What’s next for your awareness program?

When I talk to CISOs or security awareness professionals, I frequently hear the same frustration about the results of their awareness programs. The supposed awareness programs have been in place for a year or more and have not yielded noticeable results, and in many cases seem almost useless, as user-created incidents seem to continue to increase. When I ask them to describe their programs, what I get are descriptions of components of an awareness program and not a program itself. They describe computer-based training (CBT), and sometimes phishing simulations.


As you look to your awareness program, you need to honestly answer, “Is my awareness program working?” More important, you need to ask, “How do I know?” The second question is actually much more insightful.

Answers I heard from people that I personally don’t believe are valid include, “I get very positive feedback on the videos used,” and “The percentage of people clicking on phishing messages keeps going down.”

When I asked the first person if there were fewer awareness-related incidents, he didn’t know. When I asked the second person if there was a decrease in click-throughs on real phishing messages, I was told there was actually an increase as far as they could tell.

CBT and phishing simulations provide easy metrics. That is the primary reason they are common. For example, CBT is generally used to satisfy audit requirements. CBT printouts provide check-the-box proof that all employees at least went through mandatory awareness training. They do not prove there was an actual increase in awareness. Phishing simulations usually show a decrease in clicks on the simulated phishing messages. Typically, the same or similar messages are resent until the failure rate goes down. At that point, the result usually shows that employees recognize the simulations and the basic messages that would normally be stopped by spam filters anyway. There is no inherent proof that people are less susceptible to actual phishing messages.

While CBT is unfortunately important due to narrowly defined audit requirements, and can potentially cover a variety of topics, it needs to be reinforced. It is common for an organization to have a single person take the CBT quizzes and share the results with other employees, so the other employees don’t have to actually pay attention to the CBT. Phishing simulations, even assuming they are effective, are limited to phishing education and do nothing to support awareness of broader social engineering, physical security, password security, data protection, and so on. It is no wonder that typical security awareness programs fail.


While even an organization with a comprehensive awareness program will experience incidents, they should be fewer and more quickly mitigated. In order to have a successful awareness program, there has to be a constant stream of information that is delivered both actively and passively. In some cases, a comprehensive form of gamification can help the organization.

The purpose of this article is not necessarily to introduce a new concept, but to address the question of “What’s next?” and, unfortunately more frequently, “Why is my awareness program failing?”

My previous articles have addressed those issues. Articles to refer to include:

This story, "What’s next for your awareness program?" was originally published by CSO.

Copyright © 2015 IDG Communications, Inc.
