What is the best way to learn? By experiencing the learning, of course. How can you bring the element of “experience” into an online training course? The answer is by creating “elements of interaction”

Elements of interaction

What are the benefits of introducing elements of interaction? Let us look at a few points.

Think, make decisions:

Interactive courses PAUSE at critical junctures and ask the learner to take decisions. This makes the learner think, which is an extremely important part of the learning process.

Generate interest

Interactivity involves clicking, moving forward, backward etc.. which makes the learner an active and interested participant in the course.

Freedom to make mistakes

Interactive courses allow the learner to make mistakes and learn from the mistakes. This involves making a bad decision and understanding the implications of that bad decision.

Interactive security awareness course

Now, let us take look at an interactive learning experience. Click here or on the image below.

Thank you,

Anup

Hello,

In my previous post we examined the importance of having security awareness success metrics in place before starting the security awareness campaign in order to measure whether the awareness campaign is successful or not. In this post we will move forward and evaluate the various channels through which security awareness can be delivered. We will consider screen savers, interactive videos, emails/ posters, newsletters, class room training sessions, social media and more.

Screen savers

Pros – The best thing about the screen savers is that everyone is guaranteed to see them at least once. This means that screen savers are an ideal channel for conveying essential security awareness messages in a minute or less.

View sample security awareness screen saver on information security basics.

Cons – They are not interactive which means the employee cannot navigate and learn through an interactive experience. But, hey….if someone comes to you at the watercooler and says …”hey that was a cool screen saver”, it’s worth it.

Classroom training

Pros – Nothing can beat the experience and impact of a security expert, who is also an eloquent trainer, delivering a powerful classroom training session. Aided with a powerful set of training slides and interactive sessions, this is the best of the lot.

View sample security awareness training slides for an information security classroom training program.

Cons – Getting it all together, a good security expert who is also an excellent trainer, the time of employees, if you have a large workforce getting them all into a classroom or scheduling multiple sessions, the effort involved….it becomes quite taxing.

Interactive videos

Pros – Videos that present scenarios and asks the learner to make decisions and learn through the simulated experience is a powerful form of information security awareness.

View fun sample security awareness training video on information security tips to protect laptops and mobile devices while traveling.

Cons – Employees may not pay interest if the video is not exciting enough.

Emails/ Posters

Pros – Emails/ posters with that twist of creativity with short powerful messages triggers learner inquisitiveness to understand more.

View security awareness email on phishing.

Cons – If creativity and crispness is lacking, it just becomes another email to be sent to the “Deleted Items” folder.

Newsletters

Pros – Newsletters, designed intelligently, with interesting content, facts, tit bits, “did you knows?” that can be read in less than 5 minutes are powerful security awareness channels .

View security awareness newsletter.

Cons – Again, if creativity and crispness is lacking, it becomes a dud.

Social Media

Pros – A powerful and viral channel. The trick is to use a social media platform, that is locked form external access and publish a variety of content as described above (videos, newsletters etc.) on it. The users will carry and promote the content. Another powerful advantage of social media platform is that you will know if the users “LIKE” the stuff or not .

Cons – While the platform could be powerful, if the content is not good enough, then the platform becomes worthless.

Closing note

Using as many channels as possible ensures that security awareness reaches the majority of users. While channels are good in carrying content, what influences the users is the quality of content. In my next post we will look at creating high quality information security awareness content.

Warm regards,

Anup Narayanan

Hello,

In my previous post we defined the importance of “security competence” as an important goal in the “Security awareness” campaign. Now that we have established this, let us define the metrics that will help you to measure the success of your efforts.

Metrics to measure success: For security awareness and security competence

Note: The metrics are based on the HIMIS (Human Impact Management for Information Security) methodology, the free copy of which can be downloaded here.

It is important to split the metrics into specific categories, viz. security awareness and security competence. This is to ensure that you do not get carried away with high “awareness”, whereas the “competence” could be low.

Security Awareness Metrics

Coverage
“Coverage” indicates the target workforce (employees, contractors, partners and other interested parties) that must be covered under the information security awareness program.

Format and visibility

“Format” indicates the different types of information security awareness content. “Visibility” indicates the channel through which the content is delivered. Channels are selected in order to put information security awareness content where maximum amount of visibility (eyeballs) can be gained.

Verbal: Trainer led classroom sessions, personal interactions
Paper: Posters, cards, quizzes or surveys
Electronic: Videos, Emails with messages, Animated games, Screensavers Quizzes or surveys

Frequency

“Frequency” indicates the gap between any two deliveries of information security awareness content. Frequency is critical because it influences “retention”.

Quality of content
These metrics are captured via qualitative analysis methods (survey and feedback) and the following measurement criterion can be used.

1. Impact visualization: Probably the most important factor. An example of impact visualization is visually depicting the damage (stealing a laptop, stealing valuable documents) that an intruder can cause by tailgating.

2. Business relevance:

The information security awareness program, specifically the content must capture the business requirements of information security.

Clarity and ease of understanding:

Style must not be sacrificed for substance. Emphasis must be given to conveying the message in a simple and clear manner first. Building style around the message should be done without diluting the message or making the content complicated.

Consideration of cultural factors:

It will be useful to consider cultural factors such as,

a.Language or terms used (usage of colloquial terms may be more effective),
b.Colour and design,
c.Characters represented

Retention measurement

“Retention measurement” indicates a method to measure how much the workforce has “understood and remembers” after the information security awareness delivery. Strategies that can be used are,

a.Personal interviews
b.Surveys
c.Quizzes

Security Competence Metrics

The following strategies can be used to measure security competence.

Observations: For example, observe for tailgating, observe how many meeting rooms still have sensitive information on the board after the meeting
Log review: For example, browsing and email patters can be observed through log reviews of corresponding systems
Data mining : For example, Mine through internet search engines to see how much sensitive information about the company is available online
Incident report review: For example, review of incident reports may show how many laptops were lost and a further investigation may reveal the cause as carelessness (poor behaviour) or not (may be the user was physically attacked).

Being practical, being creative, being reasonable

Too much metrics is also not a good idea. Use the ones that you will give a good degree of confidence so that you can trust your findings. With a list of success metrics and the strategy to measure them you are now ready to move forward.

Catch you with my next post.

Anup Narayanan

The first question to ask yourself when starting an information security awareness program is – What are the information security skills that my workforce must have? By asking this question you are going beyond awareness and focusing on competence. By focusing on competence you are looking at the actual information security practices that the employees must use at the workplace or anywhere else while handling valuable information. Don’t you agree that “actual ground level practice of information security” is the key?

Competence is the larger goal, Security awareness the first step in the path to the goal

Of course, to build competence you must create awareness first. But by setting the competence (security skills) goals upfront, the awareness program takes better shape and purpose. You could start with creating a list of security skills that you wish your employees to possess.

Security skills wishlist: I wish my employees had these…

- Knows what to post and not post regarding the business on social media
- Knows the information disclosure policy of the company and how to contact PR
- Knows whom to ask if in doubt about information security policies
- knows where to look quickly for information about security policies and procedures
- Wipes white boards off sensitive stuff after meetings
- Does not share passwords or access tokens/ cards, Keeps sensitive documents locked, Picks printouts immediately after firing
- More…

Don’t teach the employees, Enable them.

Rather than “teaching” the employee, look at “enabling” them. Of course no one will be able to remember the huge list of security policies the company has. Rather focus on conveying the purpose of the policies and how to implement the policies using simple and effective steps. Too often security awareness programs fail because the focus is on making the employees “remember” rather than “do”.

By constantly reminding yourself to focus on “competence” and that your job is to “enable” employees to implement/practice information security, you will be setting off with the right first step towards creating a successful security awareness and competence program.

See you soon with the next post.

Thank you,

Anup