When we think of information security, we usually think of encryption, vulnerability management and other more technical subjects that my colleagues already covered. But, as you might know, information security is way more human and alive that we might think — People need to be aware of possible security risks and must be trained accordingly to react successfully to security threats.

What’s an Information Security Awareness Program ?

One way to promote security and train users is through Information Security Awareness, Education and Training (Control 7.2.2 for those familiar with ISO 27001/27002:2013). Directly from ISO 27002:2013:

An Information Security Awareness Program should aim to make employees and, where relevant, contractors aware of their responsibilities for information security and the means by which those responsibilities are discharged.

Those trainings need to be meaningful and adapted to the users’ reality to be successful. Difficult, but not impossible.

What’s this article about ?

We will walk through the five main steps we follow to build and publish awareness trainings at Poka, and advices on what to do. For those used to it, you will see it follows the PDCA process(Plan-Do-Check-Act)

Who’s this article for ?

Anyone who works in Security, Privacy, Governance, Risk or Compliance (you get the idea) and has to implement an Information Security Awareness Program, this article is for you.

1. Pick a Subject

It might be tempted to only do awareness trainings on what is currently popular like phishing/spear phishing/ransomware (which are good subjects to address nonetheless), but there’s also a great source of subject right within your company: your own Risks.

The very reason why you want to do awareness trainings is because you sense that there are risks in your company that need to be controlled and mitigated.

Even if you do not (yet) engage in Risk Management, it’s quite possible and simple to identify high-level risks in your company.

Let’s take for example phishing, which is a risk for most companies, if not all. I won’t go into the details of explaining all the possible risks of phishing because they have been well documented, but one way to mitigate the risks of phishing is to educate your employees on how to detect and report attempted phishing attempts.

You may also have a set of policies on different subjects, and even though all your employees are required to read and understand all of them, it’s unrealistic to believe that they will remember and follow 100% of policies. Awareness trainings can then be created to cover more specifically an entire policy or a part of it that you deem more important and crucial.

You should also choose a fixed schedule (e.g. each month/each 3 months) for publishing new awareness trainings. It’s better to do it in small doses over time than only one time in the year. By doing it in small doses over time, it encourages a better information security culture in the company, and employees are trained/reminded on pertinent subjects continuously.

Also, depending of your reality, you should try to create and design metrics so that you can measure the success of the awareness training that you want to do. Though, it’s not always possible to have statistically significant metrics because of the size of your organisation; (e.g. pertinent difference of reported phishing attempts in a small organisation might be difficult to observe). But if you do and if it’s done correctly, it will help you determine if the training has really changed positively the behavior of employees, and if yes, then it can be presented to the upper management to justify the program (if it’s a concern in your organisation). It’s a win-win situation.

What we do

We mainly choose subjects based on risks we identified within our Risk Management process. Employees’ feedback is also considered for choosing a new subject. In the end, awareness trainings need to cater to their needs and worries(more details in the fourth and fifth section)

For example, we made an awareness training on phishing/spear phishing because when we evaluated the risks of a successful phishing attempt to be real, and one of the mitigation controls that we chose to implement was to better train and instruct all Poka employees on phishing.

Similarly, we have a policy at Poka on how to report security incidents. Even though all employees are required to read and understand all policies (let’s be honest, that impossible), we also decided to do an awareness training on how to detect and report security incidents.

Right now, we’re doing awareness training every 3 months, but at the moment of writing this article, we are looking into the possibility of doing it each month. We also track a small set of metrics because we are a small organisation, but again, we are planning to expand the number metrics that we used.

Creating your Awareness Training can be as fun and easy as playing with Legos :)

2. Create your Awareness Training

Now that you have chosen a subject, it’s time to think about how you are going to build your awareness trainings.

First, I would advise, if possible, to construct your own awareness trainings so that it will be more adapted to your own culture and better suited to your needs instead of relying on generic training materials found online. It might costs more initially, but if done correctly, it will pay off.

While developing your awareness trainings, think more like a marketer/designer as you need to sell the content of your training, not just tell them what to do. If you have a Design and/or a Marketing team in your company, consult them to promote and improve the flow of your message, and maybe add some entertainment value to an otherwise boring presentation. It needs to be interesting to your audience. Information security objectives and employee’s objectives should be both aligned, because let’s face it, information security is not a priority for everyone, and many believe that information security is not in their responsibility.

What we do

Right now, all of our awareness trainings are created with Google Slides. We really try to make it lightweight, straight to the point, and fun to consult to avoid Death by Powerpoint. Some (a lot) of memes, Gifs (maybe to the dismay of some of my coworkers) and even games are incorporated into each awareness trainings. Each of them can be done in a short timespan of 5 to 10 minutes.

Our Design team developed a Google Slides template that we reuse most of the time.

When the awareness training is completed, it gets peer-reviewed by the rest of the Information Security Team, and when it’s adequate, it also gets peer-reviewed by 2–3 employees from different teams to gather general feedback. This serves to reduce the risk of a major problem/error with the awareness training, and to ensure that it is comprehensive.

3. Communicate your Awareness Training

Now that everything is ready, you should publish your awareness training on an official channel that is consulted by everyone in your company (Slack, HipChat, emails, intranet, etc.). Don’t be scared to use multiples channels, if necessary, to effectively reach all employees, but don’t harass them either.

Clear and concise indications should also be given of what is intended from all employees (e.g deadline to do the trainings).

What we do

Our official channel of communication at Poka is the #general channel in Slack where all major announcements are published, and where the noise is mostly limited. All awareness trainings are published in that channel, and we give indications on the deadline (2 weeks is given).

4. Gather Confirmations & Feedback

If you want good awareness trainings (and compliant with most security standards), you need to gather and keep a proof of confirmation from all employees.

And at the same time, why not gather some feedback from your audiance about the awareness training? Keep it short and sweet with only a few pertinent questions. This feedback will help improve actual and future trainings, and your overall information security.

What we do

At the end of each awareness trainings, there is a link to a Google Form that each employee must fill to confirm that they have completed the required training. Three optional questions are then available :

On which security and/or privacy subject(s) do you feel you lack information/training ?

What subject/training would you like to see in the future ?

Any other comments/improvements ?

You can consult our Google Forms template here. Feel free to copy/adapt it.

We study those feedback to see what we could improve in regards to information security. Maybe there’s a subject that we thought was not a risk or we thought that a subject was well understood by all, but was not.

In the future, we want to share a summary of the feedback on Slack, so that everyone can get an idea of what we need to improve and plan, and that we listen to their feedback.