Twice a year at Securing The Human we do a complete review of our security awareness training library. We start by reviewing all the topics and identifying whether we should add any new ones or remove any old ones. We then review the existing topics to see if any should be updated. We have just completed the second review for this year, which I'll be updating you on over the coming weeks. One of our first findings was that we were able to reduce what we consider the "Core" or top topics almost every program should start with. For a program to be effective, less is actually more. The fewer topics you cover, and the more actively you reinforce them, the more likely you are to change those behaviors.
After review by SANS instructors, subject matter experts and community feedback, we have narrowed the top topics to just nine (yes, Top 10 sounds so much sexier, but our goal is to have as few as possible, not a catchy title). Later this week I'll cover each one: what they are and why we have them in the top nine.
- You Are the Target
- Social Engineering
- Email & Messaging
- Social Networking
- Mobile Device Security
- Data Security
We are not stating that these top 9 topics are required for everyone, but we are recommending that most organizations start with this list, then add or remove the topics they need to address. Having a starting point like this is especially important for smaller organizations that may not have the resources or expertise to identify their top human risks. They often fall into the trap of training people on everything to be safe, which in the long run does more harm than good, as NO behaviors are changed.