This Research is for Members Only

Not a member? Unlock a free sample of our research now!

Already a member?

Humanize the Security Awareness and Training Program

If it’s not human-centric, you’re not training your humans.

View Storyboard

Contributors

Sky Sharma, CIO
Adrien de Beaupré, Certified Instructor and Penetration Tester, SANS Institute
Robert Hawk, Information Security Expert, xMatters, Inc.
Steven Woodward, CEO, Cloud Perspectives
Riddhi Patel, Information Security Analyst, National Life Group
Blair Panasiuk, Manager of IT Operations, Dynalife
Erich Salie, Information Security Officer
David Shipley, Director of Strategic Initiatives, University of New Brunswick
Paul Daley, Sr. Analyst for Security Management, Risk and Audit, Toronto District School Board
Glen Maxfield, IT Security Manager, Workers Compensation Board of Manitoba

Your Challenge

The fast evolution of the cybersecurity landscape requires security training and awareness programs that are frequently updated and improved.
Security and awareness training programs often fail to engage end users. Lack of engagement can lead to low levels of knowledge retention.
Irrelevant or outdated training content does not properly prepare your end users to effectively defend the organization against security threats.

Our Advice

Critical Insight

Your security training is not creating education, it’s creating information fatigue and, therefore, not getting absorbed.
By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.

Impact and Result

Create a training program that delivers smaller portions of information on a more frequent basis to minimize effort, reduce end-user training fatigue, and improve content relevance.
Evaluate and improve your security awareness and training program continuously to keep its content up to date. Leverage end-user feedback to ensure content remains relevant to those who receive it.

Start here – read the Executive Brief

Read our concise Executive Brief to find out why you should humanize your security awareness and training program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

Humanize the Security Awareness and Training Program – Executive Brief

Humanize the Security Awareness and Training Program – Phases 1-3

1. Assess the maturity level of the security culture

Examine the current security culture and determine future target states.

Humanize the Security Awareness and Training Program – Phase 1: Assess the Maturity Level of the Security Culture

Security Training Program Manual

Security Culture Maturity Assessment and Content Development Tool

End-User Security Knowledge Test Template

End-User Security Knowledge Test Tool

Group Risk and Vulnerability Assessment Tool

Security Awareness and Training End-User Feedback Template

2. Select an effective training delivery plan

Explore methods of training delivery and select the most effective solutions.

Humanize the Security Awareness and Training Program – Phase 2: Select an Effective Training Delivery Plan

Security Awareness and Training Gamification Guide

Security Awareness and Training Roadmap Tool and Participant Tracker

Training Materials – Physical Computer Security

Training Materials – Cyber Attacks

Training Materials – Incident Response

Training Materials – Mobile Security

Training Materials – Passwords

Training Materials – Phishing

Training Materials – Social Engineering

Training Materials – Web Usage

Mock Spear Phishing Email Examples

Security Training Email Templates

3. Build a reporting system and continuously update the training program

Discover the most effective methods for improving a training program after each iteration.

Humanize the Security Awareness and Training Program – Phase 3: Build a Reporting System and Continuously Update the Training Program

End-User Security Job Description Template

Information Security Awareness and Training Policy

Guided Implementations

This guided implementation is a seven call advisory process.

Guided Implementation #1 - Assess the maturity level of the security culture

Call #1 - Perform an end-user group risk assessment.

Call #2 - Assess the current state of the security culture.

Call #3 - Define target state and establish minimum security awareness.

Guided Implementation #2 - Select an effective training delivery plan

Call #1 - Identify possible delivery methods.

Call #2 - Create an implementation timeline and training schedule.

Guided Implementation #3 - Build a reporting system and continuously update the training program

Call #1 - Establish a feedback loop and build accountability for end users.

Call #2 - Create a pilot program and ensure to update and evaluate the program continuously.

Book Your Workshop

Onsite workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost onsite delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

Module 1: Assess the Maturity Level of the Current Security Culture

The Purpose

Identify the maturity level of the existing security awareness and training program and set future target states.
Determine the unique audience groups within your organization and evaluate their risks and vulnerabilities.
Prioritize training topics and audience groups to effectively streamline program development.

Key Benefits Achieved

Identified the gaps between the current maturity level of the security awareness and training program and future target states.
Created a comprehensive list of unique audience groups and the corresponding security training that each group should receive.
Determined priority ratings for both audience groups and the security topics to be delivered.

Activities

Outputs

1.1

Select your executive champion.

Executive champion support

1.2

Evaluate your end users’ current knowledge.

Knowledge of end users’ current knowledge level

1.3

Assess the maturity of your current awareness and training program.

Maturity score of current training program

1.4

Identify your user groups and their corresponding topics.

Chart of audience groups and the security topics that each needs to receive

1.5

Analyze your organization’s current IT environment and set a target state.

List of risks and vulnerabilities for each audience group

1.6

Set a minimum security awareness level and prioritize your topics.

List of prioritized training topics

Module 2: Plan the Training Delivery

The Purpose

Identify all feasible delivery channels for security training within your organization.
Establish program milestones and outline key initiatives for program development.
Create an ongoing training schedule.

Key Benefits Achieved

Outlined a detailed plan for program development, including a timeline for planned initiatives and initiative ownership assignment.
Created a schedule for training deployment.

Activities

Outputs

2.1

Refine your approach to training.

2.2

Identify available delivery methods.

A list of delivery methods to use for training deployment

2.3

Build an implementation timeline and training schedule.

A schedule for completing program initiatives and a schedule for delivering training sessions to the organization

2.4

Create customized training materials.

Customized training materials

Module 3: Outline the Plan for Long-Term Program Improvement

The Purpose

Define the end users’ responsibilities towards security within the organization.
Document results gathered from previous workshop modules.
Create a plan for deploying a pilot program to gather valuable feedback.

Key Benefits Achieved

Defined role of end users in helping protect the organization against security threats.
Finalized security awareness and training program manuals.
Created a plan to deploy a pilot program.

Activities

Outputs

3.1

Create accountability for your end users.

A customized definition of end-user responsibility towards security within your organization

3.2

Document and evaluate your training program.

A training manual containing all information regarding your training program

3.3

Design a pilot program.

A plan for deploying a pilot program capable of harvesting valuable feedback for improving your program

After each Info-Tech experience, we ask our members to quantify the real time savings, monetary impact, and project improvements our research helped them achieve. See our top member experiences for this Blueprint, and what our clients have to say.

Client

Experience

Impact

$ Saved

Days Saved

Testimonial

County of Nevada

Guided Implementation

9/10

N/A

Ian listened and provided helpful suggestions

Town Of Marana

Guided Implementation

10/10

$13,236

Ian was amazing! His knowledge on the subject-area allowed us to go with a product we otherwise would have never known about. I was able to demo different products with staff to ultimately select a solution that we are confident will resonate with our end users. It's very refreshing to speak with someone who is unbiased and ultimately cares about your needs!

Palm Beach State College

Guided Implementation

10/10

N/A

Ben was very helpful and knowledgeable about the subject matter of ?Humanize the Security Awareness and Training Program.?

Capital Regional District

Guided Implementation

9/10

$7,000

Ian is very knowledgeable and was able to assist me by providing best practice solutions to some of the issues that I have run into when implementing Security Awareness Training in the past. Very valuable insights. Also, Ian knew a lot about the various vendors in this space and provided me with very good recommendations and what to look out for. When I mentioned a new vendor in the space that Ian had not heard of he was able to reach out to them to do some initial research and provide me with his initial thoughts. He really went out of his way to help me and made me feel like an important client. I would be very happy to work with Ian again in the future.

Pennon Group

Guided Implementation

10/10

N/A

CIEE, Org.

Guided Implementation

10/10

$13,236

Great session with Ian on how to approach our Security Awareness program. It really helped.

Government of New Brunswick

Guided Implementation

9/10

N/A

Ian was very open to questions and provided helpful answers. Ian also provided good follow up material after the call.

Ohio State Bar Association

Guided Implementation

10/10

$2,514

Best part was Ian's advice, and reassurance that we were not the only client with gaps in our security knowledge. Worst part was trying to get dialed in to the conference bridge, but that turned out to be a problem on our end, not WebEx.

Thames Valley District School Board

Guided Implementation

8/10

N/A

The New York Racing Association Inc

Guided Implementation

10/10

N/A

Ian provided very valuable feedback and guidance, from features, pricing and rollout methodology prospective, on what should I be looking for in a Cyber security training program. I was able to find a suitable vendor and are now in process to roll out program here at NYRA.

Kinze Manufacturing

Guided Implementation

10/10

$6,618

There was no bad. I'd like to give you something to improve on, but it was professional, informative, and there was good follow up. I thought I knew who to look at but I was wrong. My current leader is a company Ian turned me onto.

Griffith University

Guided Implementation

10/10

$44,682

Ian Mullholland undertook a very detailed review of Griffith University's cyber awareness plan and provided valuable insights and feedback based on best practice review and very helpful suggestions in avoiding commonly biased areas in terms of measurement and evaluation of statistical results Ian also gave deep insights into some of the ways we can improve our application of our cyber awareness plan applied to our extensive cohort which will help ensure the success of the plan.

Lgi

Guided Implementation

10/10

$13,236

The best part was the reinforcement of what we are currently doing. No bad parts

LiDestri Foods, Inc.

Guided Implementation

9/10

$13,236

Surescripts

Guided Implementation

9/10

$2,382

It was a good discussion. I was looking for the silver bullet and there really isn't one for all of the roles that might be appropriate for a roles based training program. Good starter discussion though.

Symcor Inc.

Guided Implementation

9/10

N/A

Huntington University

Guided Implementation

9/10

N/A

Ian's assistance in walking through the process and providing suggestions and input in many different areas was invaluable.

Pharmascience

Guided Implementation

9/10

N/A

Pace Suburban Bus Service

Guided Implementation

10/10

$6,618

Ian's insight and recommendations regarding Pace security awareness initiatives that will help steer them to a greater chance of success.

The New York Racing Association Inc

Guided Implementation

10/10

N/A

Ian was great. We covered everything I wanted to discuss on our call. He gave valuable feedback and some great ideas that we will be considering when we roll out our training program.

Northern Trust Company

Guided Implementation

10/10

N/A

I was not able to provide a response for question 2 and 3 as I will not know the time or cost savings until we implement. However, the meeting was great as I received insightful information that I can use to improve my metrics area of our security awareness program.

County of Nevada

Guided Implementation

10/10

$2,647

Appreciate Ian listening to my needs/wants. Finding something to take away or for him to find for me. And hearing how/what others have learned from doing a similar initiative.

Blue Ant Media

Guided Implementation

10/10

N/A

Extremely impressed with the amount of information Ian readily provided. Ian was very clearly knowledgeable in the topic discussed but, what I most appreciated was that he maintained a comfortable conversation where there was no judgement in my lack of knowledge. A thank you does not suffice for how great this first call with Ian was.

Soboba Band of Luiseno Indians

Guided Implementation

10/10

$33,091

American Systems Corporation

Guided Implementation

8/10

N/A

Surgi-Care, Inc.

Guided Implementation

9/10

$2,647

Very informative call. Our rep gave me real examples from other companies he's worked with and was very helpful.

Mt. Hood Community College

Guided Implementation

10/10

$2,647

Best part was info shared and access to tools. This will save us time in creating new materials and we will have tools that follow best practices and have been vetted. There was no worse part of the experience. All good.

Canadian National Railway

Guided Implementation

10/10

N/A

Lincoln Electric System

Guided Implementation

9/10

N/A

U.S. Holdings

Guided Implementation

9/10

$33,091

Ian was very helpful, opening my eyes to the concept of outsourced training program. With properly trained employees I anticipate a reduction in security incidents that will result in an annual saving of about $25,000