The role of employees in information security cannot be overstated – after all, technology alone cannot protect your systems without their involvement. In fact, your workforce is your greatest single asset in the battle against increasingly sophisticated and persistent threats. And what’s equally true is that one size definitely doesn’t fit all when it comes to the style of training and communication needed to embed a successful security culture.
The name of the game is to employ a multi-channel approach to reach as many target audiences as possible. This is quite different from relying on traditional e-learning, which is undoubtedly a convenient, low-cost training method, but which in isolation is only likely to deliver a basic level of engagement.
When e-learning is combined with a range of other methods, however, engagement and internalisation levels are likely to be much greater. It’s all about recognising that everyone has a different learning style and that one company’s culture is very different from another’s.
At HPE, our approach is very much about combining learning with communication. We recognise the diversity of learning styles; visual learners need to see content to absorb it, auditory learners listen, communicative learners like to talk about the topic, and motor learners learn by doing.
To ensure you get all these groups fully engaged, your information security awareness programme needs to be equally diverse and offer employees multiple ways to learn. We group our training methods under five broad headings: communication, onsite training, web-based training, edutainment and security giveaways.
Communication covers traditional awareness-raising activities such as posters, brochures, newsletters and videos. Onsite training includes classic learning techniques such as seminars, conferences and lectures. Web-based training comprises e-learning, interactive CD training and other computer-based methods.
When education meets entertainment
Edutainment is a fresh concept, where education and entertainment combine in activities such as quizzes, games and brainteasers with built-in security messages. We’ve also introduced interactive events and game-style learning within this category. Security circle training and ‘lunch & learn’ events mix informal learning with security-themed entertainment such as live-hacking demonstrations. Finally, attractive security giveaways such as calendars, trump games or even Lego robots are used to visually reinforce security tips and hints within offices and workplaces.
For maximum effectiveness, information security awareness programmes should be branded with a logo and slogan. Apart from raising general awareness, a strong identity and storytelling help employees to associate with the programme and to quickly identify security awareness initiatives.
It’s also helpful to make campaigns as real and as engaging as possible. Case studies and examples help to contextualise learning and make it more relevant to everyday routines. Using real employees in security messaging generates more interest and holds attention for longer.
There is unquestionably a range of techniques that can be used for training and learning, some old, some new, but all of them will help to strengthen your security culture when used in the right way. Training methods should be diverse, inclusive and as far as possible tailored to the individual needs of the organisation. Getting it right may take some time, but the cost and effort involved are small compared to the huge advantages that a risk-aware workforce brings to your overall security protection.