Crushing Cyber-Risk on an In-House Learning Management System

Lance Spitzner

May 2, 2019

If you wake up one day and have found yourself at the intersection of Human-Cybersecurity-Risk-Management Avenue and Learning Management System Boulevard, you already know it’s a busy place with a ton of traffic. Look both ways before crossing the street.

Humans and technology: We use it, we love it, and we connect with it. We use it professionally, and socially, and everywhere in-between. Unsurprisingly, as these lines have blurred, we find ourselves in a situation where we enjoy almost limitless access to an amazing mish-mash of digital stuff across seemingly countless devices. (Don’t get me wrong – It’s good to know that both the notes from last week’s engineering meetings and Aunt Ester’s pot roast recipe can be transported to my cell phone on a Slack Channel.)

Limitless access to technology is good, but it carries risk. The same openness that serves us also serves the bad guys, and they can profit from it financially, politically, even militarily.

Meanwhile, some folks have roles as the cyber gate-keepers of information. They defend data with tools like encryption and firewalls. They fight the good fight, quietly in the background, turning away countless attacks, and are rarely recognized for their efforts. (Have you thanked your cyber guardian today? If you’re the cyber guardian, we applaud you. Keep up the good fight.)

Another role, “human cyber risk management”, works the same problem from a different angle. People in these roles train individuals to be harder targets and better data stewards. That training often involves a careful balance between convenience and attention, and between what should be shared and what should be left private.

The tools for cyber-training your learners fall into a few big buckets: training, simulation, and delivery. Choosing the right training and simulation packages is important, of course, but let’s focus on a reality that many cybersecurity training program managers face: the delivery of training via a Learning Management System (LMS).

Understanding the role of the LMS

A Learning Management System is an application used to plan, deliver, and track training. It also helps to assess learner activity and aggregate reports to produce an overview of training effort results. Depending on the platform capabilities and content presented on the LMS, the training could consist of some mix of computer-based training (CBT), video modules, games, simulations, and so on. Essentially, the LMS your organization uses helps you get the right training to the right people and measure the results.

Why use a Learning Management System? The Good, the Bad, and the Ugly


In the security awareness business, we see an LMS used in just about every kind of way.

The good: the shiny, next-gen SaaS products with sleek web interfaces, deeply integrated with HR talent management systems, or platforms that have been carefully built or customized to address your organization’s unique needs.

The bad and ugly: some organizations are still running crusty, well-worn versions of Moodle (an open source online platform). They drag it out each year for annual compliance training and update nothing; the interface and the training are as unconvincing at doing their job as you are bored in assigning it.

The good news is that if your organization is already using an LMS regularly, it could make your job easier. If the setup, logins, people, and conventions around using the company system are well established, you can focus on building and deploying your training, even if the system is a little well-worn.

Getting the Job Done Right with Your LMS

Before launching an awareness training program on your LMS, take some time to get to know the system. Remember the simple goal: “Get the right training to the right people.” While the definition of “right” changes with your security program’s maturity, you still need to cover some basics. (If you'd like to learn more about program maturity and how to benchmark it, we've detailed the Security Awareness Maturity Model© in the 2018 SANS Security Awareness Report. It is the key measure of program impact and success, defined by the level of measurable human risk that can be mitigated by changing end-user behavior.) Most awareness programs have a few things in common, and there are some common LMS-focused questions you need to address first:

1. How do I get training onto this thing?

No matter how you slice it, getting training content onto your LMS may seem challenging, especially if this is one of your first ventures. Fortunately, LMS platforms are designed to help with this job once you understand a few facts.

Almost all systems, even the older ones, support one or more of a few industry standards: SCORM, AICC, or xAPI.

  • SCORM stands for Sharable Content Object Reference Model. It is a set of technical standards for e-learning software and the most widely supported in the industry. It comes in two main editions, SCORM 1.2 and SCORM 2004, and an LMS may support one far better than the other, so check which edition your content is packaged in.
  • AICC is actually the acronym of a governing body, the Aviation Industry Computer-Based Training Committee. Back in the 90s this committee published the first e-learning interoperability guidelines for learning management systems. Although it is an older standard, it is still fairly common.
  • xAPI (originally nicknamed “Tin Can”) is the newest of the three. Work began in 2011 under the Advanced Distributed Learning (ADL) Initiative of the U.S. Department of Defense, and it was released as the Experience API (xAPI) in 2013. Unlike SCORM it is less a packaging format than an API: content reports learner activity as statements to a Learning Record Store (LRS), so your LMS needs an LRS, built in or external, before xAPI content can report anything.

These standards are simply the ways training companies and training tools package up video, documents, gamified content, or other learning material so it will work with an LMS. Match the training’s standard (and edition) to what your LMS supports and you should be all set. To learn more about the history and use of the standards, check out this article by Brian Westfall.
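Matching the standard is only half the job when the package comes from outside your organization: the LMS will unzip it and serve its pages to every employee in the company. The script below is an added example (it is not from the original post and not part of any LMS product) that inspects a SCORM package before import. It assumes the standard SCORM 1.2/2004 layout, a zip with imsmanifest.xml at its root whose resource and file hrefs point at files inside the archive; the sample package it builds is constructed inline so it runs offline. It checks that the manifest exists, that every referenced file is actually in the archive, that no archive entry or href climbs out of the package root, and lists the SCO launch pages the LMS will open in learners' browsers.

```python
"""Pre-import sanity check for a SCORM package. Added example, not from the
original post. Assumes SCORM 1.2/2004 layout (imsmanifest.xml at zip root)."""
import io
import posixpath
import zipfile
import xml.etree.ElementTree as ET

XML_BASE = "{http://www.w3.org/XML/1998/namespace}base"


def local_name(tag):
    """Drop the XML namespace so SCORM 1.2 and 2004 manifests parse alike."""
    return tag.rsplit("}", 1)[-1]


def is_safe_path(p):
    """True if a relative path stays inside the package root when extracted."""
    if not p or p.startswith(("/", "\\")) or ":" in p.split("/")[0]:
        return False
    norm = posixpath.normpath(p.replace("\\", "/"))
    return norm != ".." and not norm.startswith("../")


def check_scorm_package(data):
    """Inspect a zip blob; return {'ok', 'problems', 'launch'}.

    'launch' lists the href of every resource flagged as an SCO, i.e. the
    pages the LMS will actually open for the learner.
    """
    problems, launch = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Entry names are attacker-controlled when the package is third-party.
        for n in sorted(names):
            if not is_safe_path(n):
                problems.append(f"unsafe archive path: {n}")
        if "imsmanifest.xml" not in names:
            problems.append("imsmanifest.xml missing from package root")
            return {"ok": False, "problems": problems, "launch": launch}
        root = ET.fromstring(zf.read("imsmanifest.xml"))
        resources = [e for e in root.iter() if local_name(e.tag) == "resource"]
        if not resources:
            problems.append("manifest declares no <resource> elements")
        for res in resources:
            rid = res.get("identifier", "?")
            base = res.get(XML_BASE, "")
            hrefs = [res.get("href")] + [
                f.get("href") for f in res if local_name(f.tag) == "file"]
            for href in filter(None, hrefs):
                if not is_safe_path(href):
                    problems.append(f"resource {rid} escapes the package: {href}")
                    continue
                path = posixpath.normpath(posixpath.join(base, href.split("?")[0]))
                if path not in names:
                    problems.append(f"resource {rid} references missing file: {path}")
            # adlcp:scormtype (1.2) / adlcp:scormType (2004) marks launchable SCOs.
            scormtype = next((v for k, v in res.attrib.items()
                              if local_name(k).lower() == "scormtype"), None)
            if scormtype == "sco" and res.get("href"):
                launch.append(res.get("href"))
    return {"ok": not problems, "problems": problems, "launch": launch}


# Constructed sample manifest (SCORM 1.2 namespaces); not real course content.
MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<manifest identifier="awareness-2019" version="1.2"
    xmlns="http://www.imsproject.org/xsd/imscp_rootv1p1p2"
    xmlns:adlcp="http://www.adlnet.org/xsd/adlcp_rootv1p2">
  <organizations default="org1">
    <organization identifier="org1"><title>Phishing Basics</title>
      <item identifier="item1" identifierref="res1"><title>Module 1</title></item>
    </organization>
  </organizations>
  <resources>
    <resource identifier="res1" type="webcontent" adlcp:scormtype="sco" href="index.html">
      <file href="index.html"/>
      <file href="js/api.js"/>
    </resource>
  </resources>
</manifest>
"""


def build_sample_package(tamper=False):
    """Build a minimal SCORM 1.2 zip in memory (sample data, not real content).

    With tamper=True the archive omits js/api.js and adds an entry whose name
    climbs out of the package root, the kind of thing an import must reject.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("imsmanifest.xml", MANIFEST)
        zf.writestr("index.html", "<html><body>Phishing Basics</body></html>")
        if tamper:
            zf.writestr("../../evil.html", "<script>alert(1)</script>")
        else:
            zf.writestr("js/api.js", "// SCORM API wrapper would go here")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_sample_package()),
                        ("tampered", build_sample_package(tamper=True))):
        print(label, check_scorm_package(blob))
```

Run it before handing a vendor or in-house package to the LMS team: a clean package reports no problems and a single launch page, while the tampered one is flagged both for the path that escapes the archive root and for the script file the manifest promises but the zip does not contain. The same check is cheap to bolt onto whatever upload step your LMS administrators already use.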

2. Where can I get cybersecurity awareness training content?


When it comes to getting the content, you have a few options. You could build it in-house, assuming you understand the relevant security topics or have the skills and resources to build it. Covering relevant security topics is important, and they change regularly with the most current threats and attacks, so in-house content needs ongoing upkeep.

You’ll also need the tools to package it up and deploy it onto your LMS. Some larger companies have access to this kind of tech and talent. Truth be told, we often see organizations attempt it and find they only partially cover the security training they need; many companies take a run at it and end up going a different way. I myself, at one point in my career, was found standing in front of a whiteboard with a video camera pointed at me while talking about the necessity of using VPNs to access some services on our network. It was ugly, and I was happy to drop it and look for a more “professional” solution.

You could buy training content. There are many vendors that can supply a variety of topics and present them in a variety of ways. Personally, I’d recommend having an in-depth understanding of your program goals before you go shopping. Some vendors offer a dizzying array of content while some keep it simple. Before getting caught up in the options, just remember your mission and try to keep training in the 15-30 minutes per year range. Remember that every minute counts, the effectiveness of the training matters, and presenting content that is “cool” only helps if it meets your program objectives. If you need help with this, we’ve created a short guide with a companion checklist to help you pick the right awareness training vendor.

3. What about the stuff that is unique to my organization?

Keep in mind that, even if you search for, find, and select the ideal training for your organization, you will likely need to add a little local flavor to fit your corporate culture and needs. Work with your LMS people and see how you can incorporate your local cyber and acceptable use policies into your training cycle. Most LMS platforms have some way to do this, but it can sometimes get a bit wonky. Getting help from your experts will ease the process and give you a more customized training program.

4. How do I manage all my people (trainees, learners, users)?

Assuming you now have put together the training program that fits the goals and needs of your organization, you’ll need to work out who to give that training to. Many programs focus on compliance goals to make sure “everyone takes some basic package of essential cybersecurity training.” More mature programs do a better job of training alignment to audience and supplement the basics with additional training for people in certain roles. For example, they may decide to take the HIPAA training out of the “core” training and give it only to individuals in the HR areas or make sure that PCI training is only delivered to the people that handle credit card data. Neither program is strictly “better”, per se. They simply reflect different goals and maturity levels for your program.

They also require different representations of people in your LMS. If you are going to assign training to those HR people, the system has to know who is in HR. Dig in a little: almost all learning management systems have role or grouping capability. Ask questions and research your departmental structure thoroughly; if the people you are training are already organized into those groups, all the better. We will talk more about program maturity, why it matters, and when to go there in another article.

5. What about Security Awareness Tips or Hacks?

One key to a successful security awareness program is to work with your leadership. If it’s your CISO, your CIO, your VP of risk management, HR lead, or whoever is ultimately responsible for your security program, chances are everything will go much smoother if you have their support. Don’t assume because they said “go do this” that they will love the outcome, measures and rollout of the program you’ve created. Have them preview the packages, understand the program schedule, and buy into the strategy.

When you pull the trigger and send training to hundreds or thousands of trainees on your LMS, you will want leadership to know that some of them will react less than enthusiastically to having to take the training. Let your exec know that some will say it’s not necessary, it takes too long, and that they already know this stuff. A word of advice: get ahead of this; forewarned is forearmed.

When it comes to zeroing in on the specific awareness training content your organization should have, your best first step is to ask around. Research is your friend here. Get some guidance from your IT security department, do some surfing and ask your vendors. There are also some fantastic security awareness communities chock full of people running these types of programs. Get some advice, get involved. Jump into a LinkedIn Group, or follow some pros around on Twitter (blatant shout-out to my colleague, Lance Spitzner, who tweets about this regularly), maybe check out Bruce Schneier or Brian Krebs. Keep up on what’s what in the security awareness world. These forums are full of the latest hacks, strategies, and issues. (Hint: shoot one to your boss every now and then.)

Lastly, dig in on your metrics. Reporting systems vary widely on LMS platforms, but anything you can show about the impact of your program will help your leadership (and you) understand the value of the training. Remember, helping leadership communicate the value of the program around and up the chain will pay huge rewards down the line for your security awareness program.

Summary – Crushing Security Awareness with Your LMS is Totally Doable


Let’s review. Your LMS may be ugly, but it may also be your friend. Someone, somewhere knows it, maybe even loves it; go and find them, bring them coffee.

Chances are, your LMS already knows your organization and holds the people you want to reach. Sort out your training priorities, the “who needs what” questions. Keep in mind that if you are trying to make a difference, this is a long fight – you don’t need to win in round one. Your leaders matter, and they matter big. Many awareness programs eventually reach every single person in the organization and can thus be a source of serious pain or a point of pride for your boss; loop ‘em in early and try to make sure they get “it”. Talk to your peers, your security folks, and connect with the greater community.

You aren’t in this alone. You may just need some cyber-savvy friends in your corner to find LMS success.

Tags:
  • Security Awareness