Browsing around some blogs referenced on Twitter (see … it really is useful for something!), I came across a blog run by a gentleman called Dave Ferguson.
In the blog’s “about” page, he writes:
… training deals only with skill-knowledge gaps, and those aren’t the only possible barriers to performance. Sometimes people know how to do their jobs, but still aren’t producing results. Success might depends on factors like:
- Information essential to the task
- Standards for how to do the job
- Feedback on how well they’re doing
- Tools and materials
- Time to do the job right
- Incentives for good performance
I’m not going to argue with any of those points. I think Dave’s summed up very nicely many of the issues that we face when trying to change behavior patterns in the workplace – information security being only one such pattern.
But, I think it’s useful to divide this list into 3 categories:
1. Information
- Training to deal with skill-knowledge gaps
- Information essential to the task
- Standards for how to do the job
2. Enablement
- Tools and materials
- Time to do the job right
3. Encouragement
- Feedback on how well they’re doing
- Incentives for good performance
The best way to address these requirements is going to depend on the specific nature and needs of each organization, and I’m only going to comment in any detail on the first category – Information – as it applies to security awareness training. But I could see how:
- A small organization based in one place might run a series of talks about information security during monthly staff meetings, and might have a designated place in the office where security policies, procedures, and standards are kept.
- A large organization based in many places might use a web-based training portal that also stores policy, procedure and standard documents for ready access by staff as they need them.
Regardless of how you decide to set up your security awareness program, the 3 categories listed above should be a useful checklist for you.
