In my experience, one of the most common ways that security awareness training programs fail is that the content of the awareness/training materials is wrong for the target audience.
The mention of the audience is important here – what’s appropriate for an IT group is seldom useful for a group of average PC users, and what’s useful for the PC users probably won’t be as valuable for workers in a warehouse or distribution center.
But, bearing that in mind, here are four of the ways that I’ve seen programs fail because of the wrong content.
- The Content is Too Technical
- Compliance Training About Regulations – Not Topics Specified by the Regulations
- The Training is Entirely Work-Related
- The Training Ignores Known Security Problems
1. The Content is Too Technical
Probably the most common failing of security awareness training programs is that the content is far too technical for the average user. As a result, the students “tune out” the course and, all too often, any other courses that follow.
Usually, the reason is that the development of the training was delegated to someone from the IT/IS group. This can result in a great course but, more often, it results in one that’s not right for the target audience. For example, I remember one end-user training program that started with a 90-minute course on information security risk assessment – an interesting topic for some of us, but much too complex for the average office worker.
Developing high quality training material is a skill in its own right, and very few people possess that skill as well as in-depth domain knowledge. So, in the training industry, this problem is often addressed by separating out the roles of:
- Subject Matter Expert (or “SME”)
- Instructional Designer (or “ID”)
The SME is responsible for the technical background to the course, and for making sure that it’s accurate. The ID takes the information that the SME has provided, breaks it down, and presents it in a way that the target audience will understand. Understanding the difference between these two roles will help you determine the right people to develop your awareness materials.
2. Compliance Training About Regulations – Not Topics Specified by the Regulations
Security awareness training programs focused on regulatory compliance sometimes fail because they concentrate on teaching students about the regulation rather than about the subjects specified by the regulation.
For example, imagine that you’ve been tasked with providing security awareness training for Gramm-Leach-Bliley Act (GLBA) compliance. So you go out and find a course (or write your own) that explains what GLBA is, how it came about, the penalties for non-compliance, and so on.
When you’ve finished, you have a great backgrounder on GLBA. However, as noted in an earlier post on this blog, the FTC-issued guidelines for organizations implementing measures to meet the GLBA Safeguards Rule say that organizations should:
Train employees to take basic steps to maintain the security, confidentiality and integrity of customer information, such as:
- locking rooms and file cabinets where paper records are kept;
- using password-activated screensavers;
- using strong passwords (at least eight characters long);
- changing passwords periodically, and not posting passwords near employees’ computers;
- encrypting sensitive customer information when it is transmitted electronically over networks or stored online;
- referring calls or other requests for customer information to designated individuals who have had safeguards training; and
- recognizing any fraudulent attempt to obtain customer information and reporting it to appropriate law enforcement agencies.
I’m not saying that discussing the regulation isn’t of value – it’s vital to provide a context for your students: why they should care, the penalties for failure to comply. But the focus of the security awareness program should be on security.
3. The Training is Entirely Work-Related
This one may be a little more controversial, but I’ve seen quite a number of programs fail to have any real impact when they focused the training materials entirely on the business issues.
The reason for managers wanting to do this is understandable – after all, it’s not their job to teach people how to keep themselves secure at home. In addition, some managers have expressed concern about liability that they might incur if they teach students something that backfires.
But, my personal feeling is that they’re missing the critical point. If you can engage students and show them how good security practices can benefit them personally, they’re going to pay more attention to what you’re teaching. I’ve taught classroom sessions on malware (viruses, spyware), passwords, social engineering … and the look on students’ faces when they realize how it relates to their own life tells you that they “get it”. If they then transfer even a small part of that back to the work environment, you’ve gained something very important.
Here’s an earlier post on this blog that discusses the same thing in the context of teaching students about avoiding identity theft.
4. The Training Ignores Known Security Problems
This is an interesting one, and one that I hadn’t really thought too much about until I was involved in a training needs assessment project.
I talked to a number of students in one organization about the security awareness training that they’d received. Almost unanimously, they told me that they considered the training to be of dubious value because it didn’t even mention a major security hole that they all saw each and every day – sensitive documents left lying on printers in common areas. Their logic – if it didn’t cover that one simple problem, why should they take the rest of the training seriously?
Presenting students with training that they see as unrealistic is a sure way to make them ignore it.
Next time … how poor presentation can cause a program to fail.