Security awareness training

Issue 2/3 2023 Training & Education, Security Services & Risk Management


Tyrone Meyer.

Most organisations don’t have a lot of time to make an impact with their security awareness programmes, but are faced with compliance obligations that must be met. It is critically important to have a security awareness solution that uses the limited time available to train effectively, and one that provides targeted education that is relevant to users. The latter must be based on the knowledge gaps users have and the topics that they need to learn about now.

There are two issues facing us today:

• How to keep users engaged?

• How to account for an education programme that factors in your globalised audience?

Ultimately, the goal of any security awareness programme is to drive behavioural change and actual security outcomes. It’s true to say that your company is only as strong as your weakest user, but what does this mean? Basically, you want to see fewer people clicking on malicious links, not only in simulated phishing tests, but in real-world attacks. However, if users mess up, you want them to learn from their mistakes. Without follow-up education, users will continue to make the same mistakes in the future.

You want to work towards a situation where more employees report suspicious emails, proactively helping you to keep your organisation safe. Data from the SOTP Report shows that a little over a third of organisations currently educate employees about best practices for reporting. If users don’t know what to do when they get a malicious email, how will they know how to act appropriately? What you don’t want is users reporting random spam or low-risk emails. You want end-users to know what a potential threat looks like, to report high-risk emails, and to know how to tell the difference.

To help customers build a strong security culture and shape existing behaviours, values and beliefs towards it, you need to organise a solution into three key steps, an ACE Framework: Assess, Change Behaviour and Evaluate.

Assess: The first step is to assess current culture, knowledge and skills to help establish the baseline and understand where the gaps are and what users believe. This helps inform a programme focus and aids with evaluations. Customers can do this using a variety of tools like knowledge and culture assessments.

Change Behaviour: The second step is to help customers execute on their behavioural change programme. This consists of three key components: automation, adaptive learning and the reinforcement of that learning.

• Automation is very important: security teams can get inundated with user reporting of suspicious messages and threats. It is necessary to provide a way to automate remediation of threats. This approach saves time and resources.

• We also know that one size does not fit all, and nowhere is this truer than in training. An adaptive framework makes it easy to deliver continuous learning throughout the year, adjusting the style and size of learning so that it fits easily into people’s daily schedules. This helps them move along a path that increases skill levels over time across key security domains, based on role. Think targeted education that’s geared right to where users need to be learning at any given time.

• Reinforcement is also key to combatting the forgetting curve. Existing tools like threat-guided training and email warning tags (which provide contextual nudges) are some examples, as are teachable moments, videos, and more.

Evaluate: You want to be able to evaluate your programme regularly and make changes as needed, to get results.

Above all, remember, this is a cycle, not a linear process. It is constantly restarting and improving.

Now that we’ve covered the stages of the ACE framework, it’s necessary to take a holistic approach to security awareness education. You need to use threat-driven content, informed by threat intelligence, to drive educational modules and help users be prepared to face threats in the wild. A tailored education is not only based on users’ roles and knowledge gaps but is also informed by user vulnerabilities, which must be captured using threat intelligence.

Threat detection capabilities also automatically analyse user-reported messages for fast, time-saving detection. You need visibility to help you communicate the impact of your programme to your leadership team, and to help inform future changes you are considering for your security awareness programme.

These components come together to help save you time and resources, and to enhance the administrator experience, which helps you expand and scale your growing business.








© Technews Publishing (Pty) Ltd. | All Rights Reserved.