If you would like to read the other parts in this article series please go to:
- Security Awareness Training: Your First Line of Defense (Part 1)
- Security Awareness Training: Your First Line of Defense (Part 3)
- Security Awareness Training: Your First Line of Defense (Part 4)
In Part 1 of this series, we discussed the importance of security awareness in today’s highly regulated workplaces that operate within an increasingly litigious society, and then talked about some of the factors you need to consider when implementing a security awareness training program for your computer users. Next, we examined the question of whether it’s best to develop your own program in-house and have company personnel deliver it, or contract with an outside training company that specializes in this type of training.
Since both of the above options have advantages and disadvantages, the right choice depends on your organization’s needs, resources, budget and other factors. First we’ll look at some tips and pointers for developing your own program, if you should decide to go that route. Then in a later section, we’ll discuss what you need to know and do if you decide to contract with a training company.
Developing your own program
Developing your own program gives you the flexibility to ensure that it meets your company’s unique needs and is tailored precisely to best communicate with the unique individuals who make up your workforce. However, it’s also easy to leave out critical information if the program isn’t developed properly.
There are two very important elements that go into creating an effective training program, regardless of the subject:
- Accuracy and completeness of the information
- Effectiveness of the delivery of the information
This leads us to one of the first decisions that will have to be made after deciding to do the development and training in-house: who will be responsible for developing and delivering the curriculum. Ideally, you would have one or more employees who are both subject matter experts in network/computer security and experienced trainers. Failing that, a team made up of people with expertise in one facet or the other, working together, can accomplish the same thing.
The person who writes the lesson plan may not be the one who delivers it; in that case the two should work closely together so that the presenter understands the plan and carries out its intent as it was designed.
Once you have selected the right people, the process follows a fairly standardized pattern.
As with any formal training program, you need to start the curriculum development process by creating a lesson plan, and the first step there is defining your training objectives. The objectives form the basis of your lesson plan. Each training objective states a specific behavior or task that the learner should be able to demonstrate after completing the training. Training objectives should include action verbs and should not be too vague.
For example, a broad objective such as “Understand the risks Internet usage poses to the business environment” is not as effective as “Be able to list three methods hackers can use to steal critical business data.” By specifying the number of methods a learner must be able to name, you include in the objective the standard by which the learner will be graded in determining whether he/she has mastered the material.
Your training objectives should be listed in the order of the logical learning sequence. Learners need to know the terminology before they can understand the technical material, so you will want to explain the meanings of terms such as “virus,” “worm,” “Trojan,” “phishing” and so forth before you move on to explaining how learners can help protect against those threats.
You’ll develop objectives that are relevant to your environment and people, but some sample training objectives for a security awareness training session might look like this:
- Define ten terms used to describe common attacks.
- Describe five possible consequences of a virus infiltration on the company network.
- List five examples of “social engineering” techniques.
- List five user activities prohibited by the company’s security and usage policies.
- Describe the end user’s role and responsibilities pertaining to secure Internet usage.
and so forth.
The lesson plan is an expansion of your training objectives. There are many different formats that can be used, but they all share some basics. The most common format is an outline. The lesson plan includes the estimated time required to complete the lesson, materials needed by students, teaching aids (PowerPoint, white board, models, demonstration, etc.) to be used by the instructor, student activities and class assignments (role-play, question and answer, discussion groups, etc.), instructor notes, an introduction, body and summary, and an evaluation (test). Some lesson plans contain additional sections/components.
You can learn more about writing a lesson plan here.
In the course of developing the lesson plan, you’ll determine how the lesson will be delivered to the learners. Will it be done as a lecture in a classroom, a PowerPoint presentation, a roundtable or panel discussion, online or via DVD (computer based training), or some combination of the above?
Remember that different people have different preferred learning styles. Auditory learners can more easily retain material delivered as a lecture with no visual aids, or as an audio file, whereas visual learners may remember little unless they have photos, drawings, or written text to draw on. Those who are primarily kinesthetic learners need more hands-on, participatory activities for the best learning experience. Of course, everyone receives input in all three ways, but most people have a dominant learning style. When delivering training material to a group of people, it’s best to provide all three types of learning experiences to have the best overall effect. You can read more about the different learning styles or modalities here.
PowerPoint has become the default delivery method for corporate training, and when done properly it can be very effective. A slideshow can incorporate the visual interest that’s needed to capture and hold the attention of visual learners. According to the Visual Teaching Alliance (http://www.visualteachingalliance.com/), visual learners make up approximately 65 percent of the population, and that site cites studies claiming that visual aids in teaching can improve learning by up to 400 percent.
The mistake many instructors and presenters make is to let the slideshow drive the presentation rather than serve as a visual aid to it. A good PowerPoint delivery involves much more than reading or reciting the contents of each slide. Each slide should serve as a basis for the instructor to impart further information or tell relevant stories, as a catalyst for group discussion, as the lead-in to a demonstration, as the summary of points that learners should take away from an example, and so on. If the slideshow is so all-encompassing that it includes everything you want the learners to learn, and does it in a way that engages them through videos, animation, Q&As, etc., then there is no need for an instructor at all; you’ve created a computer-based training lesson and you can simply give it to the learners and let them work through it on their own.
Adult learning theory
It pays to have some education in adult learning theory when developing any kind of corporate training program. Teaching adults is different from teaching children; they have different motivations and respond to different instructional styles. Most adults don’t learn as well in an authoritarian classroom environment as when they’re given some control over the learning process.
While young students (and to an extent, older students in a traditional school environment such as college) see school work as their “job” and something that must be done in order to move on to the next step (graduation), training in the work environment must take into account workers’ natural resistance to forced learning – especially if they feel they’re being talked down to, or if they feel the training is not relevant to them in the real world.
Adult learners also tend to have their egos involved; they’re afraid of looking/sounding “stupid” or unknowledgeable, so they may be hesitant to ask questions or request clarification when they don’t understand something. Adults also bring a lot of “baggage” – past personal experiences that influence how receptive they are to the learning process.
Adult learning, then, often works best when it incorporates active/interactive learning, rather than the traditional teacher-in-front-of-the-classroom approach. Experiential exercises, problem solving exercises, case study exercises, and group work or group discussion are all good ways to engage adults in the learning process.
You can set up lab computers where learners actually experience various scenarios and are faced with decisions about how to handle potential security threats safely. You can create role-play exercises where learners have to deal with social engineers who attempt to trick them into providing access to the network. You can have them discuss their real-world experiences with the frustrations of trying to remove viruses or other malware from their own computers, or the effects on their own jobs and productivity of downtime caused by security breaches or issues. These methods are likely to be more enjoyable, and to make more of an impact on learners, than simply sitting through a boring recitation or a half-hearted presentation.
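One way to make a lab scenario measurable, as an added example that is not code from the original article: learners look at a set of sample messages on an isolated lab machine and mark each one as phishing or legitimate, and a small grader scores them against an objective stated the way the objectives above are (“correctly classify at least 80 percent of the messages”) and tells each learner which indicators they missed. Everything below is constructed for the exercise: the sender addresses, domains, links and bodies are not real mail, `example-corp.com` is an assumed company domain, the 80 percent pass mark is an assumed grading standard, and the indicator checks (lookalike domains, link text that disagrees with the link target, urgency, credential requests) are a deliberately simple set chosen for teaching rather than a production phishing filter.

```python
"""Scored phishing-recognition lab exercise (added example, not from the article).

Learners classify constructed sample messages as "phish" or "legit"; grade()
scores them against a pass mark and, for each phishing message they missed,
lists the indicators they should have noticed. All data below is constructed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

TRUSTED_DOMAIN = "example-corp.com"   # assumption: the company's own mail/web domain
PASS_MARK = 0.8                       # assumption: the objective's grading standard
URGENCY = re.compile(r"\b(immediately|within 24 hours|urgent|suspended|final notice)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|verify your account|confirm your login|credentials)\b", re.I)

@dataclass
class Message:
    msg_id: str
    sender: str            # address shown in the From header
    links: list            # (anchor text, href) pairs
    body: str
    is_phish: bool         # answer key, never shown to the learner

def host_of(value: str) -> str:
    """Domain of an e-mail address, or hostname of a URL, lowercased."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def shown_host(anchor_text: str) -> str:
    """Hostname the anchor text appears to show, or '' if the text is not URL-like."""
    text = anchor_text.strip()
    return "" if (" " in text or "." not in text) else host_of(text)

def imitates(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when `domain` is a lookalike of `trusted` rather than the real thing."""
    if domain == trusted or domain.endswith("." + trusted):
        return False                      # the domain itself, or a genuine subdomain
    if trusted in domain:
        return True                       # e.g. example-corp.com.secure-mail.co
    return domain.translate(str.maketrans("01|", "oli")) == trusted   # digit/letter swaps

def indicators(msg: Message) -> list:
    """Phishing indicators present in a message; empty for a clean message."""
    found = []
    sender_host = host_of(msg.sender)
    if imitates(sender_host):
        found.append(f"sender domain {sender_host!r} imitates {TRUSTED_DOMAIN!r}")
    for text, href in msg.links:
        href_host = host_of(href)
        if imitates(href_host):
            found.append(f"link goes to lookalike host {href_host!r}")
        text_host = shown_host(text)
        if text_host and text_host != href_host:
            found.append(f"link text shows {text_host!r} but goes to {href_host!r}")
    if URGENCY.search(msg.body):
        found.append("artificial urgency")
    if CREDENTIALS.search(msg.body):
        found.append("asks for credentials or account verification")
    return found

def grade(messages: list, answers: dict, pass_mark: float = PASS_MARK) -> dict:
    """Score a learner's answers ({msg_id: "phish" | "legit"}) against the key."""
    correct, feedback = 0, {}
    for m in messages:
        answer = answers.get(m.msg_id)
        if answer is None:
            feedback[m.msg_id] = "no answer given"          # unanswered counts as wrong
        elif (answer == "phish") == m.is_phish:
            correct += 1
        elif m.is_phish:
            feedback[m.msg_id] = "missed phish: " + "; ".join(indicators(m))
        else:
            feedback[m.msg_id] = "false alarm: this message was legitimate"
    score = correct / len(messages)
    return {"score": score, "passed": score >= pass_mark, "feedback": feedback}

# Constructed sample messages for the exercise (not real mail).
SAMPLE_MESSAGES = [
    Message("m1", "it-helpdesk@example-c0rp.com",
            [("https://example-corp.com/reset", "https://example-corp.com.login-verify.net/reset")],
            "Your password expires within 24 hours. Verify your account now.", True),
    Message("m2", "hr@example-corp.com", [("Benefits portal", "https://benefits.example-corp.com/")],
            "The open enrollment period starts Monday.", False),
    Message("m3", "ceo@example-corp.com.secure-mail.co", [],
            "I need you to buy gift cards immediately and send me the codes.", True),
    Message("m4", "noreply@example-corp.com", [("Acceptable use policy", "https://intranet.example-corp.com/policy")],
            "Reminder: the acceptable use policy has been updated; see the intranet page.", False),
    Message("m5", "it@examp1e-corp.com", [("Confirm your login", "https://examp1e-corp.com/login")],
            "Confirm your login today to avoid suspension.", True),
]
# Constructed answers from one learner who fell for the gift-card message.
LEARNER_ANSWERS = {"m1": "phish", "m2": "legit", "m3": "legit", "m4": "legit", "m5": "phish"}

if __name__ == "__main__":
    result = grade(SAMPLE_MESSAGES, LEARNER_ANSWERS)
    print(f"score {result['score']:.0%}, {'pass' if result['passed'] else 'fail'}")
    for msg_id, note in result["feedback"].items():
        print(f"  {msg_id}: {note}")
```

Run as-is it reports one learner's score and the two indicators that should have given away the gift-card message. In a lab, each learner's answers would come from a quiz form rather than a hard-coded dictionary, and the per-message feedback doubles as the debrief for the class discussion; the pass mark is the same kind of measurable standard the objectives earlier in this section call for.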
You can learn more about Malcolm Knowles’ popular theory of how to best facilitate adult learning, andragogy, and how it differs from pedagogy (teaching children), here.
Once you’ve created a comprehensive lesson plan and mapped out a delivery strategy that’s based on sound principles for helping adults to learn, you’ll need to think about such considerations as:
- The best location for the sessions (a computer lab that’s not connected to the production network is the ideal setting).
- How many workers to train in one class/session (a smaller number allows for more interaction and personal attention to each student, but if the class is too small, you may not have enough diversity to create lively discussions).
- Timing issues (If there will be more than one session, how much time should pass between sessions? Should classes be held in the morning or afternoon? How long should each session last?).
Developing your own training program is a lot of work if done correctly, but it can also be very rewarding and more effective than a “canned” class. There is one more important component of developing the program, and that’s testing and evaluation. You may want to administer that yourself even if you hire a training company to deliver already-developed material, so that you have a more objective view of how well the workers learned; we’ll discuss it in Part 3, after we cover considerations for hiring the right training company.