Cyber Awareness Program - 03 Online

Download as pdf or txt
Download as pdf or txt
You are on page 1of 19

AR-IN-A-BOX

AR-IN-A-BOX
YOUR GUIDE
TO DESIGNING
A CYBER-AWARENESS
PROGRAMME
CONTACT
For contacting ENISA please use the following details:
[email protected]

AUTHORS
Alexandros Zacharis, Dimitra Liveri, Georgia Bafoutsou, Marianna Kalenti (ENISA)

CONTRIBUTORS
Chloe Blondeau, Goran Milencovic, Theodoros Nikolakopoulos (ENISA)

LEGAL NOTICE
Notice must be taken that this publication represents the views and interpretations of the authors and
editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or
the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does
not necessarily represent state-of the-art and ENISA may update it from time to time.

Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external
sources including external websites referenced in this publication.

This publication is intended for information purposes only. It must be accessible free of charge.
NeitherENISA nor any person acting on its behalf is responsible for the use that might be made of the
information contained in this publication.

COPYRIGHT NOTICE
© European Union Agency for Cybersecurity (ENISA), 2023
Reproduction is authorised provided the source is acknowledged.
Catalogue number: TP-09-22-590-EN-N
ISBN: 978-92-9204-591-3
AR-IN-A-BOX

FOREWORD
This is a step-by-step guide for the design of
a cybersecurity-awareness programme in your
professional environment. The document presents
all the necessary steps and relevant suggestions.
However, it is important to note that each
organisation should create their own tailor-made
programme, by picking and choosing the proposals
that suit their needs and recipients the most.

From programme to campaign

Within this document, there will be multiple


references to both programmes and campaigns,
which have different definitions in the context of
awareness raising and can be defined as follows (1).

 Programme. A plan encompassing multiple


awareness-raising activities over a long period
of time (from several months to 1 or even
2 years), following the organisation’s strategy for
cybersecurity. It can include one or more internal
or external campaigns, focused on a common
cybersecurity topic or target group.

 Campaign. A set of individual and dedicated


activities focusing on specific topics, goals or target
audiences. A campaign may be stand alone or part of
a programme.

1 In this report, the term ‘roadmap’ is used to refer to the


visualisation of an awareness programme over a period of time.

YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME 1


STEP-BY-STEP PRESENTATION
AND ANALYSIS
In order to create an internal cyber-awareness
programme, tailored to your employees’ needs, you
need to follow the steps below:

 identify objectives;
 secure financial resources;
 ensure human resources (HR);
 split your employees into target groups;
 choose the right tools;
 create a time plan;
 implement the programme;
 evaluate the programme.

1 2 3 4
Identify Secure financial Ensure human Split employees into
objectives resources resources target groups

5 6 7 8
Choose the right Create Implement Evaluate the
means a timeplan program program

2
AR-IN-A-BOX

1. IDENTIFY OBJECTIVES  To raise cybersecurity awareness by showing


the pervasiveness of cyber risks, promoting cyber
The first step in this process is to set the objectives hygiene and providing guidance on good practices
of your cyber-awareness programme. These derive for individual users.
from the overall cybersecurity strategy of your
organisation. Programme objectives are set on the  To promote cybersecurity education and
basis of the SMART (specific, measurable, achievable, culture within the organisation. This will help
relevant and time-bound) (2) methodology, which different entities of the organisation to identify
can assist in creating a trajectory towards specific the right communicating channels and common
objectives that are clearly defined and attainable in language to be used, in order to unite their efforts
the short and medium term. Those objectives will, in against exposure to threats.
turn, determine the selection of the specific tools and
methods that will be used for each programme.  To be prepared for incidents. This will help the
personnel identify the right order of actions to
take, based on their role, and help the key actors
involved in the event of a cybersecurity incident.

Other generic objectives can be:

Overall goals for Definition of Selection of  to develop an understanding of emerging


awareness and SMART awareness specific material,
learning objectives tools, methods
cybersecurity threats and landscape;

 to promote cybersecurity culture and hygiene;

The awareness-raising objectives stem from the risk  to test policies and procedures (e.g. escalation,
assessment of the organisation. Every organisation backup, incident handling).
might set different objectives for its own awareness
programme, yet some generic ones that are always
applicable, and can easily be converted to SMART
objectives, are the following.

2 https://ec.europa.eu/info/sites/info/files/file_import/better-
regulation-toolbox-16_en_0.pdf

YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME 3


2. SECURING FINANCIAL RESOURCES
Management
Prevention is less expensive than recovery when it
comes to the damage that cyberattacks can cause. They play the most critical role in the
A common misconception is that low budgets adoption and implementation of any
devoted to security-awareness programmes are awareness-raising activity. Based on their
the only reason for the delivery of non-effective endorsement and support, the management
programmes. On the contrary, one can build very can play a catalyst role in the viability of an
thorough cyber-awareness programmes with a low awareness-raising strategy, so make sure they
budget and limited resources. are involved in the design and the objectives-
setting phase of the awareness programme
Along with this guide, the aim of the AR-in-a-Box from an early stage. Management vision can
framework is to provide the basics for anyone to kick- shift the scope of the strategy, based on their
start an awareness-raising programme from scratch, risk appetite. What is more, budget allocation
regardless of the resources available. depends on their support.

Before attempting to secure the budget for your


awareness programme, you need to consider your  Try to identify the must-do topics of your programme
organisation’s overall approach to investing in and the must-train employees who will minimise the
cybersecurity awareness, along with its maturity in the risk for your organisation when trained.
field. Whether you are following a reactive v proactive,
a benchmark or a risk-based approach, some part of  Reuse or update existing material or resources.
your budget will be allocated to awareness.
 Select open-source material or create it in-house.
The best approach to securing the budget is to come
up with real examples and statistics of the money  Exploit synergies in the community where available.
to be saved or the risks to be avoided (based on the
risk assessment) – should the awareness training
take place – and present this to the management.
Collect data on incidents and breaches from your
organisation, or similar ones, to justify the need for
an awareness-raising programme.

In addition to the above, here are some rules to


follow in order to regulate the budget needed and
avoid overspending.

4
AR-IN-A-BOX

3. ENSURING HUMAN RESOURCES

The following roles have been identified as key


for the success of any cybersecurity-awareness
endeavour your organisation might pursue. They
are all equally important and meet different needs
and functions in the various life cycle phases of
a cybersecurity-awareness strategy. Combined, they
will form the cybersecurity-awareness team (CAT)
of your organisation, even if you do not have staff
occupying all the roles. The composition of CATs in Information and communications technology (ICT)
organisations differ.
The heavy weight of ICT maintenance and
Cybersecurity officer implementation or practical security always falls
on the hands of the ICT department. Therefore,
The security officer’s insight and steering ability ICT should always be involved in awareness-raising
are paramount to the future of the strategy. The activities to customise the content based on the
security officer is the one to provide input on the operation reality of each organisation.
objectives and identify the target audiences and most
relevant training topics, based on the needs but also Incident response teams
the threats to which the organisation is exposed. (security operations centres)
The cybersecurity officer can assist in the design of
a programme or undertake its overall supervision, These teams are made up of operational experts
in order to better control content development and that have a good overview of the vulnerabilities of
customise it to the organisation’s needs. the systems in place, but also monitor traffic and
handle potential incidents. They can always feed the
Public relations and communications awareness programme with information and tailor it
to the needs of the staff or to the trending threats.
These teams play an important role in disseminating
the right message internally and engaging the right Human resources
target employee groups via the proper channels
(innovative ideas reflecting the culture of the HR are responsible for promoting but also engaging
organisation might surprise you). the different target audiences to all relevant activities.
HR can introduce procedures that make awareness
programmes mandatory in various stages of the
employees’ induction in an organisation.

YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME 5


Data protection office / legal department 4. CHOOSING EMPLOYEE TARGET GROUPS

The legal department’s valuable input in privacy Identification and categorisation of employees


and personal data topics can enhance the learning in target groups is paramount when developing
experience and also cover specialised security topics a strategy for cyber awareness and cyber-culture
of the awareness-raising training agenda. development, as they improve the dissemination
of key messages to the appropriate recipients.
Instructors Below is an example of the breakdown of a generic
organisation’s staff, which can be used as a guide to
These people are responsible for delivering the follow and fine-tune based on your needs.
programme content to the target audience.
Instructors can be external entities or employees of
the organisation with a specialised background, or
even some other member of the CAT who has the
skills and charisma to deliver public speaking.

Table 1. Employee target groups

Audience groups Clustered audiences


1 Generic employee
2 Contractor
3 HR Generic employee
4 Communications and marketing
5 Legal
6 Operations and research and development
7 Finance and procurement
C-level, decision-makers, handling budgets
8 Managers, officers

9 Heads of unit, directors

Professionals / horizontal implementors of cybersecurity


10 Cybersecurity professionals
measures and users of cybersecurity solutions, working for
11 Information technology (ICT) professionals
organisations and/or individuals

NB: The roles as presented above do not exist in all types of organisations. In several cases one employee might
occupy more than one role (e.g. IT professional and cybersecurity professional).

6
AR-IN-A-BOX

5. SELECTING THE RIGHT TOOLS

The tools that you will employ in order to deliver your


awareness-raising programme must be tailored to
meet all its parameters (target audience, resources,
objectives, budget), and must:

 raise awareness on the most prominent


cybersecurity risks, as derived from the risk
assessment (what are the most prominent risks of
internet use?);

11 groups of employees are identified as potential  provide knowledge on how to tackle and respond to
receivers of learning products and experiences. such risks (how can I navigate the internet safely?);
A further analysis of the audience groups can pinpoint
additional meaningful clusters based on common  influence behavioural change (why should I change
characteristics of theirs (generic employee, chief my digital habits?).
level (C-level), and ICT and security professionals,
as presented in Table 1 below), and can also provide Tools are considered to be the foundation of any activity
insights on the approach and methodology for and may include infographics, tip sheets, posters,
creating awareness. videos, presentations, exercises, quizzes and puzzles,
etc. (More information and an analysis are provided in
“Promotion Channels Analysis” document of AR-in-a-Box

Infographics – Posters Puzzles – Quizzes


Easy to deploy Ensure and test
physically, e.g. in understanding of
elevators, common concepts
spaces

Ads – Videos Live presentations


Able to hold and TOOLS FOR Direct interactions
convey a lot of
information
AWARENESS with participants

RAISING

YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME 7


Based on the analysis of the target groups’ Based on this analysis, decisions can be made about
background, you can divide your target audience into the creation of material and the use of tools and
three categories based on their proficiency level (PL) experiences for the following:
on the topic:
 single topic across relevant employee groups
 aware – proficiency level 1 (PL1), (e.g. video on malware risks targeting the
audience groups);
 trained – proficiency level 2 (PL2),
 single employee group across topics (e.g. website
 experienced – proficiency level 3 (PL3). campaign on common cybersecurity risks, such as
email spams, password attacks, malware, phishing
For the majority of target audiences, the material to and ransomware);
be produced and delivered should aim at achieving
PL1 awareness. A systematic approach towards  cluster employee group across topics (e.g.
devising, delivering and disseminating PL1 awareness networking event for professionals on latest
material will foster a change in the awareness level developments in data breach, malware,
of cybersecurity risks, which can lead to eventual ransomware and relevant certifications).
influence and/or change of behaviour towards more
facilitative, safety-prone digital habits.

Target group PL2 cannot be effectively served by PL1


awareness material only. To ensure this audience
group remains skilled and up to date, awareness
material should include PL2 or even PL3 products.

PL3 covers experienced staff with a technical


background. Specialisation and training are
therefore discussed rather than awareness. Trainers
that conduct the awareness programme are
categorised as PL3.

As such, Table 2 presents proposals for the PL1 and PL2


objectives per audience group and topic categories.

8
AR-IN-A-BOX

Table 2. Matrix of proficiency level per target audience and topic category

Audience groups
PL drop down per audience group
and topic category ICT and security
Generic employee C-level
professionals

Cyberbullying PL1

Online gaming PL1

Online pornography PL1

Safe internet PL1 PL1

Sexting PL1

Fake news PL1

Privacy and data protection PL1 PL1

Financial scams PL1


Topic categories

Mobile banking PL1

Device safety PL1 PL1

Email spam PL1 PL1

Business email compromise fraud PL1 PL1

Password attacks PL1 PL1

Data breach PL1 PL1 PL2

Malware PL1 PL1 PL2

Phishing PL1 PL1

Ransomware PL1 PL1 PL2

Cyber upskilling PL1 PL2

Cyberterrorism PL1

Certifications PL2

YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME 9


6. CREATING A TIME PLAN

First and foremost, a time plan should be tailored


to business activities, the workload and the topics
of the campaign (i.e. if you want to target the
financial department, it is not prudent to launch
a cyber-awareness programme during December
when the fiscal year is closing). Furthermore, do
take into consideration that you need to devote
time beforehand, in order to identify the current
cybersecurity posture of the organisation (e.g.
through a simple, quick survey or quiz). An indicative
example of a time plan is presented below.

January February March April

?
Videos and Videos and
Baseline quiz Training topic dissemination material dissemination material

May June July August

HOLIDAYS HOLIDAYS
Training topic 2 Simulation exercise

September October November December

?
Back-to-school training Games/test/quiz Insights collections Report to management

10
AR-IN-A-BOX

As one may notice, you also need to allocate time to


regular sanity checks (such as tests, simulation exercises Security maturity requires constant
or quizzes) as they provide a better insight on the learning.
effectiveness of the programme and the absorption of
the information provided so far. It also allows for on-the- Training, like many aspects of security, is
fly corrective action to improve the current programme. not a one-off activity. One needs to include
it in all aspects of the organisation until it
becomes an integral part of organisational
7. IMPLEMENTING THE PROGRAMME culture. When hiring new employees, it is
vital that they receive a course as part of
Three timestamps are considered relevant for delivering their ‘welcome package’, which will help them
cybersecurity-awareness training to your employees: perform their tasks while taking cybersecurity
aspects into account. Following that, ongoing
1. when they join the organisation as part of the post-incident and periodic cybersecurity
induction process; training will help maintain the culture.

2. after an incident, in order to indicate the Cybersecurity training is an ongoing


procedures, roles and responsibilities in place; process that you will need to modify and
amend as your organisation grows. This is
3. at regular intervals throughout the year. part of ensuring that your security posture
is as mature as it can be, even as your
Each of these instances offer a different opportunity company and the cybersecurity landscape
to build employee knowledge on specific aspects grows and evolves.
of cybersecurity or to provide them with real-world
examples of what to do and not to do. If you can plan
ahead, you can develop the right types of courses for
the right occasions.

Onboarding

When someone joins an organisation, induction to its


cybersecurity culture is important. The new recruit
has to go over the people, processes and technology
that are most relevant to their job functions when it
comes to security. Focus on general policies and role-
specific information that will help new employees do
their jobs more effectively.

YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME 11


Specifically, set up a one-on-one or group session 8. EVALUATING THE PROGRAMME
for new employees. This can be delivered via an
engaging, interactive presentation, where you go over Upon implementation of the programme, you need to
the key security principles and tools they will be using assess its effectiveness in order to identify the lessons
and those they should be aware of. Following this, learned and the changes that may need to be made
you can quiz them to test out their new knowledge. in the future.

Post-incident

If a security incident occurs in your organisation,


it can be a good time to offer a refresher course.
Instead of laying blame, think of this as an
opportunity to analyse an actual issue that arose and
show how it can be avoided in the future.

What pieces of information did your team not have


(or forgot along the way) that would have helped
them avoid the situation? How can you better educate
them for the future? With this information in hand,
set up an all-company meeting where you can review
best practices for these types of incidents. Focus on
the attack vector and how others in the organisation
can avoid falling victim to the same type of attack.

Continuous

The idea here is to set up a curriculum that covers


the most common security threats (this will change
over time as new ones come to the fore) and keeps
cybersecurity top of mind through a regular cadence
of education and awareness.

12
AR-IN-A-BOX

KEY RECOMMENDATIONS
The key factors for a successful awareness-raising Learning by monitoring and evaluating. The
programme are summarised below. development of measures to assess the impact of the
entire programme should be considered from the very
Deliver the right message to the right employee start of its design. Regular monitoring and evaluation
group. Identifying key audiences from the group of help to keep track of what is happening and allow the
employees helps ensure messages are received by team to take corrective action if necessary.
those who will be most receptive to them. Identifying
the target audiences and tailoring the programme
to their specific needs and level of knowledge, from
the early planning stages of a programme, ensures
that the right message reaches the right audience.
Messages need to be clearly related to cybersecurity
topics that audiences find familiar.

Key message formulation is important for the


success of a cyber-awareness programme. Since
every cybersecurity topic and audience is unique,
each training requires a customised approach.
For the development of future awareness-raising
and educational training, specific and achievable
objectives should be set to act as success indicators.
Taking into consideration the geographical and the
thematic scope, the employees’ group should be
reached with messages that respond directly to their
cybersecurity fears and particular needs.

Selection of the appropriate tools. The process


of selecting the appropriate tools, in order to
communicate the correct message(s) to the employees
effectively, is key in the cyber-awareness design.

YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME 13


ANNEX
Example of an awareness-raising programme.

Objective Indicative implementation


timeline

1. Raise awareness on the cyber threat of phishing. 6 months


• Provide a custom training on the topic, informative material and a hands-on
quiz to evaluate progress.
• Utilise a phishing simulation campaign to capture before and after results.
• 100 % of staff should participate in the activity.

2. Promote cybersecurity education and culture. 1 year


• Provide a custom training, a reporting process in the event of an incident and a
hands-on table-top exercise to evaluate lessons learned.
• 80 % of the staff should participate in the activity.

3. Improve preparedness in the event of an incident. 6 months


• 100 % of ICT personnel should participate in the activity.
• Provide training and a hands-on technical exercise to evaluate lessons learned.
• Test escalation procedures in place and identify gaps.

Table 3. Suggested programme delivery methods according to proficiency level target

PL1 – aware PL2 – trained


Webinars / information sessions Real-time courses (face to face or online)
Intranet/website, portal e-learning / online courses
Videos, leaflets Webinars/workshops
Podcasts Video tutorials
Helplines / hotlines / chat boxes Training labs
Newsletters Discussion groups / forums
Awareness kits (posters, background, screensavers, Gamification (role playing, escape rooms, mock attacks)
infographics, customised Windows login pages)
Online games, quizzes Micro/nano learning
Publications Diplomas and certifications

14
AR-IN-A-BOX

Table 4. Suggested delivery methods per target group

Target audience Channels and delivery methods

Generic employee, contractor • Social media websites, portals


HR, communications • Online games and quizzes
and marketing, legal, • Gamification (e.g. role playing, escape rooms, mock attacks)
operations and research and • Awareness kits (posters, background, screensavers, infographics, customised
development Windows login pages)
• Helplines / hotlines / chat boxes
• Video tutorials
• Discussion groups / forums

Finance and procurement, • Newsletters


managers, officers, heads of • Awareness kits (posters, background, screensavers, infographics, customised
unit, directors Windows login pages)
• Videos
• Webinars/workshops
• e-learning / online courses
• Publications
• Conferences/events

ICT professionals, • Real-time courses (face to face or online)


cybersecurity professionals, • Videos
cyber knowledgeable • Webinars/workshops
• e-learning / online courses
• Training labs
• Certifications/diplomas
• Publications
• Networking events / conferences

YOUR GUIDE TO DESIGNING A CYBER-AWARENESS PROGRAMME 15


ABOUT ENISA
The European Union Agency for Cybersecurity (ENISA) is a centre of network and information security
expertise for the EU, its Member States, the private sector and Europe’s citizens. ENISA works with these
groups to develop advice and recommendations on good practice in information security. It assists EU
Member States in implementing relevant EU legislation and works to improve the resilience of Europe’s
critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU Member
States by supporting the development of cross-border communities committed to improving network
and information security throughout the EU. More information about ENISA and its work can be found
at www.enisa.europa.eu.

ENISA
European Union Agency for Cybersecurity

Athens Office
Agamemnonos 14
Chalandri 15231, Attiki, Greece

Heraklion Office
95 Nikolaou Plastira
700 13 Vassilika Vouton, Heraklion, Greece

enisa.europa.eu

You might also like