One of the biggest challenges I feel organizations face in their awareness program is lack of structure. Even if they have taken time to identify the security awareness topics with greatest impact, they often communicate that content in a haphazard manner. To be effective you need a communications plan. To help you structure your communications plan I like to break it down into two general areas, Primary training and Reinforcement training.- Primary training is the core of your program, this is when you communicate content to an end user for the first time. For example, new hires at your organization or a contractor recently brought on to a project. Primary training brings everyone up to speed and sets expectations. This is also the minimum requirement for many compliance standards such as HIPAA or ISO 27001. Common examples of primary training would be computer based training or onsite workshops.
- Reinforcement training is where you repeat your topics, this is key to having an impact. You cannot teach people once then expect to change behavior, you have to repeat your message. Reinforcment does not teach anything new, it just reminds people in what you have taught them in the past. Common examples of reinforcement training include newsletters, posters, screensavers, or phishing assessments.
About the Author
Lance Spitzner
Director, SANS Security Awareness
Lance has over 20 years of security experience in cyber threat research, awareness and training. He invented the concept of honeynets, founded the Honeynet Project and helped pioneer the field of cyber intelligence. Lance has published three security books, consulted in over 25 countries and helped hundreds of organizations establish mature security awareness programs. Lance serves on the Board for the NCSA, is a frequent presenter, serial tweeter ( @lspitzner ) and works on numerous community security projects. He served as an armor officer in the Army's Rapid Deployment Force and earned his MBA from the University of Illinois.