Security awareness training

Issue 2/3 2023 Training & Education, Security Services & Risk Management

Tyrone Meyer.

Most organisations don’t have a lot of time to make an impact with their security awareness programmes, but are faced with compliance obligations that must be met. It is critically important to have a security awareness solution that uses the limited time available to train effectively, and one that provides targeted education that is relevant to users. This latter must be based on the knowledge gaps they have and the topics that they need to learn about now.

Currently there are two issues facing us today:

• How to keep users engaged?

• How to account for an education programme that factors in your globalised audience?

Ultimately, the goal of any security awareness programme is to drive behavioural change and drive actual security outcomes. It’s true to say that your company is only as strong as your weakest user, but what does this mean? Basically, you want to see fewer people clicking on malicious links, not only in simulated phishing tests, but in real-world attacks. However, if users mess up, you want them to learn from their mistakes. Without follow-up education users will continue to make the same mistakes in the future.

You want to work for a situation where more employees report suspicious emails, proactively helping you to keep your organisation safe. Data from the SOTP Report shows that a little over a third of organisations currently educate employees about best practices for reporting. If users don’t know what to do when they get a malicious email, how will they know how to act appropriately? What you don’t want is users reporting on random spams or low-risk emails. You want end-users to know what a potential threat looks like and report on high-risk emails, and know how to tell the difference.

To help customers build a strong culture and shape existing behaviours, values and beliefs towards it, you need to organise a solution into three key steps – an ACE Framework – Assess, Change Behaviour and Evaluation.

Assess: The first step is to assess current culture, knowledge and skills to help establish the baseline and understand where the gaps are and what users believe. This helps inform a programme focus and aids with evaluations. Customers can do this using a variety of tools like knowledge and culture assessments.

Change Behaviour: The second step is to help customers execute on their behavioural change programme. This consists of three key components: automation, adaptive learning and the reinforcement of that learning.

• Automation is very important: security teams can get inundated with user reporting of suspicious messages and threats. It is necessary to provide a way to automate remediation of threats. This approach saves time and resources.

• We also know that one size does not fit all, and this couldn’t be truer for training. An adaptive framework makes it easy to deliver continuous learning throughout the year, adjusting the style of learning and the size so that it fits easily into people’s daily schedule. This helps them move along a path that increases skills level over time across key security domains, and based on role. Think targeted education that’s geared right to where users need to be learning at any given time.

• Reinforcement is also key to combatting the forgetting curve. Using existing tools like threat guided training and email warning tags (providing contextual nudges) are some examples, as well as teachable moments, videos, and more.

• Evaluate: you want to be able to evaluate your programme regularly and make changes as needed, to get results.

Above all, remember, this is a cycle, not a linear process. It is constantly restarting and improving.

Now that we’ve covered the stages of the ACE framework, it’s necessary to take a holistic approach to security awareness education. You need to use a threat-driven content informed by threat intelligence to drive educational modules and help users be prepared to face threats in the wild. A tailored education is not only based on users’ roles and knowledge gaps but is also informed by user vulnerabilities, which must be captured using threat intelligence.

Threat detection capabilities also automatically analyse user-reported messages for fast, time-saving detection. You need visibility to help you communicate the impact of your programme to your leadership team, and to help inform future changes you are considering for your security awareness.

These components come together to help save you time, resources, and enhance the administrator experience – which helps you expand and scale your growing business.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Deception technology crucial to unmasking data theft
Information Security Security Services & Risk Management
The ‘silent theft’ of data is an increasingly prevalent cyber threat to businesses, driving the ongoing leakage of personal information in the public domain through undetected attacks that cannot even be policed by data privacy legislation.

Proactive strategies against payment fraud
Financial (Industry) Security Services & Risk Management
Amid a spate of high-profile payment fraud cases in South Africa, the need for robust fraud payment prevention measures has never been more apparent, says Ryan Mer, CEO of eftsure Africa.

How to prevent and survive fires
Fire & Safety Security Services & Risk Management
Since its launch in August 2023, Fidelity SecureFire, a division of the Fidelity Services Group, has been making significant strides in revolutionising fire response services in South Africa.

A long career in mining security
Technews Publishing Editor's Choice Security Services & Risk Management Mining (Industry)
Nash Lutchman recently retired from a security and law enforcement career, initially as a police officer, and for the past 16 years as a leader of risk and security operations in the mining industry.

Risk management: There's an app for that
Editor's Choice News & Events Security Services & Risk Management
Zulu Consulting has streamlined the corporate risk management process with the launch of Risk-IO, a web-based app designed to consolidate and guide risk managers through the process, monitoring progress as one proceeds.

Integrated information platform for risk management
Editor's Choice News & Events Security Services & Risk Management
Online Intelligence recently launched version 7 of its CiiMS risk and security platform. Speaking to SMART Security Solutions after the launch event, the company’s Arnold van den Bout described the enhancements in version 7.

Global Identity Fraud Report revealing eight-month ‘mega-attack’
Editor's Choice Security Services & Risk Management
AU10TIX recently released its Q4 Global Identity Fraud Report, with the research identifying two never-before-seen attack patterns, with the worst case involving 22 000+ AI-generated variations of a single U.S. passport.

Linking of security officers by security businesses
PSiRA (Private Security Ind. Regulatory Authority) News & Events Security Services & Risk Management
[Sponsored] By law, all security businesses are required to declare their employees to PSiRA so that they can be accounted for administratively. Failure to link employees by security businesses is a contravention of the Code of Conduct and a criminal offence.

Tips and tools for trade businesses
News & Events Training & Education
ServCraft brings together trade industry associations and corporations to launch blox, a digital content platform and community impacting lives, businesses and industries across hundreds of thousands of trade business SMEs.

Africa Online Safety Platform launched in SA
Training & Education News & Events
Impact Amplifier, with the financial support of, launched its African Online Safety Platform (AOSP), a platform providing a rich repository of research, education content, funding opportunities and ways to seek help after an online crime.