Author: Tim O'Connor
We receive a number of questions regarding security awareness training. Below are some common questions.
What’s the best way to convince my management team to implement a security awareness program?
A lunch-and-learn presentation on what security awareness is, why it is important and what outcomes can be expected is an excellent, low-cost way to achieve management and stakeholder buy-in.
Why is it important not just to go with the lowest possible price for security awareness training?
The old adage that you ‘get what you pay for’ does not always hold true, but in this case it typically does.
How often should I implement security awareness training?
There are many ways to design your security awareness training, and the design will determine how often you hold sessions and when you schedule reviews. A popular design is to start strong, to achieve good buy-in and solid fundamentals, and then to update and refresh the material yearly.
Should my security awareness program include phishing simulation tests?
Running tests is one of many ways to measure the impact of training and also to refresh employees' skills. Typically this is a very good practice, but it should not come at the cost of other forms of measurement.
What type of reporting should I do with the data collected from the simulation tests?
At the very least, you should establish a baseline trend. If resources allow, the data should also feed enhanced risk assessments, which can lead to a broad range of control management solutions.