Security Awareness Professionals! This Is Day 3 of Gartner Security and Risk Management Summit 2018. Join Terranova at booth 119!
We have been exchanging numerous ideas with participants about raising security awareness effectively and user training initiatives. Consequently, we are focusing our discussion on security awareness. We ask the following question:
“How do you measure employees’ progress in cyber security awareness training?”
Think of security awareness as a marathon. It is a long haul, and your business is in it to win. Now think about a continuum that would reflect this security awareness marathon. What would it look like? What phases would it include?
In the following article, we present key steps that form a security awareness continuum. Your organization can now start monitoring the maturity curve of employees in relation to their security awareness training. We are shedding light on the process through which employees acquire the right skills, knowledge, and overall behavior to take on the role of security awareness champion and proactively prevent data breaches and reputation losses.
The popular expression “attitude is everything” applies more than ever today when it comes to information security. Among those responsible for protecting information, the ultimate nirvana is reaching the point where security becomes a state of mind – an awakening of attitudes about the threats that surround your organization and the conscious desire to not become a victim.
Getting to that security state of mind is a long journey of the human psyche which employees should undertake to protect data in this digital age. It is an evolutionary process through an awareness continuum, which can ultimately become a cultural paradigm shift in human behavior and attitude. With every movement forward on that path, employees draw closer to a more secure environment.
Unconsciousness
Most employees begin this journey in a state of unconsciousness about threats and cybercriminals. This initial state of mind is not a sign of stupidity, but merely the result of inattention or ignorance of the things happening around them that can cause them harm. Unknowingly, employees may open harmful email attachments or follow links to malicious Internet sites. Perhaps users are unable to recognize the signs of trouble because they are so trusting of others. Whatever the reason, employees are highly vulnerable in this state of unconsciousness, and therefore your organization’s security is weak.
Acknowledgment & Enlightenment
Your employees must first acknowledge that they do not know about information security. Consequently, your role as security professionals is to raise security awareness effectively by training employees on cybersecurity best practices – informing them about the threat landscape that surrounds the organization.
This can be accomplished by providing security awareness training across your organization and informing users of the latest hacks and how they happened. Employees now have taken the first step toward enlightenment.
Attention
Users begin paying closer attention to their interactions with their digital environment, and they are no longer careless in their actions within that environment. Those emails that they have opened so readily, even when they were from unknown senders, now appear more suspicious. Your employees’ attention can be heightened by security awareness reinforcement material, such as posters, newsletters, and microlearning modules. The more mindful they are in their actions, the sooner they begin to observe and recognize threats in real time. Your users have now reached a state of attention, and they apply more diligence in their actions.
Alertness
As users’ attention becomes more focused, they enter a state of alertness. Your employees have become more observant. They are on the lookout for things that appear suspicious or out of the ordinary, becoming more and more vigilant of potential harm. Alert, they are on guard against cybersecurity risks.
Security State of Mind
Once your employees have embraced security awareness best practices, they reach a tipping point, a sort of paradigm shift. The final step in the awareness evolution signifies that your users have acquired a security state of mind. Security awareness is so ingrained in their daily routine that it has become second nature, part of their physiological and psychological thumbprint.
Conclusion
This awareness continuum is an innovative way to measure and optimize employee performance, as well as monitor their training efforts over time.