The Complete Security Awareness Program Plan and Strategy Guide

Find guidance and actionable strategy for establishing your security awareness program

This page is designed to provide you with actionable guidance and strategy for establishing and maturing your security awareness program. These insights are based on real-life experiences from the experts who created the security awareness programs for The Walt Disney Company, Sony Pictures Entertainment, Activision Blizzard, and other leading firms.

What is Security Awareness?

Clearly defining and communicating your security awareness goals and initiatives is the lifeline of your program, because programs that don’t engage with your employees or don’t connect with the unique culture of your company will quickly fail.
THIS MEANS:
Think of security awareness as “security marketing.” We’re trying to do the same thing as consumer brands: influence a person’s decision-making process by effectively communicating the value of the program to the organization and individual user. The goal is to get users to make better security decisions.
A crucial element to the success of your program involves establishing a series of goals and initiatives that gain approval from a small, internal committee. We've outlined a few key goals we feel will have the greatest impact and have proven successful across multiple organizations, each with their own unique needs.

You’ll also want to define the purpose of your program. Being able to state this clearly and simply will come in handy over time.

01

Choosing Your Security Awareness Program Mission Statement

The Goal of Mission Statements

At its foundation, the goal of the security awareness program is to change behavior through education. In order to achieve the desired changes, select a mission statement that reflects the outcome you aim to achieve. Some options include:
  • Nurture a culture of security
  • Create a secure-minded workforce
  • Strengthen the human element of security
  • Communicate the correct security behavior
  • Avoid the front-page headlines in the news
Selecting your mission statement is the first step in building a security awareness program that will identify risky habits and replace them with secure ones. It will also instruct users on how to recognize the signs of an attack and provide information on how to react to an attack. This is a long-term, custom program designed to meet compliance and legal requirements as well as change behavior.
02

Defining Roles & Responsibilities

Now that we have stated the mission of the program, you’ll want to define who does what within the program. Roles, titles, and responsibilities around a security awareness program are going to be very different from company to company.
Here are some essential roles to be considered for an effective program:

Manager, Security Awareness
Ideally, the security awareness program should be managed by a dedicated individual, focused on building and maturing the role and initiatives of the program.

The Ideal Candidate

Select someone for the security awareness manager who has soft people skills, high emotional intelligence, and powerful communication abilities. You likely have enough technical resources and SMEs for this role already; however, creativity and effective communication are typically harder to teach.

The Security Awareness Manager’s Biggest Responsibility

The manager needs to use their influence and leadership to execute a multi-faceted program that permeates through all areas of the organization. They need to be a bridge builder between the technical and the non-technical aspects of the program, as well as those who represent such roles.
An essential component of the position is to get employees to recognize and understand how they specifically contribute to the security of the organization, as well as how security and proper cyber hygiene are directly tied to the organization’s success.
CISO
The CISO needs to champion leadership roles and values of the program. This is because the CISO can provide input and guidance regarding executive board concerns and, in turn, represent the goals of the program to senior leadership. They should gain buy-in of the executive board to provide top-down, unified support for the security awareness program.
It is critical that senior leadership across all stakeholder departments acknowledge the importance of the manager role and provide appropriate support. When possible, the security awareness manager should have a direct line of communication with the most senior information security leadership, typically the CISO, CTO, or CIO.
Corporate Communications
All mass communications should be coordinated and approved by your communications department. This includes messages to large groups, company-wide distributions, and any content being delivered to “all company.”
03

Establishing a Security Awareness Advisory Board

The purpose of an Advisory Board is to help establish the program’s goals and make sure every stakeholder is represented. These committees are powerful tools, so we suggest establishing one right from the start. When created with purpose, it will become a key factor in your program’s success.

What Should the Advisory Board Entail?

The advisory board should consist of various members from the information security department, along with key stakeholders from other departments.
The role of the advisory board is to ensure the security awareness program’s implementation is successful. Stakeholders should be considered from among the following roles:
  • InfoSec Team

    IR, Vulnerability Management, Governance, Privacy

  • IT

    Email, Architecture, Helpdesk, etc.

  • Legal Risk

    Corporate Communications, Human Resources, Marketing

  • Security Awareness Program Manager

    Build and mature the role and initiatives of the program

04

Identifying Key Users & Roles

Once you’ve established an advisory board, you can move forward with your overall plan. Start by identifying the key users and roles across the company who will be trained—in addition to the training most learners will receive.
It’s important to know who makes up your environment, so you can provide knowledge appropriately. An effective security awareness policy doesn’t need to be too complicated and can be developed at a high level.
Begin by making a list of:

Who Needs to Be Trained in Your Security Awareness Program?

Once you create your list of groups of people to train, answer the following questions:
1. Why does this group need to be trained?
2. How does the training need to be administered?
3. What does this group need to learn?
4. Are there any unique requirements for this group?
Try to identify specific types of roles or users who, in addition to receiving required training, may need a custom course of training, delivery method, or additional topics.
The four most common groups of employees to consider while mapping out your security awareness journey:

1. Full-Time Employees

Unlike contractors and consultants, these employees are not limited by contractual or legal regulations.

Why Do Full-time Employees Need to Complete Compliance-Related Trainings?

Often full-time employees are used to assess a baseline of knowledge and behavior expectation across the company. This helps address the most common risks in an organization and provides the quickest compliance completion for audit reporting. This is as close to “check-the-box” compliance as it comes.
However, full-time employees must be treated as much more than a baseline requirement. After all, they are likely to have more access to data and an inner working knowledge of the organization itself. Thus, they may overly trust and allow fellow employees to take shortcuts — circumventing security practices or policies.
And, keep in mind, they may also be the most likely to resist change. This can include new forms of training, such as the security awareness program you plan to implement.

What Types of Ongoing Security Awareness Training Do Employees Need?

Ongoing training should include online sessions, live training, phishing training, and new-hire orientation.
The goal of ongoing security awareness is to provide educational learning moments and to keep security best practices and cyber hygiene top of mind. Security policy highlights, data classification, what an incident is and how to report it, and regulatory requirements (PCI, SOX, HIPAA, etc.) should all be in scope.
2. Privileged Users
This includes any user, whether a full-time employee, contractor, or consultant, with privileged or elevated access to any IT resources, customer relationship management (CRM) platforms that hold prospect and customer personal data, electronic health record (EHR) systems, or payment processing tools. Common examples are not limited to IT system administrators, database administrators, network engineers, developers, and helpdesk staff; they should also include payroll, human resources, accounts payable, accounts receivable, and similar roles.

Why Do Privileged Users Need to Be Trained?

Privileged users may require technical training based on their role and must acknowledge and always consider the power and associated risk of their access. Contractors should provide confirmation of completed training from their source company prior to accessing the network.
Social engineers frequently target and impersonate privileged users in phishing attacks. This is because of privileged users’ access to data, their information about processes, and their ability to approve and/or make changes within organizational systems.

What Types of Training Do They Need?

They may need additional training on topics like password practices and management, security considerations for the software development lifecycle (SDLC), role- and industry-appropriate topics, and targeted phishing training.
For Your Consideration
Involve an ambassador from each technical group for the development and delivery of technical, specialized security training and role-based requirements. Equip each ambassador with an understanding of where the program is succeeding, as well as any areas for improvement they are able to support.

3. C-Level Executives and Their Support Staff

C-level executive roles and their support staff, such as administrative staff and assistants, represent a unique risk as access may be connected at the hip. Often, executive level access is delegated to support staff. Training both roles with a custom program that addresses their unique level of risk provides significant value and risk reduction.

Why Do They Need Training?

These individuals represent a high risk to the company due to daily access to highly sensitive information, international travel, and sometimes a habit of making and following their own rules.
Often C-level executives use their authority to exempt themselves from security awareness training. This is NOT recommended. Leaders shouldn’t develop a reputation of disregarding security practices and policies.
They are often the most imitated position in an organization, and most of a social engineer’s efforts are successful when they convince another employee to go outside normal policies and make exceptions. If a privileged user has established a firm reputation for abiding by and upholding policies and procedures and promotes the security awareness trainings, targeted employees will have higher confidence in turning down and reporting an impersonation attack when it takes place.

What Kind of Training Should They Have?

Training should be curated for the specific behaviors and concerns of the role, company culture, and job requirements. Emphasize and educate executives on the key role they play in top-down promotion of the security awareness program. Educate executives on the few key metrics they need to have insight into. And, importantly, educate the executive on the responsibility they have in the event of security incidents.
For Your Consideration
Executives most likely require in-person, custom training. Leverage executive assistants to help train and guide their bosses. The assistants should be the first to receive training, as they usually provide clear insight into the habits and behaviors of their bosses.
Assistants frequently execute on many tasks asked of the executives. As a result, an assistant may have authority to request payments and perform other requests or actions without any checks and balances, making them an equally attractive target as their executive boss.
As a result, executive assistants need to be closely trained on identifying phishing attacks and know that social engineers will always attempt to impersonate their executive bosses to trick and victimize them directly.

4. Contractors and Temporary Staff

These are staff not employed directly by the company who work on the network with access to the same data as employees. Some may be assigned company email addresses; others may be provisioned segmented network access.

Why Do They Need Training?

These groups represent a high risk to the company. Often these users have the same elevated or privileged network access as full-time employees, yet are not held to the same training requirements due to contractual or legal limitations. Nonetheless, contractors should be treated the same as their full-time peers from a risk perspective and receive appropriate training based on role and access.

What Kind of Training Do They Need?

Onboarding process, ongoing online training, and continual annual verification of knowledge and certifications via the sourcing vendor. There should also be a formalized offboarding process/training to ensure there are no loose ends when a temporary employee leaves.
Relevant topics include password practices and management, security considerations for the software development lifecycle (SDLC), and a role/industry-appropriate program.
For Your Consideration
Contractors most likely require custom training via onboarding methods. The legal team should provide guidance on possible limitations regarding such training, but there should be a definitive support structure for providing training as written into contracts.
05

Building Your Security Awareness Training

Now that you’ve identified who you need to train, determining what to train them on becomes slightly easier. Typically, this includes topics you’d expect to be included as part of security awareness training but should also include topics specific to your culture and roles.

What Cyber Risks Should Your Security Awareness Training Include?

  • Security Policies
  • Incident Reporting
  • Privacy
  • Phishing
  • BEC Scams
  • Social Engineering
  • Passwords
  • Ransomware
  • Mobile Devices
  • Remote Working
  • Wi-Fi
  • Cyber Hygiene
  • Physical Security Risks
06

How to Effectively Deliver Security Awareness Training

Now that you know who you want to train, and on what topics, you can pinpoint the best methods for delivery. Part of a solid strategy involves determining your security communication plan and how it will cohabitate with the other goals.
Execution Strategies for Your Security Awareness Program:
You want to engage people. If users don’t listen or aren’t motivated to change their behaviors, your program will likely struggle. That’s why it is important to engage with your audience on two levels:

Organization

This addresses the company culture. Develop a plan and approach in conjunction with senior leadership and corporate communications that reflects full, top-down support of the security awareness program initiatives and goals.
Work directly with the teams and leaders to identify opportunities to strengthen support for security awareness and secure behaviors and habits. Think all-hands meetings, CEO involvement, HR involvement—written into employee contracts and job descriptions as performance expectations.

Individual

Develop an internal marketing campaign announcing what employees can expect from the training program. Modern marketing has revealed it typically takes people hearing something seven times before they remember it.
Don’t expect you can begin a security awareness program by just sending employees the first training session. They won’t know what it is, what to do with it, and they will have no idea why they should even care about it.
Instead, spend a few weeks leading up to the launch of the program announcing it in many different channels. Send emails, make announcements during meetings (especially company all-hands or executive announcements), put up posters, use collaboration tools such as Slack or Microsoft Teams, and include an announcement anywhere there are regular employee communications.
For Your Consideration
The intent will be to empower users with the ability to make smart, security-driven decisions in their personal lives that nurture secure habits they bring into work; along with the tools and resources to maintain secure behaviors at work.
Giving them ways to protect their family is always a big win. Any time an employee understands how a risk could affect them personally, it helps them to see the value in whole-hearted participation.

Gamification

It’s also important to consider ongoing positive reinforcement and rewards for employees participating in the program. Many security awareness solutions have features like point trackers that aid in knowing which employees are taking the lead in the program. It’s important to utilize this data to offer friendly contests and rewards for the employees who are doing a great job in the program!
Another motivating factor for employees to actively participate in a security awareness program is giving them an understanding they are also at risk outside of work.
07

Understanding Types of Training

Most organizations will have a few different types of training they need to deliver through their security awareness program.
This is good to acknowledge early in the process. Identifying those trainings and putting circles around them will be helpful as your program plan begins to take shape and you start considering maturity and phases.
Here are the types of trainings we’ve seen included in successful programs:

Annual Compliance Training

Many compliance training topics are required annually. This is often presented as interactive online training. The goal of the compliance training is to both set the expectations for user behavior and processes within an organization as well as ensure standards are met.
Compliance topics typically revolve around mandated requirements that often fall under the human resources umbrella, such as sexual harassment prevention training, and—as a result—need to be tracked or administered by HR. Plus, completion and/or infringement upon these compliance topics must be enforced by HR policies.
Many other compliance topics may overlap into your ongoing security awareness program, such as payment card industry (PCI) compliance. But just because you must check a box and provide compliance training from a legal or auditing standpoint, that doesn’t replace the need for ongoing security awareness training. Stopping a potential breach is far more impactful than simply fulfilling a compliance requirement.

Ongoing Security Awareness Engagement

Engaging employees on a regular basis (SANS recommends monthly) ensures employees will keep security threats, best practices, and cyber hygiene top of mind. This combats the Ebbinghaus Forgetting Curve.

Ongoing threats require an ongoing solution.

Scientific data supports providing training on at least a monthly cadence. According to the Ebbinghaus Forgetting Curve, which demonstrates how information is lost over time when there is no attempt to retain new information, people forget 80% of what they learn within a month.
Conversely, the Ebbinghaus Forgetting Curve also shows that if people engage with education on a specific topic more than once a month, they retain 200% more information and accurately react 28% faster than those who learn by other methods.
The frequency of training is only part of the equation. The length of lessons also contributes to a program’s success. The ideal length of a learning session as identified by MIT researchers is three minutes or less. This forces content coverage to be succinct and focus only on the most critical information. With a consistently short duration, viewers know that sessions won’t waste their time or be overly taxing, which builds trust and ultimately increases engagement.
Driving a culture of ongoing learning through scheduled intervals of engagement and providing short learning sessions are two, of six, key principles of microlearning. A retention-focused approach to learning that presents information in a similar format to how the brain already functions, microlearning ensures people remember what they’re taught and can recall the information exactly when they need it.
For a complete look at how to implement microlearning as part of your security awareness strategy, read our white paper: The Valuable Role of Microlearning in Cybersecurity. There you will find in-depth guidance on creating content that supports the essential functions of an awareness program.

The key for the administrator of any ongoing program is to stay updated in the selecting and scheduling of content campaigns. Many administrators will seek out a fully managed security awareness solution to leave the content and its management in the hands of a trusted vendor, freeing themselves up to be a security awareness leader rather than functioning solely as program administrator.
However, it’s important not to get wowed by vendors who offer gigantic libraries of long-form content instead of new and fresh microlearning lessons. When long-form trainings get outdated, they quickly become a drain on employee time and hinder their ability to stay motivated and participate in the program.
Still, not all vendors are the same. Some may have extensive libraries that initially look impressive, but when given a closer look, the lessons don’t support your program’s goals, meet the learning needs of your users, or provide content that is up to date with the evolving threat landscape.
What to look for when evaluating Security Awareness Vendors
Make sure to ask the following questions to help make an informed decision:
  • Do you offer short-form video content that is three minutes or less?

  • What percentage of your available course catalog is short-form content (vs. long-form)?

  • Do you utilize scientifically supported learning methodologies in the development of content?

    If yes, what learning techniques do you use, and how do they help my users learn and retain information?

  • How frequently are new lessons added to your content library?

  • Does your library include lessons focused on educating my users on new and emerging threats?

    If yes, can you provide recent examples of lessons you’ve created on new and emerging threats?

  • How do you deploy your training (e.g., LMS or eLearning portal, directly to user’s inbox)?

  • Do you provide ongoing tracking, measuring, and performance reporting on the program?

Phishing Training
Phishing simulations should be included with any ongoing awareness program, and always treated as an educational tool.
Many organizations begin their phishing simulation efforts with education in mind but somehow lose their way and become overly focused on all the bells and whistles of their phishing simulation tools. Often, they cross a line between trying to educate employees and… trying to trick them.
This may cause employees to develop animosity toward the entire training program. And once the simulation program focuses on tricking employees to catch and punish them, the bridge is burned. Also, if you take a sarcastic tone or shame people who do click on a simulation, employees will begin to avoid the security awareness program at all costs and not react properly when they receive a simulated email.
Instead, phishing simulations should be used as educational tools and employees’ engagement with them should elicit a “no shame” respectful tone. Sending monthly phishing simulations tied directly to on-the-spot training that teaches them how to properly identify whether an email is a phishing attempt or if it can be trusted is the best way to build a good relationship between employees and phishing simulations.
Along these lines, it is also important to educate employees on how to report suspicious emails. Many different tools can be used to safely handle potentially dangerous emails. A tool that is readily available to many organizations through Outlook and Google Workspace is a “report phishing” button that ensures proper and simple reporting.
New Hires and Contractors
All new employees and contractors should be required to complete an introduction to the organization’s security practices during employee onboarding, as well as be immediately enrolled in the ongoing security awareness program.
08

Implementing Awareness Initiatives

Major Awareness Initiatives
You can reinforce key behaviors using various methods throughout the year. These methods also help reach the different sub-cultures throughout the organization. These initiatives consist of the following:

Cybersecurity Coaches

This group of volunteer employees acts as liaisons within their department or broader team. Appoint people who have a reputation in the organization as cyber experts, a passion for developing a culture of security, and are patient teachers.
The goal is to empower already security-minded users with the tools and resources they need to spread and strengthen efforts of the company security awareness program.

Executive Assistant Network

This group consists primarily of executive assistants, but also includes senior-level executives.
Like ambassadors, this group can help promote the program organization-wide. Emails that come from the office of the CEO or their assistant have a much higher open rate by employees — resulting in greater attention when needing to make key announcements to employees.

You can reinforce key behaviors using several methods throughout the year to help reach different sub-cultures throughout the organization. Building a successful culture can only happen when it is practiced regularly.
Security Culture Feedback
This process engages senior management throughout your company to candidly discuss any security concerns or needs unique to their footprint. Results from these discussions help inform you of previously unknown security risks and behaviors. This becomes a powerful assessment of your current environment as it gives you materials and ways to focus on reinforcement and potential training module candidates.
Senior management may not have an exact understanding of the step-by-step actions employees take while performing their jobs. So, this should be a multi-layered effort.
Leadership can receive their ideas on paper, but it’s also important to have peer-led discovery meetings where people can speak freely, and anonymously if necessary, and pull the curtain back on practices that might, in fact, be dangerous for your organization. If you want to have employees expose weaknesses and vulnerabilities, you must create a no shame, no blame culture that welcomes the exposition of potential pitfalls.
Cybersecurity Awareness Month (CAM)
October is now globally recognized as Cybersecurity Awareness Month. This creates the opportunity to connect and engage with users throughout the entire month. Activities can include learning sessions, online scavenger hunts, and external speakers, and a keynote event typically highlights the events designed to take advantage of this special focus.
In the first year or two of implementing your security awareness program, use cybersecurity month as a ‘level-up’ event. Take the opportunity to leverage special resources and events available from other vendors and organizations to raise the security awareness program of your organization.
As your company’s security culture begins to mature, turn Cybersecurity Awareness Month into its own holiday season. Fill it full of prizes after you utilize points trackers for your employees and push your ongoing security awareness efforts to lead up to this month.
Newsletters
Newsletters require significant energy and access to editorial and creative resources, which you may or may not have. With the effort required to curate and develop content, newsletters yield low performance returns on time invested. Instead of building something new, focus on utilizing existing communication channels and piggy-back on existing internal marketing and communications activities.
However, if you really feel compelled to do one, send out a quarterly newsletter to InfoSec and senior leadership—a general audience won’t read it. Topics should focus on current strategies, results from initiatives, and projects on the horizon.
09

Reporting & Performance Metrics

Assessments and Scoring
You will need to measure the effectiveness of your security awareness training program in educating your users and changing their behaviors. We recommend the following methods to gauge its success:

Compliance Training Metrics

Think of this as your completion rates in terms of how many users completed the compliance training and regulatory requirements across the company. If you need to provide reports or documentation to any regulatory entities, be sure to understand what format they need the information in and then keep your records updated for reporting purposes.

Ongoing Security Awareness Education

The education portion of your security awareness program should have several key measurement capabilities.
Participation and Completion

It is important to know if employees are participating and completing the content they are assigned.

Quizzes

Asking employees questions and gauging their understanding of certain topics is more than just a neat stat for the reports. It further challenges them to quickly recall information which helps to transfer more of what they are learning to long-term memory.

Gamification and Leaderboard

Creating a points scale for participation, quiz scores, and other behavior trackers will give a security awareness program the ability to attribute motivators, friendly competition, as well as accountability.

  • Phishing Simulations
A phishing training program includes lots of metrics. Be careful not to allow the phishing metrics to become the core metric for the program. It is but one of many important reporting numbers representing an overall effort of the program.
The prioritized metrics in your phishing simulation programs should help you assess improvement toward what should be your ultimate goal, which is to educate your employees. Many people lose sight of this when utilizing a phishing simulation tool.
Phishing simulations should be directly linked to specific teaching moments that not only let employees know where they went wrong, but also explain what to watch out for every single time they receive an email to determine if it can be trusted.
It is important to track clicks, completion of follow-up education, and ongoing improvements in individual performance on things like reporting suspicious emails and not clicking on simulated phishing links.
  • Live Trainings
Live trainings are unique and can provide interesting windows into your culture. Keep track of the number of trainings delivered, the number of unique teams participating, and the number of attendees. Even being a small part of an in-person company event promotes a positive security awareness culture.
Having employees hear directly from the security awareness manager or CISO about the program is a valuable use of time. Not sure what to present on? You can take time to highlight an employee who reported a phishing email that saved the company from potential headaches, take the opportunity to announce or reinforce an upcoming security awareness training, or have leadership endorse the need for ongoing training participation.
Much like marketing programs, it is then important to track registrations, attendance, and participation based on how much or how little promoting was done.
  • Incident Response
An effective security awareness program delivers enough relevant data directly to the IR teams to enable those teams to become efficient. Tracking efficiency can demonstrate to senior leadership an additional way in which the program adds value. An important statistic involves “reduced time to respond” to phishing threats, because the users themselves are doing the reporting.
  • CAM
Cybersecurity Awareness Month is a behemoth. Robust events throughout the month mean a lot of potential data to be collected. However, planning ahead of time and with intention can offer multitudes of great metrics, such as hours spent learning, events attended, and participants in contests.
  • Surveys
Sending out an annual anonymous security awareness survey to measure individuals’ understanding of organizational policies and their beliefs and attitudes toward information security can provide you with valuable insight.
10

Building a Thriving Program

What’s really impactful about implementing a sound strategy is that you will build a continuous positive learning curve and give your entire organization a program they can all understand, support, and promote.

Key Building Blocks of a Security Awareness Program

Keep it simple.

  • Ongoing Training

    Microlearning lessons on a monthly cadence

  • Phishing Simulations

    Once a month

  • Compliance Trainings

    New-hires and annually thereafter

  • Maintain a positive, empowering message

    Always

So, plan big and keep the execution simple.
During year two, highlight maturing year-one goals, and add one or two new programs—like ambassadors and live training, or even role-based training efforts. You can forecast and show how your program matures each year. Doing so is executive team gold.
Above all else, remember that you and your entire program are in place to educate and elevate employees. Don’t get so consumed by administering your program that you forget about your people. Find ways to automate your program so you can spend more time leading your people.

ARCTIC WOLF PRESENTS

Managed Security Awareness
