The organisation’s ability to manage cyber security incidents effectively is only as strong as its weakest link; in this case, its employees can be the most effective security control or the most significant vulnerability. The key considerations for executing the training and awareness program are set out below.
1. Relevancy
The employees are preoccupied with performing their daily operations. In their mindsets, the execution of the daily procedures takes precedence over incorporating cyber security practices into their processes, especially if those practices appear irrelevant to their work.
The content of the training and awareness program should be related to what the employees are doing. Employees can then draw relationships (Resilia, 2016) between their daily practices and cyber security measures and realise their important role in mitigating and responding to cyber security incidents.
Different training and awareness programs must be designed for the organisation's different departments. Simulating daily procedures or conducting role-based awareness training allows employees to be in their comfort zones and understand how cyber security practices can be incorporated into their daily routine and not affect their processes.
Training and awareness programs are specifically designed for the respective departments because the daily processes they execute differ. The effort spent designing the programs is wasted when the organisation later discovers that certain employees are not aware of, or trained to execute, the mitigation and response procedures because the programs were never distributed to them.
Another challenge that organisations might face is dilution. The busy nature of the employees’ daily operations will result in having less time to participate in training and awareness programs. Hence, the employees request a condensed version (Resilia, 2016) of the content of the learning modules. Since the content is summarised, they are not as skilled or knowledgeable in effectively managing cyber security incidents, making the organisation vulnerable and susceptible to cyber security attacks.
A high volume of communication occurs within the organisation daily. Employees may get overwhelmed by the high traffic of communicated information, losing track of information on cyber security as it is considered secondary (Resilia, 2016). There are specific techniques that organisations can utilise to engage the audience (employees) to participate in the training and awareness program and ensure that they are equipped with the relevant knowledge and skills.
Specific terms and definitions in cyber security are technical and may not be understood by employees, especially those without an IT background. Hence, the various cyber security keywords should be converted to alternative terms whose meaning every employee knows.
The employees' workload may be too heavy to warrant setting aside a specific time to participate in a training and awareness program. Hence, the program can be divided into smaller, digestible components and delivered across different technologies so that employees can access the learning documents in their spare time. A management system can be developed to monitor whether employees have accessed the documents by testing their knowledge and skills in cyber security.
Different employees learn in different ways. Employees can be visual, auditory or practical learners. Hence, utilising different forms of teaching can make the training and awareness program fun and interesting for the employees. These forms can include videos, animations and games, which increase the chances of the program's information being picked up by the employees.
More employees can be engaged with the assistance of the communication team. The training and awareness program can stand out to employees if the skills of communication personnel can be utilised effectively to get the message on the importance of cyber security across.
Feeding the appropriate information (Resilia, 2016) to the employees at the correct time facilitates their decision-making. Information that is vague, or that merely dictates their actions in various scenarios without explanation, is not sufficient. Facts and reasons should be provided to justify performing certain actions, increasing the chances of employees remembering and adopting the documented procedures.
For a cyber security training and awareness program to successfully create an environment in which employees can learn, leadership and financial support (Resilia, 2016) from Senior Management are necessary. Additionally, appropriate decisions can be made during cyber security attacks when Senior Management knows how to process the information received from the employees who encountered the attack first.
Measurement methods have to be in place to evaluate the effectiveness of the training and awareness program (Resilia, 2016). The organisation can determine if its employees have the skills and knowledge to execute the appropriate mitigation and response procedures during a cyber security attack.
Source: Goh, M. H. (2017). A Manager's Guide to Business Continuity Management for Cyber Security Incidents, 2nd Edition. GMH Pte Ltd.
Reference: Chapter 10 Program Management, 10.4 Training and Awareness
Note: This version was the draft 2nd Edition being updated in 2023. The number in square brackets [X-X] cross-refers to the actual chapter and section in the 1st Edition.