Ultimate Guide: Security Awareness Training | KnowBe4 (2022)

How To Run A Successful Program In Your Organization

Critical Components of a Security Awareness Program

  1. Content - Content is king! As humans we all prefer different types and styles of content. Don’t approach content in your program as one size fits all. Match different content types to different roles in your organization.
  2. Executive Support & Planning - Materials that will help you continue to prove the value of the program to your executive team, and also to show auditors/regulators that you are doing the right thing.
  3. Campaign Support Materials - A successful program shouldn’t be ‘one and done’, treat it as a marketing endeavor. Once-a-year, ‘check the box’ training will not work toward changing user behavior. Continuously presenting the information in different ways, when it coincides with the context of their life, is what will influence their decisions and make it EASIER for users to make smarter choices.
  4. Testing - People need to be put in a situation where they will have to make a decision that will determine if the organization gets breached or not. Phishing simulations prompt users to either click a link, report the phish, or do nothing. You want to give them an opportunity to report phishing attempts and help the organization increase resilience. If they do fall for the phish, you want the ability to do training then and there to create a learning moment. Doing nothing isn't ideal as it leaves the potential threat out there and there's an opportunity for others in the organization to click.
  5. Metrics & Reporting - You need to be able to show you are closing security gaps. Reporting is also useful for optimizing campaigns based on past results. You want to be able to see what is working well and what can be improved upon.
  6. Surveys/Assessments - These types of tools can help you understand the attitudes of your organization and how well your program is resonating with your people so you can adapt. Think of it as a pulse check of subtle nuances that are different than metrics/reporting such as opinions, frame of mind, etc.

Here's a sobering truth: Your awareness program and content are the visible ‘face’ of your department to the rest of the organization. Especially if you are in a larger organization, a good portion of your coworkers don't know you, they only know what your department produces. For that reason, it HAS to be as good or better than anything else the organization is doing. Otherwise, security is seen as 'other', unimportant, an afterthought.

Program Development

Learning doesn't just happen at one point in time, we need to think about the entire context of user experience. Consider this 70:20:10 model for learning and development:

Ultimate Guide: Security Awareness Training | KnowBe4 (1)

  • 10% Formal - Structured learning, LMS courses, training days, etc. This is about the maximum amount of time you can allot per user for formal training. You need to be thinking about ways to address the other 90% of someone's experience in the organization.
  • 20% Informal - This would include asking others, collaborating, webinars, watching videos, reading, etc. Think about how to build an informal community for users to know where to go to get the information they need when they are actually seeking it out.
  • 70% Experiencial - On-the-job, social, in the workflow, corporate and departmental culture. From a security aspect, if we are ignoring that 70% social/cultural component, we're putting ourselves at a disadvantage. Think about ways to address that entire 100%. Vendor support systems can help.

The Five Moments of Need

  1. For the first time
  2. Wanting to learn more
  3. Trying to apply knowledge and/or remember
  4. When something goes wrong
  5. When something changes

Think About Learner Profiles/Segments Where Possible

The types of information and cultures of different departments vary. You need powerful ways to split your user population into groups. This allows you to measure them and train them in ways that best resonate with their individual needs and learning styles.

"3 truths about human nature. We’relazy, social, and creatures of habit. Design products for this reality." - BJ Fogg, Behavioral Researcher

The Four Stages of Competence

  1. Lack of Awareness - Unconscious Incompetence or "I don't know that I don't know something." They are blissfully unaware and their behavior will reflect that.
  2. Awareness - Conscious Incompetence or "I know that I don't know something." They now realize they don't have all the knowledge and tools they need. We can hope that will move them to the next stage.
  3. Step-by-step - Conscious Competence or "I know something, but I have to think about it as I do it." They either need to access stored information or really intentionally weigh all the options then come to the right conclusion.
  4. Skilled Stage - Unconscious Competence or "I know something so well that I don't have to think about it." This is where most of us are with pattern-based behaviors like driving, brushing our teeth, etc. At some point these things were difficult, and we can actually build up to this stage.

Ultimate Guide: Security Awareness Training | KnowBe4 (2)

(Video) Cyber Security Awareness Training For Employees (FULL Version)

The problem is that traditional programs fail by leaving users to linger in stages 1 and 2. Design your program to push them all the way through to stage 4. Getting users to stage 4 with constant training and simulation is ideal and cultivates the kind of behavior that can protect you from a breach.

Plan like a Marketer. Test like an Attacker.

Multi channel campaign - different types of content at different times targeting different audiences going through different channels so you have a constant barrage of information and working within the context that those different people are in. You need to be constantly building reflexes and building muscle memory for your people, which is where the testing component comes in. No matter which tool you use, even if you are using a homegrown program, you need to send a social engineering test like a phishing test to users at least every 30 days. By doing both training and testing, you are running a hearts and minds campaigns like a marketer would. Over a period of time through different channels/mediums you can start building influence in the mind. Supplementing that with frequent phishing attacks you are building the muscle memory on top of that so users naturally react in the right way. That's the key to building resilience.

Ultimate Guide: Security Awareness Training | KnowBe4 (3)

Variety of Content

More than just formal training

When you think of security awareness training content, the first thing that comes to mind is probably traditional courses in an LMS. It's so much more than that! Other examples include videos, games, blog, webinars, posters, messaging on swag, self-produced content, newsletters, email content, etc. Anything you can deliver that conveys your message and elicits some kind of thinking, engagement or reaction is considered content.

Make your content interesting and relevant to your uses

This is important when it comes to training because if content isn’t appealing to the audience it’s in front of, it doesn’t feel relevant to them and won’t stick with them. Relevance is key. The human mind learns through storytelling, security awareness training is no different. A story contains contextual information that a boring, written policy simply cannot. People learn in many different ways and naturally gravitate toward different types of content, so it makes sense that if you use a one-dimensional approach in training, you are going to lose a huge part of your audience. You want to come to the learner with content suited for them rather than try to make them learn in one certain way.

(Video) Information Security Awareness | Training For Employees

And don’t just add more content for the sake of having more content. A diverse portfolio of different types of content will get the message to resonate. Repetition is key for knowledge to stick, and you need to have variety to go along with a repetitive message. Showing the same exact course over and over isn’t going to make much of a difference. If you're not sure where to begin, you're not alone. Many vendors can provide recommendations and best practices. Start there and adjust over time according to what works for your environment.

Avoid Potential Pitfalls in Phishing Your Users

Five Principles to build positive anti-phishing behavior management programs

Ultimate Guide: Security Awareness Training | KnowBe4 (4)

Shifting organizational behavior requires a recognition that simply exposing employees to security-related information will never be enough. Instead, it is imperative to train secure reflexes through intentional and methodical simulated testing so that employees are continually exposed to the situations in which you hope they will exhibit secure behavior.

Some security and organizational leaders might be hesitant to phish their users, fearing that end-users or managers could react negatively to the experience. In fact, some organizations may even have horror stories of phishing simulations that have backfired, resulting in more harm than good. Yet, security leaders, auditors, and adult-learning experts agree that the best way to train secure reflexes is through simulation (not information).

It is possible to work through concerns related to simulated phishing and, in fact, make the experience positive for end-users and management alike. Use the following five principles to build a positive anti-phishing behavior management program:

  1. Frame the program with a positive tone: the way that employees react to simulated phishing events is directly related to the way that you message the program. If employees feel that your main goal is to trick them and make them fail, then they will view you as an adversary. It is much better to position your program as something that you are doing for the good of the organization and the employees within it. In short, your message is that you are running these campaigns for the same reasons that you conduct events like fire-drills. For people’s ultimate safety and preservation.
  2. Be intentional about your ‘post click’ landing pages: The time immediately following a phishing test failure is your most critical messaging moment. Employees will naturally feel the most vulnerable and sensitive when they’ve fallen for a simulated attack. If you are directing them to a landing page that lets them know they’ve failed, it is important that you account for their heightened emotional state. Use the learning moment – but be extra careful not to heap shame on the employee. Instead, be friendly and to the point. Additionally, your messaging for any follow-up training should not be framed in shame or condemnation; it should remind them of the program, why tests like these are important, and how we all struggle to retrain human nature.
  3. Empower them with new behaviors: Give your employees the power to build new behavioral patterns by offering them replacement behaviors. Humans struggle with simply removing a behavioral pattern. It can actually be easier to replace one behavior with another. For phishing simulation tests, we consider it best practice to have your employees report the simulated phish by clicking on our free Phish Alert Button (PAB). This not only gives them a replacement behavior, but can also give them a positive reinforcement by displaying congratulatory message for reporting the simulated phish. For organizations that have not deployed the PAB, train them to think, “when in doubt, throw it out,” so that their replacement behavior is simply deleting emails that are worrisome.
  4. Measure and train at their individual competency – and train for improvement: In all organizations, there are different levels of employee sophistication in detecting simulated phish. You will have some employees who almost never fall victim to phishing tests, and some who fall victim much more often. Because your employees have different levels of maturity in detecting phish, it can be extremely useful to train employee groups at their current level of competence, so they can improve. For the same reason that we don’t expect grade school students to do college-level math, we shouldn’t expect employees to immediately become expert phish detectors. Consider a tiered system of phishing training for your users to train them according to their current level of competence and allowing them to grow over time.
  5. Phish frequently: A pattern of frequent simulated phishing tests let employees know simulated phishing is a part of your security culture -- that this is standard practice because frequent training provides the best chance at developing proper reflexive behaviors. Organizations that only conduct yearly or quarterly simulated phishing are actually only performing baselining measurements – not training secure reflexes. Monthly – or, better yet – bi-weekly simulated phishing training will let employees know that they should always be on the lookout for the next phish to land in their inbox, and that they can always show improvement because the next test is not far away.

Creating your anti-phishing behavior management program according to these five principles will ensure that your program is seen as something that builds-up employees rather than tearing them down. These principles are aimed at recognizing that humans can become an effective last line of defense for your organization when given proper training, motivation, and support.

Avoid these top 10 security awareness training program fails

We want you and your employees to enjoy the benefits of a great security awareness training program without experiencing the pain and setbacks associated with missteps. Set your organization up for success by avoiding these common security awareness program fails:
  1. Avoid singling out users that click on a phishing link and making a public example of them. Do not punish employees that make mistakes early on.
  2. Avoid sending phishing campaigns only every 90 days. Quarterly phishing tests really just take a baseline, whereas phishing users at least once a month is an effective method to groove in making smart security decisions.
  3. Avoid sending the same phishing template instead of randomizing the templates to each user, and running campaigns on predictable times like every Monday afternoon.
  4. Avoid starting out with 5-star phishing templates that are too difficult to identify.
  5. Avoid sending only phishing attacks and overlooking stepping users through interactive training.
  6. Avoid forgetting to emphasize that this program will also help your users to keep their family safe online.
  7. Avoid forcing the program through your users throats, and bypassing getting C-level air cover for the program. You want as much buy-in from the get-go as possible.
  8. Avoid neglecting to inform key stakeholders, department managers and tech support before you send the initial baseline test.
  9. Avoid not reporting the positive results to the stakeholders with graphics that show improvement over time.
  10. Avoid not having a good procedure / process that allows users to report phishing emails that they found in their inbox, and not having a Social Engineering Incident Response program.

Follow these guidelines to ensure the success of your program. Need help getting started? KnowBe4's Automated Security Awareness Program takes away all the guesswork. Answer 15-25 questions about your goals and organization and get your customized program in just 10 minutes!

(Video) Employee Security Awareness Training

* This list is also available as aninfographic

How to Gain and Maintain Executive Support for Your Security Awareness Program

How to work through "push back" when seeking to implement security awareness and training programs

Ultimate Guide: Security Awareness Training | KnowBe4 (5)

With so many regulations and audit standards requiring organizations to provide critical security-related information and training programs for their employees, it can be shocking that security leaders often encounter high-level "push back" when seeking to implement security awareness and training programs.

To overcome this situation, propose your program in a way that addresses executive concerns, links to corporate objectives, and tells a story. This is accomplished in three steps:

  1. Seek first to understand

    Habit five of Stephen Covey's "Seven Habits of Highly Effective People" states, "Seek first to understand, then to be understood." Dr. Covey writes,

    "If you're like most people, you probably seek first to be understood; you want to get your point across. And in doing so, you may ignore the other person completely, pretend that you're listening, selectively hear only certain parts of the conversation or attentively focus on only the words being said, but miss the meaning entirely. So why does this happen? Because most people listen with the intent to reply, not to understand. You listen to yourself as you prepare in your mind what you are going to say, the questions you are going to ask, etc. You filter everything you hear through your life experiences, your frame of reference. You check what you hear against your autobiography and see how it measures up. And consequently, you decide prematurely what the other person means before he/she finishes communicating."

    It is vital to recognize that most business leaders (and end users) simply will not care about security in the same way that a security professional does. People don't care about security for the sake of security alone. What they care about is the result that a sound security strategy can provide and the impacts/risks associated with the lack of a sound security strategy. Use this understanding to inform the methods that you use to engage the organization and business leaders.

  2. Take Genuine Interest and See the Motivation Behind Any Concerns
    So, what motivates a business leader? The answer is: business risks and business outcomes. Therefore, it is helpful to position your security awareness and training program in this context. To do this, consider highlighting the following:
      • Issues associated with behavior-related risks. It's important to speak to the traditional factors related to the possibility of data breach and negative PR. But don't stop there — behavior-related risk is broader and gets into areas related to system stability, continuity of operations, employee morale and productivity, proper handling of intellectual property, and more.
      • Regulatory and audit requirements. Here is where you get to highlight the slew of regulations and audit requirements that mandate awareness and training programs.
      • Industry best practice and competitor benchmarking. Decision makers are very interested in understanding where their organization stands relative to peer organizations. A few data points that decision makers may find interesting include: what are the standard topics that organizations like us train on? What is the average phish-prone percentage for organizations like ours, and how do we compare? What are the greatest behavior-related risks for organizations like us? How much do other organizations spend on security awareness and training programs?
      • A sense of respect for everyone's time. Time is your employee's most valuable resource. It's important that your security awareness and training program respect this fact by not exposing employees to information that is irrelevant or unnecessary. Where possible, provide data points to demonstrate that your awareness and training efforts will have a positive payback for the organization.
      • Evidence that you have an informed plan. Give your executive team confidence in your program by eliminating as much uncertainty as possible. Often, security leaders embark on awareness and training programs that are amorphous and without a clear sense of direction. Eliminate uncertainty and/or smooth-out any potential future conflicts by sharing a well-formed plan that removes the guesswork.
  3. Connect Your Security Awareness Program to Organizational Outcomes
    Where possible, you need to speak the language of "the business" and report in a way that shows relevance to organizational outcomes. Notice that this is directly related to the other points mentioned in this article. In order to report in a relevant way, you first need to understand your organization's targets and the agreed-upon risks.

    When reporting your security awareness successes, continue to remind the executive team why the program is important, and how the activities and metrics connect with the motivations outlined in points 1 and 2, above. In the end, many of the metrics can be the same as you would normally report (for example, course completion rates, phishing test outcomes, and so on), but the difference here is that you are able to put these numbers into context. This context is used to tell the story of how your security awareness and training program is strengthening the overall security culture of the organization, thereby reducing risk, potentially increasing productivity, and having a positive impact on the organization's ability to execute.

"Culture eats strategy for breakfast." - Peter Drucker, Management Consultant, Educator and Author

(Video) The Best Free One Hour Security Awareness Training Ever

Maintaining Executive Support for Your Program

Communication Strategy is Key

Any time you are presenting data numbers, don’t leave the interpretation up for chance. The ‘what’ is the data, with every ‘what’ comes a so what? meaning what does that data actually mean? and a now what?, or what do we do in light of that information? Any time you have a what, you need to answer the so what and the now what, otherwise you’re leaving one or both of those things up for interpretation and that’s a chance you cannot afford to take. Your communication strategy throughout the whole process is key. You want to tell a memorable story, the moral being you need security awareness training. Use statistics and charts and graphs to support that story.

Capturing Executive Attention

What’s in it for them - Answer the "so what" question. Answer specifically for each member of the executive team what is going to matter most for them with the output of a security awareness training program. This can be talked about positively - increased resiliency that leads to stabilization of environment, higher employee productivity or negatively - pain that can be avoided when this is done right (data doesn’t get exposed, users don’t get compromised, etc.).

Outline clear connections - Showing connection between the action of training and things that are important for that executive. Could be a specific system, business outcome, specific project, a regulation they are accountable for.

Measurement and stories - Talk about what is going to be measured, how it will be presented, and use that to get into the morality (this is what goes wrong without a security awareness program, here is what can go right, etc.)

Be on the Lookout for Ways To:

  • Align your program to the organization’s strategy, mission, and initiatives. This can get heads around the table nodding.
  • Tie your program to compliance requirements. For most major security best practices, audit requirements and regulatory requirements, security awareness training IS a requirement.
  • Use current events and stories about organizations that are similar to yours in terms of industry, size, or other demographic characteristics. Note: Be careful not to do this in a way that will be perceived as alarmist or as fear mongering. The closer to home it feels, the more real it becomes in their minds.
  • Map your program to established industry best practices (such as the NIST Cybersecurity Framework, the National Association of Corporate Directors guidance on cybersecurity, and so on).

Use SMARTER Goals

Show that you are being very intentional about starting your program and you will more likely get the support, budget and resources you need to get it started. Use a SMARTER goal-setting framework, goals should beSpecific, Measurable, Actionable, Risky, Time-keyed, Exciting and Relevant.

Goals like "The goal is to reduce our phish-prone percentage" or "To be able to engage employees so they are more aware of the risks and threats around them" are not specific or measurable and are certainly not exciting. An example of a SMARTER goal would be: We are going to reduce our phish-prone percentage from an initial baseline of 30% down to 15% within the next 45 days. You will know for sure whether you’ve hit the goal or not once that 45 days is up. With this framework in mind, it is much easier to build out your training plan and reporting schedule around these types of goals.

Brainstorming Worksheet for Gaining Support

We recommend filling something like the below sheet out for each executive you need to get buy-in from. This isn’t to share with anyone, it’s a tool for you to help before you start meeting with your executive team. Find ways to amplify their value proposition and address or minimize their concerns early on. Try to have one-on-one conversations before you officially ask for support so there are no major surprises when that time comes.

(Video) Human Error's Guide to Keeping Security Simple - Mimecast Security Awareness Training

Ultimate Guide: Security Awareness Training | KnowBe4 (6)

It's a Marathon, not a Sprint

It's very important that you present this as an ongoing program from the very beginning - not a one and done. Think about the difference between an event and an ongoing effort… and the difference between a sprint and a marathon. Time and consistency make a BIG impact in changing behavior for the better.

FAQs

What is the main purpose of security awareness training? ›

Security awareness training is a formal process for educating employees and third-party stakeholders, like contractors and business partners, how to protect an organization's computer systems, along with its data, people and other assets, from internet-based threats or criminals.

Why are humans still the weakest link despite security training and resources? ›

Why are humans still the weakest link despite security training and resources? Threat actors spend their days thinking of new ways to exploit human vulnerabilities and are rewarded for their innovation. Average people do not spend all their time thinking about security and may feel powerless in preventing attacks.

How long is the KnowBe4 training? ›

Our 15-, 30- and 45-minute basic training modules specialize in making sure employees understand the mechanisms of spam, phishing, spear-phishing, malware and social engineering, and are able to apply this knowledge in their day-to-day job.

What are the common tools used to create or increase security awareness? ›

Answer: The common tools used to create or increase security awareness are newsletters, blog postings, and newsfeeds.

Why physical security is considered the first thing first in security? ›

Physical security's main objective is to protect the assets and facilities of the organization. So the foremost responsibility of physical security is to safeguard employees since they are an important asset to the company. Their safety is the first priority followed by securing the facilities.

Which three activities pose a potential security threat to users? ›

Question 9: Which three activities pose a potential security threat to users? (Choose three.)
  • Reading an online journal from a public library computer.
  • Using your own portable charger in a public place.
  • Doing your banking on your laptop from a friend's secured home network.
Jun 9, 2021

Why do I need KnowBe4? ›

Only KnowBe4 enables REAL phishing simulations that teach your users how to watch out for phishing scams from the brands they are most familiar with. With the world's largest library of phishing and email templates, you are well-equipped to deliver real-world testing campaigns that help your employees learn fast!

Who are KnowBe4 competitors? ›

Top KnowBe4 Alternatives
  • Cofense.
  • SANS Institute.
  • PhishLabs.
  • Broadcom (Symantec)
  • Sophos.
  • Infosec.
  • Rapid7.
  • Proofpoint.

How much does security awareness training cost? ›

Security Awareness Training is relatively inexpensive, ranging from $10-$60 per employee per year. Compare that to the average ransomware payment of $170,000 or to the cost of downtime per hour, and security awareness training for your employees is a worthwhile investment.

What is basic security awareness? ›

Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization.

What are the top three outcomes An organization should have for security training in an organization? ›

Outcomes are organized into the three categories of: Enabling the Business, Managing Risk, and Operating Efficiently.

What is the importance of security? ›

Effective and reliable workplace security is very important to any business because it reduces insurance, compensation, liabilities, and other expenses that the company must pay to its stakeholders, ultimately leading to increased business revenue and a reduction in operational charges incurred.

Are humans the weakest link in cyber threats? ›

When it comes to securing their organizations, CISOs need to focus on the human in the loop. According to Proofpoint's 2022 Human Factor report, 55% of U.S. workers admitted to taking a risky action in 2021.

What is the weakest link in the security chain? ›

Anyone with access to any part of the system, physically or electronically, is a potential security risk. Security is about trust, and trust is generally considered the weakest link in the security chain.

What is considered the weakest link in cybersecurity? ›

Your employees are the weakest link in your cybersecurity chain.

What do you think is the weakest link in the technology? ›

Technology is important, but the old expression that "humans are the weakest link" in any cybersecurity program seems truer than ever. Employee training is a critical line of defense as cybercriminals continue to prey on remote workers.

Videos

1. Cyber Security Awareness Training
(Texas Municipal League Intergovernmental Risk Pool)
2. Cybershare: Security Awareness Training and Awareness | Part 2 – Security Training
(Kaspersky)
3. Security Awareness Training for Employees: An Overview
(CompTIA)
4. Demo: The Best FREE Security Awareness Training For Employees - 2022
(Wizer - Security Awareness Training)
5. Avoid These 10 Common Security Awareness Training Program Fails
(KnowBe4)
6. Security Awareness, Education, and Training
(Tom Olzak)

Top Articles

Latest Posts

Article information

Author: Fredrick Kertzmann

Last Updated: 08/27/2022

Views: 6277

Rating: 4.6 / 5 (46 voted)

Reviews: 93% of readers found this page helpful

Author information

Name: Fredrick Kertzmann

Birthday: 2000-04-29

Address: Apt. 203 613 Huels Gateway, Ralphtown, LA 40204

Phone: +2135150832870

Job: Regional Design Producer

Hobby: Nordic skating, Lacemaking, Mountain biking, Rowing, Gardening, Water sports, role-playing games

Introduction: My name is Fredrick Kertzmann, I am a gleaming, encouraging, inexpensive, thankful, tender, quaint, precious person who loves writing and wants to share my knowledge and understanding with you.