I’ve been reviewing some of the information security and privacy training and awareness content for some organizations; some large and some small. Most of the training is ineffective…
When information security and/or privacy incidents happen, too many organizations, and otherwise smart professionals, say that information security and privacy training doesn’t work and isn’t worth the time, when in fact the problem is that the training they are providing is bad and ineffective, and usually awareness communications are non-existent!
Step back and consider that everyone does NOT learn and understand in the exact same way. Organizations must think about the communications used within training and awareness efforts.
Human nature closely parallels mother nature…
I like to run around my lake next to the hay field. Not only is it good exercise, it also gives me some good thinking time. As I run, I hear the constant croaking of the bullfrog and the intermittent but regular chirps of the leopard frog. When I’m close to the water, the sandpipers start squeaking at me from where they stand and continue until I leave the water’s edge. There are three red-winged blackbird nests right next to my running path. When I approach each, the parent birds start screaming at me and flying around me, trying to distract me from their nest. As soon as I am a little distance away, they stop their tirade. These are four different creatures with four different and distinct ways of communicating. The bullfrog constantly drones with his loud message, the leopard frogs emphasize their chirping message regularly, the sandpipers start sounding their warnings when I approach, and consistently squeak while I’m in their area. The red-winged blackbirds scream only when I am very close.
They remind me of how organizations do their awareness and training activities: The frogs sing out to anyone within earshot, such as many organizations do who are sending awareness messages for anyone to read or notice. The blackbirds targeted their messages specifically at me, much like training efforts that are targeted at specific groups. As with most organizations, these messages are basically the same, regardless of who might be within hearing range.
Indiscriminate announcements such as these are bound to be ineffective with some types of passersby. This consistent and unvarying type of communicating is often the same move that organizations make when it comes to information security and privacy training and awareness activities; they send the same messages in the same way to widely diverse groups of audiences. This is just one of the mistakes organizations make when launching training and awareness programs.
Tailor training content and awareness communications to be specific to your organization, and provide different content to your different target groups, based upon their job responsibilities.
I will provide much more about infosec and privacy training and awareness mistakes, along with more in-depth details, in blog posts to come!
Have any questions? Let me know and I’ll try to address them in future posts.
Tags: awareness and training, Information Security, IT compliance, IT training, policies and procedures, privacy training, risk management, security training