In days long gone by, a lazy weekend meant sleeping in till mid-day, watching TV and going out with friends. With children that all changed, and I’m lucky to sleep in at all before the weekend routine of extra-curricular activities starts, ranging from tuition and swimming to fixing things around the house and doses of “I’m boooooored”.
Just like the definition of a lazy weekend changes depending on circumstances and size of family – a user awareness program will vary depending upon the size of your company, the culture, regulation, what your objectives are and so on.
The first step one should consider taking before embarking on a program is baselining the current company culture and mapping it against the risk vectors you are seeing.
If you’re stuck for ideas on how to start, the security culture framework is a good free resource. This will also help you define metrics and measurements. If you’re not measuring… or measuring the wrong things, then you won’t be able to validate any progress.
Once you’ve established your baseline, got your metrics in place and identified threat vectors – you will be in the ideal place to evaluate the different options that are available.
It could be that the best approach for your company is to have informal breakfast meetings, show educational videos, or to undertake computer-based training. Maybe you are primarily worried about users clicking on phishing links – or in other cases you are concerned with users using untrusted cloud storage platforms.
In any case, picking the right tools and techniques that meet your objectives and fit your company culture is imperative to making meaningful progress in user awareness… unless of course you don’t want to train users so well that you no longer have a job!
Notable vendors in the user awareness space are listed below. Let me know if I’ve missed out anyone important.