6 Ways to Sabotage Your Awareness Training Program

On: January 27, 2016
There is no shortage of pundits who claim security awareness training doesn’t work. But are they right?

Most of us understand sabotage as a deliberate act of subversion, disruption, or destruction. But in the context of information security and privacy, the late 19th-century French use of the word might be more apropos.

The term sabot was also used to describe an unskilled worker, as well as the poor-quality work they performed. So it happens that malicious insiders aren’t the only saboteurs you might come up against; shoddy work in protecting your organization’s information can actually be just as destructive.

Are you unwittingly sabotaging your security or privacy awareness objectives? Here are six ways you might be doing just that—and what you can do about it:

1. Leave the top executives out of it

Absent a corporate mandate, you can pretty much put the idea of behavior change on ice. If the “C” Suite folks aren’t already driving security and privacy awareness into the culture of your organization, then gaining their support will be Job One. The best way to accomplish that? Align your awareness programs to the business objectives. Nothing gets executive attention faster than profits and reputation. And a solid privacy and/or security awareness training program helps big time on both counts. Need convincing? Here are two valuable resources that will get you well on your way to making the case—and making privacy and security awareness a highly profitable organizational habit.

2. Just check the compliance box

When compliance is the sole driver of awareness training, you can count on two results: 1) no one will learn anything, and 2) your risk exposure (and liability) will actually go up. It’s true. That’s because the “compliance first” strategy actually gets things backwards. How so? As we wrote in CSO Online:

“Compliance only muddies the waters. At best it’s only a baseline or minimum and does not take into consideration the ever-evolving threat landscape security pros face every day. When organizations embrace the right strategy to fortify their network, they can focus on protecting organizational assets with top notch tools . . . and training the user base on security best practices. When this is the focus, compliance always falls in line.”

3. Have your IT department develop and deliver the awareness training themselves

Unless your IT people are credentialed in adult education – and actually interested in teaching – chances are all they’ll deliver is a boring PowerPoint presentation on various awareness topics. Sure, you’ll check the compliance box, but as we’ve just seen, that approach is also a setup for failure. Besides, as Larry Ponemon points out in a post here, it’s likely that your IT people are also in need of privacy and security awareness training.

4. Apply the “Once and Done” training strategy

How many times have you been asked—and always with more than a touch of condescension—“How many times do I have to tell you?!” Well, if you’re like most people working to take in new information, the answer is “many times.” Over time. That’s why an annual security/privacy awareness training event without any follow-on reinforcement does nothing to change behaviors. In fact, it may just annoy. An effective security or privacy awareness program works a lot like an advertising campaign, so take a page out of Madison Avenue’s playbook and deliver the awareness message frequently, and through a mix of media channels. The fact is that every day we are all bombarded with torrents of information competing for our attention. You think you can cut through all that with an annual PowerPoint and expect anyone to remember it, let alone be impressed or motivated by it? That’s a great way to become undone.

5. One size fits all

Want to alienate your people in a hurry? Treat them all the same. One-size-fits-all awareness training programs are rarely that. If you look into the principles of adult learning, you’ll find that subject matter relevance reigns supreme. Ignore that and you’ll turn off your learners faster than a rerun of Rocky V.

6. Blow off the principles of adult learning

If your goal is to create a risk-aware culture in your organization, then you’ll need a training program that has been expressly designed to bring about the requisite changes in behavior. And not all training solutions are created equal. So look for a training program that has been built upon the proven principles of adult learning. Anything less is simply checking the compliance box. And a lot of good that will do you.
