CSA CCM HRS-11
Security Awareness Training

Security awareness training is a crucial component of any organization's cybersecurity program. It helps ensure that all employees understand their role in protecting corporate assets and have the knowledge and skills necessary to do so effectively. A well-designed security awareness training program should be comprehensive, regularly updated, and mandatory for all personnel.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The Cloud Security Alliance developed this matrix as a framework to help organizations assess the security posture of cloud service providers and guide internal security control implementation. For more on AWS security awareness training, see https://aws.amazon.com/compliance/security-awareness-training/.

Who should care?

  • CISOs and security leaders responsible for reducing organizational cyber risk
  • HR managers involved in employee training and development
  • IT managers overseeing technical controls that rely on proper user behavior
  • Compliance officers ensuring adherence to industry and regulatory standards
  • Individual contributors whose actions impact the security of corporate assets

What is the risk?

Lack of security awareness among employees greatly increases an organization's cyber risk exposure. Untrained users are more likely to fall victim to social engineering attacks, use weak passwords, mishandle sensitive data, and fail to identify or report security incidents promptly. This can lead to data breaches, malware infections, financial fraud, reputational damage, regulatory fines, and other adverse outcomes.

What's the care factor?

Given the severe consequences of poor user security behaviors, this control should be a top priority for most organizations. Even with robust technical controls in place, inappropriate action by a single employee can compromise security. Effective training transforms staff from being the weakest link into a powerful layer of defense. All organizations should devote substantial effort to defining and delivering a strong security awareness program.

When is it relevant?

Security awareness training is relevant for all organizations, regardless of size or industry. It is especially critical for businesses handling sensitive data, operating in regulated sectors, or facing heightened threat levels. However, the depth and specificity of training may vary based on employee roles. For example, developers may require more technical content than salespeople. Training should also be more frequent during times of elevated risk, such as after a publicized breach or during a merger.

What are the trade-offs?

Implementing a comprehensive security awareness program requires significant investments of time, money, and effort. Course development, delivery, and tracking all consume resources. Pulling employees away from their core job functions for training has an opportunity cost. Some may find the training process disruptive or tedious, impacting morale. There is also a point of diminishing returns, where more training shows minimal improvement in outcomes. Organizations must strike a balance to avoid security fatigue.

How to make it happen?

  1. Assess the current state of employee security awareness and training
  2. Define security awareness learning objectives aligned with organizational goals and risk profile
  3. Develop engaging training content in various formats (e.g. videos, quizzes, simulated phishing)
  4. Determine training cadence and delivery methods (e.g. new hire orientation, annual refresher)
  5. Assign training to employees based on role-specific needs
  6. Deliver training and track individual completion rates
  7. Test employee knowledge retention and behavior change after training
  8. Collect feedback from participants on training effectiveness and suggestions for improvement
  9. Analyze training metrics on a regular basis and adjust the program accordingly
  10. Document all aspects of the security awareness program for auditing and reporting purposes

What are some gotchas?

For training to be effective, it must resonate with users. Overly long, technical, or dry content will not yield lasting knowledge transfer. Training should be tailored to the unique risks, tools, and processes of each organization - generic off-the-shelf content is less impactful. Tracking training completion requires integration with an LMS or HR system, which may pose technical challenges. Managers and top executives must fully support and participate in training, or subordinates will not take it seriously.

What are the alternatives?

Traditional classroom training can be supplemented or replaced with computer-based training, security newsletters, posters, reward programs, guest speakers, and spontaneous teaching moments. Some vendors offer outsourced phishing simulation and training services to offload the work from in-house teams. However, there is really no substitute for a programmatic approach to security awareness embedded in company culture.
