Humanize the Security Awareness and Training Program

Humanize the Security Awareness and Training Program
If it's not human-centric, you're not training your humans.
Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © 1997-2017 Info-Tech Research Group

ANALYST PERSPECTIVE
The cybersecurity landscape is changing faster than ever; can your organization keep up?

When building a security culture, organizations have traditionally focused on annual training that addresses all security threats and best practices. It was meant to cause the least friction for end users and show compliance with training requirements. However, as threats continue to evolve, this approach has become largely ineffective in ensuring that users are equipped with the correct knowledge to act securely.

The solution to this problem? Microlearning. This learning methodology consists of short, engaging, and highly effective training modules, and will allow companies to reduce training fatigue and increase engagement.

It is no longer just the organization that is affected by cybersecurity. The growing personal exposure to technology has increased individual risk, making the organization's security training more relevant and important to end users.

Azzam Ramji, Consulting Analyst, Security, Info-Tech Research Group

Our understanding of the problem

Primary audience:
- CISOs and security managers looking to introduce or improve their awareness and training program.
- CIOs and IT managers looking to introduce or improve their awareness and training program.

Primary outcomes:
- Determine your current training maturity level and identify the topics to cover in your training.
- Improve your end users' security awareness through training developed using Info-Tech Research Group's extensive materials.
- Ensure your training program is compliant with regulation and industry best practices.
- Create a reporting and evaluation system to enable an agile training methodology.

Secondary audience:
- Department heads looking to understand the different security threats their end users face.
- Executives looking to mitigate end-user risk to their company.
- Functional teams looking to ensure training compliance is met.

Secondary outcomes:
- Improve overall security awareness within the organization and reduce risk from end users.
- Understand the various security threats that face different groups within the organization.
- Identify the urgent topics for training to ensure your program is compliant with industry regulations and is appropriate for the general end user.

Executive summary

The fast evolution of the cybersecurity landscape requires security awareness and training programs that are frequently updated and improved. Cyberattackers target your end users, who remain today's weakest link in organizational security. Your security training is not creating education, it's creating information fatigue, and therefore is not getting absorbed. By presenting security as a personal and individualized issue, you can make this personal focus a driver for your organizational security awareness and training program.

Security awareness and training programs often fail to engage end users. Lack of engagement leads to low levels of knowledge retention. Irrelevant or outdated training content does not prepare your end users to defend the organization against current security threats.

- Create a training program that delivers smaller portions of information on a more frequent basis to minimize effort, reduce end-user training fatigue, and improve content relevance.
- Evaluate and improve your security awareness and training program continuously to keep its content up to date.
- Leverage end-user feedback to ensure content remains relevant to those who receive it.
- Teach end users how to recognize current cyberattacks before they fall victim, and turn them into active barriers against cyberattacks.
- Use Info-Tech's blueprint and materials to build a customized training program that utilizes best practices.

Why do we still care about security training?

- 75% of large organizations and 31% of smaller organizations fell victim to a staff-related security breach in the last year.[1]
- 50% of organizations' worst breaches were the result of inadvertent human error.[1]
- Over 95% of all security incidents investigated identified human error as a contributing factor.[2]
- 55% of companies indicated that they believe privileged users are the biggest internal threat to corporate data.[3]
- 30% of data breaches globally are caused by negligent end users.[4]

These figures come from four separate surveys with different samples and different definitions of "human error", so they are indicative rather than directly comparable. The message they share is the same: many employees have access to networks and systems that in turn can reach confidential and sensitive information, and it is important to educate these users on the practices they need to protect both themselves and the organization from potential threats or attacks.

Act now: intruders are becoming more sophisticated and are using highly targeted social engineering attacks that are difficult to defend against with technology alone. If you don't have a current security awareness and training program, it is time to join the 72% of large organizations and 68% of small organizations that conduct security training on an ongoing basis.[1]

Sources:
[1] PwC, 2015 Information Security Breaches Report
[2] IBM Security Services, 2014 Cyber Security Intelligence Index
[3] Vormetric, 2015 Insider Threat Report
[4] Ponemon Institute, 2014 Cost of a Data Breach Study

End users are the weakest link

Most organizations have security software in place to protect against external threats, but end users can unknowingly bypass some of those controls in the course of "just doing their job". For example, a user might switch from a corporate-controlled device to a BYOD device because a request was blocked on the controlled device and they did not know why.

Unaware or untrained end users are the weakest exposure to external threats, and unlike technology, end users can be manipulated into granting attackers access to critical information. While a security system's capacity can be expanded over time to cover new threats, end users have a limited capacity to take on new information and will only act on simple tasks that don't get in the way of their core job.

(Diagram: Technology, People, Process.)

Software requires constant updates to defend against new and evolving security threats; so do humans, through training. Outdated training therefore leaves end users unaware of, and vulnerable to, new security threats. End users disengage from excessive training efforts, especially when they don't believe the content applies to their role in the company. Helping end users understand the risk of security unawareness will make them active weapons in the war against cybercriminals.

Make security awareness training relatable to the individual

Keep it personal: End users are more likely to engage with security training that affects their personal lives. Identify the risks that end users face in the workplace and in their home. Your program should highlight the impact that the training content has on their personal devices and home networks.

Make end users self-aware: Help your end users become more aware of the reasons why cybercriminals target them. This understanding will improve the end users' ability to identify threats that may be trying to exploit them.

Create human malware sensors: Proper training techniques can go beyond improving end-user knowledge about security; they can promote behavior change. Once your end users begin to actively evaluate possible security risks, threat identification and risk mitigation will improve.

Ensuring that your training program focuses on the human element of cybersecurity will increase end-user compliance.

Use a microlearning methodology to allow for frequent and engaging training for end users

Your current training methodology is ineffective.

Current training methodology vs. microlearning methodology:
- Long training sessions vs. training in small, short bursts
- Delivered annually vs. delivered frequently (quarterly or monthly)
- Lecture style vs. interactive and engaging
- Outdated vs. continuously updated
- Rigid structure vs. flexible and continuously iterated
- Compliance-driven vs. awareness- and culture-driven
- Standard for all employees vs. customized to functional departments

Percent of time that organizations:

                      Meet business goals   Finish on time   Stay within budget
High-agility org.     75%                   65%              67%
Low-agility org.      56%                   40%              45%

Source: Wrike, 7 July 2015

Leverage Info-Tech to create your microlearning program

Security is a macro topic that should be taught through microlearning to make training more manageable for end users. Your security training is not creating education, it's creating information fatigue and therefore is not getting absorbed.

1. Info-Tech will provide easily customizable materials that are regularly updated to ensure you have the relevant information to keep iterating your training modules.
2. Info-Tech's training program manual will help you select which groups of end users need training, outline what training modules are needed, and determine how and when to deliver them.
3. Info-Tech can help you plan out each module and guide you through the iteration process through Guided Implementation calls and workshops, saving you $35,200 compared with hiring a consultant.

Overall value of using Info-Tech

Phase 1: Assess the maturity level of the security culture
- Cost to assess current state of program: 120 FTE hours @ $80k/year = $4,800
- Cost to perform group risk assessment
- Cost to define a target program state and establish minimum security awareness level: 80 FTE hours @ $80k/year = $3,200

Phase 2: Select an effective plan of training delivery
- Cost of selecting delivery methods: 160 FTE hours @ $80k/year = $6,400
- Cost of creating training modules, training content, and a training schedule: 200 FTE hours @ $80k/year = $8,000

Phase 3: Build a reporting system and continuously update the training program
- Cost of creating and implementing a pilot program: 100 FTE hours @ $80k/year = $4,000
- Cost of designing a reporting system and establishing a feedback loop

Potential financial savings from utilizing Info-Tech resources: Phase 1 ($12,800) + Phase 2 ($14,400) + Phase 3 ($7,200) = $34,400

By using our Guided Implementation rather than a self-directed implementation, you can expect to save ~75% of the overall cost, which represents ~$25,800. Engage with Info-Tech from the outset for the best opportunity to maximize your benefits. Use the Info-Tech workshop and get everything done in a week, saving you 820 FTE hours (equal to $32,800).

How does it fit within your organization?

Come together and leverage the other departments within your organization to create, facilitate, and roll out the security awareness and training program.

(Diagram: the Security Awareness & Training Program at the center, surrounded by the IT department, HR team, executive team, Info-Tech Research Group, third-party vendors, and end users.)

Info-Tech Research Group helps IT professionals to:
- Quickly get up to speed with new technologies
- Make the right technology purchasing decisions, fast
- Deliver critical IT projects on time and within budget
- Manage business expectations
- Justify IT spending and prove the value of IT
- Train IT staff and effectively manage an IT department

Sign up for a free trial membership to get practical solutions for your IT challenges.

"Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading edge IT environment." - ARCS Commercial Mortgage Co., LP

Toll Free: 1-888-670-8889 www.infotech.com