How much risk reduction has your user awareness training provided to your organization?
Tough question for most people to answer.
The solution – take a baseline metric before providing the user awareness training.
Before user awareness training, get leadership approval to send a test phishing email, make a test phone call, or drop test USB sticks. Then wait and measure how many employees, contractors, or vendors open and click.
This will provide a solid idea of what percentage of the employee population is currently susceptible to phishing attacks, social attacks, or physical drive-by attacks.
If your organization is new to providing user awareness training, I recommend starting with a single vector for testing, such as phishing.
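As an added example (not part of the original article), this is the kind of script that turns a test-phishing campaign's event log into the baseline metric described above and compares it with a later campaign run after training. The log format, campaign names and recipients are constructed here; a real simulation platform will export something similar.

```python
from collections import defaultdict

# Constructed event log (not real data): "campaign,recipient,action",
# where action is one of sent / opened / clicked / reported.
EVENTS = """\
baseline,alice,sent
baseline,alice,opened
baseline,alice,clicked
baseline,alice,clicked
baseline,bob,sent
baseline,bob,opened
baseline,carol,sent
baseline,carol,clicked
baseline,dave,sent
baseline,dave,reported
post,alice,sent
post,alice,reported
post,bob,sent
post,bob,opened
post,carol,sent
post,carol,clicked
post,dave,sent
post,dave,reported
"""

def parse_events(text):
    """Group distinct actions per recipient per campaign, so a person who
    clicks twice is counted once and does not inflate the click rate."""
    campaigns = defaultdict(lambda: defaultdict(set))
    for line in text.strip().splitlines():
        campaign, recipient, action = line.split(",")
        campaigns[campaign][recipient].add(action)
    return campaigns

def campaign_rates(campaigns, name):
    """Per-campaign open, click and report rates over delivered messages.
    A click implies the message was opened even if no 'opened' event exists."""
    people = campaigns[name]
    sent = sum(1 for acts in people.values() if "sent" in acts)
    if sent == 0:
        raise ValueError(f"campaign {name!r} has no delivered messages")
    clicked = sum(1 for acts in people.values() if "clicked" in acts)
    opened = sum(1 for acts in people.values() if {"opened", "clicked"} & acts)
    reported = sum(1 for acts in people.values() if "reported" in acts)
    return {"sent": sent, "open_rate": opened / sent,
            "click_rate": clicked / sent, "report_rate": reported / sent}

def risk_reduction(campaigns, before="baseline", after="post"):
    """Relative drop in click rate between the baseline and a later campaign."""
    b = campaign_rates(campaigns, before)["click_rate"]
    a = campaign_rates(campaigns, after)["click_rate"]
    return (b - a) / b if b else 0.0
```

Tracking the report rate alongside the click rate matters: a rising report rate shows people are using the reporting tools the training pointed them to, not just declining to click.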
The employees are at the front line of the company’s security every day. They are continually making decisions that can benefit the company or put it at risk. A solid, well-thought-through and well-delivered user security awareness program makes a big impact over the long run.
Three critical components to effective training:
- Leadership support. It needs to come from the top down that leadership believes there is a significant risk to the business. The leaders believe that users can make an impact on that risk by following the delivered training and implementing what they’ve learned.
- Tools and resources. People won’t remember the training, but they can remember the resources you provide that will equip them to make the right decision when faced with a questionable situation. Set up an intranet site, put a link on the default browser home page, or put up posters around the office, pointing people where to go and how to get help making the right decisions and using the right tools.
- Responsibility. Security is everyone’s responsibility, not just the security guy or gal. This culture needs to be massaged into the employees. One way to highlight this is by having supporting documentation in the information security policy that outlines the consequences of NOT following the security guidance. Often this is direct, like: “Not following the company security policy can result in consequences such as disciplinary correction programs and as severe as termination.” It can be sensitive to touch on this, but really it’s no different than telling people to pick up after themselves. You wouldn’t tolerate employees dropping their garbage around the office, or stealing company assets, without consequences.
For more information on how to plan and execute impactful user security awareness training that effectively reduces the risk to your organization, visit our full article on how to build a GREAT security awareness program: