If you want your organization to take security awareness training seriously, you need to plan for that. If you don’t know what success looks like, you are unlikely to get there. To define success you need a firm understanding of why the organization needs awareness training. We are talking about communicating the business justification for security awareness training and, more importantly, the results you expect from your organization’s investment of time and resources.
The most valuable outcome is to reduce risk, which gives security awareness training its impact on corporate results. It’s reasonable to expect awareness training to result in fewer successful attacks and less loss: risk reduction. Every other security control and investment needs to reduce risk, so why hasn’t security awareness training been held to the same standard? We don’t know either, but the time has come to start thinking about it.
To overcome the limitations of security awareness training and achieve the desired business objectives, in this paper we introduce the concept of Continuous, Contextual Content (3C) as the cornerstone of a training program that can actually deliver on security initiatives. This approach is user-centric: it delivers the necessary content when users need it, reminding an employee about phishing not at some random time, but right after they’ve clicked on a phishing message. We also cover incentives, content approaches, and metrics to ensure your awareness training program provides sustainable impact.
We’d like to thank Mimecast for licensing the content. It’s the support of forward-thinking companies that use our content to educate their communities that allows us to write what you need to read. As always, our research is done using our Totally Transparent research methodology. This allows us to do impactful research while protecting our integrity.
Download the paper here.