Challenge

  • The fast evolution of the cybersecurity landscape requires security training and awareness programs that are frequently updated and improved.
  • Security and awareness training programs often fail to engage end users. Lack of engagement can lead to low levels of knowledge retention.
  • Irrelevant or outdated training content does not properly prepare your end users to effectively defend the organization against security threats.

Our Advice

Critical Insight

  • One-time, annual training is no longer sufficient for creating an effective security awareness and training program.
  • By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.

Impact and Result

  • Create a training program that delivers smaller amounts of information on a more frequent basis to minimize effort, reduce end-user training fatigue, and improve content relevance.
  • Evaluate and improve your security awareness and training program continuously to keep its content up-to-date. Leverage end-user feedback to ensure content remains relevant to those who receive it.

Research & Tools

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should develop a security awareness and training program that empowers end users, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Guided Implementations

This guided implementation is a four call advisory process.

Guided Implementation #1 - Develop your training program

Call #1 - Build a development plan for your training program.
Call #2 - Learn best practices for the execution of development initiatives.

Guided Implementation #2 - Design an effective training delivery plan

Call #1 - Identify possible delivery methods.
Call #2 - Create a training schedule.

Onsite Workshop

Unlock This Blueprint

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Outline the Plan for Long-term Program Improvement

The Purpose

  • Identify the maturity level of the existing security awareness and training program and set development goals.
  • Establish program milestones and outline key initiatives for program development.
  • Identify metrics to measure program effectiveness.

Key Benefits Achieved

  • Identified the gaps between the current maturity level of the security awareness and training program and future target states.

Activities

Outputs

1.1

Create a program development plan.

  • Customized development plan for program.
1.2

Investigate and select metrics to measure program effectiveness.

  • Tool for tracking metrics.
1.3

Execute some low-hanging fruit initiatives for collecting metrics: e.g. create a knowledge test, feedback survey, or gamification guide.

  • Customized knowledge quiz ready for distribution.
  • Customized feedback survey for training.
  • Gamification program outline.

Module 2: Identify and Assess Audience Groups and Security Training Topics

The Purpose

  • Determine the unique audience groups within your organization and evaluate their risks and vulnerabilities.
  • Prioritize training topics and audience groups to effectively streamline program development.

Key Benefits Achieved

  • Created a comprehensive list of unique audience groups and the corresponding security training that each group should receive.
  • Determined priority ratings for both audience groups and the security topics to be delivered.

Activities

Outputs

2.1

Identify the unique audience groups within your organization and the threats they face.

  • Risk profile for each identified audience group.
2.2

Determine the priority levels of the current security topics.

  • Priority scores for all training topics.
2.3

Review audience groups and determine which topics need to be delivered to each group.

  • List of relevant security topics for each identified audience group.

Module 3: Plan the Training Delivery

The Purpose

  • Identify all feasible delivery channels for security training within your organization.
  • Build a vendor evaluation tool and shortlist or harvest materials for in-house content creation.

Key Benefits Achieved

  • List of all potential delivery mechanisms for security awareness and training.
  • Built a vendor evaluation tool and discussed a vendor shortlist.
  • Harvested a collection of free online materials for in-house training development.

Activities

Outputs

3.1

Discuss potential delivery mechanisms for training, including the purchase and use of a vendor.

  • List of available delivery mechanisms for training.
3.2

If selecting a vendor, review vendor selection criteria and discuss potential vendor options.

  • Vendor assessment tool and shortlist.
3.3

If creating content in-house, review and select available resources on the web.

  • Customized security training presentations.

Module 4: Create a Training Schedule for Content Deployment

The Purpose

  • Create a plan for deploying a pilot program to gather valuable feedback.
  • Create an ongoing training schedule.
  • Define the end users’ responsibilities towards security within the organization.

Key Benefits Achieved

  • Created a plan to deploy a pilot program.
  • Created a schedule for training deployment.
  • Defined role of end users in helping protect the organization against security threats.

Activities

Outputs

4.1

Build training modules.

  • Documented modular structure to training content.
4.2

Create an ongoing training schedule.

  • Training schedule.
4.3

Define and document your end users’ responsibilities towards their security.

  • Security job description template.
  • End-user training policy.

Member Testimonials

Unlock Sample Research

After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Client

Experience

Impact

$ Saved

Days Saved

County of Nevada

Guided Implementation

9/10

N/A

1

Town Of Marana

Guided Implementation

10/10

$13,236

80

Palm Beach State College

Guided Implementation

10/10

N/A

5

Capital Regional District

Guided Implementation

9/10

$7,000

7

Pennon Group

Guided Implementation

10/10

N/A

N/A

CIEE, Org.

Guided Implementation

10/10

$13,236

10

Government of New Brunswick

Guided Implementation

9/10

N/A

N/A

Ohio State Bar Association

Guided Implementation

10/10

$2,514

50

Thames Valley District School Board

Guided Implementation

8/10

N/A

N/A

The New York Racing Association Inc

Guided Implementation

10/10

N/A

5

Kinze Manufacturing

Guided Implementation

10/10

$6,618

7

Griffith University

Guided Implementation

10/10

$44,682

20

Lgi

Guided Implementation

10/10

$13,236

10

LiDestri Foods, Inc.

Guided Implementation

9/10

$13,236

10

Surescripts

Guided Implementation

9/10

$2,382

2

Symcor Inc.

Guided Implementation

9/10

N/A

2

Huntington University

Guided Implementation

9/10

N/A

2

Pharmascience

Guided Implementation

9/10

N/A

N/A

Pace Suburban Bus Service

Guided Implementation

10/10

$6,618

5

The New York Racing Association Inc

Guided Implementation

10/10

N/A

5

Northern Trust Company

Guided Implementation

10/10

N/A

N/A

County of Nevada

Guided Implementation

10/10

$2,647

5

Blue Ant Media

Guided Implementation

10/10

N/A

N/A

Soboba Band of Luiseno Indians

Guided Implementation

10/10

$33,091

10

American Systems Corporation

Guided Implementation

8/10

N/A

N/A

Surgi-Care, Inc.

Guided Implementation

9/10

$2,647

10

Mt. Hood Community College

Guided Implementation

10/10

$2,647

2

Canadian National Railway

Guided Implementation

10/10

N/A

10

Lincoln Electric System

Guided Implementation

9/10

N/A

10

U.S. Holdings

Guided Implementation

9/10

$33,091

10