Security awareness needs to be more than a checkbox

Most companies understand that users educated to recognize and avoid security concerns are one of the best, if not the best, defenses against malware and network compromise. Unfortunately, the approach most organizations use for security awareness training accomplishes little more than providing some sort of CYA checkbox stating that a user received some sort of training.

The goal isn’t just to force users to endure 30 minutes of training and check a box once a year. The goal is to actually educate them, and that requires getting them more engaged in the training and more invested in the outcome.

I wrote about a session from this year’s RSA Security Conference that addressed the issue of employee security awareness training.

It is no secret that no matter how many layers of security you have, or how great your computer and network defenses are, the user is the weak link in the security chain. This being the case, effective training to make users aware of security concerns and security best practices is often a better investment than additional security devices or applications. The challenge is how to get the employees engaged and invested in the training so they actually retain and apply it.

Katrina Rodzon, a security awareness professional, presented a session at the 2014 RSA Security Conference titled “Making the Security Super Human: How to Effectively Train Anyone/Anything.” It was an enlightening session that highlighted the common problems with security awareness training and provided some guidance for how to improve employee engagement.

Rodzon pointed out that many security awareness systems are either based on rewards or consequences, but that neither really provides the right motivation. What companies need is a more consistent, ongoing approach to security awareness rather than a once-a-year mind dump.

Click here to read the full article: Getting Employees Engaged in Cyber-Security Training.
