Cybersecurity Series
Cyber Security_Blog_with Book

CIR PgM Training and Awareness

This article discusses the various processes of the Program Management phase that organisations can utilise to ensure that the contents of the CIR Plan are relevant to tackle the evolving cyber security threats so that the CBF of an affected organisation can continue operations smoothly during a cyber security attack.

Reference: Chapter 10 Program Management 10.4 Training and Awareness

Moh Heng Goh

Banner 9 V2CIR Program Management

Training and Awareness

CIR Training and AwarenessTraining and awareness mainly focus on enhancing the employees’ skills and knowledge, which, if executed effectively, can significantly increase the organisation’s ability (Resilia, 2016) to manage cybersecurity incidents. The “human factor” is one potential platform that cybercriminals can exploit to launch a successful cyber security attack.

The organisation’s ability to manage cyber security incidents effectively is as strong as its weakest link; in this case, its employees can be the most effective security control or the most significant vulnerability. The key consideration for executing the training and awareness program.

1. Relevancy

The employees are preoccupied with performing their daily operations. In their mindsets, the execution of the daily procedures takes precedence over incorporating cyber security practices into their processes, especially if they are irrelevant.

The content of the training and awareness program should be related to what the employees are doing. Employees can then draw relationships (Resilia, 2016) between their daily practices and cyber security measures and realise their important role in mitigating and responding to cyber security incidents.

Different training and awareness programs must be designed for the organisation's different departments. Simulating daily procedures or conducting role-based awareness training allows employees to be in their comfort zones and understand how cyber security practices can be incorporated into their daily routine and not affect their processes.

2. Distribution

Training and awareness programs are specifically designed for the respective departments due to the difference in daily processes executed. Effort spent designing the programs is wasted when the organisation realises that certain employees are not aware or trained to execute the mitigation and response procedures because the programs were not distributed to them.

Another challenge that organisations might face is dilution. The busy nature of the employees’ daily operations will result in having less time to participate in training and awareness programs. Hence, the employees request a condensed version (Resilia, 2016) of the content of the learning modules. Since the content is summarised, they are not as skilled or knowledgeable in effectively managing cyber security incidents, making the organisation vulnerable and susceptible to cyber security attacks.

3. Engagement

A high volume of communication occurs within the organisation daily. Employees may get overwhelmed by the high traffic of communicated information, losing track of information on cyber security as it is considered secondary (Resilia, 2016). There are specific techniques that organisations can utilise to engage the audience (employees) to participate in the training and awareness program and ensure that they are equipped with the relevant knowledge and skills.

3.1 Language Usage

Specific terms and definitions in cyber security are particular and may not be understandable by employees, especially those without an IT background. Hence, the various cyber security keywords should be converted to alternative terms that every employee knows the meaning of.

3.2 Accessibility

The employees' workload may be too heavy to warrant a specific time to participate in a training and awareness program. Hence, the program can be divided into smaller digestible components and spread across technologies so employees, in their spare time, can access the learning documents. A management system can be developed to monitor if employees have accessed the document by testing their knowledge and skills in cyber security.

3.3 Fun and Interesting

Different employees have different forms of learning. Employees can be visual, auditory or practical learners. Hence, utilising different forms of teaching can make the training and awareness program fun and interesting for the employees. Different forms can include videos, animations and games, which increases the chances of information from the program being picked up by the employees.

3.4 Communication Team

More employees can be engaged with the assistance of the communication team. The training and awareness program can stand out to employees if the skills of communication personnel can be utilised effectively to get the message on the importance of cyber security across.

4. Content

Feeding the appropriate information (Resilia, 2016) to the employees at the correct time facilitates their decision-making. Information that is vague or dictates their actions in various scenarios is not sufficient. Facts and reasons should be provided to justify performing certain actions, increasing the chances of employees remembering and adopting the documented procedures.

4.1 Support

For a cyber security training and awareness program to successfully create an environment for employees to learn, leadership and financial support (Resilia, 2016) from the Senior Management is necessary. Additionally, appropriate decisions can be made during cyber security attacks when the Senior Management knows how to process the information received from the employees that had encountered the attack first.

New call-to-action
4.2 Effectiveness

Measurement methods have to be in place to evaluate the effectiveness of the training and awareness program (Resilia, 2016). The organisation can determine if its employees have the skills and knowledge to execute the appropriate mitigation and response procedures during a cyber security attack.

Related Topic for CIR Program Management
Back To: Rationale for Lack of Cyber Security Prioritisation Plan Maintenance Training and Awareness
CIR PgM Rationale for Lack of Cyber Security Prioritisation CIR Plan Maintenance CIR Training and Awareness
Advanced Testing and Exercising Audit Cyber Security Mindset and Culture
CIR Advanced Testing and Exercising CIR Audit CIR Cyber Security Mindset and Culture

 

 

 


BCMI Logo

Do You Want to Continue BCM Training onsite or online?

Competency-based Course
Certification Course
New call-to-action New call-to-action [BL-3-Catalog] What Specialist Level Blended Learning Courses that are Available? [BL-5-Catalog] What Expert Level Blended Learning Courses that are Available?

A Manager’s Guide to BCM for Cybersecurity Incident Response

Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.

Reference: Chapter 10 Program Management 10.4 Training and Awareness

Note:  This version was the draft 2nd Edition being updated in 2023. The numeric in the square bracket [X-X] cross-refers to the actual chapter and section in the 1st Edition.

 

Comments:

 

More Posts

New Call-to-action