9 tips, tricks and must-haves for security awareness programs

What are the essential ingredients for making a security awareness program successful? Check out these 9 tips from CSO contributors on how to make awareness work in your organization.

Counting pencils
Credit: Thinkstock
Metrics

"One of the key factors in having a successful effort is being able to prove that your effort is successful. The only way to do this is to collect metrics prior to initiated new awareness efforts," according to Ira Winkler and Samantha Manke of Secure Mentem.

As the team outlines in the recent article The 7 elements of a successful security awareness program, these metrics can include surveys on attitudes. They could also include the use of phishing simulation tools to include pre and post awareness training. You can also examine the number of security related incidents, such as attempted visits to banned websites. 

Fish of a different color
Credit: Thinkstock
Flexibility

"When people discuss awareness, they usually focus on just prevention — they're trying to implement the idea of the 'human firewall,'" according Lance Spitzner, training director of SANS Institute's Securing the Human program and author of 5 myths about awareness. “While prevention is important, why limit ourselves? Why not train people to become human sensors as well?”

Spitzner recommends teaching employees about indicators of a compromise and having them report potential incidents.

"For example, if you are doing phishing assessments internally, you should not just track how many people fall victim, but also how many detect and report the attacks. Just think how much stronger your organization would be then," he said.

Some allowance of rule breaking

Rule-breaking within an organization can actually increase awareness, argues Security Catalyst Michael Santarcangelo.

To make this work in a business setting, Santarcangelo suggests the following:

-Select the 'right' rule to break: find something that is not likely to cause damage while allowing individuals to get the experience necessary to understand the outcome (the consequences of their actions).

-Make it a special event (and not a routine): acknowledge that they get a shot to break a rule because they are respected, but that it comes with conditions (some structure).

-Engage in a conversation, not a lecture; learn from their experience and use it as a basis to reach a common understanding on the purpose of the rule.

Person summits mountain
Credit: Thinkstock
A challenging new approach

"Most awareness programs in the past have failed to change behavior," said Spitzner. "However, that is because most programs in the past were not designed to change behavior. Their only goal was to meet compliance requirements, to check the box. As a result, the absolute minimum was invested."

"These bare-minimum awareness programs are the ones where someone runs a single PowerPoint presentation once a year, or perhaps sends out a quarterly security awareness newsletter," Spitzner continued.

For an awareness program to effectively change behavior, Spitzner said organizations need to create programs that are designed from the ground up to change behavior.

Board room
Credit: Thinkstock
C-Level support 


Awareness programs that obtain C-level support are more successful, according Winkler and Manke.

"This support inevitably leads to more freedom, larger budgets and support from other departments," they note. "Anyone responsible for running a security awareness program should first at least attempt to obtain strong support, before focusing on anything else."

Crew team
Credit: Thinkstock
Partnering with key departments 


Winkler and Manke also urge organizations looking to implement a successful awareness program to involve other departments, such as legal, compliance, human resources, marketing, privacy and physical security. These departments frequently have mutual interests and might be amenable to providing additional resources, such as funding or distribution. The can also make security awareness efforts mandatory. 

artist painting
Credit: Thinkstock

Creativity 


Creativity is a must, according to Winkler and Manke.

"An example of creativity includes the use of a security cube during a company event. The security awareness department set up a mock cubicle, with 10 common security violations, in the main hallway. Employees who could identify all 10 violations were entered in a prize drawing."

Stopwatch
Credit: Thinkstock
An effective time frame

Winkler and Manke say while most security awareness programs follow a one-year plan, those plans also attempt to cover one topic a month. They recommend a 90-Day plan – which reevaluates the program and its goals every three months.

"The most successful program focuses on three topics simultaneously that are reinforced regularly throughout the 90 Days. Every 90 days, the program is reevaluated to determine what topics need to be addressed moving forward."

laptop next to iPhone
Credit: Thinkstock
A multimedia approach

One size will not fit all when it comes to reaching different employees.

"The most successful programs are not only creative; they rely on many forms of awareness materials," said Winkler and Manke. "This includes newsletters, posters, games, newsfeeds, blogs, phishing simulation, etc. The most participative efforts appear to have the most success."