At The European Information Security Summit last week, Professor Angela Sasse, who is the director of the UK Research Institute in Science of Cyber Security (RISCS), spoke about the need to change how organisations create and manage cyber security awareness training.
According to Professor Sasse, what has to change is the assumption that “people are at fault” for security incidents and problems. From her point of view, staff awareness training is “just background noise”: something pushed at people without developing any engagement, resulting in no change at all. Awareness training should change staff behaviours in such a way that these behaviours become natural.
Engagement is the key
She pushed for an alternative way to make staff awareness training really work – through engagement. “You need to really work with your people and embark on having ongoing conversations with them about what the threats are out there.”
“That’s what we want to change – we want people to talk about security, discuss the risks, but help each other out. The more people talk about security to each other, the better things will become.”
The four steps to improve security awareness training
She suggested a four-step course of action to change and improve security awareness training:
- Security hygiene: share basic cyber security rules and best practices through comprehensive and easy-to-follow information security e-learning courses.
- Authoritative, trustworthy instructions: provide the same resources and training to the whole staff.
- Target: identify the areas that need improvement.
- Engagement: allow constructive discussions among employees with games and activities.