The Ultimate Guide To Security Awareness Training - Reciprocity

The document discusses security awareness training, including what it is, who needs it, and compliance requirements. It aims to change employee behavior to identify risks and protect organizational assets. While not easy, security awareness training is crucial as human error causes most breaches, and failure to prioritize it leaves organizations vulnerable to costly attacks.

INTRO
WHAT IS SECURITY AWARENESS?
WHO NEEDS SECURITY AWARENESS?
HOW DO WE DEMONSTRATE SECURITY AWARENESS?
HOW TO CREATE A SECURITY AWARENESS PROGRAM
SECURITY AWARENESS COMPLIANCE REQUIREMENTS
HOW EFFECTIVE IS SECURITY AWARENESS TRAINING?
BEST PRACTICES FOR SECURITY AWARENESS
HOW CAN I AUDIT OUR COMPANY FOR SECURITY TRAINING EFFECTIVENESS?

The Ultimate Guide to Security Awareness Training
Published/Updated April 27, 2021

Intro

The definition of security awareness is likely broader and deeper than you may realize.
Security awareness aims to address one of the trickiest weak points in your
organization: its people. Security awareness is intended to change behavior and reinforce
good security practices among your employees and other third parties. In short, it should be
a cultural change.

Easy to do? Of course not. But if responsibility for security awareness training has fallen to
you, this guide can help. It will walk you through the foundational aspects of security
awareness so you can avoid common mistakes. It also provides detailed information on how
security awareness affects compliance issues to assure that you design a comprehensive
program.

What Is Security Awareness?

Information security begins and ends with your employees. As many as 95 percent of all
cybersecurity breaches are caused by human error. That’s because no matter what
technological controls you have in place, people will always be targets for threats such as
phishing attacks or online scams. Unfortunately, employees are highly effective entry points
for cybercriminals looking to access data or infect your systems with malware. 

Security awareness training is crucial to combating those risks. The key elements of
awareness are (1) knowledge, (2) understanding, and (3) attitudes about your company’s
physical and informational assets. 

When your personnel are aligned on those three elements, you can feel confident that your
workforce will identify risks and take the appropriate action to protect those assets.
Awareness exists when everyone:

Recognizes security threats
Understands the associated risks
Has an appropriately urgent attitude
Knows how to respond

Risks of Poor Security Awareness

Phishing attacks, malware, ransomware, viruses, scams, and other security threats all hit
unsuspecting organizations every day. Bad actors are constantly evolving to achieve their
goals. A workforce with low levels of security awareness is their ideal target; that’s why it’s
paramount that you prepare ahead of time.

As of 2020, the average cost of a data breach is $3.86 million, according to a report by IBM
Security. It also takes an average of seven months for an organization even to recognize the
breach. Add another two months to contain it. For ransomware attacks alone, victim
companies pay an average of more than $111,000. 

Remote work increases the risk of a threat. It has complicated compliance for many
companies that have not historically supported remote or hybrid environments. Unless you
want to become the next security breach headline, you must educate your employees.
Failure to make security as much of a priority as other parts of your job leaves you—and
your customers—at enormous risk.

Who Needs Security Awareness?

Personnel at every level and in every part of your organization should undergo security
awareness training. That training, however, will need to address various levels of
competence that will exist in any organization.

Your personnel will fall into the following categories:

Unknowing
These are people in the organization who lack security awareness and don’t even recognize
it as something they should understand. It isn’t an issue they consider as they operate
day-to-day. They rarely take any conscious steps to assure the safety of their activities or
recognize or respond to threats. 

As a result, the unknowing need to be made aware of security-related issues and recognize
their lack of knowledge. Some might require additional effort to convince them that security
is important. They’ll have to be motivated to learn if you want them to get past this stage.

Unsure
These individuals know some need for security awareness exists; but they don’t know what
security looks like, or how they should participate. They might make mistakes as they try.

The good news is, they don’t need to be convinced. They recognize the value in learning
more about security and gaining the necessary competence to help assure it. 

Conscious
This group of people will appreciate security risks and their duty to help mitigate those risks.
They might have received training, but keeping security top of mind or responding
appropriately still takes an extra effort. 

They may have to stop and think before getting into a security mindset. It’s also likely they
often have to look up security procedures and policies, or revisit guidance on recognizing
security threats. 

Second-nature

These individuals have such a high level of security awareness that they don’t have to think
consciously about staying safe. They immediately recognize threats and know how to
respond to them. Avoiding risky activities has become second nature to them. They carry
this awareness throughout the day, and possibly even at home. 

Your security awareness program will need to accommodate people at different levels of
engagement within your organization. New hires, for example, should have security
awareness training as part of their onboarding process. 

You might also need to implement training for contractors or vendors. In some cases,
security training is a requirement for maintaining compliance with some protocols, such as
HIPAA and NIST.

What State and Federal Laws Require Awareness Training?

A handful of federal laws mandate security awareness training.

Federal security and cybersecurity awareness requirements are industry-specific, and are
often additions to long-standing regulations.

Electric utilities: The North American Electric Reliability Corp. (NERC) Critical
Infrastructure Protection Standard requires quarterly security awareness training for
personnel with access to critical cyber assets.
Federal agencies: The Federal Information Security Modernization Act (FISMA)
mandates that all federal employees and contractors undergo annual cybersecurity
awareness training. 
Financial institutions: The Gramm-Leach-Bliley Act (GLBA), which determines how
financial institutions protect non-public information (NPI), requires annual
awareness training. 
Healthcare: The Health Insurance Portability and Accountability Act (HIPAA) requires
annual training based on employees’ roles in accordance with FISMA. 
Publicly held companies: The Sarbanes-Oxley Act (SOX) lists security awareness
training among activities for maintaining a compliant control environment for
information security. 
Credit reporting agencies: The Federal Trade Commission Red Flags Rule requires
employee training to prevent identity theft. 

Several states also require security awareness training. Other states encourage and provide
resources for voluntary security awareness programs. Still more address awareness with
some other guidance. Here are a few examples. 

Alabama authorizes cyber training for its executive branch and provides training. 
Connecticut requires cybersecurity awareness for state employees.
Georgia requires cybersecurity training for executive branch employees.
Louisiana requires cybersecurity training upon hire and annually for all state
employees.
New Jersey requires annual cybersecurity awareness training for state, county, and
municipal employees and certain state contractors.
Ohio requires and provides cybersecurity awareness training for information
system users, including employees, contractors and temporary personnel.
Pennsylvania requires yearly online security awareness training for all state
employees. 
Texas mandates annual cybersecurity training for all state employees. All training
programs must be certified by the state.
Utah mandates cyber training for executive branch-level state employees.

What Are the Costs of Security Awareness Training?

The benefits of security awareness training far outweigh the costs, but those costs should
be considered nonetheless.

Programs should be tailored to the organization, which means there is no “standard cost” an
organization should expect. Every business, however, will incur most or all of the following
costs: 

Employee planning
Implementation time
Software fees
In-house or vendor administration
Communications 

Again, there is no single correct method to provide training. But costs can be represented in
one or more of the following ways: 

A percentage of your overall employee training budget
A percentage of your overall IT budget
Allocation per user 
Allocation per user by role (such as security personnel versus general staff)
An itemized budget among multiple departments
Specific allocations for each component of the program
One-time and recurring costs

What Are the Benefits of a Successful Security Awareness Program?

One key benefit of fostering a high level of security awareness is that you will empower your
employees to mitigate and respond to risk. It’s likely that they currently undervalue the
control they have over their email security and browsing-related risks. 

Awareness training also reduces your risk of non-compliance with regulations or protocols
that are central to your business. A small team of people can’t replicate the assurance of an
entire workforce of trained employees.

Security awareness helps protect assets of every sort. And when it is part of the
organizational culture, that level of protection can be maintained even as the threat
landscape inevitably evolves. 

Do My Employees Need Security Awareness Training?

In a word — yes.

First, security awareness training is critical to risk management in today’s world, no matter
what; providing it is just good business. Second, as you work to achieve compliance with
various regulatory obligations, you’ll find that most major frameworks require it. 

The SANS Institute releases a yearly security awareness report to help businesses take a
data-driven approach to their cybersecurity. It highlights the benefit of having security
awareness programs run by people with technical backgrounds. They might, however, lack
the recognition or skill to communicate information in ways that engage employees
effectively.

It’s important to avoid that mistake because engaged, well-trained employees can greatly
impact your overall security.

How Do We Demonstrate Security Awareness?

The needs assessment conducted as part of your security awareness program will be useful
in determining whether security awareness is improving, and by how much. Personnel
should be able to demonstrate security awareness through a mix of qualitative and
quantitative feedback. 

Qualitative information can come from surveys and interviews. You can also gather insights
by observing employees as they engage in awareness activities. Quantitative measurements
will include data generated by penetration tests, simulated attacks, and other activities. 

PCI DSS requires interviewing a sample of personnel to verify they have completed
awareness training and are aware of the importance of cardholder data security, in addition
to acknowledging in writing that they’ve completed training. (This is a useful policy for
assuring compliance with any major protocol.) 

Perhaps the most important demonstration of security awareness is continued
improvement in the areas that have been assessed. It is common to show significant
improvements in the first six months or year of program implementation, followed by
smaller gains. But those smaller gains are usually an indication that your awareness
program is filling significant gaps as it matures. 

Common Security Awareness Failures

For all the benefits of security awareness training, too many programs fail to make major
improvements. The same handful of roadblocks and oversights are usually to blame. 

Typical reasons why security awareness fails:

Insufficient planning of aspects such as costs, evaluation, or communication
Lack of support from needed executives and managers
Lack of policies sufficient to assure security and underpin training
Predictable tests that fail to simulate the real-world variety of security threats
Too broad or too narrow of a scope
Checkbox mentality that treats awareness as a task, rather than a culture
Lack of engagement from the workforce
Ignoring success and failing to use positive results to motivate people

How to Create a Security Awareness Program

Various baseline assessments should occur at the beginning of the program so you can
assess impact later. This includes but is not limited to:

Penetration testing to gauge awareness of social engineering attacks
Simulated phishing attacks to measure responses
Measuring click rates and other activities
Surveying workforce knowledge and attitudes

Security Awareness Program Topics

While a program should fulfill the needs of an organization and its workforce, certain core
topics should be addressed.

First, employees need to understand what kinds of materials, processes and
environments present potential threats. Tangible assets like hardware, and intangibles
like personal data, trade secrets, or classified information should be defined. Personnel
should be aware of your policies for handling, transmitting, protecting, storing and
destroying such assets. 
Employees should also know what risks outside contractors or vendors might pose and
any requirements for those people to undergo awareness training themselves. Anybody
who deals with vendors should know his or her responsibilities for confidentiality and
handling sensitive information.

When discussing policies such as password requirements, incident reporting, and two-factor
authentication or limited-time authorizations, employees should learn how these help
thwart security problems. Here, clarify concerns unique to insider and outsider threats. 

Additionally, do not neglect to emphasize relationships between security and compliance.
Clarify any potential civil or criminal liability.

Security breaches damage and destroy organizations every day, and there is no shortage of
real-world cases that should be used to illustrate this point. The more people understand
the risk—and their power to diminish it—the more effective your awareness training will
be. 

Key Security Threats to Include in Your Security Awareness Program

Bad actors are constantly innovating and refining their techniques. Here is an up-to-date list
of the most common threats and risk areas that every security awareness training program
should address. 

Devices: Personal devices used for work, or work-issued devices used for personal
purposes, can blur lines and diminish employees’ vigilance when using them,
especially off-site. 

Malware: How such unauthorized access works, the associated risks, and
how unsuspecting employees might be complicit should all be clear.
Password safety: Employees must become willing to put safety over
convenience.
Phishing attacks: It’s imperative that you improve people’s ability to spot
dangerous emails. 
Social engineering: Awareness means understanding that even sophisticated
technology users can be tricked into making a dangerous decision. Explain the
psychological effectiveness of scams, phone calls, fake news sites, text
messages, and social media. 
Remote work: Social engineering will be a high risk for workers who are used
to working on site but have recently gone remote. So will mobile connections,
password security, and information control. 

Web browsing: A seemingly innocuous activity; nontechnical employees especially
might require extra effort to understand its risks and your organization’s related
policies.

Vishing: The prevalence of potential manipulation via phone call might escape many
people’s understanding of security. Some trainings include text, chat, and direct
messages as vishing.

Critical Components of a Security Awareness Program

Risk assessment: Identify the highest risk assets and employees.
Measurement: Awareness can and should be measured. Initial assessments can
help you understand the unique needs for your security awareness program.
Ongoing assessment helps you assure those needs are being met. 
Testing: You may want to consider employing a provider to test your organization
with custom phishing tests continually. 
Role-specific information: People should be able to identify quickly what
information is pertinent to their roles and needs. 
Flexibility: Individuals’ awareness will be affected by their stage of involvement with
your organization or their role. It will also evolve as things change within your
company, or in the threat landscape.
Communication plan: How will everyone remain abreast of the threats, policies,
and resources? 
Data and reporting: Be clear on how well you are anticipating and addressing
security threats. Data can also tell you about your policies’ effectiveness and how
well people are implementing them.

What Are the Layers of Security?

A comprehensive security awareness program should address multiple layers of security.
Various models exist. Some emphasize security infrastructure and data transfer, while
others present a more holistic view of an organization.

For the purposes of designing a security awareness program, the most important layers
include the following:

1. Physical security: Access points and hardware
2. Perimeter security: Network traffic, monitored by your IT team
3. Network security: Includes internet and hardware firewalls
4. Endpoint security: All hardware and devices connected to your network from any
location
5. Application security: Desktop, mobile, and web-based applications and operating
systems
6. Data security: The information that flows through all layers
7. Human Security: All users whether permanent or temporary, their access,
permissions, and activities 

The Importance of People-Centric Security Awareness

The human element of security cannot be underestimated. No matter how solid your
technology solutions, your people will always be a major risk factor. Assure your security
awareness program is people-centric by making the following considerations: 

Use fans, not force. You’ll have a much better chance of changing behaviors when
you focus on business and personal benefits instead of requirements. 
Share information about the current state of security, such as recent attacks and
mistakes. (But don’t single anyone out.) 
Vary penetration testing so that it doesn’t become predictable. 
Make sure to have a solid Incident Response Program so people can take action
quickly as their awareness increases. 
Make training interactive. Self-paced modules should only be part of the training. 
Celebrate wins. Security awareness training will improve security in measurable
ways; use that data to tell the positive story of everyone’s concerted efforts.

Security Awareness Compliance Requirements

Security awareness requirements vary. Some place more emphasis on elements such as
information security, training content or cybersecurity. Some elements, however, are
consistent across frameworks. Each major compliance framework requires some form of
the following:

Formal security awareness training
Explanations of the proper rules of behavior
Accessible supporting documentation

Here is an overview of the specific security awareness guidelines from the major
frameworks. Links will take you to where you can view or learn more about each standard.
Additional solutions for compliance will enhance your awareness program. 

COBIT (ISACA) DSS05.01

Conduct regular physical information security awareness training.
Communicate malicious software awareness and enforce prevention
procedures and responsibilities. 
Conduct periodic training about malware in email and Internet usage. 
Train users to not open, but report, suspicious emails and to not install shared
or unapproved software.
Regularly review and evaluate information on new potential threats 
Establish procedures to govern the receipt, use, removal and disposal of
sensitive documents and output devices into, within, and outside of the
enterprise.

FISMA U.S.C. § 3544.(b).(4).(A),(B)

Implement security awareness training to inform personnel, contractors and
other users of information systems that support the operations and assets of
the agency.
People must know the security risks associated with their activities and their
responsibilities in complying with agency policies and procedures designed to
reduce these risks.

GDPR Article 39(1)(b)

Data Protection Officers must “have due regard to the risk associated with
processing operations, taking into account the nature, scope, context and
purposes of processing.”
They are tasked with awareness-raising and training of staff involved in
processing operations, and the related audits
They must assign responsibilities and monitor compliance with GDPR,
European Union and member state data protection provisions, and other
policies. 

HIPAA

Organizations and their associates must implement a security awareness and
training program for all members of their workforce, including management
(45 CFR § 164.308(a)(5)).
All members of the workforce must be trained on policies and procedures
related to protected health information as necessary and appropriate for the
members of the workforce to carry out their functions within the covered
entity. (HIPAA Privacy Rule, 45 CFR § 164.530(b)(1))

ISO 27001/27002 Requirement 8.2.2

All employees of the organization and relevant contractors and third-party
users should receive appropriate awareness training and regular updates in
organizational policies and procedures, as needed for their job function.

NIST

NIST highlights security awareness and training as a core component of the
protect function of the cybersecurity framework.
In its detailed guidance on how to build an IT security awareness and training
program, NIST emphasizes that security awareness and training should be
focused on the organization’s entire user population.

PCI DSS 3.2 Requirement 12.6

Implement a formal security awareness program to improve security
knowledge and awareness and to model appropriate security behaviors to
personnel 
Provide and verify employee PCI security awareness training upon hire and at
least once a year.
Establish and maintain a policy that addresses information security for all
personnel.

SOC 2 – 2.2

Communicate information to improve security knowledge and awareness and
to model appropriate security behaviors to personnel through a security
awareness training program.

Security Awareness Training Versus Policy

Keep in mind the distinction between training and policy. Your policies will ensure security,
consistency, and compliance. Those should be determined and codified, creating the basis
for your training. Training is the formal education you provide to your workforce to ensure
they understand the policy and important context surrounding it.

How Effective is Security Awareness Training?

Security awareness training can be highly effective. One single (and highly important) data
point is click-through rates on simulated phishing attacks. That can show just how much
difference training can make. 

Studies show that the more training employees receive, the lower the click-through rate
drops. After a year of training, the click-through rate on phishing simulations can drop by 70
percent. Other data show effectiveness as high as 98 percent.
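The baseline assessments described earlier (simulated phishing, click rates) and the effectiveness figures here rest on the same measurement. The following is an added example, not code from the Reciprocity guide or from ZenGRC: it computes click-through and report rates per campaign and per department from constructed simulation records, the relative drop against the baseline campaign, and the recipients who clicked in more than one campaign (candidates for targeted follow-up training). The `Record` layout, the user population and the campaign data are all assumptions constructed for the example, not a real simulation tool's export.

```python
"""Phishing-simulation metrics for a security awareness program.

Added example, not code from the Reciprocity guide or ZenGRC. The campaign
data below is constructed and the Record fields are an assumed layout, not a
real vendor's export format.
"""
from collections import Counter, defaultdict
from datetime import date
from typing import NamedTuple


class Record(NamedTuple):
    """One delivered simulation email (assumed shape of a simulation export)."""
    campaign: str
    sent_on: date
    department: str
    recipient: str
    clicked: bool
    reported: bool


# Constructed sample population: recipient id -> department.
USERS = {
    "u1": "finance", "u2": "finance", "u3": "finance",
    "u4": "engineering", "u5": "engineering", "u6": "engineering", "u7": "engineering",
    "u8": "sales", "u9": "sales", "u10": "sales",
}

# Constructed campaigns: (campaign id, send date, who clicked, who reported).
# Every user in USERS receives every campaign.
CAMPAIGNS = [
    ("baseline", date(2020, 4, 1), {"u1", "u2", "u3", "u4", "u5"}, {"u9", "u10"}),
    ("q3-2020", date(2020, 7, 1), {"u1", "u2", "u3"}, {"u6", "u9", "u10"}),
    ("q1-2021", date(2021, 4, 1), {"u1"}, {"u3", "u6", "u8", "u9", "u10"}),
]


def expand(campaigns, users):
    """Flatten campaign definitions into one Record per delivered email."""
    records = []
    for cid, sent_on, clicked, reported in campaigns:
        for uid, dept in users.items():
            records.append(Record(cid, sent_on, dept, uid, uid in clicked, uid in reported))
    return records


RECORDS = expand(CAMPAIGNS, USERS)


def _campaign_records(records, campaign_id):
    sent = [r for r in records if r.campaign == campaign_id]
    if not sent:
        raise ValueError(f"no records for campaign {campaign_id!r}")
    return sent


def click_through_rate(records, campaign_id):
    """Fraction of delivered emails whose recipient clicked the simulated link."""
    sent = _campaign_records(records, campaign_id)
    return sum(r.clicked for r in sent) / len(sent)


def report_rate(records, campaign_id):
    """Fraction of recipients who reported the email; rising is the healthy signal."""
    sent = _campaign_records(records, campaign_id)
    return sum(r.reported for r in sent) / len(sent)


def rate_by_department(records, campaign_id):
    """Click-through rate per department, to target follow-up training."""
    sent, clicked = Counter(), Counter()
    for r in _campaign_records(records, campaign_id):
        sent[r.department] += 1
        clicked[r.department] += int(r.clicked)
    return {dept: clicked[dept] / sent[dept] for dept in sent}


def relative_reduction(before, after):
    """Relative drop in click-through rate versus the baseline (0.8 = 80% lower)."""
    if before == 0:
        return 0.0
    return (before - after) / before


def repeat_clickers(records, min_campaigns=2):
    """Recipients who clicked in at least `min_campaigns` distinct campaigns."""
    clicks = defaultdict(set)
    for r in records:
        if r.clicked:
            clicks[r.recipient].add(r.campaign)
    return sorted(uid for uid, cs in clicks.items() if len(cs) >= min_campaigns)


def trend(records):
    """(campaign, click-through rate, report rate) tuples ordered by send date."""
    first_sent = {}
    for r in records:
        first_sent.setdefault(r.campaign, r.sent_on)
    ordered = sorted(first_sent, key=first_sent.get)
    return [(c, click_through_rate(records, c), report_rate(records, c)) for c in ordered]


if __name__ == "__main__":
    rows = trend(RECORDS)
    for campaign, ctr, rr in rows:
        print(f"{campaign:<10} click-through {ctr:5.0%}  reported {rr:5.0%}")
    drop = relative_reduction(rows[0][1], rows[-1][1])
    print(f"click-through rate down {drop:.0%} since baseline")
    print("clicked in 2+ campaigns:", repeat_clickers(RECORDS))
    print("baseline by department:", rate_by_department(RECORDS, "baseline"))
```

Tracking the report rate alongside the click-through rate matters: a program that only drives clicks down may be teaching people to ignore suspicious mail rather than to report it, and the repeat-clicker list is what turns a campaign number into targeted, role-specific follow-up rather than blanket retraining.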

Best Practices for Security Awareness

With a security awareness training program as the anchor, best practices help ensure
ongoing compliance.

Do a needs assessment. 

A baseline understanding of the existing level of security awareness among employees will
help you determine KPIs that meet your organization’s needs. It will help you understand
the biggest human risks, as well as how best to deliver your program. Key personnel should
be involved in creating this step. 

Check out competitors. 

Knowing how competitors have invested in security awareness can inform your efforts and
help you make the case to others in your organization, especially leadership.

Develop a strategy. 

Because security awareness must become integral to your organizational culture, it should
be strategized as well as any other business decision. Convincing management or executive
buy-in and resource allocation may need to be part of your strategy (the needs assessment
can help with this).

Communicate the plan. 

People will get on board more easily if they know what to expect. Everyone must
understand your security awareness program’s goals and benefits and their own
responsibilities and time commitments. Managers might also appreciate clarity about how
the program will or will not impact their respective budgets.

Use marketing techniques. 

Buy-in is so important that ISACA developed a guide to using marketing techniques. These
include creating customer personas and analyzing purchase intentions, which can help you
“sell” security awareness and training to your workforce. Your internal communication team
can help. 

Identify advocates. 

No single person can implement a security awareness program. Advocates can help
motivate adoption of security best practices. They can come from a diverse group including
executives, technical staff and other workers.

How the Coronavirus Pandemic Affects Security Awareness

The COVID-19 pandemic has had an effect on security awareness that will last beyond the
emergency stage. You might be among the many who have to consider how to implement a
remote security initiative with a significant part of your workforce working from home or
public areas. 

Employees will need guidance on how to secure their home Wi-Fi networks. Additionally,
they will need to know how to mitigate risk when using networks in public places. They
might also be contending with family or guests in their work environment, requiring specific
guidance on how others might affect the security of their work. 

SANS recommends creating a community or forum for asking questions and reporting
incidents. This may be particularly useful when the on-site and remote populations shift in
response to pandemics or other emergencies.

Additional areas of increased concern in the pandemic era include:

Secure video conferencing
Remote device security
Social engineering via social media and apps

Tips for Implementation

Sufficient staffing is key to successful implementation.
Research has shown that having more full-time employees dedicated to security awareness
correlates with greater program success.
Leadership support is also critical to successful implementation. Advocacy is even
better. 
Because security awareness is essentially an issue of change management, leaders
must be visible at the forefront of the cultural shift. SANS recommends you dedicate
at least four hours each month to collect and communicate the impact of your
awareness program on your leadership.

How Can I Audit Our Company for Security Training Effectiveness?

Any audit of your security training should be built from an initial benchmark of awareness
and competence levels as described above. SANS has a similar five-tier Security Awareness
Maturity Model that includes an additional final metric, the existence of a robust metrics
framework. 

Duties like assessments can be done in collaboration with other departments, or
outsourced to marketing or research agencies.

Because communication is integral to your security awareness program, any related internal
audit results should be shared with appropriate parties. A streamlined process for real-time
reporting enables ongoing communication about your program and its impacts.

Software Support for Security Awareness

Knowing security awareness is an ongoing need, how can you be sure you’re keeping your
organization safe and staying compliant? Any tool you choose to help manage your security
awareness program will be most effective and valuable if it helps you do things like:

Automate critical processes
Quickly pull real-time compliance reports
Get a clear picture of risk across frameworks
Align security awareness with business objectives
Increase visibility to address gaps and respond to incidents

The Zen GRC platform performs all these tasks in support of your security awareness
program. Automation leaves you free to implement and monitor security awareness
training while eliminating compliance worries. Most importantly, it enhances your ability to
understand and communicate your organization’s security status, and use a data-driven
approach to constantly improve your security program.

Reciprocity Inc.


©2021 All rights reserved
