Many organizations create a security education and awareness plan to identify methods of raising the security awareness of employees. If you’re planning on taking the Security+ exam, you should have a basic understanding of security awareness and training plans.
For example, can you answer this question?
Q. Your organization has spent a significant amount of money on training employees on security awareness. Your organization wants to validate the success of this training. Which of the following is the BEST choice?
A. Implement role-based training.
B. Use metrics.
C. Use security policies.
D. Verify PII.
More, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Role-Based Training
Training is often targeted to users based on their roles within the organization. For example, consider the following roles within an organization:
- Executive personnel. Executives need high-level briefings related to the risks that the organization faces, along with information on the organization’s overall information security awareness program. Additionally, executives should be trained on whaling attacks because attackers target executives with malicious phishing emails.
- Incident response team. An incident response team needs detailed training on how to respond to incidents. Even within the team, personnel might require different training. For example, security personnel responsible for forensic investigations need specialized training.
- Network and server administrators. Administrators need to understand the hardware and software that they manage, so that they can deploy, manage, and maintain it as securely as possible.
- End users. End users need to have an understanding of common threats, such as malware and phishing attacks. They also need to understand the risk posed by clicking an unknown link and how drive-by downloads can infect their system.
Training can include a wide variety of topics depending on the organization. Some of the topics include:
- Security policy contents
- Keeping cipher codes private
- Acceptable use and user responsibilities
- Protection of Personally Identifiable Information
- Importance of data labeling, handling, and disposal
- Information classifications used by the organization
- Compliance with relevant laws, best practices, and standards
- Threat awareness, including current malware and phishing attacks
- User habits that represent risks such as with passwords and tailgating
- Use of social networking sites and peer-to-peer applications and how they result in data leakage
Remember this
A primary goal of security awareness and training is to reinforce user compliance with security policies and help reduce risks posed by users. The success of any security awareness and training plan is dependent on the support of senior management. Because security issues change over time, it’s common to provide periodic refresher training.
Training Issues
There are many situations where training is required to maintain compliance with existing laws, best practices, and standards. As an example, many laws exist covering PII. Although these laws have many similarities, there can be minor differences in different localities. It’s important for personnel handling any PII to understand the laws that apply.
Best practices often prevent a wide range of incidents as long as users understand and follow them. The CompTIA Security+: Get Certified Get Ahead: SY0-401 Study Guide has covered many best practices, including developing and following a security policy, ensuring users do not share accounts, using strong passwords, following the principle of least privilege, and much more. Unless personnel know about them, and understand them, they might not be implementing them.
Additionally, many organizations have to abide by certain standards. For example, organizations handling credit card information need to comply with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS includes six control objectives and 12 specific requirements that combined help ensure an organization implements a series of best practices that will help prevent fraud.
Administrators might understand how to implement many of these without any additional training. However, some of the requirements might require additional training to maintain compliance. PCI DSS isn’t foolproof, but it has helped reduce many of the risks associated with credit card fraud.
Using Metrics to Validate Compliance
Metrics measure various activities, and in some cases management uses them to measure the impact of training. For example, an organization can provide training to personnel and then follow up by gathering metrics. These metrics can validate that personnel are complying with established security policies and measure the overall security posture.
Imagine an organization has been having an average of 10 security incidents a month due to malware and phishing attacks. They might choose to provide training to personnel. Imagine that after personnel attended the training, the organization continued to have an average of 10 security incidents a month. This indicates the training did not have a measurable impact.
On the other hand, imagine the number of incidents dropped from an average of 10 a month to 1 a month. This indicates that the training was very effective. One of the benefits of these metrics is that they justify the costs associated with training.
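The before-and-after comparison described above, as an added example that is not part of the original post. It uses a constructed incident log and an assumed training date, counts only the incident categories the training covered (phishing and malware), and compares the average incidents per month for the same number of months before and after the training. Months with zero incidents still count toward the average, and the case where there were no incidents before training (nothing to reduce) is handled rather than divided by zero.

```python
from datetime import date

# Constructed sample incident log (not real data): ISO date, category.
# Only the categories the training covered are counted; the lost_device
# entry shows that unrelated incidents are excluded from the metric.
INCIDENTS = [
    ("2015-01-06", "phishing"), ("2015-01-14", "phishing"), ("2015-01-22", "phishing"),
    ("2015-01-27", "lost_device"),
    ("2015-02-03", "phishing"), ("2015-02-11", "phishing"), ("2015-02-24", "malware"),
    ("2015-03-02", "malware"), ("2015-03-17", "malware"), ("2015-03-30", "malware"),
    ("2015-04-09", "phishing"),
    ("2015-05-20", "malware"),
    ("2015-06-15", "phishing"),
    ("2015-07-08", "phishing"),  # outside the 3-month "after" window, so not counted
]

TRAINING_DATE = date(2015, 4, 1)  # assumed: the day awareness training was delivered
TRAINED_CATEGORIES = {"phishing", "malware"}


def add_months(day, n):
    """Return the first day of the month n months away from day (n may be negative)."""
    index = day.year * 12 + (day.month - 1) + n
    return date(index // 12, index % 12 + 1, 1)


def months_between(start, end):
    """Number of whole months in the half-open window [start, end)."""
    return (end.year - start.year) * 12 + (end.month - start.month)


def incident_rate(incidents, categories, start, end):
    """Average incidents per month in [start, end), counting only the given categories.
    Months with no incidents still count toward the denominator."""
    months = months_between(start, end)
    if months <= 0:
        raise ValueError("window must span at least one whole month")
    count = sum(1 for day_str, category in incidents
                if category in categories and start <= date.fromisoformat(day_str) < end)
    return count / months


def training_impact(incidents, training_date, window_months, categories):
    """Compare the incident rate for window_months before training with the same
    span after it. reduction_pct is None when there was nothing to reduce."""
    before = incident_rate(incidents, categories,
                           add_months(training_date, -window_months), training_date)
    after = incident_rate(incidents, categories,
                          training_date, add_months(training_date, window_months))
    reduction = None if before == 0 else (before - after) / before * 100
    return {"before_per_month": before, "after_per_month": after, "reduction_pct": reduction}


if __name__ == "__main__":
    result = training_impact(INCIDENTS, TRAINING_DATE, 3, TRAINED_CATEGORIES)
    print(f"before: {result['before_per_month']:.1f}/month, "
          f"after: {result['after_per_month']:.1f}/month")
    if result["reduction_pct"] is None:
        print("no incidents before training; nothing to measure against")
    else:
        print(f"reduction: {result['reduction_pct']:.0f}%")
```

With the constructed log, the rate drops from 3 incidents a month to 1, a two-thirds reduction. The same comparison run with the real incident tracking data would be the metric used to justify the training cost; the important design choice is to fix the categories and the window length up front, so the before and after numbers measure the same thing.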
Remember this
Metrics can prove the success of a training or security awareness program by comparing incidents before the training with incidents after the training program.
Q. Your organization has spent a significant amount of money on training employees on security awareness. Your organization wants to validate the success of this training. Which of the following is the BEST choice?
A. Implement role-based training.
B. Use metrics.
C. Use security policies.
D. Verify PII.
Answer is B. Metrics are measurements and you can use them to validate the success of a security awareness program.
Role-based training is targeted training, but it does not validate the success of training.
Training would typically teach employees about a security policy, but the policy doesn’t provide measurements.
Personally Identifiable Information (PII) might be part of the training, but PII cannot validate training.