Should corporate security training be tailored based on a users' job role?
I work in the Information Security team at my workplace. We work in the insurance and healthcare industry and work frequently with customer credit card, financial, and private health data.
Today I was meeting with security management to plan for this year's annual security training curriculum. We are thinking about customizing the training modules for end users depending on their job role. As examples:
- Additional, customized training modules for privileged users such as domain admins
- A training module customized for non-IT employees working in customer-facing roles
- A separate training module for developers, perhaps with a heavier focus on defensive coding and software development vulnerabilities - e.g: SQL injection
As the security risk associated with an IT domain admin level user is obviously very different from a non-IT customer-facing employee, it seems customizing the security training to the specific needs of the type of employee is reasonable. What may be important and relevant to an IT employee may not be so to a customer service representative working in a call center, so it seems a one size fits all approach is just ineffective.
However, I can also see the downsides of a customized approach. An end user could possibly reason that because they were not provided a specific module, that training module is not meaningful or important. In other words, it is possible to encourage end user employees to be more lax in their security habits as they associate only what they see in training as important. We want to avoid this perception.
Is customizing corporate IT security training based on job roles and the differing inherent risks associated with those roles a good practice?
What are some possible downsides to such a customized approach, other than described above?
corporate-policy awareness
add a comment |
I work in the Information Security team at my workplace. We work in the insurance and healthcare industry and work frequently with customer credit card, financial, and private health data.
Today I was meeting with security management to plan for this year's annual security training curriculum. We are thinking about customizing the training modules for end users depending on their job role. As examples:
- Additional, customized training modules for privileged users such as domain admins
- A training module customized for non-IT employees working in customer-facing roles
- A separate training module for developers, perhaps with a heavier focus on defensive coding and software development vulnerabilities - e.g: SQL injection
As the security risk associated with an IT domain admin level user is obviously very different from a non-IT customer-facing employee, it seems customizing the security training to the specific needs of the type of employee is reasonable. What may be important and relevant to an IT employee may not be so to a customer service representative working in a call center, so it seems a one size fits all approach is just ineffective.
However, I can also see the downsides of a customized approach. An end user could possibly reason that because they were not provided a specific module, that training module is not meaningful or important. In other words, it is possible to encourage end user employees to be more lax in their security habits as they associate only what they see in training as important. We want to avoid this perception.
Is customizing corporate IT security training based on job roles and the differing inherent risks associated with those roles a good practice?
What are some possible downsides to such a customized approach, other than described above?
corporate-policy awareness
add a comment |
I work in the Information Security team at my workplace. We work in the insurance and healthcare industry and work frequently with customer credit card, financial, and private health data.
Today I was meeting with security management to plan for this year's annual security training curriculum. We are thinking about customizing the training modules for end users depending on their job role. As examples:
- Additional, customized training modules for privileged users such as domain admins
- A training module customized for non-IT employees working in customer-facing roles
- A separate training module for developers, perhaps with a heavier focus on defensive coding and software development vulnerabilities - e.g: SQL injection
As the security risk associated with an IT domain admin level user is obviously very different from a non-IT customer-facing employee, it seems customizing the security training to the specific needs of the type of employee is reasonable. What may be important and relevant to an IT employee may not be so to a customer service representative working in a call center, so it seems a one size fits all approach is just ineffective.
However, I can also see the downsides of a customized approach. An end user could possibly reason that because they were not provided a specific module, that training module is not meaningful or important. In other words, it is possible to encourage end user employees to be more lax in their security habits as they associate only what they see in training as important. We want to avoid this perception.
Is customizing corporate IT security training based on job roles and the differing inherent risks associated with those roles a good practice?
What are some possible downsides to such a customized approach, other than described above?
corporate-policy awareness
I work in the Information Security team at my workplace. We work in the insurance and healthcare industry and work frequently with customer credit card, financial, and private health data.
Today I was meeting with security management to plan for this year's annual security training curriculum. We are thinking about customizing the training modules for end users depending on their job role. As examples:
- Additional, customized training modules for privileged users such as domain admins
- A training module customized for non-IT employees working in customer-facing roles
- A separate training module for developers, perhaps with a heavier focus on defensive coding and software development vulnerabilities - e.g: SQL injection
As the security risk associated with an IT domain admin level user is obviously very different from a non-IT customer-facing employee, it seems customizing the security training to the specific needs of the type of employee is reasonable. What may be important and relevant to an IT employee may not be so to a customer service representative working in a call center, so it seems a one size fits all approach is just ineffective.
However, I can also see the downsides of a customized approach. An end user could possibly reason that because they were not provided a specific module, that training module is not meaningful or important. In other words, it is possible to encourage end user employees to be more lax in their security habits as they associate only what they see in training as important. We want to avoid this perception.
Is customizing corporate IT security training based on job roles and the differing inherent risks associated with those roles a good practice?
What are some possible downsides to such a customized approach, other than described above?
corporate-policy awareness
corporate-policy awareness
edited 24 mins ago
Sasha
32
32
asked 20 hours ago
AnthonyAnthony
697415
697415
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
The idea of customising the training to meet user requirements is in fact a very good approach. However, there will have to be certain additions to this approach which will then suit everyone in your organisation.
With that being said, it is very correct when you say that the training required for an application developer will not be the same as an HR person.
However, when you look at structure of ISO 27001, you will see that it has many aspects which will be applicable to all departments, such as access control, asset management and disposal, Intellectual property rights management, Business continuity procedures, Employment procedures, Incident handling, Acceptable use guidelines, Clear desk and Clear screen and much more. You will see that each of these items which I have listed above will be applicable to everyone.
Your training approach should take all these into account while also making the training role-specific. I have been taking an approach that is department-specific. Some modules have been exclusively reserved for certain departments, while most modules are applicable to all departments. Your training schedule should list out all these.
Finally the topics that you impart to your employees should actually be within the limits of your organisation's Information security management system (ISMS). So, if you have a well defined ISMS, look through all the policies and procedures that have been defined for your organisation. This will give you a good starting point to define all your topics.
2
Important to note that security training is not ISO 27k specific and it is completely reasonable to have training even if the org is not even considering ISO 27k. A well-defined ISMS should be designed to address the org's risks, which means that the more generic approach for training design is to train based on risk rather than policy. And that's true both for procedural training as well for awareness training.
– schroeder♦
13 hours ago
add a comment |
Security Awareness expert here (awards, best-selling book).
Absolutely, you should/need to customise training to the role/risks.
Many international bodies actually call this out as important:
NIST CSF (PR.AT)- NIST SP 800-16
- SANS
- FBI/DHS
- Jonathan Steenland, COO of the National Cyber Center
Those were just what I could recall off the top of my head.
But your questions at the end seem to show a misunderstanding about how the materials would be created.
Set a baseline standard
Your organisation needs to set a minimum standard for awareness that meets the risk profile of your organisation. That means that everyone gets the same basic foundations. On top of that is the role-specific material.
Same material, role-specific examples
But it can go deeper than that to be more effective. I advocate creating material that is role-specific using the same base material, but having the examples be role-specific. Don't show an HR example to the Shipping department. Keep the examples specific to the role, where practical, but cover the same material so that the foundations are the same. This helps to show why the material is important to the employee.
Train to meet the risks
In addition, different roles in your organisation are going to experience different risks, and those unique risks should be addressed in training. Finance and HR experience different risks and need different tools/procedures to meet those risks. The Shipping department is going to have a completely different set of risks. Training should most definitely be customised to the risks.
Yes, that is going to look daunting to anyone who is not a dedicated security awareness curriculum designer. That is a lot of work. And that's why most organisations do not do it. But they should.
Easy mode: Champions
One way to make it easier is to employ a "Champions" programme where selected individuals in each department/risk area are trained and supported to help design, deliver and be a point of contact for the department/risk-specific material. This has been shown to be extremely effective in many organisations. You should then take the custom material that has been shown to work and roll that into your learning program to make it more consistent and repeatable.
Next step: not just role-specific but audience-specific
In addition, I also advocate having different material for the different technological and demographic groups in your organisation. "How to spot a phish" training needs to look different for people who have never heard of the concept before than for IT experts. And the language and concepts used need to be understood by the various demographic groups in your organisation. For example, ask different people whether they know what a "browser" is. You might be shocked to see who has not heard of the term. That means your "How to spot a phish" material needs to either not use the term or train people on it.
Graduated materials
In my materials, I graduate them so that there is a rising skill and knowledge level. People unlock the higher levels when they have shown to be proficient in the lower levels. This means that the IT experts only have to deal with the basic material once, but are challenged by the brand-new techniques in the high levels. New people can grow with the material.
add a comment |
This is more of a communication question than a security one, but I must acknowledge that the result has a strong impact on the global security practices. What matters here is that all employees can think that their activity is considered as important and that their poor practices would have serious effects.
If you present it that way:
- IT admins will follow a module dedicated to their job
- IT developpers will follow a module dedicated to their job
- non IT fellows will follow a generalist module
The risk is high that non IT staff members think that security is not their concern.
As one of my previous jobs was not IT focused, I think that non IT staff members could feel more concerned with the following presentation:
- one generalist module for everybody so that the base is shared among all employees, whatever their specific activity
- one additional module for every group
The content of the additional module is trivial for the IT groups, admins and developpers.
For non IT members, you will have to find examples related to their actual activity. Social attacks are a primary concern for the financial team, confidentiality is a primary concern for the customer service representative teams, etc. That way, you show every group that you have considered their activity and that lack of good security practices in their activity will have serious consequences.
The actual content will not be much different than the first approach, but it could be seen differently.
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203797%2fshould-corporate-security-training-be-tailored-based-on-a-users-job-role%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
The idea of customising the training to meet user requirements is in fact a very good approach. However, there will have to be certain additions to this approach which will then suit everyone in your organisation.
With that being said, it is very correct when you say that the training required for an application developer will not be the same as an HR person.
However, when you look at structure of ISO 27001, you will see that it has many aspects which will be applicable to all departments, such as access control, asset management and disposal, Intellectual property rights management, Business continuity procedures, Employment procedures, Incident handling, Acceptable use guidelines, Clear desk and Clear screen and much more. You will see that each of these items which I have listed above will be applicable to everyone.
Your training approach should take all these into account while also making the training role-specific. I have been taking an approach that is department-specific. Some modules have been exclusively reserved for certain departments, while most modules are applicable to all departments. Your training schedule should list out all these.
Finally the topics that you impart to your employees should actually be within the limits of your organisation's Information security management system (ISMS). So, if you have a well defined ISMS, look through all the policies and procedures that have been defined for your organisation. This will give you a good starting point to define all your topics.
2
Important to note that security training is not ISO 27k specific and it is completely reasonable to have training even if the org is not even considering ISO 27k. A well-defined ISMS should be designed to address the org's risks, which means that the more generic approach for training design is to train based on risk rather than policy. And that's true both for procedural training as well for awareness training.
– schroeder♦
13 hours ago
add a comment |
The idea of customising the training to meet user requirements is in fact a very good approach. However, there will have to be certain additions to this approach which will then suit everyone in your organisation.
With that being said, it is very correct when you say that the training required for an application developer will not be the same as an HR person.
However, when you look at structure of ISO 27001, you will see that it has many aspects which will be applicable to all departments, such as access control, asset management and disposal, Intellectual property rights management, Business continuity procedures, Employment procedures, Incident handling, Acceptable use guidelines, Clear desk and Clear screen and much more. You will see that each of these items which I have listed above will be applicable to everyone.
Your training approach should take all these into account while also making the training role-specific. I have been taking an approach that is department-specific. Some modules have been exclusively reserved for certain departments, while most modules are applicable to all departments. Your training schedule should list out all these.
Finally the topics that you impart to your employees should actually be within the limits of your organisation's Information security management system (ISMS). So, if you have a well defined ISMS, look through all the policies and procedures that have been defined for your organisation. This will give you a good starting point to define all your topics.
2
Important to note that security training is not ISO 27k specific and it is completely reasonable to have training even if the org is not even considering ISO 27k. A well-defined ISMS should be designed to address the org's risks, which means that the more generic approach for training design is to train based on risk rather than policy. And that's true both for procedural training as well for awareness training.
– schroeder♦
13 hours ago
add a comment |
The idea of customising the training to meet user requirements is in fact a very good approach. However, there will have to be certain additions to this approach which will then suit everyone in your organisation.
With that being said, it is very correct when you say that the training required for an application developer will not be the same as an HR person.
However, when you look at structure of ISO 27001, you will see that it has many aspects which will be applicable to all departments, such as access control, asset management and disposal, Intellectual property rights management, Business continuity procedures, Employment procedures, Incident handling, Acceptable use guidelines, Clear desk and Clear screen and much more. You will see that each of these items which I have listed above will be applicable to everyone.
Your training approach should take all these into account while also making the training role-specific. I have been taking an approach that is department-specific. Some modules have been exclusively reserved for certain departments, while most modules are applicable to all departments. Your training schedule should list out all these.
Finally the topics that you impart to your employees should actually be within the limits of your organisation's Information security management system (ISMS). So, if you have a well defined ISMS, look through all the policies and procedures that have been defined for your organisation. This will give you a good starting point to define all your topics.
The idea of customising the training to meet user requirements is in fact a very good approach. However, there will have to be certain additions to this approach which will then suit everyone in your organisation.
With that being said, it is very correct when you say that the training required for an application developer will not be the same as an HR person.
However, when you look at structure of ISO 27001, you will see that it has many aspects which will be applicable to all departments, such as access control, asset management and disposal, Intellectual property rights management, Business continuity procedures, Employment procedures, Incident handling, Acceptable use guidelines, Clear desk and Clear screen and much more. You will see that each of these items which I have listed above will be applicable to everyone.
Your training approach should take all these into account while also making the training role-specific. I have been taking an approach that is department-specific. Some modules have been exclusively reserved for certain departments, while most modules are applicable to all departments. Your training schedule should list out all these.
Finally the topics that you impart to your employees should actually be within the limits of your organisation's Information security management system (ISMS). So, if you have a well defined ISMS, look through all the policies and procedures that have been defined for your organisation. This will give you a good starting point to define all your topics.
edited 14 hours ago
schroeder♦
76k29169202
76k29169202
answered 18 hours ago
VikasVikas
18510
18510
2
Important to note that security training is not ISO 27k specific and it is completely reasonable to have training even if the org is not even considering ISO 27k. A well-defined ISMS should be designed to address the org's risks, which means that the more generic approach for training design is to train based on risk rather than policy. And that's true both for procedural training as well for awareness training.
– schroeder♦
13 hours ago
add a comment |
2
Important to note that security training is not ISO 27k specific and it is completely reasonable to have training even if the org is not even considering ISO 27k. A well-defined ISMS should be designed to address the org's risks, which means that the more generic approach for training design is to train based on risk rather than policy. And that's true both for procedural training as well for awareness training.
– schroeder♦
13 hours ago
2
2
Important to note that security training is not ISO 27k specific and it is completely reasonable to have training even if the org is not even considering ISO 27k. A well-defined ISMS should be designed to address the org's risks, which means that the more generic approach for training design is to train based on risk rather than policy. And that's true both for procedural training as well for awareness training.
– schroeder♦
13 hours ago
Important to note that security training is not ISO 27k specific and it is completely reasonable to have training even if the org is not even considering ISO 27k. A well-defined ISMS should be designed to address the org's risks, which means that the more generic approach for training design is to train based on risk rather than policy. And that's true both for procedural training as well for awareness training.
– schroeder♦
13 hours ago
add a comment |
Security Awareness expert here (awards, best-selling book).
Absolutely, you should/need to customise training to the role/risks.
Many international bodies actually call this out as important:
NIST CSF (PR.AT)- NIST SP 800-16
- SANS
- FBI/DHS
- Jonathan Steenland, COO of the National Cyber Center
Those were just what I could recall off the top of my head.
But your questions at the end seem to show a misunderstanding about how the materials would be created.
Set a baseline standard
Your organisation needs to set a minimum standard for awareness that meets the risk profile of your organisation. That means that everyone gets the same basic foundations. On top of that is the role-specific material.
Same material, role-specific examples
But it can go deeper than that to be more effective. I advocate creating material that is role-specific using the same base material, but having the examples be role-specific. Don't show an HR example to the Shipping department. Keep the examples specific to the role, where practical, but cover the same material so that the foundations are the same. This helps to show why the material is important to the employee.
Train to meet the risks
In addition, different roles in your organisation are going to experience different risks, and those unique risks should be addressed in training. Finance and HR experience different risks and need different tools/procedures to meet those risks. The Shipping department is going to have a completely different set of risks. Training should most definitely be customised to the risks.
Yes, that is going to look daunting to anyone who is not a dedicated security awareness curriculum designer. That is a lot of work. And that's why most organisations do not do it. But they should.
Easy mode: Champions
One way to make it easier is to employ a "Champions" programme where selected individuals in each department/risk area are trained and supported to help design, deliver and be a point of contact for the department/risk-specific material. This has been shown to be extremely effective in many organisations. You should then take the custom material that has been shown to work and roll that into your learning program to make it more consistent and repeatable.
Next step: not just role-specific but audience-specific
In addition, I also advocate having different material for the different technological and demographic groups in your organisation. "How to spot a phish" training needs to look different for people who have never heard of the concept before than for IT experts. And the language and concepts used need to be understood by the various demographic groups in your organisation. For example, ask different people whether they know what a "browser" is. You might be shocked to see who has not heard of the term. That means your "How to spot a phish" material needs to either not use the term or train people on it.
Graduated materials
In my materials, I graduate them so that there is a rising skill and knowledge level. People unlock the higher levels when they have shown to be proficient in the lower levels. This means that the IT experts only have to deal with the basic material once, but are challenged by the brand-new techniques in the high levels. New people can grow with the material.
add a comment |
Security Awareness expert here (awards, best-selling book).
Absolutely, you should/need to customise training to the role/risks.
Many international bodies actually call this out as important:
NIST CSF (PR.AT)- NIST SP 800-16
- SANS
- FBI/DHS
- Jonathan Steenland, COO of the National Cyber Center
Those were just what I could recall off the top of my head.
But your questions at the end seem to show a misunderstanding about how the materials would be created.
Set a baseline standard
Your organisation needs to set a minimum standard for awareness that meets the risk profile of your organisation. That means that everyone gets the same basic foundations. On top of that is the role-specific material.
Same material, role-specific examples
But it can go deeper than that to be more effective. I advocate creating material that is role-specific using the same base material, but having the examples be role-specific. Don't show an HR example to the Shipping department. Keep the examples specific to the role, where practical, but cover the same material so that the foundations are the same. This helps to show why the material is important to the employee.
Train to meet the risks
In addition, different roles in your organisation are going to experience different risks, and those unique risks should be addressed in training. Finance and HR experience different risks and need different tools/procedures to meet those risks. The Shipping department is going to have a completely different set of risks. Training should most definitely be customised to the risks.
Yes, that is going to look daunting to anyone who is not a dedicated security awareness curriculum designer. That is a lot of work. And that's why most organisations do not do it. But they should.
Easy mode: Champions
One way to make it easier is to employ a "Champions" programme where selected individuals in each department/risk area are trained and supported to help design, deliver and be a point of contact for the department/risk-specific material. This has been shown to be extremely effective in many organisations. You should then take the custom material that has been shown to work and roll that into your learning program to make it more consistent and repeatable.
Next step: not just role-specific but audience-specific
In addition, I also advocate having different material for the different technological and demographic groups in your organisation. "How to spot a phish" training needs to look different for people who have never heard of the concept before than for IT experts. And the language and concepts used need to be understood by the various demographic groups in your organisation. For example, ask different people whether they know what a "browser" is. You might be shocked to see who has not heard of the term. That means your "How to spot a phish" material needs to either not use the term or train people on it.
Graduated materials
In my materials, I graduate them so that there is a rising skill and knowledge level. People unlock the higher levels when they have shown to be proficient in the lower levels. This means that the IT experts only have to deal with the basic material once, but are challenged by the brand-new techniques in the high levels. New people can grow with the material.
add a comment |
Security Awareness expert here (awards, best-selling book).
Absolutely, you should/need to customise training to the role/risks.
Many international bodies actually call this out as important:
NIST CSF (PR.AT)- NIST SP 800-16
- SANS
- FBI/DHS
- Jonathan Steenland, COO of the National Cyber Center
Those were just what I could recall off the top of my head.
But your questions at the end seem to show a misunderstanding about how the materials would be created.
Set a baseline standard
Your organisation needs to set a minimum standard for awareness that meets the risk profile of your organisation. That means that everyone gets the same basic foundations. On top of that is the role-specific material.
Same material, role-specific examples
But it can go deeper than that to be more effective. I advocate creating material that is role-specific using the same base material, but having the examples be role-specific. Don't show an HR example to the Shipping department. Keep the examples specific to the role, where practical, but cover the same material so that the foundations are the same. This helps to show why the material is important to the employee.
Train to meet the risks
In addition, different roles in your organisation are going to experience different risks, and those unique risks should be addressed in training. Finance and HR experience different risks and need different tools/procedures to meet those risks. The Shipping department is going to have a completely different set of risks. Training should most definitely be customised to the risks.
Yes, that is going to look daunting to anyone who is not a dedicated security awareness curriculum designer. That is a lot of work. And that's why most organisations do not do it. But they should.
Easy mode: Champions
One way to make it easier is to employ a "Champions" programme where selected individuals in each department/risk area are trained and supported to help design, deliver and be a point of contact for the department/risk-specific material. This has been shown to be extremely effective in many organisations. You should then take the custom material that has been shown to work and roll that into your learning program to make it more consistent and repeatable.
Next step: not just role-specific but audience-specific
In addition, I also advocate having different material for the different technological and demographic groups in your organisation. "How to spot a phish" training needs to look different for people who have never heard of the concept before than for IT experts. And the language and concepts used need to be understood by the various demographic groups in your organisation. For example, ask different people whether they know what a "browser" is. You might be shocked to see who has not heard of the term. That means your "How to spot a phish" material needs to either not use the term or train people on it.
Graduated materials
In my materials, I graduate them so that there is a rising skill and knowledge level. People unlock the higher levels when they have shown to be proficient in the lower levels. This means that the IT experts only have to deal with the basic material once, but are challenged by the brand-new techniques in the high levels. New people can grow with the material.
Security Awareness expert here (awards, best-selling book).
Absolutely, you should/need to customise training to the role/risks.
Many international bodies actually call this out as important:
NIST CSF (PR.AT)- NIST SP 800-16
- SANS
- FBI/DHS
- Jonathan Steenland, COO of the National Cyber Center
Those were just what I could recall off the top of my head.
But your questions at the end seem to show a misunderstanding about how the materials would be created.
Set a baseline standard
Your organisation needs to set a minimum standard for awareness that meets the risk profile of your organisation. That means that everyone gets the same basic foundations. On top of that is the role-specific material.
Same material, role-specific examples
But it can go deeper than that to be more effective. I advocate creating material that is role-specific using the same base material, but having the examples be role-specific. Don't show an HR example to the Shipping department. Keep the examples specific to the role, where practical, but cover the same material so that the foundations are the same. This helps to show why the material is important to the employee.
Train to meet the risks
In addition, different roles in your organisation are going to experience different risks, and those unique risks should be addressed in training. Finance and HR experience different risks and need different tools/procedures to meet those risks. The Shipping department is going to have a completely different set of risks. Training should most definitely be customised to the risks.
Yes, that is going to look daunting to anyone who is not a dedicated security awareness curriculum designer. That is a lot of work. And that's why most organisations do not do it. But they should.
Easy mode: Champions
One way to make it easier is to employ a "Champions" programme where selected individuals in each department/risk area are trained and supported to help design, deliver and be a point of contact for the department/risk-specific material. This has been shown to be extremely effective in many organisations. You should then take the custom material that has been shown to work and roll that into your learning program to make it more consistent and repeatable.
Next step: not just role-specific but audience-specific
In addition, I also advocate having different material for the different technological and demographic groups in your organisation. "How to spot a phish" training needs to look different for people who have never heard of the concept before than for IT experts. And the language and concepts used need to be understood by the various demographic groups in your organisation. For example, ask different people whether they know what a "browser" is. You might be shocked to see who has not heard of the term. That means your "How to spot a phish" material needs to either not use the term or train people on it.
Graduated materials
In my materials, I graduate them so that there is a rising skill and knowledge level. People unlock the higher levels when they have shown to be proficient in the lower levels. This means that the IT experts only have to deal with the basic material once, but are challenged by the brand-new techniques in the high levels. New people can grow with the material.
edited 13 hours ago
answered 14 hours ago
schroeder♦schroeder
76k29169202
76k29169202
add a comment |
add a comment |
This is more of a communication question than a security one, but I must acknowledge that the result has a strong impact on the global security practices. What matters here is that all employees can think that their activity is considered as important and that their poor practices would have serious effects.
If you present it that way:
- IT admins will follow a module dedicated to their job
- IT developpers will follow a module dedicated to their job
- non IT fellows will follow a generalist module
The risk is high that non IT staff members think that security is not their concern.
As one of my previous jobs was not IT focused, I think that non IT staff members could feel more concerned with the following presentation:
- one generalist module for everybody so that the base is shared among all employees, whatever their specific activity
- one additional module for every group
The content of the additional module is trivial for the IT groups, admins and developpers.
For non IT members, you will have to find examples related to their actual activity. Social attacks are a primary concern for the financial team, confidentiality is a primary concern for the customer service representative teams, etc. That way, you show every group that you have considered their activity and that lack of good security practices in their activity will have serious consequences.
The actual content will not be much different than the first approach, but it could be seen differently.
add a comment |
This is more of a communication question than a security one, but I must acknowledge that the result has a strong impact on the global security practices. What matters here is that all employees can think that their activity is considered as important and that their poor practices would have serious effects.
If you present it that way:
- IT admins will follow a module dedicated to their job
- IT developpers will follow a module dedicated to their job
- non IT fellows will follow a generalist module
The risk is high that non IT staff members think that security is not their concern.
As one of my previous jobs was not IT focused, I think that non IT staff members could feel more concerned with the following presentation:
- one generalist module for everybody so that the base is shared among all employees, whatever their specific activity
- one additional module for every group
The content of the additional module is trivial for the IT groups, admins and developpers.
For non IT members, you will have to find examples related to their actual activity. Social attacks are a primary concern for the financial team, confidentiality is a primary concern for the customer service representative teams, etc. That way, you show every group that you have considered their activity and that lack of good security practices in their activity will have serious consequences.
The actual content will not be much different than the first approach, but it could be seen differently.
add a comment |
This is more of a communication question than a security one, but I must acknowledge that the result has a strong impact on the global security practices. What matters here is that all employees can think that their activity is considered as important and that their poor practices would have serious effects.
If you present it that way:
- IT admins will follow a module dedicated to their job
- IT developpers will follow a module dedicated to their job
- non IT fellows will follow a generalist module
The risk is high that non IT staff members think that security is not their concern.
As one of my previous jobs was not IT focused, I think that non IT staff members could feel more concerned with the following presentation:
- one generalist module for everybody so that the base is shared among all employees, whatever their specific activity
- one additional module for every group
The content of the additional module is trivial for the IT groups, admins and developpers.
For non IT members, you will have to find examples related to their actual activity. Social attacks are a primary concern for the financial team, confidentiality is a primary concern for the customer service representative teams, etc. That way, you show every group that you have considered their activity and that lack of good security practices in their activity will have serious consequences.
The actual content will not be much different than the first approach, but it could be seen differently.
This is more of a communication question than a security one, but I must acknowledge that the result has a strong impact on the global security practices. What matters here is that all employees can think that their activity is considered as important and that their poor practices would have serious effects.
If you present it that way:
- IT admins will follow a module dedicated to their job
- IT developpers will follow a module dedicated to their job
- non IT fellows will follow a generalist module
The risk is high that non IT staff members think that security is not their concern.
As one of my previous jobs was not IT focused, I think that non IT staff members could feel more concerned with the following presentation:
- one generalist module for everybody so that the base is shared among all employees, whatever their specific activity
- one additional module for every group
The content of the additional module is trivial for the IT groups, admins and developpers.
For non IT members, you will have to find examples related to their actual activity. Social attacks are a primary concern for the financial team, confidentiality is a primary concern for the customer service representative teams, etc. That way, you show every group that you have considered their activity and that lack of good security practices in their activity will have serious consequences.
The actual content will not be much different than the first approach, but it could be seen differently.
answered 15 hours ago
Serge BallestaSerge Ballesta
16.7k32661
16.7k32661
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203797%2fshould-corporate-security-training-be-tailored-based-on-a-users-job-role%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown