The Ultimate Guide to
Security Awareness Training

What Is Security Awareness Training?

Security awareness training is a form of education that seeks to equip employees of an organization with the information they need to protect themselves and their organization's assets from loss or harm. For the purposes of any security awareness training discussion, members of an organization include employees, temps, contractors, and anybody else who performs authorized functions online for an organization.

Organizations that must comply with industry regulations or frameworks such as PCI (Payment Card Initiative), HIPAA (Health Insurance Portability and Accountability Act of 1996), the Sarbanes-Oxley reporting requirements, NIST or ISO usually deliver security awareness training to all employees once or perhaps twice a year.

And even though it may not be required by Small and Medium Enterprises for compliance reasons, they can also benefit from training their employees to avoid cyberheists through phishing attacks, account takeovers, or other well-known means that cybercriminals use to misappropriate company funds.

Avoid Potential Pitfalls in Phishing Your Users

Five Principles to build positive anti-phishing behavior management programs

Shifting organizational behavior requires a recognition that simply exposing employees to security-related information will never be enough. Instead, it is imperative to train secure reflexes through intentional and methodical simulated testing so that employees are continually exposed to the situations in which you hope they will exhibit secure behavior.

Some security and organizational leaders might be hesitant to phish their users, fearing that end-users or managers could react negatively to the experience. In fact, some organizations may even have horror stories of phishing simulations that have backfired, resulting in more harm than good. Yet, security leaders, auditors, and adult-learning experts agree that the best way to train secure reflexes is through simulation (not information).

It is possible to work through concerns related to simulated phishing and, in fact, make the experience positive for end-users and management alike. Use the following five principles to build a positive anti-phishing behavior management program:

1. Frame the program with a positive tone: the way that employees react to simulated phishing events is directly related to the way that you message the program. If employees feel that your main goal is to trick them and make them fail, then they will view you as an adversary. It is much better to position your program as something that you are doing for the good of the organization and the employees within it. In short, your message is that you are running these campaigns for the same reasons that you conduct events like fire-drills. For people’s ultimate safety and preservation.
2. Be intentional about your ‘post click’ landing pages: The time immediately following a phishing test failure is your most critical messaging moment. Employees will naturally feel the most vulnerable and sensitive when they’ve fallen for a simulated attack. If you are directing them to a landing page that lets them know they’ve failed, it is important that you account for their heightened emotional state. Use the learning moment – but be extra careful not to heap shame on the employee. Instead, be friendly and to the point. Additionally, your messaging for any follow-up training should not be framed in shame or condemnation; it should remind them of the program, why tests like these are important, and how we all struggle to retrain human nature.
3. Empower them with new behaviors: Give your employees the power to build new behavioral patterns by offering them replacement behaviors. Humans struggle with simply removing a behavioral pattern. It can actually be easier to replace one behavior with another. For phishing simulation tests, we consider it best practice to have your employees report the simulated phish by clicking on our free Phish Alert Button (PAB). This not only gives them a replacement behavior, but can also give them a positive reinforcement by displaying congratulatory message for reporting the simulated phish. For organizations that have not deployed the PAB, train them to think, “when in doubt, throw it out,” so that their replacement behavior is simply deleting emails that are worrisome.
4. Measure and train at their individual competency – and train for improvement: In all organizations, there are different levels of employee sophistication in detecting simulated phish. You will have some employees who almost never fall victim to phishing tests, and some who fall victim much more often. Because your employees have different levels of maturity in detecting phish, it can be extremely useful to train employee groups at their current level of competence, so they can improve. For the same reason that we don’t expect grade school students to do college-level math, we shouldn’t expect employees to immediately become expert phish detectors. Consider a tiered system of phishing training for your users to train them according to their current level of competence and allowing them to grow over time.
5. Phish frequently: A pattern of frequent simulated phishing tests let employees know simulated phishing is a part of your security culture -- that this is standard practice because frequent training provides the best chance at developing proper reflexive behaviors. Organizations that only conduct yearly or quarterly simulated phishing are actually only performing baselining measurements – not training secure reflexes. Monthly – or, better yet – bi-weekly simulated phishing training will let employees know that they should always be on the lookout for the next phish to land in their inbox, and that they can always show improvement because the next test is not far away.

Creating your anti-phishing behavior management program according to these five principles will ensure that your program is seen as something that builds-up employees rather than tearing them down. These principles are aimed at recognizing that humans can become an effective last line of defense for your organization when given proper training, motivation, and support.

Avoid these top 10 security awareness training program fails

1. Avoid singling out users that click on a phishing link and making a public example of them. Do not punish employees that make mistakes early on.
2. Avoid sending phishing campaigns only every 90 days. Quarterly phishing tests really just take a baseline, whereas phishing users at least once a month is an effective method to groove in making smart security decisions.
3. Avoid sending the same phishing template instead of randomizing the templates to each user, and running campaigns on predictable times like every Monday afternoon.
4. Avoid starting out with 5-star phishing templates that are too difficult to identify.
5. Avoid sending only phishing attacks and overlooking stepping users through interactive training.
6. Avoid forgetting to emphasize that this program will also help your users to keep their family safe online.
7. Avoid forcing the program through your users throats, and bypassing getting C-level air cover for the program. You want as much buy-in from the get-go as possible.
8. Avoid neglecting to inform key stakeholders, department managers and tech support before you send the initial baseline test.
9. Avoid not reporting the positive results to the stakeholders with graphics that show improvement over time.
10. Avoid not having a good procedure / process that allows users to report phishing emails that they found in their inbox, and not having a Social Engineering Incident Response program.

Follow these guidelines to ensure the success of your program. Need help getting started? KnowBe4's Automated Security Awareness Program takes away all the guesswork. Answer 15-25 questions about your goals and organization and get your customized program in just 10 minutes!

* This list is also available as an infographic

How to Gain and Maintain Executive Support for Your Security Awareness Program

How to work through "push back" when seeking to implement security awareness and training programs

With so many regulations and audit standards requiring organizations to provide critical security-related information and training programs for their employees, it can be shocking that security leaders often encounter high-level "push back" when seeking to implement cyber security awareness and training programs.

To overcome this situation, propose your program in a way that addresses executive concerns, links to corporate objectives, and tells a story. This is accomplished in three steps:

1. Seek first to understand

   Habit five of Stephen Covey's "Seven Habits of Highly Effective People" states, "Seek first to understand, then to be understood." Dr. Covey writes,

   "If you're like most people, you probably seek first to be understood; you want to get your point across. And in doing so, you may ignore the other person completely, pretend that you're listening, selectively hear only certain parts of the conversation or attentively focus on only the words being said, but miss the meaning entirely. So why does this happen? Because most people listen with the intent to reply, not to understand. You listen to yourself as you prepare in your mind what you are going to say, the questions you are going to ask, etc. You filter everything you hear through your life experiences, your frame of reference. You check what you hear against your autobiography and see how it measures up. And consequently, you decide prematurely what the other person means before he/she finishes communicating."

   It is vital to recognize that most business leaders (and end users) simply will not care about security in the same way that a security professional does. People don't care about security for the sake of security alone. What they care about is the result that a sound security strategy can provide and the impacts/risks associated with the lack of a sound security strategy. Use this understanding to inform the methods that you use to engage the organization and business leaders.

2. Take Genuine Interest and See the Motivation Behind Any Concerns
   So, what motivates a business leader? The answer is: business risks and business outcomes. Therefore, it is helpful to position your security awareness and training program in this context. To do this, consider highlighting the following:
    
   • Issues associated with behavior-related risks. It's important to speak to the traditional factors related to the possibility of data breach and negative PR. But don't stop there — behavior-related risk is broader and gets into areas related to system stability, continuity of operations, employee morale and productivity, proper handling of intellectual property, and more.
   • Regulatory and audit requirements. Here is where you get to highlight the slew of regulations and audit requirements that mandate awareness and training programs.
   • Industry best practice and competitor benchmarking. Decision makers are very interested in understanding where their organization stands relative to peer organizations. A few data points that decision makers may find interesting include: what are the standard topics that organizations like us train on? What is the average phish-prone percentage for organizations like ours, and how do we compare? What are the greatest behavior-related risks for organizations like us? How much do other organizations spend on security awareness and training programs?
   • A sense of respect for everyone's time. Time is your employee's most valuable resource. It's important that your security awareness and training program respect this fact by not exposing employees to information that is irrelevant or unnecessary. Where possible, provide data points to demonstrate that your awareness and training efforts will have a positive payback for the organization.
   • Evidence that you have an informed plan. Give your executive team confidence in your program by eliminating as much uncertainty as possible. Often, security leaders embark on awareness and training programs that are amorphous and without a clear sense of direction. Eliminate uncertainty and/or smooth-out any potential future conflicts by sharing a well-formed plan that removes the guesswork.
     
     
3. Connect Your Security Awareness Program to Organizational Outcomes
   Where possible, you need to speak the language of "the business" and report in a way that shows relevance to organizational outcomes. Notice that this is directly related to the other points mentioned in this article. In order to report in a relevant way, you first need to understand your organization's targets and the agreed-upon risks.
   
   When reporting your security awareness successes, continue to remind the executive team why the program is important, and how the activities and metrics connect with the motivations outlined in points 1 and 2, above. In the end, many of the metrics can be the same as you would normally report (for example, course completion rates, phishing test outcomes, and so on), but the difference here is that you are able to put these numbers into context. This context is used to tell the story of how your security awareness and training program is strengthening the overall security culture of the organization, thereby reducing risk, potentially increasing productivity, and having a positive impact on the organization's ability to execute.

"Culture eats strategy for breakfast." - Peter Drucker, Management Consultant, Educator and Author

Maintaining Executive Support for Your Program

Communication Strategy is Key

Any time you are presenting data numbers, don’t leave the interpretation up for chance. The ‘what’ is the data, with every ‘what’ comes a so what? meaning what does that data actually mean? and a now what?, or what do we do in light of that information? Any time you have a what, you need to answer the so what and the now what, otherwise you’re leaving one or both of those things up for interpretation and that’s a chance you cannot afford to take. Your communication strategy throughout the whole process is key. You want to tell a memorable story, the moral being you need cyber security awareness training. Use statistics and charts and graphs to support that story.

Capturing Executive Attention

What’s in it for them - Answer the "so what" question. Answer specifically for each member of the executive team what is going to matter most for them with the output of a security awareness training program. This can be talked about positively - increased resiliency that leads to stabilization of environment, higher employee productivity or negatively - pain that can be avoided when this is done right (data doesn’t get exposed, users don’t get compromised, etc.).

Outline clear connections - Showing connection between the action of training and things that are important for that executive. Could be a specific system, business outcome, specific project, a regulation they are accountable for.

Measurement and stories - Talk about what is going to be measured, how it will be presented, and use that to get into the morality (this is what goes wrong without a security awareness program, here is what can go right, etc.)

Be on the Lookout for Ways To:

• Align your program to the organization’s strategy, mission, and initiatives. This can get heads around the table nodding.
• Tie your program to compliance requirements. For most major security best practices, audit requirements and regulatory requirements, security awareness training IS a requirement.
• Use current events and stories about organizations that are similar to yours in terms of industry, size, or other demographic characteristics. Note: Be careful not to do this in a way that will be perceived as alarmist or as fear mongering. The closer to home it feels, the more real it becomes in their minds.
• Map your program to established industry best practices (such as the NIST Cybersecurity Framework, the National Association of Corporate Directors guidance on cybersecurity, and so on).

Use SMARTER Goals

Show that you are being very intentional about starting your program and you will more likely get the support, budget and resources you need to get it started. Use a SMARTER goal-setting framework, goals should be Specific, Measurable, Actionable, Risky, Time-keyed, Exciting and Relevant.

Goals like "The goal is to reduce our phish-prone percentage" or "To be able to engage employees so they are more aware of the risks and threats around them" are not specific or measurable and are certainly not exciting. An example of a SMARTER goal would be: We are going to reduce our phish-prone percentage from an initial baseline of 30% down to 15% within the next 45 days. You will know for sure whether you’ve hit the goal or not once that 45 days is up. With this framework in mind, it is much easier to build out your training plan and reporting schedule around these types of goals.

Brainstorming Worksheet for Gaining Support

We recommend filling something like the below sheet out for each executive you need to get buy-in from. This isn’t to share with anyone, it’s a tool for you to help before you start meeting with your executive team. Find ways to amplify their value proposition and address or minimize their concerns early on. Try to have one-on-one conversations before you officially ask for support so there are no major surprises when that time comes.

It's a Marathon, not a Sprint

It's very important that you present this as an ongoing program from the very beginning - not a one and done. Think about the difference between an event and an ongoing effort… and the difference between a sprint and a marathon. Time and consistency make a BIG impact in changing behavior for the better.

Awareness posters are great to display in the office as a reminder for the whole organization to keep security top of mind. Posters should be changed frequently enough so the message doesn't get stale. These high-res JPGs are suitable for printing: