Security Awareness training is a critical part of an organization's Cyber Security strategy. But, is awareness alone enough? Read more to discover.
What is Information Security Awareness?
What is the purpose of Information Security Awareness Training?
What is Information Security competence?
How is training delivered effectively?
Security Awareness is the essential knowledge on topics related to Information Security that triggers the correct response in an individual when confronted with Information Security risks.
Here is an example: when an individual receives a phishing email, he or she should have the correct knowledge to identify the email as malicious. Further, this knowledge must trigger the correct response, such as deleting the email or reporting it to the help desk.
The terms Information Security and Cyber Security are often used interchangeably by practitioners as they largely imply the same purpose and meaning.
The purpose of Information or Cyber Security Awareness training is to educate employees (end-users) on Information Security threats (attacks, malicious actors), vulnerabilities, risks and their impact, along with counter-measures and best practices to eliminate or reduce the threat.
The term Security Awareness is usually associated with acquiring Information Security knowledge. But Information Security practitioners largely acknowledge that knowledge alone is not sufficient. Security Awareness programs are nowadays seen as the important first step towards building Cyber Security competence in the workforce.
Information Security competence implies both Information Security knowledge and Information Security skills. Cyber Security competence is the more apt term, as competence refers to knowledge and skills together. Knowledge alone isn't sufficient: knowledge should help the learner gain skills, which are used (triggered) when required.
By focusing on competence, the individual gains both the what (what is Information Security?) and the how (how to apply it?).
Practitioners are increasingly moving away from theory-based training to a more hands-on approach. This change in attitude has come from the following realisations:
- Theoretical knowledge does not guarantee that the learner will apply the knowledge in a real risk scenario.
- In spite of employees having completed the training, if a security incident does happen, there could be serious repercussions for Cyber Security managers, who may have to explain the money and time spent on the training.
Hence, Cyber Security training has moved towards more practical scenarios. Examples are:
- Live simulations: Employees are subjected to real phishing attacks and their behaviour or response is observed and corrected.
- Hands-on: Learners are subjected to real risk scenarios using 3D or Virtual Reality (VR) and made to experience a risk and solve it.
The following methods are used to deliver training:
- e-Learning courses with Cyber Security risk simulations
- Micro-learning courses for busy knowledge workers
- Virtual reality Cyber Security Awareness training