Published by Opal Hopkins. Modified over 6 years ago.
Humanize the Security Awareness and Training Program
If it’s not human-centric, you’re not training your humans.

Info-Tech's products and services combine actionable insight and relevant advice with ready-to-use tools and templates that cover the full spectrum of IT concerns. © Info-Tech Research Group

ANALYST PERSPECTIVE

The cybersecurity landscape is changing faster than ever; can your organization keep up?

When building a security culture, organizations have traditionally focused on annual training that addresses all security threats and best practices. It was meant to cause the least friction for end users and show compliance with training requirements. However, as threats continue to evolve, this approach has become largely ineffective in ensuring that users are equipped with the correct knowledge to act securely.

The solution to this problem? Microlearning. This learning methodology consists of short, engaging, and highly effective training modules, and will allow companies to reduce training fatigue and increase engagement.

It is no longer just the organization that is affected by cybersecurity. The growing personal exposure to technology has increased individual risk, making the organization’s security training more relevant and important to end users.

Azzam Ramji, Consulting Analyst, Security, Info-Tech Research Group
Our understanding of the problem

This research is designed for:
- CISOs and security managers looking to introduce or improve their awareness and training program.
- CIOs and IT managers looking to introduce or improve their awareness and training program.

This research will help you:
- Determine your current training maturity level and identify the topics to cover in your training.
- Improve your end users’ security awareness through training developed using Info-Tech Research Group’s extensive materials.
- Ensure your training program is compliant with regulation and industry best practices.
- Create a reporting and evaluation system to enable an agile training methodology.

This research will also assist:
- Department heads looking to understand the different security threats their end users face.
- Executives looking to mitigate end-user risk to their company.
- Functional teams looking to ensure training compliance is met.

This research will also help them:
- Improve overall security awareness within the organization and reduce risk from end users.
- Understand the various security threats that face different groups within the organization.
- Identify the urgent topics for training to ensure the program is compliant with industry regulations and is appropriate for the general end user.
Executive summary

The fast evolution of the cybersecurity landscape requires security training and awareness programs that are frequently updated and improved. Cyberattackers target your end users, who remain today’s weakest link in organizational security. Your security training is not creating education, it’s creating information fatigue and therefore is not getting absorbed. By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.

- Security and awareness training programs often fail to engage end users. Lack of engagement can lead to low levels of knowledge retention.
- Irrelevant or outdated training content does not properly prepare your end users to effectively defend the organization against security threats.

- Create a training program that delivers smaller portions of information on a more frequent basis to minimize effort, reduce end-user training fatigue, and improve content relevance.
- Evaluate and improve your security awareness and training program continuously to keep its content up to date. Leverage end-user feedback to ensure content remains relevant to those who receive it.
- Teach end users how to recognize current cyberattacks before they fall victim, and turn them into active barriers against cyberattacks.
- Use Info-Tech’s blueprint and materials to build a customized training program that utilizes best practices.
Why do we still care about security training?

- 75% of large organizations and 31% of smaller organizations fell victim to a staff-related security breach in the last year.[1]
- 50% of organizations’ worst breaches were the result of inadvertent human error.[1]
- Over 95% of all security incidents investigated recognized human error as a contributing factor.[2]
- 55% of companies indicated that they believe privileged users were the biggest internal threat to corporate data.[3]
- 30% of data breaches globally are caused by negligent end users.[4]

Many employees have access to system networks that in turn can access confidential and sensitive information. It is important to educate these users on the best practices needed for them to protect both themselves and the organization from any potential threats or attacks.

Act Now: Intruders are becoming more sophisticated and are using highly targeted social engineering attacks that are difficult to defend against. If you don’t have a current security awareness and training program, it is time to join the 72% of large organizations and 68% of small organizations that conduct security training on an ongoing basis.[1]

Sources:
1 – PwC 2015 Information Security Breaches Report
2 – IBM Security Services 2014 Cyber Security Intelligence Index
3 – 2015 Vormetric Insider Threat Report
4 – Ponemon Institute, 2014 Cost of a Data Breach Study
End users are the weakest link

Most organizations have security software in place to protect against external threats, but end users can unknowingly bypass some of these controls in the course of “just doing their job.” For example, they might shift from a corporate-controlled device to a BYOD device because they were blocked on the controlled device but didn’t know why.

Unaware or untrained end users are the organization’s greatest exposure to external threats, and unlike technology, end users can be manipulated into granting attackers access to critical information. While a security system’s capacity can be expanded over time to encompass new threats, end users have a limited capacity to take on new information and can only act on simple tasks that don’t affect their ability to complete their core job.

[Diagram: Technology / People / Process]

While software requires constant updates to defend against new and evolving security threats, so do humans, through training. Therefore, outdated training will leave end users unaware of and vulnerable to new security threats. End users will disengage from excessive training efforts, especially when they don’t believe the content applies to their role in the company. Helping end users understand the risk of security unawareness will make them active weapons in the war against cybercriminals.
Make security awareness training relatable to the individual

Keep it Personal
End users are more likely to engage with security training that affects their personal lives. Identify the risks that end users face in the workplace and in their home. Your program should highlight the impact that the training content has on their personal devices and home networks.

Make End Users Self-Aware
Help your end users become more aware of the reasons why cybercriminals target them. This understanding will improve the end users’ ability to identify threats that may be trying to exploit them.

Create Human Malware Sensors
Proper training techniques can go beyond improving end-user knowledge about security; they can promote behavior change. Once your end users begin to actively evaluate possible security risks, threat identification and risk mitigation will improve.

Ensuring that your training program focuses on the human element of cybersecurity will increase end-user compliance.
Use a microlearning methodology to allow for frequent and engaging training for end users

Your current training methodology is ineffective.

Current Training Methodology          vs.   Microlearning Methodology
Long training sessions                      Training in small, short bursts
Delivered annually                          Delivered frequently (quarterly or monthly)
Lecture style                               Interactive and engaging
Outdated                                    Continuously updated
Rigid structure                             Flexible and continuously iterated
Compliance-driven                           Awareness- and culture-driven
Standard for all employees                  Customized to functional departments

Percent of time that organizations:
                    Meet business goals   Finish on time   Stay within budget
High Agile Org.     75%                   65%              67%
Low Agile Org.      56%                   40%              45%

Source: Wrike, 7 July 2015
Leverage Info-Tech to create your microlearning program

Point 1: Info-Tech will provide easily customizable materials that will be regularly updated to ensure you have the relevant information to keep iterating your training modules.

Point 2: Info-Tech’s training program manual will help you select which groups of end users need training, outline what training modules are needed, determine how to deliver them, and determine when to deliver them.

Point 3: Info-Tech can help you plan out each module and guide you through the iteration process through Guided Implementation calls and workshops, saving you $35,200 compared with hiring a consultant.

Your security training is not creating education, it’s creating information fatigue and therefore is not getting absorbed. Security is a macro topic that should be taught through microlearning to make training more manageable for end users.
Overall value of using Info-Tech

Phase                                                                 Guided Implementation
Phase 1: Assess the maturity level of the security culture
  Cost to assess current state of program                             120 FTE hours @ $80k/year = $4,800
  Cost to perform group risk assessment
  Cost to define a target program state and establish minimum
  security awareness level                                            80 FTE hours @ $80k/year = $3,200
Phase 2: Select an effective plan of training delivery
  Cost of selecting delivery methods                                  160 FTE hours @ $80k/year = $6,400
  Cost of creating training modules, training content, and a
  training schedule                                                   200 FTE hours @ $80k/year = $8,000
Phase 3: Build a reporting system and continuously update the training program
  Cost of creating and implementing a pilot program                   100 FTE hours @ $80k/year = $4,000
  Cost of designing a reporting system and establishing a feedback loop

Potential financial savings from utilizing Info-Tech resources: Phase 1 ($12,800) + Phase 2 ($14,400) + Phase 3 ($7,200) = $34,400

By using our Guided Implementation rather than a self-directed implementation, you can expect to save ~75% of the overall cost, which represents ~$25,800. Engage with Info-Tech from the outset for the best opportunity to maximize your benefits.

Use the Info-Tech workshop and get everything done in a week, saving you 820 FTE hours (equal to $32,800).
How does it fit within your organization?

Come together and leverage the other departments within your organization to create, facilitate, and roll out the security awareness and training program.

[Diagram: Security Awareness & Training Program at the center, surrounded by the IT Department, HR Team, Executive Team, Info-Tech Research Group, Third-Party Vendors, and End Users]
Info-Tech Research Group Helps IT Professionals To:
- Quickly get up to speed with new technologies
- Make the right technology purchasing decisions – fast
- Deliver critical IT projects, on time and within budget
- Manage business expectations
- Justify IT spending and prove the value of IT
- Train IT staff and effectively manage an IT department

Sign up for a free trial membership to get practical solutions for your IT challenges.

“Info-Tech helps me to be proactive instead of reactive – a cardinal rule in a stable and leading-edge IT environment.” – ARCS Commercial Mortgage Co., LP

Toll Free: