Build an Enterprise IT Security Training Program

Presentation transcript:

IT Security Training

Over 50% of security breaches are caused by end-user error and ignorance; these can be costly and embarrassing. Most end-user breaches are preventable with proper IT security training. Companies tend to neglect the importance of constant reinforcement of the training and testing. Annual training that is supplemented by “microtraining,” or training that is done on a regular basis, is far more effective.

Those who should read this:
- Clients looking to put an IT security training program in place.
- Clients that want to improve their current IT security training program.
- Clients that want to learn how other companies are performing their IT security training.
- Clients who have experienced security breaches caused by end-user negligence or ignorance.

At the end, you will have:
- A better understanding of end users and their IT security training needs.
- An outline of the organization’s IT security training goals.
- Specific IT security topics to cover and the delivery method(s) to use.
- End-user testing best practices.

Executive Summary

- IT security training is necessary in all organizations, regardless of size, industry or complexity.
- Evaluating the organization and its end users is a key step to determining what training the organization needs. There are four main classes of end users; determine which classes are present in your organization in order to tailor the training to best meet their needs.
- Keep IT security training simple. Adjust training to the level of the end users. Create training programs geared toward the least knowledgeable end users in your organization.
- Informal and computer-based training are the most successful at improving end-user security performance. Build these methods into your training program.
- Formal training coupled with microtraining and testing is the best way to keep security training fresh in the minds of end users. Testing end users results in significant improvements in training retention.
- 45% of companies that performed some degree of IT security training saw significant improvements in their end users’ IT security knowledge.

Create an Employee Training Program

- Establish Needs
  - Assess, Interview and Analyze
  - Classify End Users
  - Set Goals and Needs
- Create an Employee Training Program
- Delivering and Maintaining Training
- Case Study
- Appendix

Most security breaches are a result of end-user error: IT security training programs can help

Over 50% of all security breaches are a direct result of end-user error. Improve organizational IT security by providing adequate IT training to employees. Companies that perform end-user security training see significant improvements in their end-user knowledge. Regardless of company size and industry, all companies can benefit from improving their current IT security training methods.

All companies require some degree of IT security training. Companies with no training practices should follow the guidelines in this report to create training programs. If training programs are already in place, consider adopting microtraining and testing practices to see improvements.

When developing training, be sure to assess needs before creating the program

PHASE 1: Establish Training Parameters
- Determine needs and training goals: Determine the organization’s training needs; to do this, find the problem areas in your organization. Bring all of the groups in the organization together to create a list of desired training goals.

PHASE 2: Create the Program
- Assign a champion to the initiative: Get a C-level executive on board with the training program; a high-level champion will make it easier to get needed resources. Determine which department will lead the training program.
- Determine what topics to address: Choose the topics on which the organization will perform the training. Training topics will be different for each organization depending on a number of variables.
- Choose a training delivery method: Choose training delivery methods that suit the topics to be covered. Consider how end-user IT security knowledge will affect different training delivery methods.

Assess, interview & analyze to determine security problems & needs

ASSESS
Perform an assessment to determine users’ level of security knowledge or experience:
- Online quizzes: comprehensive tests or a series of mini-tests.
- Guerrilla testing: tests that are performed without end-user knowledge in order to see how employees respond to threats and attacks. This form of testing includes e-mails that look like phishing attempts or other forms of e-mail attacks, and suspicious phone calls requesting confidential information.

INTERVIEW
Collect anecdotal and qualitative evidence from managers and staff; sometimes what people know is quite different from what they actually do. This information might not get captured in a quiz or test. It will give insight into how employees feel about known rules. If employees think the rules are impractical and have no value, then the organization needs to gain employee acceptance.

ANALYZE
Review recent changes in the organization by performing a PEST (Political, Economic, Social, and Technological) analysis. The PEST analysis will provide you with a snapshot of the organization’s current environment. Ensure that the following topics are also addressed in your analysis:
- Recent organizational threats and security breach attempts.
- The impact of recent organizational mergers and acquisitions.
- The security impact that any recent downsizing has on the organization.
- The security impact that any recent hiring has on the organization.

Classify end users to provide training that best meets their needs

Determine into what class your end users fall. This will help set training goals and requirements. Classify users by analyzing the information gathered in the needs and goal setting step. There are four classes of end users: Champions, Laggards, Objectors and NIMBYs (Not In My Back Yard). It is possible to have more than one type of end user within an organization.

The four classes are laid out by knowledge base (low or high) against acceptance of the security policy (low or high):

Laggards (low knowledge base, high acceptance): Focus on educating these end users. Since they have a high acceptance level, not much focus is required to encourage them to participate.

Champions (high knowledge base, high acceptance): Focus on modifying their current IT security knowledge to meet the needs of the organization’s IT security policy.

NIMBYs (low knowledge base, low acceptance): Create a training program that focuses on education and the importance of abiding by the organization’s security policy.

Objectors (high knowledge base, low acceptance): Focus on increasing end-user acceptance of the organization’s security policy.

Define clear goals to ensure a focused training program

Use the information gathered from the organizational security assessment to set realistic goals and objectives for your training project. Don’t be shortsighted; these goals should cover all aspects of the IT security training program.

Decide on the following goals and objectives:
- End-user behaviors that should be exhibited after training.
- Expected level of improvement in end-user knowledge.
- Security requirements and expectations for each department.
- Date by which training must be complete.
- Milestones to ensure that training stays on track.
- The results, beyond testing, that the organization will use to track success.

Use Info-Tech’s Establishing Training Parameters Template to record information gathered in this section

The Establishing Training Parameters Template will consolidate all of the information that is gathered in this section. Use this tool when creating and structuring the actual training program. The information contained will help determine the following:
- The training topics that should be covered.
- The best method(s) of delivering the training.

The tool will walk you through three main areas:
- Identifying security issues in the organization
- Classifying end users
- Organizational goals and needs
